Closed jeremyjpj0916 closed 4 years ago
Oops, closing this. Oddly enough, my modsec audit logs are set to only log 400/403 events (blocking), but this one is a 200 response, and even though it says it found a match in the H section like above, it's not actually blocking the tx? Very strange, probably a mod security bug itself but not a core rulesets problem; the rule is working as expected and allowing this tx to pass.
Description
Seems the REQUEST_URI is valid to me in this request (%25's replacing the % character for URL encoding). Unsure why it's blocking it; I see no % signs isolated by themselves?
Irrelevant headers removed from Audit log.
Audit Logs / Triggered Rule Numbers
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf#L328
Your Environment