
Input OWASP triggered on legitimate traffic from Googlebot!

blueberry

Basic Pleskian
I wanted to share a very bad thing that I found in my log today. A ModSecurity rule from OWASP (WAF) was triggered on visits by Googlebot. I mean, come on, if OWASP is not able to tell the difference between an attacker and Googlebot, it makes no sense to install OWASP.


This is really something that I feared, and it happened. This means we can't trust these ModSecurity rules. (You want to use ModSecurity? Implement your own custom rule sets.) You don't want to use ModSecurity? There are plenty of other solutions to protect your website via .htaccess, nginx and your CMS. We are in 2021, these free ModSecurity rules have been around for a while now, and they still wonder whether Googlebot is an enemy? Come on, this is not serious!

So beware!

[Attachments: two screenshots of the ModSecurity log entries]
 
A) The OWASP CRS is known to be ultra-sensitive and to produce false positives. If you're using the CRS by default, you should know this and the risks it entails. Most will use a custom or modified version of the CRS.

A1) The CRS was built to provide strict protection against the OWASP Top 10. Not to be compatible with your WP/Drupal/Custom/Website, so it does exactly that.

B) It doesn't look like the request was actually blocked. (w/ 403 / 404). The severity was a notice. There's no status code. Was the request blocked?

> they still wonder whether Googlebot is an enemy?

C) Again, as the systems administrator, it's your responsibility to test and adjust the rules. Don't want to do this? Atomicorp has a paid ModSec rule set.

> htaccess, nginx and your cms

D) ModSec is a regex engine that parses a library of regexes that match the request. That's all. If you think an .htaccess provides the same level of protection, you're sorely mistaken. NGINX uses, guess what, ModSec too (w/ Plesk at least). Ideally you want to block requests before they ever get to your applications.
 
From the Plesk ModSecurity configuration page:
"OWASP ModSecurity Core Rule Set is very restrictive and might block some functions (for example, file sharing, webmail) and some features of web applications (for example, WordPress plugins)."
You have been warned ;-)
 
