
Basic modsecurity setup with nginx docker image responds with HTML content but with content-type of text/plain #362

@jpierson-at-riis

Description


When testing out the basic features of modsecurity, I tried accessing a non-existing page which is included by threat scanning tools to see how modsecurity would handle it. I was happy to see that the request resulted in a generic 403 response but instead of the HTML rendering in the browser it was displayed in plain text. When checking, it looks like the content-type of the response was text/plain when it really should have been text/html.

Additionally, the server header in the response was disclosing that the underlying system was using nginx, which is a concern due to disclosure of the underlying technology, and which allows attackers to narrow their possible set of attacks. In the same way, the default 403 error message shown below also references nginx. My recommendation, if possible, would be to configure this product to remove these headers and to use something generic which does not signal anything unique to clue an attacker in on the use of modsecurity or nginx.

Image: owasp/modsecurity-crs:nginx
Example URL: http://localhost:8080/.env

Response:

<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
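The following nginx server block is an added example, not configuration from the issue, from the owasp/modsecurity-crs image, or from the nginx project. It shows the two mitigations the report asks for: a generic 403 page that is always sent as text/html, and a Server header that no longer carries a version. The listen port, the /etc/nginx/errors directory, the 403.html file (which should contain no product names) and the upstream name "backend" are assumptions; whether this image is built with the headers-more module is also an assumption, so that directive is left commented out.

```nginx
# Added example: generic 403 page with correct MIME type, version hidden.
server {
    listen 8080;            # assumed port, matching the report's URL
    server_name _;

    # Drop the version from "Server: nginx/x.y.z" and from nginx's
    # built-in error pages. The header still reads "Server: nginx";
    # removing it entirely needs the headers-more module, which is
    # not verified for this image:
    # more_clear_headers Server;
    server_tokens off;

    # Every 403, whatever produced it, is answered from a static page
    # instead of nginx's default page that names nginx in its footer.
    error_page 403 /errors/403.html;

    location /errors/ {
        root /etc/nginx;        # assumed: /etc/nginx/errors/403.html exists
        internal;               # only reachable via error_page, not by clients
        # Force text/html so the page renders instead of showing as text/plain.
        types { }
        default_type text/html;
    }

    location / {
        proxy_pass http://backend;   # assumed upstream name
    }
}
```

After reloading, a quick check is to request the blocked path with curl -i and confirm that the response carries Content-Type: text/html, that the Server header shows no version, and that the body contains none of the product names the report mentions.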
