Security researcher shows how to completely bypass the ModSecurity 3 web application firewall

A cybersecurity report claims that ModSecurity 3 web application firewall (WAF) installations can be bypassed by threat actors with a relatively simple method. According to the report, the flaw only affects this version of ModSecurity, so ModSecurity 2, the previous version, is not affected.

This is a risk that security researchers should take into account. According to Ervin Hegedüs, the expert who found the problem, the issue was reported more than three months ago and the necessary updates have still not been released, so he decided to publish his findings so that the cybersecurity community could begin raising awareness.

Still, Trustwave, the developer of ModSecurity, denied that this is a vulnerability, describing the problem instead as a risk inherent in a specific advanced configuration.

ModSecurity is a popular open source WAF solution that works by applying preset rules. Administrators can write their own custom rules or deploy existing rule libraries, such as the OWASP ModSecurity Core Rule Set (CRS).

Christian Folini, co-director of the CRS project, said: “If you run CRS or one of the known commercial ModSecurity rule sets and disable Request Body Access for WAF, then you have configured a full WAF bypass. This is because bypassing access to the request body is implemented as skipping the body phase of a rule processing request in ModSecurity 3.”

As mentioned above, ModSecurity is maintained by the security company Trustwave. In response to multiple requests for information, Trustwave issued a statement saying that this is not a security flaw, but that the problem arises from the way an advanced setting is activated: “This setting can be used to disable a significant portion of the ModSecurity workflow and should only be used by experienced users, as indicated in the documentation.”

However, Folini defends his position by pointing out that it is difficult to establish a defense mechanism against exploitation of this flaw: “ModSecurity developers have not released any solution to correct this problem, despite having received a full report on it since December 2,” he says.

On the other hand, Folini also acknowledges that fewer than 20% of ModSecurity installations worldwide run with this vulnerable setting enabled: “Administrators can disable access to the request body for performance reasons in some cases (exchange security for performance, maintaining some security), or only be interested in certain types of rules.”
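As an added illustration of the configuration condition Folini describes (this is not code from the article, from Trustwave or from the CRS project), the following Python script audits ModSecurity configuration text for the effective SecRequestBodyAccess value, following Include directives in order so that a later directive in an included file overrides an earlier one. The file paths and contents are constructed samples.

```python
import re
# Constructed sample config files keyed by hypothetical path (not real deployments).
SAMPLE_CONFIGS = {
    "/etc/modsecurity/modsecurity.conf": (
        "SecRuleEngine On\n"
        "# body inspection switched off for performance by an earlier admin\n"
        "SecRequestBodyAccess Off\n"
        "Include /etc/modsecurity/crs-setup.conf\n"
    ),
    "/etc/modsecurity/crs-setup.conf": 'SecDefaultAction "phase:2,log,auditlog,pass"\n',
    "/etc/modsecurity/drifted.conf": (
        "SecRequestBodyAccess On\n"
        "Include /etc/modsecurity/perf-tuning.conf\n"   # included file overrides the On above
    ),
    "/etc/modsecurity/perf-tuning.conf": "SecRequestBodyAccess Off\n",
    "/etc/modsecurity/hardened.conf": "SecRuleEngine On\nSecRequestBodyAccess On\n",
}

# Only the two directives the audit cares about; ModSecurity directive names are case-insensitive.
DIRECTIVE = re.compile(r"^\s*(SecRequestBodyAccess|Include)\s+(\S+)", re.IGNORECASE)

def resolve_body_access(path, files, seen=None):
    """Effective SecRequestBodyAccess ('on'/'off') after reading `path` and every
    Include'd file in order, or None if the directive never appears. The last
    directive processed wins. Simplifications: no wildcard Includes, '#' starts a comment."""
    seen = set() if seen is None else seen
    if path in seen or path not in files:   # unknown file or include loop
        return None
    seen.add(path)
    effective = None
    for raw in files[path].splitlines():
        m = DIRECTIVE.match(raw.split("#", 1)[0])
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2).strip('"')
        if name == "include":
            nested = resolve_body_access(value, files, seen)
            if nested is not None:
                effective = nested
        else:
            effective = value.lower()
    return effective

def audit(path, files):
    """'bypass' when body inspection is off (ModSecurity 3 then skips the request body
    phase, so phase-2 rules such as CRS never run), 'ok' when on, 'unset' when absent."""
    value = resolve_body_access(path, files)
    if value is None:
        return "unset"
    return "ok" if value == "on" else "bypass"
```

Run `audit` over each top-level configuration your ModSecurity 3 engine loads; an 'unset' result means the engine default applies and the directive should be made explicit.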