
Redirect action does not work properly in IIS

Open oniric85 opened this issue 11 years ago • 5 comments

I'm using IIS 7.5 with ModSecurity 2.8.0. I've created a simple configuration file with only one rule:

SecRule ARGS "foo" "id:99999,pass,redirect:/"

These are the request headers I get when firing the rule:

HTTP/1.1 302 ModSecurity Action
Server: Microsoft-IIS/7.5
X-XSS-Protection: 1; mode=block
X-Frame-Options: sameorigin
Date: Tue, 27 May 2014 15:08:05 GMT
Content-Length: 0

X-XSS-Protection and X-Frame-Options are added by my IIS configuration. The problem is that the Location header is not present, so the redirect is not working.

oniric85 avatar May 27 '14 15:05 oniric85

A side note: why is ModSecurity changing HTTP status text? I think it should leave the default one.

oniric85 avatar May 27 '14 15:05 oniric85

Facing the same problem, any updates?

bedirhan avatar Dec 19 '14 20:12 bedirhan

Facing the same issue as well using ModSecurity in Azure Websites - Microsoft Support confirmed issue with ModSecurity as same rules worked fine in Apache.

mosoccer avatar Apr 29 '15 03:04 mosoccer

Issue still persists in version 2.9.0

ojasp avatar Nov 04 '15 23:11 ojasp

Easily fixed by the following workaround:

  1. Create a ModSecurity rule: SecRule REQUEST_URI "robots.txt" "id:400131,phase:1,log,msg:'Redirecting to URL',status:444,deny"

  2. Create a rule in IIS Manager. Click Sites > website > Error Pages > Right click and go to Add. Enter status code of 444 and click on 'Respond with a 302 redirect'. Enter the URL of the error page you wish to display.

  3. Create your custom error page at the URL you provided in the previous step.

  4. Restart the application pool of the website.

  5. Test!

NZUser01 avatar Jan 13 '21 02:01 NZUser01
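
A way to carry out the "Test!" step of the workaround above, added here as an example that is not part of the original thread or of ModSecurity: it checks that a response is a redirect a client can actually follow, which is what the 302 reported in this issue fails. The function names and the example.com URL are hypothetical, and `check_live` assumes plain HTTP on port 80.

```python
"""Added example: check that a ModSecurity/IIS redirect is usable by a client."""
import http.client
from email.parser import Parser

REDIRECT_CODES = (301, 302, 303, 307, 308)

def parse_head(raw):
    """Split a raw HTTP response head into (status, reason, headers)."""
    lines = raw.strip().splitlines()
    _version, status, *reason = lines[0].split(" ", 2)
    headers = Parser().parsestr("\n".join(lines[1:]), headersonly=True)
    return int(status), (reason[0] if reason else ""), headers

def redirect_problems(status, headers, expected_location=None):
    """Return the reasons this response is not a usable redirect (empty if fine)."""
    problems = []
    if status not in REDIRECT_CODES:
        problems.append(f"status {status} is not a redirect")
    location = headers.get("Location")  # header lookup is case-insensitive
    if not location:
        problems.append("no Location header")
    elif expected_location and location != expected_location:
        problems.append(f"Location is {location!r}, expected {expected_location!r}")
    return problems

def check_live(host, path, expected_location=None, port=80):
    """Request a path without following redirects and report any problems."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return redirect_problems(resp.status, resp.headers, expected_location)
    finally:
        conn.close()

# Response head quoted in the issue report above (302 without Location).
REPORTED = """HTTP/1.1 302 ModSecurity Action
Server: Microsoft-IIS/7.5
X-XSS-Protection: 1; mode=block
X-Frame-Options: sameorigin
Date: Tue, 27 May 2014 15:08:05 GMT
Content-Length: 0
"""

# Constructed sample of a working redirect; the URL is a placeholder.
CONSTRUCTED_OK = """HTTP/1.1 302 Found
Location: https://www.example.com/blocked.html
Content-Length: 0
"""
```

After step 4, `check_live("your-site-host", "/robots.txt", "<error page URL from step 2>")` should return an empty list; a `"status 444 is not a redirect"` entry means the IIS error-page mapping is not being applied.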