Reputation: 263
I've been going over WAF findings in an ASP.NET application. The WAF is ModSecurity with the OWASP CRS. One of the findings is:
URL file extension is restricted by policy, Rule ID 920440
and it fired at files WebResource.axd and ScriptResource.axd.
I did some research. I found that these files are HTTP handlers and that they are embedded in assemblies. I found said rule - it's a simple one, it just checks the file extension and blocks the request based on that. The .axd extension just happens to be one of the listed file extensions.
As I understood, these files might be connected with using AJAX (I might be wrong on this one). However, I didn't manage to find any reason/explanation on the internet for why these are blacklisted by OWASP. The only piece of information that might give a clue was this question.
Why are .axd files blacklisted? Are they deprecated? Can these be listed as exceptions to the rule, or do they introduce some actual risk? Finally, how can you modify an ASP.NET application so it doesn't need these files?
Upvotes: 5
Views: 1831
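As an added example (not from the question or from the CRS project), here is how a CRS rule exclusion can be scoped to the two embedded-resource handlers rather than to every `.axd` path; the local rule id 10001 and the file name are assumptions.

```apache
# Option A (broad, avoid): remove ".axd/" from tx.restricted_extensions in
# crs-setup.conf (the SecAction with id 900240). That exempts every .axd
# handler, including ones that should stay blocked.
#
# Option B (narrow, preferred): in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
# disable rule 920440 only for the two handler names ASP.NET itself serves.
# Runs in phase 1 so it takes effect before 920440 (phase 2) is evaluated.
# id 10001 is an assumed local id from the range CRS leaves for site rules.
SecRule REQUEST_FILENAME "@rx (?i)(^|/)(WebResource|ScriptResource)\.axd$" \
    "id:10001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=920440"
```

Because the match is on the exact handler names, any other `.axd` request is still caught by 920440 and logged as before.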
Reputation: 89
Maybe too late to reply, but there are several security issues, including the Oracle padding attack CVE-2010-3332, the Telerik remote code execution CVE-2019-18935 and ..., which are all related to .axd files.
Upvotes: 3