
ModSecurity WAF Errors Triggered by Tracking Cookies on WooCommerce WordPress Sites. Solution / Fix

Are you facing ModSecurity WAF errors triggered by tracking cookies on WooCommerce sites? Here is the solution if you are using the WordPress e-commerce plugin with ModSecurity.

At Smartest Guru, we understand that managing security while maintaining a seamless user experience on your website can be challenging. ModSecurity, a popular Web Application Firewall (WAF), often flags tracking cookies as potential security risks, creating false positives that disrupt legitimate website functionality. This article will walk you through why these errors happen, how to resolve them effectively, and the steps you can take to avoid similar issues in the future.


The Problem: ModSecurity Blocking Tracking Cookies in WooCommerce

If you’ve recently encountered errors on your WooCommerce site similar to this in your error logs:

ModSecurity: Access denied with code 403 (phase 2). Pattern match detected on REQUEST_COOKIES:sbjs_first ...

You’re not alone. ModSecurity’s security rules are designed to detect threats like SQL injections and unauthorised requests. However, tracking cookies like sbjs_first (commonly used by tracking software such as Sourcebuster) can accidentally trigger these rules. When this happens, users may receive a 403 Forbidden error, blocking them from accessing WooCommerce pages.

Common Errors and Their ModSecurity Rule IDs

  1. Content-Type Restriction (Rule ID 210710):
     • This error appears when ModSecurity flags a request as an unapproved content type. If your site requires text/plain, this restriction can interfere with its functionality.
  2. SQL Injection Detection (Rule ID 218500):
     • This rule flags tracking cookies as potential SQL injection threats. In particular, the sbjs_first cookie used for tracking visitor origins often matches ModSecurity’s SQLi patterns.

These rules can significantly impact your WooCommerce site’s user experience, especially for legitimate traffic.

Full ModSecurity Error Log Message

[Sun Oct 27 13:46:21.743081 2024] [:error] [pid 1073260:tid 140404541179648] [client 000.00.000.000:49504] [client 000.00.000.000] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\[\\\\]\\\\x22',()\\\\.]{10}$|\\\\b(?:union\\\\sall\\\\sselect\\\\s(?:(?:null|\\\\d+),?)+|order\\\\sby\\\\s\\\\d{1,4}|(?:and|or)\\\\s\\\\d{4}=\\\\d{4}|waitfor\\\\sdelay\\\\s'\\\\d+:\\\\d+:\\\\d+'|(?:select|and|or)\\\\s(?:(?:pg_)?sleep\\\\(\\\\d+\\\\)|\\\\d+\\\\s?=\\\\s?(?:dbms_pipe\\\\.receive_message\\\\ ..." at REQUEST_COOKIES:sbjs_first. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||www.example.com|F|2"] [data "Matched Data: |||tct=(none) found within REQUEST_COOKIES:sbjs_first: typ=typein|||src=(direct)|||mdm=(none)|||cmp=(none)|||cnt=(none)|||trm=(none)|||id=(none)|||plt=(none)|||fmt=(none)|||tct=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "www.example.com"] [uri "/product/membership/"] [unique_id "Zx321VeTCLWowZ2G0rXjwwAAAAE"], referer: https://www.example.com/product/consultation/

The Solution: Configuring ModSecurity to Avoid False Positives

Let’s break down how to configure ModSecurity rules to bypass these specific issues.

1. Allow Specific Content Types by Updating ModSecurity Rules

To resolve issues triggered by text/plain content types (Rule ID 210710), you’ll need to update ModSecurity’s configuration file to whitelist text/plain for WooCommerce pages:

  1. Locate the ModSecurity configuration file, userdata_wl_content_type.
  2. Add text/plain to the list of allowed content types by modifying the file to include:

       SecRuleUpdateTargetById 210710 "REQUEST_HEADERS:Content-Type text/plain"

  3. Restart the server or ModSecurity service for the changes to take effect.

This allows text/plain requests without compromising security across your site.

2. Exclude Specific Cookies from SQL Injection Checks

To address Rule ID 218500 and prevent the sbjs_first cookie from triggering false positives:

  1. Add a custom ModSecurity rule to ignore the sbjs_first cookie when applying SQL injection checks.
  2. Insert the following line into the ModSecurity configuration file:

       SecRuleUpdateTargetById 218500 !REQUEST_COOKIES:sbjs_first

  3. Save and reload ModSecurity.

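By excluding sbjs_first from SQL injection inspection, you’ll reduce unnecessary blocks on your WooCommerce site while maintaining robust security. The exclusion is deliberately narrow: it removes only the sbjs_first cookie from the targets of rule 218500, so that rule still inspects every other cookie and parameter, and every other rule still inspects sbjs_first.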
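As an added example (not code from the original article), the following Python script reads error-log entries in the format quoted above, counts blocks per rule ID and inspected variable, and emits a single-variable exclusion only for targets an operator has already reviewed. The sample lines are constructed (the sbjs_current and ARGS:q entries are illustrative), and the function names and the `reviewed` set are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample entries in the Apache error-log format quoted above
# (fields shortened; client address is from the documentation range).
_FMT = ('[Sun Oct 27 13:46:2{n}.000000 2024] [:error] [client 192.0.2.10:49504] '
        'ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." '
        'at {target}. [file "22_SQL_SQLi.conf"] [line "66"] [id "{rid}"] '
        '[severity "CRITICAL"] [hostname "www.example.com"] [uri "{uri}"]')
SAMPLE_LOG = "\n".join(_FMT.format(n=n, target=t, rid=r, uri=u) for n, (t, r, u) in enumerate([
    ("REQUEST_COOKIES:sbjs_first", "218500", "/product/membership/"),
    ("REQUEST_COOKIES:sbjs_first", "218500", "/cart/"),
    ("REQUEST_COOKIES:sbjs_current", "218500", "/cart/"),
    ("ARGS:q", "218500", "/shop/"),
]))

HIT = re.compile(r'ModSecurity: Access denied.*? at (?P<target>[A-Z_]+(?::[\w-]+)?)\. '
                 r'\[file .*?\[id "(?P<rid>\d+)"\].*?\[uri "(?P<uri>[^"]*)"\]')

def parse_hits(log_text):
    """Return (rule_id, target, uri) for every blocking entry in the log."""
    return [(m["rid"], m["target"], m["uri"])
            for m in map(HIT.search, log_text.splitlines()) if m]

def propose_exclusions(hits, reviewed):
    """Split hits into narrow exclusions for reviewed targets and a
    list of (rule_id, target, count) that still needs investigation."""
    counts = Counter((rid, target) for rid, target, _ in hits)
    directives, pending = [], []
    for (rid, target), n in sorted(counts.items()):
        if target in reviewed:
            # One rule, one variable: every other target stays inspected.
            directives.append(f"SecRuleUpdateTargetById {rid} !{target}")
        else:
            pending.append((rid, target, n))
    return directives, pending

if __name__ == "__main__":
    # Assumption: the operator has confirmed sbjs_first is Sourcebuster data.
    rules, todo = propose_exclusions(parse_hits(SAMPLE_LOG),
                                     {"REQUEST_COOKIES:sbjs_first"})
    print("\n".join(rules))
    for rid, target, n in todo:
        print(f"review: rule {rid} fired {n}x on {target}")
```

Hits on request parameters such as ARGS stay in the review list instead of being excluded automatically, since those are the inputs the SQL injection rule exists to inspect.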

Preventing Future ModSecurity WAF Issues on WooCommerce

While ModSecurity offers a powerful line of defence against online threats, it can sometimes be too restrictive. Here are a few tips to avoid future WAF-related disruptions on your website:

  • Regularly Update ModSecurity Rules: Ensure you’re using the latest ModSecurity rules, including the OWASP Core Rule Set (CRS). Regular updates address known false positives and enhance security.
  • Implement Custom Rules: Adjust rules to exclude other non-sensitive cookies or content types that commonly trigger errors. This ensures that essential tracking doesn’t result in blocked requests.
  • Consult Your Hosting Provider: If you’re unable to modify the ModSecurity settings yourself, consult your hosting provider. Many providers offer tailored support for WordPress and WooCommerce and can help whitelist legitimate traffic sources without compromising site security.

By taking these proactive steps, you’ll maintain a balance between security and functionality, offering users a seamless experience on your WooCommerce site.

Get Expert Assistance with WAF and WordPress Security

Security issues can be frustrating, but we’re here to help! If you’re facing ongoing challenges with ModSecurity, WooCommerce, or any other WordPress functionality, contact us directly at Smartest Guru for expert guidance and support. With 19+ years of experience in IT, we can help you implement secure, seamless solutions tailored to your site’s unique needs.

Share Knowledge: Mod Security Error

Did you find this article helpful? Share it with others who may be experiencing similar issues and help them secure their WooCommerce WordPress sites without sacrificing usability.

For more guides and hands-on support in website security, optimisation, or any other WordPress and WooCommerce needs, reach out to Smartest Guru. We’re here to help you turn your challenges into opportunities for growth and success.

Together, let’s build a secure, seamless web experience!

About Author: Pratish
Pratish, founder of Smartest Guru, brings 19 years of experience in programming, teaching, and consulting across I.T., business, and fitness. Get 1-on-1 expert guidance to transform your challenges into success. Contact him today for actionable results!
