Information disclosure - statuscode response containing WAF type

[erikvdijk]

The response status code of a blocked request contains the text: "ModSecurity Action"
This way an attacker could find for specific security holes in this product.

It would be great if this text could be changed by parameter, or not send at all.

Code:
https://github.com/SpiderLabs/ModSecurity/blob/v2/master/iis/mymodule.cpp#L670

(this is my first bug report, sorry for any possible missing information)

[zimmerle]

Hi @erikvdijk,

Thank you for the report. This issue was placed in triage.

[gstanchev]

Hi, any news on resolution?

[zimmerle]

Hi @gstanchev,

Not really. Latests release for IIS was - v2.9.3

[martinhsv]

This is not ideal behaviour. As the OP notes, intentionally giving away which WAF is protecting a site can give a malicious actor an advantage.

The two most obvious approaches here are:

1. Make the reason-phrase on the status line empty.

The relevant RFC (https://www.rfc-editor.org/rfc/rfc7230#section-3.1.2) notes that it can be empty ("a possibly empty textual phrase describing the status code"). This is probably better than the status quo.

On the other hand it might not be that much better than the status quo. Since IIS appears to normally populate the reason-phrase, leaving it empty could be enough to give a malicious actor a clue.

2. Populate the reason-phrase on the status-line with the standard text(s)

This is reasonable, but I'd prefer to be able to set these using the Native API. Unfortunately, I cannot find anything in the documentation that would allow retrieval of IIS's normal status-phrase using the 3-digit status. If anyone knows how to do this and would like to share, it would be appreciated.

The alternative is to duplicate those phrases directly in ModSecurity's IIS code. If we only had to concern ourselves with 400 and 403 that might be reasonable. But since we support more flexibility than that, this approach becomes increasingly unappetizing.