Description
When testing out the basic features of modsecurity, I tried accessing a non-existing page which is included by threat scanning tools to see how modsecurity would handle it. I was happy to see that the request resulted in a generic 403 response, but instead of the HTML rendering in the browser it was displayed in plain text. When checking, it looks like the content-type of the response was `text/plain` when it really should have been `text/html`.

Additionally, the `server` header in the response was disclosing that the underlying system was using `nginx`, which is a concern due to disclosure of the underlying technology, and which allows attackers to narrow their possible set of attacks. In the same way, the default 403 error message shown below also references `nginx`. My recommendation, if possible, would be to configure this product to remove these headers and to use something generic which does not signal anything unique to clue an attacker in on the use of modsecurity or nginx.
Image: owasp/modsecurity-crs:nginx
Example URL: http://localhost:8080/.env
Response:
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
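To check whether a deployment actually shows the two problems reported in this issue, the script below (an added example, not part of this issue or of the CRS project) parses a raw HTTP response and flags an HTML body served with a non-HTML Content-Type as well as product names in the Server header or the error page text. The sample response is constructed to mirror the 403 quoted above, and the list of technology markers is an assumption.

```python
"""Audit an HTTP error response for a Content-Type that does not match an
HTML body and for technology disclosure in the Server header or page body.
Added example, not code from the issue or the CRS project."""
import re

# Constructed sample mirroring the 403 response quoted in the report.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"<html>\r\n<head><title>403 Forbidden</title></head>\r\n"
    b"<body>\r\n<center><h1>403 Forbidden</h1></center>\r\n"
    b"<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n"
)

# Product names whose presence reveals the stack (assumed list, extend as needed).
TECH_MARKERS = ("nginx", "apache", "modsecurity", "openresty", "iis")


def split_response(raw: bytes):
    """Return (status line, headers with lower-cased names, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    headers = {}
    for line in header_block.decode("latin-1").splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line.decode("latin-1"), headers, body


def looks_like_html(body: bytes) -> bool:
    """True when the body opens with an <html> or <!DOCTYPE html> tag."""
    return re.match(rb"\s*<(!doctype\s+html|html)\b", body, re.I) is not None


def audit_response(raw: bytes) -> list[str]:
    """Return one finding per problem; an empty list means nothing to report."""
    _, headers, body = split_response(raw)
    findings = []
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if looks_like_html(body) and ctype != "text/html":
        findings.append(f"body is HTML but Content-Type is {ctype or 'missing'!r}")
    server = headers.get("server", "")
    if any(m in server.lower() for m in TECH_MARKERS):
        findings.append(f"Server header discloses technology: {server!r}")
    text = body.decode("latin-1").lower()
    findings += [f"error page body mentions {m!r}" for m in TECH_MARKERS if m in text]
    return findings


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print("FINDING:", finding)
```

The raw bytes of a live response (for example the output of `curl -si` against the URL in the report) can be passed to `audit_response` in place of the constructed sample.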