I have simple HTML POST form with text input which is triggering modsecurity deny rule remote file inclusion for following input:
https://wa.me/111111111?text=Olá Katarina, tudo bem?
The end question mark is problematic. If I delete it – it’s not blocked. Basically if the input ends with question mark – is denied. If I add space it will pass.
It’s a shared webhosting.
What can I do? Can I do something with headers to prevent being blocked by firewall? (The only thing I have in my mind is to use double URL encoding.
ModSecurity: Access denied with code 429 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs-new/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs-new/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=5,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [ver "OWASP_CRS/3.3.2"] [tag "event-correlation"]
<!DOCTYPE html>
<html>
<head>
<title>My Form</title>
</head>
<body>
<form action="test2.php" method="post">
<input type="text" name="my_text">
<input type="submit" value="Submit">
</form>
</body>
</html>