Common Questions About OWASP with OpenLiteSpeed

November 13th, 2023 by OpenLiteSpeed, Security, 1 Comment

OWASP with OpenLiteSpeed

Running into difficulty with mod_security? Our support team provided this short list of Frequently Asked Questions. We hope they will help you to be successful using the OWASP rule set to secure your OpenLiteSpeed server!

How do I set up OWASP with OpenLiteSpeed?

OWASP, the Open Web Application Security Project, maintains the Core Rule Set (CRS), a comprehensive collection of mod_security rules that protect your server. There are three ways to start using OWASP with OpenLiteSpeed (OLS). Choose the method that matches how your server was installed.

When your OLS is a cloud image, was installed using ols1clk, or was installed using the LiteSpeed repo, you can set up OWASP with the following command:

bash <( curl -k https://raw.githubusercontent.com/litespeedtech/ols1clk/master/ols1clk.sh ) --owasp-enable

If you’re using OLS with Docker, the image's built-in script enables OWASP for you: run bash bin/webadmin.sh --mod_secure enable inside the container.

If you have compiled OLS from source, follow the instructions in our Knowledge Base and install OWASP manually.

What if mod_security doesn’t exist?

If the /usr/local/lsws/modules/mod_security.so file doesn’t exist, you can either install it from the repository with the apt-get install ols-modsecurity -y command, or build it from source.

Is syntax causing my problem?

It’s common for configuration syntax to be an issue. Here are a few things to remember:

  • Even if Enable Module is set to Yes, you still need to set Modsecurity to ON.
  • When you add custom rules to the Modsecurity_rules block, be sure the whole block is enclosed in backticks (`).

How do I verify if OWASP works?

You can test the effectiveness of an OWASP rule by trying to break it. For example, try some Cross Site Scripting on your domain:

http://example.com/?user=<script>alert(123)</script>

If the OWASP rule is working correctly, the server will return a 403 code, and the following error message will be appended to the server error log:

[Module:mod_security] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/local/lsws/conf/owasp/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "38"] [id "941100"]

You can try other simple test cases, such as:

  • Classic SQL Injection:
    http://www.example.com/?Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'
  • Select Statement:
    http://www.example.com/?id=10 AND 1=2

For each test, verify that the appropriate error message was logged.

There is much more to OWASP testing than this, so consider taking a look at OWASP’s official testing guide for more ideas.
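As an added example that is not part of the original article, the following POSIX shell script replays the article's three test requests against a server you administer and checks both signals the article describes: the 403 response and the rule id in the error log. It assumes TARGET is your own host (the example.com placeholder must be replaced), that the OLS error log is at /usr/local/lsws/logs/error.log (set ERROR_LOG if your installation logs elsewhere), and that log lines carry the [id "NNNNNN"] field shown above. Counting hits before and after each probe stops an older log entry from satisfying the check; the probes only run when RUN_PROBES=1, so the log helpers can also be used on their own against an existing log.

```shell
#!/bin/sh
# Added example (not from the OpenLiteSpeed article): replay the article's
# test requests against a server you administer and confirm each one is
# blocked (HTTP 403) and logged by the CRS rule you expect.
# Assumptions: TARGET is your own host (placeholder below); ERROR_LOG is the
# OLS error log, /usr/local/lsws/logs/error.log on a default install.

TARGET="${TARGET:-http://example.com}"
ERROR_LOG="${ERROR_LOG:-/usr/local/lsws/logs/error.log}"

# Send one GET with a single query parameter (URL-encoded by curl, so the
# spaces and quotes in the SQL tests survive) and print the HTTP status.
# A connection failure prints 000.
probe_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
        -G --data-urlencode "$1" "$TARGET/" || :
}

# How many log lines carry the given rule id, e.g. [id "941100"].
count_rule() {
    grep -c "\[id \"$2\"\]" "$1" || true
}

# Summarise every rule id in the log as "<id> <hits>", one per line.
rule_hits() {
    sed -n 's/.*\[id "\([0-9]*\)"\].*/\1/p' "$1" | sort | uniq -c |
        awk '{ print $2, $1 }'
}

# One verification step: the probe must return 403 and the rule id must
# appear in the log more often than before the probe was sent.
check() {
    param="$1"; rule_id="$2"
    before=$(count_rule "$ERROR_LOG" "$rule_id")
    status=$(probe_status "$param")
    sleep 1   # give the server a moment to flush the log line
    after=$(count_rule "$ERROR_LOG" "$rule_id")
    if [ "$status" = 403 ] && [ "${after:-0}" -gt "${before:-0}" ]; then
        echo "PASS $status rule $rule_id: $param"
        return 0
    fi
    echo "FAIL $status rule $rule_id (hits before=$before after=$after): $param"
    return 1
}

# Probes only run when explicitly requested, so the log helpers above can be
# sourced and used on an existing log without touching the network.
if [ "${RUN_PROBES:-0}" = 1 ]; then
    # XSS test from the article; the article shows rule 941100 firing for it.
    check 'user=<script>alert(123)</script>' 941100
    # SQL injection tests from the article; the article gives no rule id for
    # these, so only the 403 is reported, then the log summary shows which
    # CRS rules logged the requests.
    echo "SQLi test 1 -> $(probe_status "Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'")"
    echo "SQLi test 2 -> $(probe_status 'id=10 AND 1=2')"
    sleep 1
    rule_hits "$ERROR_LOG"
fi
```

Run it as RUN_PROBES=1 TARGET=http://your-host ERROR_LOG=/path/to/error.log sh verify-owasp.sh; a PASS line for the XSS probe means both the 403 and the 941100 log entry were observed, and the final summary lists every rule id that fired during the run.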

What if I am seeing false positives?

If you are experiencing false positives, first make sure that you are using the most recent Core Rule Set version.

Then, if the false positives continue, you can raise an issue on the official Core Rule Set repo.

To keep a particular false positive from impacting access to your site, you might want to comment out the rule to keep it from firing.

For example, let’s say you have the following in your server’s error log, but it is a false positive:

[Module:mod_security] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/local/lsws/conf/owasp/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "38"] [id "941100"]

Edit the configuration file found at /usr/local/lsws/conf/owasp/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf and comment out every line of the 941100 rule, like so:

# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@detectXSS" \
    # "id:941100,\
    # phase:2,\
    # block,\
    # t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    # msg:'XSS Attack Detected via libinjection',\
    # logdata:'Matched Data: XSS data found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    # tag:'application-multi',\
    # tag:'language-multi',\
    # tag:'platform-multi',\
    # tag:'attack-xss',\
    # tag:'paranoia-level/1',\
    # tag:'OWASP_CRS',\
    # tag:'capec/1000/152/242',\
    # ctl:auditLogParts=+E,\
    # ver:'OWASP_CRS/3.3.5',\
    # severity:'CRITICAL',\
    # setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    # setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

Restart the server, and that rule will no longer fire.
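Commenting the rule out in the CRS file works, but the edit is lost the next time the rule set is updated, and it disables the rule for every request. As an added example that is not from the article or the CRS project, the two ModSecurity directives below achieve the same effect from your own configuration: SecRuleRemoveById drops the rule entirely, while SecRuleUpdateTargetById keeps it but stops it inspecting the one parameter that caused the false positive. Both directives must be loaded after the CRS rules, for example at the end of the Modsecurity_rules block, below the line that includes the rule set; the parameter name comment is a hypothetical placeholder.

```apache
# Added example, not the article's or the CRS project's configuration.
# Place these lines after the CRS rules are included (for example at the end
# of the Modsecurity_rules block); ModSecurity cannot modify rule 941100
# before it has been defined.

# Option 1: switch rule 941100 off completely. Same result as commenting it
# out in REQUEST-941-APPLICATION-ATTACK-XSS.conf, but survives a CRS update.
SecRuleRemoveById 941100

# Option 2 (narrower, use instead of option 1): keep the rule, but exclude the
# single request parameter that produced the false positive. "comment" is a
# hypothetical form field name; take the real one from the MATCHED_VAR_NAME
# value that the rule's logdata writes to your error log.
SecRuleUpdateTargetById 941100 "!ARGS:comment"
```

Pick one of the two options, restart the server as the article describes, and re-check the error log: option 2 leaves the rule active for every other parameter, so the rest of the site keeps its XSS protection.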

Conclusion

OpenLiteSpeed and OWASP are a powerful combination for securing your server. If you have a busy server, try the more performant, highly scalable proprietary mod_security engine that comes with LiteSpeed Enterprise Web Server.

Thank you to Eric Leu for providing most of the information in this article.
