WAF for Synology DSM

Hello,

I've enabled WAF for Synology DSM. I have mixed success.

At first I was getting blocked due to cookie signature checks, and I've bypassed that through an exception. Now I'm able to access Synology Note web application, but I cannot access the main DSM page. 

Seems like the 403 error generated by the WAF is the following:
 
ModSecurity: Access denied with code 403 (phase 4). Pattern match "(.*)" at TX:981000-OWASP_CRS/MALICIOUS_IFRAME-RESPONSE_BODY. [file "/usr/apache/conf/waf/modsecurity_crs_outbound_blocking.conf"] [line "24"] [id "981200"] [msg "Outbound Anomaly Score Exceeded (score 7): Last Matched Message: Possibly malicious iframe tag in output"] [data "Last Matched Data: 


What do I need to check to bypass that?

I'm also getting warnings like the ones below, but I guess they're not critical (just warnings) and not blocking the access (I removed the hostname):

ModSecurity: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "40"] [id "981205"] [msg "Outbound Anomaly Score Exceeded (score 7): Possibly malicious iframe tag in output"] [hostname "removed"] [uri "/webman/index.cgi"] [unique_id "VCy1nMCoAQEAAHhaEZkAAABC"]
ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "removed"] [uri "/webapi/_______________________________________________________entry.cgi"] [unique_id "VCy2ksCoAQEAAHhaEZoAAABD"]
Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_anomalies.conf"] [line "66"] [id "960009"] [rev "1"] [msg "Request Missing a User Agent Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "removed"] [uri "/webapi/_______________________________________________________entry.cgi"] [unique_id "VCy2ksCoAQEAAHhaEZoAAABD"]
Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 4, SQLi=, XSS=): Request Missing a User Agent Header"] [hostname "removed"] [uri "/webapi/_______________________________________________________entry.cgi"] [unique_id "VCy2ksCoAQEAAHhaEZoAAABD"]


Thanks!
Dmitri


  • Here are the IDs:

    960015
    973347
    960024
    981173
    981257
    981245
    981246
    981243
    981176
    981204
    981000
    981001
    981200
    981205
    981318
    981203
    960009
    981247

    But I'm sure this will depend on your version and apps you're using on the Synology. Use Live log to see what's happening. 

    -Dmitri
  • Hi,

    you should not skip the following rules. They are used for internal correlation and the actual blocking.


    • 981176
    • 981204
    • 981200
    • 981205
    • 981203


    In general, do NOT skip internal rules. These are located in

    • modsecurity_crs_common_exception.conf
    • modsecurity_crs_inbound_blocking.conf
    • modsecurity_crs_outbound_blocking.conf
    • modsecurity_crs_correlation.conf


    Regards,
     Sabine
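    A small check that puts the two replies together, added here as an example and not code from the thread or from the WAF vendor: it parses ModSecurity 2.x error-log lines like the ones quoted above into rule id, CRS file, message and the detection rule whose TX variable was matched, reads the anomaly score out of the correlation messages, and tests a planned skip list against the internal rule IDs and files named in the reply above. The constant and function names, the sample lines (the log output quoted earlier, trimmed after the [msg] tag) and the skip list (the IDs posted earlier) are assumptions of the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Rule IDs that the reply above says must never be excluded: in CRS 2.x they
# do the anomaly-score correlation and make the actual blocking decision.
INTERNAL_RULE_IDS = {"981176", "981204", "981200", "981205", "981203"}

# CRS files that hold such internal rules (also from the reply above).
INTERNAL_RULE_FILES = {
    "modsecurity_crs_common_exception.conf",
    "modsecurity_crs_inbound_blocking.conf",
    "modsecurity_crs_outbound_blocking.conf",
    "modsecurity_crs_correlation.conf",
}

# Sample input: the log lines quoted in the thread, trimmed after the [msg] tag.
SAMPLE_LOG = """\
ModSecurity: Access denied with code 403 (phase 4). Pattern match "(.*)" at TX:981000-OWASP_CRS/MALICIOUS_IFRAME-RESPONSE_BODY. [file "/usr/apache/conf/waf/modsecurity_crs_outbound_blocking.conf"] [line "24"] [id "981200"] [msg "Outbound Anomaly Score Exceeded (score 7): Last Matched Message: Possibly malicious iframe tag in output"]
ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/apache/conf/waf/modsecurity_crs_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"]
ModSecurity: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 4, SQLi=, XSS=): Request Missing a User Agent Header"]
"""

# The skip list posted earlier in the thread (assumed input for the check).
POSTED_SKIP_LIST = [
    "960015", "973347", "960024", "981173", "981257", "981245", "981246",
    "981243", "981176", "981204", "981000", "981001", "981200", "981205",
    "981318", "981203", "960009", "981247",
]

_TAG = re.compile(r'\[(\w+) "([^"]*)"\]')     # [key "value"] pairs in the log line
_SOURCE = re.compile(r"at TX:(\d+)-")          # TX:<id>-<tag> set by the detection rule
_SCORE = re.compile(r"[Ss]core:? (\d+)")       # "(score 7)" or "Total Inbound Score: 4"


@dataclass
class Event:
    action: str                 # "denied" or "warning"
    rule_id: str                # rule that wrote this line
    rule_file: str              # basename of the CRS file it lives in
    msg: str
    source_rule: Optional[str]  # detection rule whose TX variable was matched, if any


def parse_line(line: str) -> Optional[Event]:
    """Parse one ModSecurity 2.x error-log line; None if it carries no rule id."""
    if "ModSecurity:" not in line:
        return None
    tags = dict(_TAG.findall(line))
    if "id" not in tags:
        return None
    src = _SOURCE.search(line)
    return Event(
        action="denied" if "Access denied" in line else "warning",
        rule_id=tags["id"],
        rule_file=tags.get("file", "").rsplit("/", 1)[-1],
        msg=tags.get("msg", ""),
        source_rule=src.group(1) if src else None,
    )


def parse_log(text: str) -> list[Event]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def anomaly_score(event: Event) -> Optional[int]:
    """Anomaly score reported in a correlation/blocking message, if present."""
    m = _SCORE.search(event.msg)
    return int(m.group(1)) if m else None


def is_internal(event: Event) -> bool:
    """True for correlation/blocking rules, which must stay enabled."""
    return event.rule_id in INTERNAL_RULE_IDS or event.rule_file in INTERNAL_RULE_FILES


def exclusion_candidates(events: Iterable[Event]) -> list[str]:
    """Detection rules actually responsible for what the log shows.

    An internal rule only reports the score; the rule to review is the one
    that raised it (981000 for the iframe match above), never the reporter."""
    out: list[str] = []
    for e in events:
        cand = e.source_rule if is_internal(e) else e.rule_id
        if cand and cand not in out:
            out.append(cand)
    return out


def check_skip_list(ids: Iterable[str]) -> list[str]:
    """IDs in a planned skip list that are internal and must not be skipped."""
    return sorted(i for i in ids if i in INTERNAL_RULE_IDS)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        print(f"{e.action:8} id={e.rule_id} file={e.rule_file} "
              f"score={anomaly_score(e)} internal={is_internal(e)} source={e.source_rule}")
    print("review these detection rules:", exclusion_candidates(evs))
    print("do not skip:", check_skip_list(POSTED_SKIP_LIST))
```

    Run against the lines above, the 403 resolves to detection rule 981000 (the response-body iframe check) rather than to 981200, which only reports the outbound score of 7, and the posted skip list is flagged for exactly the five internal IDs named in the reply.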
    Hi, I've enabled those rules back. Did some basic tests and it looks like my apps still work. I'll continue to monitor and will report back any issues.

    Thanks for the heads up.