
ModSecurity 3 doesn't seem to be blocking anything sent through POST (like forms). The logs say:

ModSecurity: Access denied with code 200 (phase 2). detected XSS using libinjection. [file "/usr/local/coreruleset-3.3.0/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:text:

alert('XSS')"] [severity "2"] [ver "OWASP_CRS/3.3.0"]

[maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "fullserver.ru"] [uri "/support/ticket.php"] [unique_id "1630221362"] [ref "v1106,29t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]

But the request is being sent straight into the database and added there.

GET requests like that are momentarily blocked in the browser with 403.

I tried setting

SecDefaultAction "phase:1,log,auditlog,deny,status:403"

SecDefaultAction "phase:2,log,auditlog,deny,status:403"

But no luck there, nothing changed.

I don't know what to do, can anyone help?

Dosyk

1 Answer


Try searching your configuration for other SecDefaultAction directives and be sure there is none with 'status:200'. Also be sure you are not running ModSecurity in DetectionOnly mode (see modsecurity.conf).

azurit
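
The two checks suggested in the answer above, as an added example (not part of the original answer and not ModSecurity's own tooling): a Python scan of configuration text that reports every SecRuleEngine value other than On and every SecDefaultAction whose status is not a 4xx/5xx code. The sample configuration and the function names are constructed for illustration; pass your real configuration files as arguments.

```python
import re
import sys

# Constructed sample (not the asker's real configuration): modsecurity.conf
# content followed by a later-loaded file that re-declares the phase 2 default.
SAMPLE_CONF = r'''
# SecDefaultAction "phase:2,deny,status:200"   (commented out, ignored)
SecRuleEngine DetectionOnly
SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,\
    deny,status:200"
'''

def logical_lines(text):
    """Yield (first_line_no, directive), joining backslash continuations."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue  # blank line or comment outside a continued directive
        if not buf:
            start = no
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield start, buf + line
        buf = ""

def audit(text):
    """Return [(line_no, message)] for the two settings the answer names."""
    findings = []
    for no, line in logical_lines(text):
        m = re.match(r'SecRuleEngine\s+(\S+)', line, re.I)
        if m and m.group(1).lower() != "on":
            findings.append((no, f"SecRuleEngine {m.group(1)}: engine is not in blocking mode"))
        m = re.match(r'SecDefaultAction\s+"([^"]*)"', line, re.I)
        if m:
            # Split "phase:2,log,deny,status:403" into {"phase": "2", "log": "", ...}
            acts = dict((a.strip().split(":", 1) + [""])[:2] for a in m.group(1).split(","))
            status = acts.get("status", "")
            if status and not status.startswith(("4", "5")):
                findings.append((no, f"phase {acts.get('phase', '?')} default action uses status:{status}"))
    return findings

if __name__ == "__main__":
    # Usage: script.py modsecurity.conf crs-setup.conf ... (no arguments: sample)
    texts = [open(p).read() for p in sys.argv[1:]] or [SAMPLE_CONF]
    for text in texts:
        for no, msg in audit(text):
            print(f"line {no}: {msg}")
```

Line numbers are reported per file, so run it over every file your main configuration includes.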