This repository has been archived by the owner on May 14, 2020. It is now read-only.
The current implementation states that "Range Header exists and begins with 0 - normal browsers don't do this." (modsecurity_crs_20_protocol_violations.conf). This behavior can now be seen in both Firefox (tested with 26.0 and 27.0) and Chromium (tested with 33.0.1750.149). It only happens when requesting continuous content which requires loading, e.g. a video.
An example to reproduce: Go to http://www.videojs.com/, open development tools in Firefox/Chromium, go to network, click on the video on the website and watch the requests for the video stream.
The request header for Chromium:
GET /v/oceans.mp4 HTTP/1.1
Host: vjs.zencdn.net
Connection: keep-alive
Accept-Encoding: identity;q=1, *;q=0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.149 Safari/537.36
Accept: */*
Referer: http://www.videojs.com/
Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
Range: bytes=0-
Similarly for Firefox:
Solutions are to either remove this rule (https://github.com/arlimus/owasp-modsecurity-crs/tree/http-range-ruleset) or try to narrow it down and identify all cases where this is allowed to happen and specify them in the ruleset (better and cleaner solution, but more error-prone).
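To make the trade-off in the issue concrete, the following is an added example (not code from the CRS project or from the reporter): it parses the `Range` header, expresses the quoted condition ("Range header exists and begins with 0") as a function, and beside it a narrowed variant that still flags ranges starting at byte 0 but exempts the single open-ended `bytes=0-` that the captured browser request shows. The exact matching the real rule performs is not on the page, so both functions are assumptions, and the header set is constructed from the Chromium request above.

```python
import re
from typing import Dict, List, Optional, Tuple

ByteRange = Tuple[Optional[int], Optional[int]]

# Constructed sample input: the relevant headers from the Chromium request in the report.
CHROMIUM_HEADERS: Dict[str, str] = {
    "Host": "vjs.zencdn.net",
    "Accept": "*/*",
    "Range": "bytes=0-",
}

_SPEC = re.compile(r"^(\d*)-(\d*)$")


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_byte_ranges(value: str) -> Optional[List[ByteRange]]:
    """Parse an RFC 7233 byte-range set such as 'bytes=0-' or 'bytes=0-499,1000-'.

    Returns a list of (first, last) pairs, with None for an open end, or None if
    the value is not a well-formed 'bytes=' range set.
    """
    if not value.lower().startswith("bytes="):
        return None
    ranges: List[ByteRange] = []
    for spec in value[len("bytes="):].split(","):
        m = _SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        ranges.append((first, last))
    return ranges


def rule_as_described(headers: Dict[str, str]) -> bool:
    """The condition the report quotes, written as code (assumption, not the CRS rule):
    a Range header exists and its first range begins at byte 0."""
    value = _get(headers, "Range")
    if value is None:
        return False
    ranges = parse_byte_ranges(value)
    return ranges is not None and ranges[0][0] == 0


def narrowed_rule(headers: Dict[str, str]) -> bool:
    """Illustrative narrowing (assumption, not the CRS rule): keep flagging ranges that
    start at byte 0, except the single open-ended 'bytes=0-' that browsers send when
    they start streaming media, which the report shows is legitimate traffic."""
    value = _get(headers, "Range")
    if value is None:
        return False
    ranges = parse_byte_ranges(value)
    if ranges is None:
        return False  # not a parseable byte range; leave it to other rules
    if ranges == [(0, None)]:
        return False  # the browser media-stream case from the report
    return any(first == 0 for first, _ in ranges)


if __name__ == "__main__":
    print("as described:", rule_as_described(CHROMIUM_HEADERS))  # True (false positive)
    print("narrowed:    ", narrowed_rule(CHROMIUM_HEADERS))      # False
```

Run against the Chromium headers, the condition as quoted flags the request while the narrowed variant lets it through; a closed range such as `bytes=0-499` or a repeated `bytes=0-,0-` is still flagged by both, which is the kind of case the reporter means by identifying where the behaviour is allowed rather than removing the rule.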