- Forum
- Main Forum
- English Section
- Server Security
- Fix ModSecurity 403 Forbidden False Positive Caused by Cookies on CWP / Apache /
×
Presentation and instructions about security tools used to prevent server hacking. Feel free to use them or ask us to protect your site hosting it to a safe, daily monitored vps senter. Freespirits will ensure great quality of services.
Fix ModSecurity 403 Forbidden False Positive Caused by Cookies on CWP / Apache /
- infogate
-
Συντάκτης θέματος
- Αποσυνδεμένος
- Administrator
-
- Imagination is the beginning of creation
2 Εβδομάδες 1 Ημέρα πριν #342
από infogate
The best possible way to start your online marketing : fspirits.com/go/leadsleap-home
Explode Your Web Site Traffice: fspirits.com/go/sparktraffic
Start your affiliate journey here: fspirits.com/go/olsp-academy
Best Solution To Create Videos: fspirits.com/go/create-studio-pro
Best Solution To Create Graphics: fspirits.com/go/clickdesigns
Smart Chat Automation: fspirits.com/go/chatterpal
Multi-Purpose Video Maker: fspirits.com/go/avatar-builder
Multi-Purpose Video Creator: fspirits.com/go/video-creator
AI Human Spokesperson Videos: fspirits.com/go/humanpal
Fix ModSecurity 403 Forbidden False Positive Caused by Cookies on CWP / Apache / δημιουργήθηκε από infogate
Problem
After enabling ModSecurity for a domain, the website may suddenly show:
This can happen even when the website itself is clean and working correctly.
In my case, the issue appeared on a WordPress / WooCommerce website after enabling ModSecurity with COMODO WAF rules on a CWP server.
The Apache error log showed something like this:
The important parts are:
In this case, ModSecurity was not blocking a real attack. It was falsely detecting a normal tracking/marketing cookie as a SQL injection attack.
The cookie was:
This cookie is commonly created by Sourcebuster or marketing/tracking plugins used by WordPress and WooCommerce websites.
Important
Do not disable ModSecurity completely.
Also, do not disable all SQL injection protection rules globally.
The correct solution is to exclude only the specific safe cookie from the specific ModSecurity rule that is causing the false positive.
Step 1: Find the exact ModSecurity rule ID
Run:
Replace:
with the real domain.
Look for:
and also check what variable was blocked, for example:
Example
If the log says:
then the rule ID is:
and the problematic cookie is:
Step 2: Add a safe ModSecurity exclusion
On CWP with COMODO WAF, create a custom rule file:
Add:
This does not disable rule 218500.
It only tells ModSecurity not to inspect these specific harmless cookies with that rule.
Step 3: Test Apache configuration
On some CWP servers, apachectl may not exist in PATH.
Use:
If the syntax is OK, restart Apache:
Step 4: Test the website
Clear browser cookies for the domain or open the site in an incognito/private browser window.
Then watch the log live:
Refresh the website.
If the fix worked, you should no longer see new errors like:
General rule for any domain
The same method can be used for any false positive.
You only need to replace:
with the actual ModSecurity rule ID from your logs.
And replace:
with the exact variable that was falsely blocked.
Example format:
or:
Do not whitelist blindly
Some ModSecurity blocks are real attacks.
For example, this is a real scan and should stay blocked:
Requests for files like:
are hostile scans and should remain blocked.
Summary
If enabling ModSecurity causes a normal website to show 403 Forbidden:
1. Check the Apache or ModSecurity logs.
2. Find the exact rule ID.
3. Find the exact cookie, argument, or request variable being blocked.
4. Exclude only that specific variable from that specific rule.
5. Do not disable ModSecurity completely.
6. Do not disable important rules globally unless absolutely necessary.
This keeps the website usable while preserving ModSecurity protection.
After enabling ModSecurity for a domain, the website may suddenly show:
Forbidden
You don't have permission to access this resource.This can happen even when the website itself is clean and working correctly.
In my case, the issue appeared on a WordPress / WooCommerce website after enabling ModSecurity with COMODO WAF rules on a CWP server.
The Apache error log showed something like this:
ModSecurity: Access denied with code 403 (phase 2).
Pattern match ... at REQUEST_COOKIES:sbjs_first.
[file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"]
[id "218500"]
[msg "COMODO WAF: SQLmap attack detected"]
[hostname "example.com"]
[uri "/"]The important parts are:
id "218500"
REQUEST_COOKIES:sbjs_first
COMODO WAF: SQLmap attack detectedIn this case, ModSecurity was not blocking a real attack. It was falsely detecting a normal tracking/marketing cookie as a SQL injection attack.
The cookie was:
sbjs_firstThis cookie is commonly created by Sourcebuster or marketing/tracking plugins used by WordPress and WooCommerce websites.
Important
Do not disable ModSecurity completely.
Also, do not disable all SQL injection protection rules globally.
The correct solution is to exclude only the specific safe cookie from the specific ModSecurity rule that is causing the false positive.
Step 1: Find the exact ModSecurity rule ID
Run:
grep -Rhi "ModSecurity: Access denied"
/usr/local/apache/domlogs/example.com.error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/modsec_audit.log
/var/log/httpd/* 2>/dev/null | tail -30Replace:
example.comwith the real domain.
Look for:
[id "RULE_ID"]and also check what variable was blocked, for example:
REQUEST_COOKIES:sbjs_first
REQUEST_URI
ARGS
REQUEST_HEADERSExample
If the log says:
[id "218500"]
at REQUEST_COOKIES:sbjs_firstthen the rule ID is:
218500and the problematic cookie is:
sbjs_firstStep 2: Add a safe ModSecurity exclusion
On CWP with COMODO WAF, create a custom rule file:
nano /usr/local/apache/modsecurity-cwaf/rules/99_custom_cookie_exclusions.confAdd:
# Fix false positive for Sourcebuster / WooCommerce sbjs_* cookies.
# Keeps the ModSecurity SQLi rule active, but excludes these safe cookies.
SecRuleUpdateTargetById 218500 "!REQUEST_COOKIES:sbjs_first"
SecRuleUpdateTargetById 218500 "!REQUEST_COOKIES:sbjs_current"
SecRuleUpdateTargetById 218500 "!REQUEST_COOKIES:sbjs_current_add"
SecRuleUpdateTargetById 218500 "!REQUEST_COOKIES:sbjs_first_add"
SecRuleUpdateTargetById 218500 "!REQUEST_COOKIES:sbjs_udata"
SecRuleUpdateTargetById 218500 "!REQUEST_COOKIES:sbjs_session"This does not disable rule 218500.
It only tells ModSecurity not to inspect these specific harmless cookies with that rule.
Step 3: Test Apache configuration
On some CWP servers, apachectl may not exist in PATH.
Use:
/usr/local/apache/bin/httpd -tIf the syntax is OK, restart Apache:
systemctl restart httpdStep 4: Test the website
Clear browser cookies for the domain or open the site in an incognito/private browser window.
Then watch the log live:
tail -n0 -f /usr/local/apache/domlogs/example.com.error.log /usr/local/apache/logs/error_logRefresh the website.
If the fix worked, you should no longer see new errors like:
id "218500"
REQUEST_COOKIES:sbjs_first
Access denied with code 403General rule for any domain
The same method can be used for any false positive.
You only need to replace:
218500with the actual ModSecurity rule ID from your logs.
And replace:
REQUEST_COOKIES:sbjs_firstwith the exact variable that was falsely blocked.
Example format:
SecRuleUpdateTargetById RULE_ID "!REQUEST_COOKIES:COOKIE_NAME"or:
SecRuleUpdateTargetById RULE_ID "!ARGS:PARAMETER_NAME"Do not whitelist blindly
Some ModSecurity blocks are real attacks.
For example, this is a real scan and should stay blocked:
Matched phrase "/.env" at REQUEST_URI
[id "210492"]
[uri "/.env"]Requests for files like:
/.env
/.env.example
/wp-config.php.bak
/configuration.php.old
/database.sqlare hostile scans and should remain blocked.
Summary
If enabling ModSecurity causes a normal website to show 403 Forbidden:
1. Check the Apache or ModSecurity logs.
2. Find the exact rule ID.
3. Find the exact cookie, argument, or request variable being blocked.
4. Exclude only that specific variable from that specific rule.
5. Do not disable ModSecurity completely.
6. Do not disable important rules globally unless absolutely necessary.
This keeps the website usable while preserving ModSecurity protection.
The best possible way to start your online marketing : fspirits.com/go/leadsleap-home
Explode Your Web Site Traffice: fspirits.com/go/sparktraffic
Start your affiliate journey here: fspirits.com/go/olsp-academy
Best Solution To Create Videos: fspirits.com/go/create-studio-pro
Best Solution To Create Graphics: fspirits.com/go/clickdesigns
Smart Chat Automation: fspirits.com/go/chatterpal
Multi-Purpose Video Maker: fspirits.com/go/avatar-builder
Multi-Purpose Video Creator: fspirits.com/go/video-creator
AI Human Spokesperson Videos: fspirits.com/go/humanpal
Παρακαλούμε Σύνδεση ή Δημιουργία λογαριασμού για να συμμετάσχετε στη συζήτηση.
- Forum
- Main Forum
- English Section
- Server Security
- Fix ModSecurity 403 Forbidden False Positive Caused by Cookies on CWP / Apache /
Χρόνος δημιουργίας σελίδας: 0.072 δευτερόλεπτα