Thayyile kandy, Subin : CSO GIS
2017-05-09 16:27:30 UTC
Hello
I'm having some issues with some of my requests being blocked based on extension. I do not have .php or .html on my restricted extensions list.
Has anyone come across this before?
This happens when I run in detection mode by default and turn on blocking using
SecRuleUpdateActionById 920440 "deny,ctl:ruleEngine=On"
http://localhost /forms.php (works fine)
http://localhost /forms.php? (blocked by : [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".php"] )
http://localhost /forms.php?id=0 (blocked by : [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".php"] )
http://localhost /forms.html (works fine)
http://localhost /forms.html? (blocked by : [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".html"] )
http://localhost /forms.html?id=0 (blocked by : [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".html"] )
debug logs
-------------
[08/May/2017:11:27:18 --0500]
[localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Recipe: Invoking rule b6536900; [file "/etc/modsecurity/modsecurity/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"]
[line "1031"] [id "920430"] [rev "2"].
[08/May/2017:11:27:18 --0500]
[localhost/sid#b6968228][rid#b69c8058][/forms.php][5] Rule b6536900:
SecRule "REQUEST_PROTOCOL" "!@within %{tx.allowed_http_versions}"
"phase:request,nolog,auditlog,t:none,block,msg:'HTTP protocol version is not allowed by policy',severity:CRITICAL,rev:2,ver:OWASP_CRS/3.0.0,maturity:9,accuracy:9,id:920430,tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-protocol,tag:OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A6,tag:PCI/6.5.10,logdata:%{matched_var},setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
[08/May/2017:11:27:18 --0500]
[localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Transformation completed in 0 usec.
[08/May/2017:11:27:18 --0500]
[localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Executing operator "!within" with param "%{tx.allowed_http_versions}" against REQUEST_PROTOCOL.
[08/May/2017:11:27:18 --0500]
[localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Target value: "HTTP/1.1"
[08/May/2017:11:27:18 --0500]
[localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Resolved macro %{tx.allowed_http_versions} to: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
[08/May/2017:11:27:18 --0500]
[localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Operator completed in 6 usec.
[08/May/2017:11:27:18 --0500]
[localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Rule returned 0.
[08/May/2017:11:27:18 --0500]
[localhost/sid#b6968228][rid#b69c8058][/forms.php][9] No match, not chained -> mode NEXT_RULE.
[08/May/2017:11:27:18 --0500]
[localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Recipe: Invoking rule b652be08; [file "/etc/modsecurity/modsecurity/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"]
[line "1058"] [id "920440"] [rev "2"].
[08/May/2017:11:27:18 --0500]
[localhost/sid#b6968228][rid#b69c8058][/forms.php][5] Rule b652be08: SecRule "REQUEST_BASENAME" "@rx \\.(.*)$" "phase:request,nolog,auditlog,chain,capture,t:none,t:urlDecodeUni,t:lowercase,msg:'URL
file extension is restricted by policy',severity:CRITICAL,rev:2,ver:OWASP_CRS/3.0.0,maturity:9,accuracy:9,id:920440,logdata:%{TX.0},tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-protocol,tag:OWASP_CRS/POLICY/EXT_RESTRICTED,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,setvar:tx.extension=.%{tx.1}/,deny,ctl:ruleEngine=On"
[08/May/2017:11:27:18 --0500]
[localhost/sid#b6968228][rid#b69c8058][/forms.php][9] T (0) urlDecodeUni: "forms.php"
[08/May/2017:11:27:18 --0500]
[localhost/sid#b6968228][rid#b69c8058][/forms.php][9] T (0) lowercase: "forms.php"
[08/May/2017:11:27:18 --0500]
[localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Transformation completed in 12 usec.
[08/May/2017:11:27:18 --0500]
[localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Executing operator "rx" with param "\\.(.*)$" against REQUEST_BASENAME.
[08/May/2017:11:27:18 --0500]
[localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Target value: "forms.php"
[08/May/2017:11:27:18 --0500]
[localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Added regex subexpression to TX.0: .php
[08/May/2017:11:27:18 --0500]
[localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Added regex subexpression to TX.1: php
[08/May/2017:11:27:18 --0500]
[localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Operator completed in 11 usec.
[08/May/2017:11:27:18 --0500]
[localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Setting variable: tx.extension=.%{tx.1}/
[08/May/2017:11:27:18 --0500]
[localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Resolved macro %{tx.1} to: php
[08/May/2017:11:27:18 --0500]
[localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Set variable "tx.extension" to ".php/".
[08/May/2017:11:27:18 --0500]
[localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Ctl: Set ruleEngine to On.
[08/May/2017:11:27:18 --0500]
[localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Rule returned 1.
[08/May/2017:11:27:18 --0500]
[localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Match, intercepted -> returning.
[08/May/2017:11:27:18 --0500]
[localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Resolved macro %{TX.0} to: .php
[08/May/2017:11:27:18 --0500]
[localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Resolved macro %{TX.0} to: .php
[08/May/2017:11:27:18 --0500]
[localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Access denied with code 403 (phase 2). Pattern match "\\.(.*)$" at REQUEST_BASENAME.
[file "/etc/modsecurity/modsecurity/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"]
[line "1058"] [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".php"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
audit logs
------------
--54296d51-A--
[08/May/2017:11:28:14 --0500] WRCcnn8AAQEAAAt0ypkAAAAE 127.0.0.1 36183
127.0.0.1 80
--54296d51-B--
GET /forms.html? HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
--54296d51-F--
HTTP/1.1 403 Forbidden
Content-Length: 286
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
--54296d51-H--
Message: Access denied with code 403 (phase 2). [file "/etc/modsecurity/modsecurity/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"]
[line "1058"] [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".html"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Action: Intercepted (phase 2)
Stopwatch: 1494260894110924 11283 (- - -)
Stopwatch2: 1494260894110924 11283; combined=6030, p1=2122, p2=3429, p3=0, p4=0, p5=479, sr=14, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
Server: Apache/2.4.7 (Ubuntu)
Engine-Mode: "ENABLED"
--54296d51-Z--
audit log when in detection mode (please note this is in case of an extension that is in the list)
--8092f761-A--
[09/May/2017:13:39:38 +0000] WRHGmawSZJUAADb7nuwAAAHN 40.77.167.66 54957 10.176.10.21 4464
--8092f761-B--
GET /activate.com?domainCPC=HCL&legacy=true HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
--8092f761-F--
HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Connection: Keep-Alive
Transfer-Encoding: chunked
--8092f761-H--
Message: String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/etc/modsecurity/modsecurity/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1058"] [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".com"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Apache-Handler: proxy-server
Stopwatch: 1494337177995510 28864 (- - -)
Stopwatch2: 1494337177995510 28864; combined=1228, p1=291, p2=865, p3=1, p4=2, p5=69, sr=32, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
Server: Apache
Engine-Mode: "DETECTION_ONLY"
--8092f761-Z--
Thanks
Subin
Barclaycard
www.barclaycardus.com
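The logs above report the 920440 match at two different operators: the blocking-mode entries stop at the `@rx` pattern match on REQUEST_BASENAME, while the detection-mode entry reports the `@within` match at TX:extension. The following Python emulation is an added example, not part of the original post and not CRS or ModSecurity code; it replays both chain links with the regex, `setvar` and restricted list shown in those logs, so each request URI can be checked against what a completed chain would decide. The function names are hypothetical, and `unquote` is only an approximation of `t:urlDecodeUni`.

```python
import re
from urllib.parse import urlsplit, unquote

# Restricted list copied from the "String match within" audit entry above.
RESTRICTED_EXTENSIONS = (
    ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ "
    ".com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ "
    ".htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ "
    ".old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ "
    ".vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/"
)

# First chain link as shown in the debug log: @rx \.(.*)$ on REQUEST_BASENAME.
EXT_RX = re.compile(r"\.(.*)$")

def request_basename(uri):
    """Last path segment, without the query string, decoded and lowercased."""
    path = urlsplit(uri).path
    base = path.rsplit("/", 1)[-1]
    # Assumption: unquote() stands in for t:urlDecodeUni; lower() for t:lowercase.
    return unquote(base).lower()

def evaluate_920440(uri):
    """Replay both links of the chain and report where each one lands."""
    base = request_basename(uri)
    m = EXT_RX.search(base)
    if m is None:
        return {"basename": base, "first_link": False,
                "tx_extension": None, "chain_match": False}
    # setvar:tx.extension=.%{tx.1}/  (capture group 1 wrapped in "." and "/")
    tx_extension = "." + m.group(1) + "/"
    # Second link: @within is a substring test of TX:extension in the list.
    within = tx_extension in RESTRICTED_EXTENSIONS
    return {"basename": base, "first_link": True,
            "tx_extension": tx_extension, "chain_match": within}

# Request URIs taken from the post and its audit logs.
SAMPLE_URIS = [
    "/forms.php",
    "/forms.php?",
    "/forms.php?id=0",
    "/forms.html?",
    "/activate.com?domainCPC=HCL&legacy=true",
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        r = evaluate_920440(uri)
        print(f"{uri:45} first_link={r['first_link']!s:5} "
              f"tx.extension={r['tx_extension']!s:8} chain_match={r['chain_match']}")
```

Every `forms.*` URI satisfies the first link but not the second, so a denial logged with `[data ".php"]` corresponds to the `@rx` step alone; only `/activate.com` matches the full chain.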