Hello! I am trying to use Discourse under WAF and I am getting 403 on only message bus post requests. I understand this isn’t a Discourse specific problem but I have tried many things in the last day and I can’t understand why would I get 403 request on specifically message bus. Any guesses/ideas would be appreciated! Thank you.
Error messages:
Okay I solved the problem! I am going to write it here. Maybe by some chance somebody will have the same problem in the future:
I was using BunkerWeb and it uses Modsecurity in one of their backend applications. Appearently that modsecurity core-set rule take message bus post request as an sql injection attack.
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:(?:^[\W\d]+\s*?(?:(?:alter\s*(?:a(?:(?:pplication\s*rol|ggregat)e|s(?:ymmetric\s*ke|sembl)y|u(?:thorization|dit)|vailability\s*group)|c(?:r(?:yptographic\s*provider|edential)|o(?:l(?:latio|um)|nve (1040 characters omitted)' against variable `ARGS_NAMES:/delete' (Value: `/delete' ) [file "/usr/share/bunkerweb/core/modsecurity/files/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "426"] [id "942360"] [rev ""] [msg "Detects concatenated basic SQL injection and SQLLFI attempts"] [data "Matched Data: /delete found within ARGS_NAMES:/delete: /delete"] [severity "2"] [ver "OWASP_CRS/3.3.4"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"]
I have added a exclusion to ModSec rules like this
SecAction "id:10000,phase:1,nolog,pass,t:none,ctl:ruleRemoveById=942360
And the problem is solved! I know this probably won’t help most of you but as I said maybe it’ll help someone. Cheers!
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.