WAF Content filtering

What is the name of the domain?

example.com

What is the issue you’re encountering

Not being able to block injections at one form; an attacker is trying to inject code.

What steps have you taken to resolve the issue?

Using WAF Filtering with no success.
Thinking about using mod_security at server level, but don’t know if it would work.

What are the steps to reproduce the issue?

We have been suffering from code injection at a Magento store.

A user, without registering, fills in an order and injects code into several fields (name, address, …).

With mod_security we would use rules such as these:
# Note: t:lowercase is applied to the inspected value before @contains, so the
# match string itself must be lower-case or the rule can never fire.
SecRule ARGS|ARGS_GET|ARGS_POST|REQUEST_BODY "@contains {ifs%??}pub;curl$" "id:103,phase:2,t:none,t:lowercase,deny,status:403,log,msg:'SPAM Not allowed'"
SecRule ARGS|ARGS_GET|ARGS_POST|REQUEST_BODY "@contains curl${ifs" "id:104,phase:2,t:none,t:lowercase,deny,status:403,log,msg:'SPAM Not allowed'"

But with Cloudflare we don’t know how to do it.
We have PRO Plan. Don’t know if anything better is needed.

Also, would we be able to deploy such rules with mod_security despite Cloudflare?

Thank you!
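To check what the two ModSecurity rules from the post actually decide for a checkout POST, here is an added Python emulation (not code from the thread or from ModSecurity) of their semantics: lower-case the inspected value, then test `@contains` against the raw body and against each decoded form field. The sample bodies are constructed; the rule ids and match strings are the ones from the post.

```python
# Added example: emulate the two ModSecurity rules from the post offline.
from urllib.parse import parse_qsl, urlencode

# Match strings from rules 103 and 104. ModSecurity applies t:lowercase to the
# inspected value before @contains, so the strings must be lower-case too.
RULES = [
    (103, "{ifs%??}pub;curl$"),
    (104, "curl${ifs"),
]


def inspect_body(raw_body: str):
    """Return (status, rule_id, target) for a URL-encoded form body.

    status is 403 when a rule matches (deny) and 200 otherwise. The targets
    mirror REQUEST_BODY (raw bytes as sent) and ARGS_POST (decoded values),
    which is why a URL-encoded payload is still caught on the decoded field.
    """
    targets = {"REQUEST_BODY": raw_body}
    for name, value in parse_qsl(raw_body, keep_blank_values=True):
        targets[f"ARGS_POST:{name}"] = value
    for rule_id, needle in RULES:
        for target, value in targets.items():
            if needle in value.lower():  # t:lowercase, then @contains
                return 403, rule_id, target
    return 200, None, None


def sample_requests():
    """Constructed sample bodies (not real traffic): one ordinary checkout and
    one carrying the injection string the post describes, URL-encoded the way
    a browser form submission would send it."""
    benign = urlencode({"firstname": "Jane", "street": "1 Main St",
                        "email": "j@example.com"})
    hostile = urlencode({"firstname": "${IFS%??}pub;curl$x",
                         "street": "1 Main St"})
    return benign, hostile


if __name__ == "__main__":
    for body in sample_requests():
        print(body[:40], "->", inspect_body(body))
```

The same normalise-then-contains check is what a Cloudflare custom rule would express with `lower(http.request.body.raw) contains "..."` (an assumption about the Rules language, not something the thread confirms); whether body fields are available on the PRO plan is not settled by this thread.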

From my understanding of the mod_security rules above (it could be an oversight), may I ask if you’re trying to block, rather than show a 403 page to, anyone trying to send an HTTP request (POST) to your <form> element where the user-agent contains curl? :thinking:

Or rather checking what’s being sent via BODY? :thinking:

May I ask if Managed Rules are active?

Furthermore, have you tried enabling and tuning any of the Managed Rules for Magento and/or additional ones, particularly for CSRF/XSS, as well? :thinking:

May I ask have you tried creating and applying any Custom Rules as well? :thinking:

Sure! I have all of them enabled and most of them are active.

Regarding custom rules, I don’t know how to block form content as stated in the mod_security config.

I tried everything. This is why I am asking for help. A little desperate.

I appreciate a lot your response! Thank you very much!
