
Modsecurity Nginx breaking Wordpress Woocommerce checkout page. Can't find working rule exclusions


I am running an Ubuntu 20.04 based LEMP server on a Raspberry Pi 4. I am working on a Wordpress Woocommerce website at https://www.mcmo.is. Currently on iOS using Safari or Google Chrome, I can't get past the website's Woocommerce checkout page with Modsecurity enabled. When trying to check out an item, the payment method options under "YOUR ORDER" are greyed out (see the photos beneath), blocking me from checking out.

[Images: Mcmo.is/checkout payments blocked 1; Mcmo.is/checkout payments blocked 2]

The error particularly happens when on the page https://www.mcmo.is/checkout/, while you have items in your shopping cart.

Here is my Modsec_audit.log that is triggered after refreshing the checkout page on iOS Safari:

---PVwDGcNo---H--
ModSecurity: Warning. Matched "Operator `Pm' with parameter `AppleWebKit Android' against variable `REQUEST_HEADERS:User-Agent' (Value: `jetmon/1.0 (Jetpack Site Uptime Monitor by WordPress.com)' ) [file "/etc/nginx/modsec/coreruleset-3.3.4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1267"] [id "920300"] [rev ""] [msg "Request Missing an Accept Header"] [data ""] [severity "5"] [ver "OWASP_CRS/3.3.4"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [tag "paranoia-level/2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "168487174739.348118"] [ref "v0,4v46,57"]
 
---PVwDGcNo---J--
 
---PVwDGcNo---K--
 
---PVwDGcNo---Z--
 
---CQNTU3vm---A--
[23/May/2023:14:56:57 -0500] 168487181772.491223 104.28.103.67 12879 10.10.10.2 443
---CQNTU3vm---B--
POST /?wc-ajax=update_order_review HTTP/2.0
user-agent: Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1
sec-fetch-site: same-origin
origin: https://www.mcmo.is
accept-encoding: gzip, deflate, br
cookie: __stripe_mid=91fdd213-af74-4b85-9598-839fcc55d0cc5c6ea9; __stripe_sid=0cdbb2f7-444e-48fe-aba6-703176fe86b4147508; _pk_id.1.37a4=b74807d259313be5.1684820191.; _pk_ses.1.37a4=1; woocommerce_cart_hash=08cc07e027a73f2cd5bd1311c4c41d0d; woocommerce_items_in_cart=1; wp_woocommerce_session_173dd7436a96149bdd624d8b340b4484=t_e92a890f9274d560fca7a7d246ce0f%7C%7C1685044476%7C%7C1685040876%7C%7C7c2446cd6987f53d9ffa67544cca90e2
content-length: 1175
accept-language: en-US,en;q=0.9
accept: */*
x-requested-with: XMLHttpRequest
content-type: application/x-www-form-urlencoded; charset=UTF-8
sec-fetch-mode: cors
host: www.mcmo.is
referer: https://www.mcmo.is/checkout/
sec-fetch-dest: empty
 
---CQNTU3vm---C--
security=f0cfee6ae7&payment_method=stripe_cc&country=US&state=WI&postcode=&city=&address=&address_2=&s_country=US&s_state=WI&s_postcode=&s_city=&s_address=&s_address_2=&has_full_address=false&post_data=billing_email%3D%26billing_first_name%3D%26billing_last_name%3D%26billing_company%3D%26billing_country%3DUS%26billing_address_1%3D%26billing_address_2%3D%26billing_city%3D%26billing_state%3DWI%26billing_postcode%3D%26billing_phone%3D%26order_comments%3D%26payment_method%3Dstripe_cc%26stripe_cc_token_key%3D%26stripe_cc_payment_intent_key%3D%26stripe_applepay_token_key%3D%26stripe_applepay_payment_intent_key%3D%26stripe_afterpay_token_key%3D%26stripe_afterpay_payment_intent_key%3D%26stripe_affirm_token_key%3D%26stripe_affirm_payment_intent_key%3D%26stripe_klarna_token_key%3D%26stripe_klarna_payment_intent_key%3D%26stripe_giropay_token_key%3D%26stripe_giropay_payment_intent_key%3D%26stripe_sepa_token_key%3D%26stripe_sepa_payment_intent_key%3D%26stripe_wechat_token_key%3D%26stripe_wechat_payment_intent_key%3D%26stripe_alipay_token_key%3D%26stripe_alipay_payment_intent_key%3D%26woocommerce-process-checkout-nonce%3Dad56a76f3f%26_wp_http_referer%3D%252Fcheckout%252F
 
---CQNTU3vm---E--
\xa1\x88\x04\x00 :\xb7\xceF\xe8\x84\x06\x0c\xf2\xa3)X\xc4\x82\x1bI=Y\xc8\x99]2\x92L\x0a\x0aZ\xa37|\xdc\xbe5I\xe4bPIXo\xd5\x05mi!\xeb\xcdn\xd3!\x14&\xcb$\x98d!\xd8Q\x19\xc5\x95\xca\xc5\xaar\x8c\x1bY\xd6\x80\xf0\xfa\xdc\xfe\xb8kD\xd3l\x00
 
---CQNTU3vm---F--
HTTP/2.0 403
x-frame-options: SAMEORIGIN
Referrer-Policy: no-referrer-when-downgrade
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline'
Vary: Accept-Encoding
X-XSS-Protection: 1; mode=block
Connection: close
Content-Encoding: br
X-Content-Type-Options: nosniff
Content-Type: text/html
Date: Tue, 23 May 2023 19:56:57 GMT
Server: nginx
 
---CQNTU3vm---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `%[0-9a-fA-F]{2}' against variable `ARGS:post_data' (Value: `billing_email=&billing_first_name=&billing_last_name=&billing_company=&billing_country=US&billing_ad (739 characters omitted)' ) [file "/etc/nginx/modsec/coreruleset-3.3.4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1236"] [id "920230"] [rev ""] [msg "Multiple URL Encoding Detected"] [data "billing_email=&billing_first_name=&billing_last_name=&billing_company=&billing_country=US&billing_address_1=&billing_address_2=&billing_city=&billing_state=WI&billing_postcode=&billing_phone=&order_co (639 characters omitted)"] [severity "4"] [ver "OWASP_CRS/3.3.4"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/267/120"] [tag "paranoia-level/2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "168487181772.491223"] [ref "o825,3v1175,839"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>]*?){12})' against variable `ARGS:post_data' (Value: `billing_email=&billing_first_name=&billing_last_name=&billing_company=&billing_country=US&billing_ad (739 characters omitted)' ) [file "/etc/nginx/modsec/coreruleset-3.3.4/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1145"] [id "942430"] [rev ""] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)"] [data "Matched Data: =&billing_first_name=&billing_last_name=&billing_company=&billing_country=US&billing_address_1=& found within ARGS:post_data: billing_email=&billing_first_name=&billing_last_name=&billin (775 characters omitted)"] [severity "4"] [ver "OWASP_CRS/3.3.4"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "168487181772.491223"] [ref "o13,96o13,96v1175,839t:urlDecodeUni"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `6' ) [file "/etc/nginx/modsec/coreruleset-3.3.4/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "81"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 6)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.4"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.10.10.2"] [uri "/"] [unique_id "168487181772.491223"] [ref ""]
 
---CQNTU3vm---J--
 
---CQNTU3vm---K--
 
---CQNTU3vm---Z--
 
---vJW4uWev---A--
[23/May/2023:14:56:58 -0500] 168487181857.638634 104.28.103.67 12879 10.10.10.2 443
---vJW4uWev---B--
POST /ngx_pagespeed_beacon?url=https%3A%2F%2Fwww.mcmo.is%2Fcheckout%2F HTTP/2.0
user-agent: Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1
sec-fetch-site: same-origin
referer: https://www.mcmo.is/checkout/
origin: https://www.mcmo.is
accept-encoding: gzip, deflate, br
cookie: __stripe_mid=91fdd213-af74-4b85-9598-839fcc55d0cc5c6ea9; __stripe_sid=0cdbb2f7-444e-48fe-aba6-703176fe86b4147508; _pk_id.1.37a4=b74807d259313be5.1684820191.; _pk_ses.1.37a4=1; woocommerce_cart_hash=08cc07e027a73f2cd5bd1311c4c41d0d; woocommerce_items_in_cart=1; wp_woocommerce_session_173dd7436a96149bdd624d8b340b4484=t_e92a890f9274d560fca7a7d246ce0f%7C%7C1685044476%7C%7C1685040876%7C%7C7c2446cd6987f53d9ffa67544cca90e2
content-length: 1518
accept-language: en-US,en;q=0.9
accept: */*
content-type: application/x-www-form-urlencoded
sec-fetch-mode: cors
host: www.mcmo.is
sec-fetch-dest: empty
 
---vJW4uWev---C--
oh=2RDKPDrkqK&n=oXR-u9g8ZBY&ci=3819676361,3704443330,2391801292&rd=%7B%22807302714%22%3A%7B%22rw%22%3A2500%2C%22rh%22%3A1075%2C%22ow%22%3A2500%2C%22oh%22%3A1075%7D%2C%221098383817%22%3A%7B%22rw%22%3A43%2C%22rh%22%3A26%2C%22ow%22%3A43%2C%22oh%22%3A26%7D%2C%221857610682%22%3A%7B%22rw%22%3A750%2C%22rh%22%3A205%2C%22ow%22%3A750%2C%22oh%22%3A205%7D%2C%221973805766%22%3A%7B%22rw%22%3A43%2C%22rh%22%3A26%2C%22ow%22%3A43%2C%22oh%22%3A26%7D%2C%222158018692%22%3A%7B%22rw%22%3A43%2C%22rh%22%3A26%2C%22ow%22%3A43%2C%22oh%22%3A26%7D%2C%222267908736%22%3A%7B%22rw%22%3A500%2C%22rh%22%3A500%2C%22ow%22%3A500%2C%22oh%22%3A500%7D%2C%222391801292%22%3A%7B%22rw%22%3A1%2C%22rh%22%3A1%2C%22ow%22%3A1%2C%22oh%22%3A1%7D%2C%222607940429%22%3A%7B%22rw%22%3A82%2C%22rh%22%3A23%2C%22ow%22%3A82%2C%22oh%22%3A23%7D%2C%222612327244%22%3A%7B%22rw%22%3A43%2C%22rh%22%3A26%2C%22ow%22%3A43%2C%22oh%22%3A26%7D%2C%223217526565%22%3A%7B%22rw%22%3A165%2C%22rh%22%3A105%2C%22ow%22%3A165%2C%22oh%22%3A105%7D%2C%223267582129%22%3A%7B%22rw%22%3A56%2C%22rh%22%3A32%2C%22ow%22%3A56%2C%22oh%22%3A32%7D%2C%223761568465%22%3A%7B%22rw%22%3A72%2C%22rh%22%3A36%2C%22ow%22%3A72%2C%22oh%22%3A36%7D%2C%223819676361%22%3A%7B%22rw%22%3A56%2C%22rh%22%3A17%2C%22ow%22%3A218%2C%22oh%22%3A68%7D%2C%223844434478%22%3A%7B%22rw%22%3A150%2C%22rh%22%3A48%2C%22ow%22%3A150%2C%22oh%22%3A48%7D%2C%224142142527%22%3A%7B%22rw%22%3A102%2C%22rh%22%3A52%2C%22ow%22%3A102%2C%22oh%22%3A52%7D%2C%224235224056%22%3A%7B%22rw%22%3A250%2C%22rh%22%3A250%2C%22ow%22%3A250%2C%22oh%22%3A250%7D%7D
 
---vJW4uWev---E--
\xa1\x88\x04\x00 :\xb7\xceF\xe8\x84\x06\x0c\xf2\xa3)X\xc4\x82\x1bI=Y\xc8\x99]2\x92L\x0a\x0aZ\xa37|\xdc\xbe5I\xe4bPIXo\xd5\x05mi!\xeb\xcdn\xd3!\x14&\xcb$\x98d!\xd8Q\x19\xc5\x95\xca\xc5\xaar\x8c\x1bY\xd6\x80\xf0\xfa\xdc\xfe\xb8kD\xd3l\x00
 
---vJW4uWev---F--
HTTP/2.0 403
x-frame-options: SAMEORIGIN
Referrer-Policy: no-referrer-when-downgrade
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline'
Vary: Accept-Encoding
X-XSS-Protection: 1; mode=block
Connection: close
Content-Encoding: br
X-Content-Type-Options: nosniff
Content-Type: text/html
Date: Tue, 23 May 2023 19:56:58 GMT
Server: nginx
 
---vJW4uWev---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:(?:(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter|load)\s*?\(\s*?space\s*?\(|,.*?[)\da-f\"'`][\"'`](?:[\"'`].*?[\"'`]|(?:\r?\n)?\z|[^\"'`]+)|\Wselect.+\W*?from))' against variable `ARGS:rd' (Value: `{"807302714":{"rw":2500,"rh":1075,"ow":2500,"oh":1075},"1098383817":{"rw":43,"rh":26,"ow":43,"oh":26 (677 characters omitted)' ) [file "/etc/nginx/modsec/coreruleset-3.3.4/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "671"] [id "942200"] [rev ""] [msg "Detects MySQL comment-/space-obfuscated injections and backtick termination"] [data "Matched Data: ,"rh":1075,"ow":2500,"oh":1075},"1098383817":{ found within ARGS:rd: {"807302714":{"rw":2500,"rh":1075,"ow":2500,"oh":1075},"1098383817":{"rw":43,"rh":26,"ow":43,"oh":26},"1857610682":{" (660 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.4"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "10.10.10.2"] [uri "/ngx_pagespeed_beacon"] [unique_id "168487181857.638634"] [ref "o23,46v1028,777t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:[\"'`]\s*?(?:(?:n(?:and|ot)|(?:x?x)?or|between|\|\||and|div|&&)\s+[\s\w]+=\s*?\w+\s*?having\s+|like(?:\s+[\s\w]+=\s*?\w+\s*?having\s+|\W*?[\"'`\d])|[^?\w\s=.,;)(]++\s*?[(@\"'`]*?\s*?\w+\W+\w|\*\s* (166 characters omitted)' against variable `ARGS:rd' (Value: `{"807302714":{"rw":2500,"rh":1075,"ow":2500,"oh":1075},"1098383817":{"rw":43,"rh":26,"ow":43,"oh":26 (677 characters omitted)' ) [file "/etc/nginx/modsec/coreruleset-3.3.4/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "732"] [id "942260"] [rev ""] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: ":{"rw":2 found within ARGS:rd: {"807302714":{"rw":2500,"rh":1075,"ow":2500,"oh":1075},"1098383817":{"rw":43,"rh":26,"ow":43,"oh":26},"1857610682":{"rw":750,"rh":205,"ow":750,"oh":205}," (623 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.4"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "10.10.10.2"] [uri "/ngx_pagespeed_beacon"] [unique_id "168487181857.638634"] [ref "o11,9v1028,777t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:(?:[\"'`](?:\s*?(?:is\s*?(?:[\d.]+\s*?\W.*?[\"'`]|\d.+[\"'`]?\w)|\d\s*?(?:--|#))|(?:\W+[\w+-]+\s*?=\s*?\d\W+|\|?[\w-]{3,}[^\w\s.,]+)[\"'`]|[\%&<>^=]+\d\s*?(?:between|like|x?or|and|div|=))|(?i:n?an (121 characters omitted)' against variable `ARGS:rd' (Value: `{"807302714":{"rw":2500,"rh":1075,"ow":2500,"oh":1075},"1098383817":{"rw":43,"rh":26,"ow":43,"oh":26 (677 characters omitted)' ) [file "/etc/nginx/modsec/coreruleset-3.3.4/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "858"] [id "942340"] [rev ""] [msg "Detects basic SQL authentication bypass attempts 3/3"] [data "Matched Data: "807302714":{" found within ARGS:rd: {"807302714":{"rw":2500,"rh":1075,"ow":2500,"oh":1075},"1098383817":{"rw":43,"rh":26,"ow":43,"oh":26},"1857610682":{"rw":750,"rh":205,"ow":750,"oh":2 (628 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.4"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "10.10.10.2"] [uri "/ngx_pagespeed_beacon"] [unique_id "168487181857.638634"] [ref "o1,14v1028,777t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:[\"'`](?:\s*?(?:(?:\*.+(?:(?:an|i)d|between|like|x?or|div)\W*?[\"'`]|(?:between|like|x?or|and|div)\s[^\d]+[\w-]+.*?)\d|[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`]|[^\w\s]+\s*?[\W\d].*?(?:--|#))|.*?\*\s*?\d)|[ (44 characters omitted)' against variable `ARGS:rd' (Value: `{"807302714":{"rw":2500,"rh":1075,"ow":2500,"oh":1075},"1098383817":{"rw":43,"rh":26,"ow":43,"oh":26 (677 characters omitted)' ) [file "/etc/nginx/modsec/coreruleset-3.3.4/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "917"] [id "942370"] [rev ""] [msg "Detects classic SQL injection probings 2/3"] [data "Matched Data: ":{" found within ARGS:rd: {"807302714":{"rw":2500,"rh":1075,"ow":2500,"oh":1075},"1098383817":{"rw":43,"rh":26,"ow":43,"oh":26},"1857610682":{"rw":750,"rh":205,"ow":750,"oh":205},"19738 (618 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.4"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "10.10.10.2"] [uri "/ngx_pagespeed_beacon"] [unique_id "168487181857.638634"] [ref "o11,4v1028,777t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>]*?){12})' against variable `ARGS:rd' (Value: `{"807302714":{"rw":2500,"rh":1075,"ow":2500,"oh":1075},"1098383817":{"rw":43,"rh":26,"ow":43,"oh":26 (677 characters omitted)' ) [file "/etc/nginx/modsec/coreruleset-3.3.4/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1145"] [id "942430"] [rev ""] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)"] [data "Matched Data: {"807302714":{"rw":2500,"rh":1075," found within ARGS:rd: {"807302714":{"rw":2500,"rh":1075,"ow":2500,"oh":1075},"1098383817":{"rw":43,"rh":26,"ow":43,"oh":26},"1857610682":{"rw":750,"rh (649 characters omitted)"] [severity "4"] [ver "OWASP_CRS/3.3.4"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "10.10.10.2"] [uri "/ngx_pagespeed_beacon"] [unique_id "168487181857.638634"] [ref "o0,35o0,35v1028,777t:urlDecodeUni"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `23' ) [file "/etc/nginx/modsec/coreruleset-3.3.4/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "81"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 23)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.4"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.10.10.2"] [uri "/ngx_pagespeed_beacon"] [unique_id "168487181857.638634"] [ref ""]
 
---vJW4uWev---J--
 
---vJW4uWev---K--
 
---vJW4uWev---Z--

and here are my corresponding Modsec_Debug.logs: Modsec_debug.log.Part1 Modsec_debug.log.Part2 Modsec_debug.log.Part3 Modsec_debug.log.Part4 Modsec_debug.log.Part5

In my REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf custom rule exclusions file I have the following rule exclusions:

SecRule REQUEST_URI "@streq /" \
    "id:1060,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=920230,\
    ctl:ruleRemoveById=942430,\
    ctl:ruleRemoveById=949110"

SecRule REQUEST_URI "@streq /ngx_pagespeed_beacon" \
    "id:1061,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=942200,\
    ctl:ruleRemoveById=942260,\
    ctl:ruleRemoveById=942340,\
    ctl:ruleRemoveById=942370,\
    ctl:ruleRemoveById=942430,\
    ctl:ruleRemoveById=949110"

but these exclusions still don't unblock the credit card checkout area under "Your Order" on the website.

It seems something in Modsecurity's custom rules isn't working and I just can't seem to figure out the proper rule exclusions to unblock the Woocommerce payment options on the checkout page.

My Question Is: Could someone take a look at my log files, and tell me which rules I should exactly be excluding, and how exactly I can exclude them? Can you also explain why my current rules are seemingly ineffective? Any help is highly appreciated!

Comment by djdomi:
I'm unsure if it might help, but SE has Webmasters; mostly each commercial plugin also has nice support, while I am surprised that it is already working natively on nginx.
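
Added example, not part of the original post: in ModSecurity, REQUEST_URI includes the query string, so @streq / cannot match the logged request line /?wc-ajax=update_order_review even though the [uri "/"] tag shows only the path. The Python below parses audit-log sections B and H and emits per-path exclusions keyed on REQUEST_FILENAME that drop only the flagged ARGS targets, leaving 949110 in place. Assumptions: the function names, the shop.example.test host and the abbreviated sample log are constructed for illustration; rule ids start at 1060 as in the post.

```python
import re
from collections import defaultdict

# Constructed, abbreviated audit-log excerpt in the layout of the log above:
# section B holds the request line, section H the rule messages.
SAMPLE_LOG = r"""
---CQNTU3vm---B--
POST /?wc-ajax=update_order_review HTTP/2.0
host: shop.example.test

---CQNTU3vm---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `%[0-9a-fA-F]{2}' against variable `ARGS:post_data' (Value: `billing_email=' ) [id "920230"] [uri "/"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(...)' against variable `ARGS:post_data' (Value: `billing_email=' ) [id "942430"] [uri "/"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `6' ) [id "949110"] [uri "/"]

---CQNTU3vm---Z--

---vJW4uWev---B--
POST /ngx_pagespeed_beacon?url=https%3A%2F%2Fshop.example.test%2Fcheckout%2F HTTP/2.0

---vJW4uWev---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(...)' against variable `ARGS:rd' (Value: `{"1":{"rw":1}}' ) [id "942200"] [uri "/ngx_pagespeed_beacon"]

---vJW4uWev---Z--
"""

SECTION = re.compile(r"^---(\w+)---([A-Z])--\s*$")
MATCH = re.compile(r"against variable `([^']+)'.*?\[id \"(\d+)\"\]")

def parse(log):
    """Return {txn: {"request_uri": str, "hits": [(rule_id, variable), ...]}}."""
    txns = defaultdict(lambda: {"request_uri": None, "hits": []})
    txn = part = None
    for line in log.splitlines():
        m = SECTION.match(line)
        if m:
            txn, part = m.groups()
        elif part == "B" and txns[txn]["request_uri"] is None and line.strip():
            txns[txn]["request_uri"] = line.split()[1]  # path plus query string
        elif part == "H" and (h := MATCH.search(line)):
            txns[txn]["hits"].append((h.group(2), h.group(1)))
    return dict(txns)

def exclusions(txns, first_id=1060):
    """Build one SecRule per path that removes only the flagged ARGS targets."""
    per_path = defaultdict(set)
    for t in txns.values():
        if not t["request_uri"]:
            continue
        path = t["request_uri"].split("?", 1)[0]  # the part REQUEST_FILENAME holds
        for rule_id, var in t["hits"]:
            if var.startswith("ARGS:"):  # skips TX:ANOMALY_SCORE, i.e. 949110
                per_path[path].add((rule_id, var))
    rules = []
    for n, (path, hits) in enumerate(sorted(per_path.items())):
        ctls = ",\\\n".join(f"    ctl:ruleRemoveTargetById={i};{v}" for i, v in sorted(hits))
        rules.append(f'SecRule REQUEST_FILENAME "@streq {path}" \\\n'
                     f'    "id:{first_id + n},\\\n    phase:1,\\\n    pass,\\\n    nolog,\\\n{ctls}"')
    return rules

if __name__ == "__main__":
    print("\n\n".join(exclusions(parse(SAMPLE_LOG))))
```

Because the generated rule for / applies to every request whose path is /, the exclusion is limited to the named argument rather than removing the rule outright.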