WordPress WooCommerce checkout on mobile devices, rule exclusions not working, not identified
Danrancan opened this issue · 2 comments
I am running a LEMP server on a Raspberry Pi 4.
I am working on a WordPress WooCommerce website at https://www.mcmo.is. Currently on iOS using Safari or Google Chrome, it is mostly working, except that I can't get past the WooCommerce checkout with ModSecurity enabled. When trying to check out an item, the payment method options are greyed out (see the photos beneath).
The error particularly happens when on the page https://www.mcmo.is/checkout/, while you have items in your shopping cart.
Here is my Modsec_audit.log, and my Modsec_Debug.log Part1, Part2, Part3, Part4, and Part5.
In my REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf file I have the following rule exclusions:
# Exclusions for requests to the site root (exact match on REQUEST_URI)
SecRule REQUEST_URI "@streq /" \
    "id:1060,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=920230,\
    ctl:ruleRemoveById=942430,\
    ctl:ruleRemoveById=949110"

# Exclusions for the PageSpeed beacon request
# referer: https://www.mcmo.is/checkout/
SecRule REQUEST_URI "@streq /ngx_pagespeed_beacon" \
    "id:1061,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=942200,\
    ctl:ruleRemoveById=942260,\
    ctl:ruleRemoveById=942340,\
    ctl:ruleRemoveById=942370,\
    ctl:ruleRemoveById=942430,\
    ctl:ruleRemoveById=949110"
but these exclusions still don't unblock the credit checkout area on my website.
I have been racking my brains on this one, going over different rule exclusions over and over, but just can't seem to figure out how to unblock the WooCommerce checkout page. Could someone take a look at my log files and tell me exactly which rules I should be excluding, and how exactly I can exclude them? It seems something in ModSecurity's custom rules isn't working. Any help is highly appreciated!
Hello @Danrancan ,
I haven't examined all of the data that you have supplied, but an example of what stood out to me is that:
- Modsec_Audit_4 shows rule 942200 being matched
- It looks like you are attempting to exclude that rule with your custom rule 1061 as posted above
- However, that exclusion will only happen if REQUEST_URI "@streq /ngx_pagespeed_beacon"
- The same Modsec_Audit_4 file, in part B, shows the URL as /ngx_pagespeed_beacon?url=https%3A%2F%2Fwww.mcmo.is%2Fcheckout%2F
- Note that REQUEST_URI includes the query arguments, which means the exclusion won't happen in this case (your operator streq is trying to perform an exact string match)
If that is the case, and you were intending for the rule to be removed when the filename is /ngx_pagespeed_beacon, then you should try changing the rule; REQUEST_FILENAME might be a better choice for you.
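The change suggested in the reply above, written out as an added example (not code from the issue or from CRS): rule 1061 keyed on REQUEST_FILENAME, plus a narrower variant that assumes the 942xxx matches were on the url query argument and uses the hypothetical id 1062.

```apache
# Added example, not from the original issue. Goes in
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf in place of rule 1061.
#
# REQUEST_FILENAME holds only the path (/ngx_pagespeed_beacon), while
# REQUEST_URI also carries the query string, so an exact "@streq"
# comparison against REQUEST_URI can never match the beacon request
# seen in the audit log (/ngx_pagespeed_beacon?url=...).
SecRule REQUEST_FILENAME "@streq /ngx_pagespeed_beacon" \
    "id:1061,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=942200,\
    ctl:ruleRemoveById=942260,\
    ctl:ruleRemoveById=942340,\
    ctl:ruleRemoveById=942370,\
    ctl:ruleRemoveById=942430"

# Narrower alternative (use either 1061 or 1062, not both; id 1062 is
# assumed). Assumption: the 942xxx hits were on the "url" argument,
# which carries an encoded URL. Removing only ARGS:url from each rule's
# target list keeps those SQLi rules active for every other argument
# of the beacon request instead of disabling them outright.
SecRule REQUEST_FILENAME "@streq /ngx_pagespeed_beacon" \
    "id:1062,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=942200;ARGS:url,\
    ctl:ruleRemoveTargetById=942260;ARGS:url,\
    ctl:ruleRemoveTargetById=942340;ARGS:url,\
    ctl:ruleRemoveTargetById=942370;ARGS:url,\
    ctl:ruleRemoveTargetById=942430;ARGS:url"

# 949110 is the CRS anomaly-score blocking rule; removing it turns off
# blocking for the whole request, so neither rule above excludes it.
```

Once the rule is in place, the audit log for the beacon request should no longer list the 942xxx matches, and the request should stop contributing to the anomaly score.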
Anything further on this?