Mod security block due to insecure in the HTML body

Hi Experts,

There is a web app in our institute that anyone from outside world can access and it was running fine until today. The site is down currently and displays 404 error, According to Linux admin, it is because Mod security is blocking due to insecure in the HTML body that it returns to the user. So, it is down there is something in that was detected as insecure so it is being blocked with a 404 returned to the user.
The security functions get updated to check for newly found exploits and vulnerabilities and maybe it is possible that a vulnerability existed before that was not covered by mod security up until now.

My question is how do I figure out which part of html body is insecure?

thanks,
dkim18Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

grahamnonweilerCommented:
Within the body of the HTML look for any cross-site calls to JavaScript, or perhaps an Iframe loading an external page.

However, it is somewhat unusual for mod_security to block a page based on its HTML content, and even more unusual to produce a 404 Page Not Found error.

Ask the Linux admin to provide you with copies of the log files that should highlight which specific rule within their mod_security filters is being triggered by that particular page.

If the Linux admin cannot provide you with the logs, then you must use a sequence of elimination to find the problem.  This means you need to ensure that page caching is disabled (so that you continually get a fresh version of the HTML from the server). And then knowing that you are getting fresh results, start by removing all JavaScript and the HTML within the BODY of the page. Check that the page loads (you should at least get an empty page in the browser) to establish that it is something in your HTML that is causing the problem.

If your page loads (meaning you do not get a 404 error), then you can start adding back the HTML and JavaScript in chunks and reloading the page each time in your browser until you find the part that is causing mod_security to block your page.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
dkim18Author Commented:
>>However, it is somewhat unusual for mod_security to block a page based on its HTML content, and even more >>unusual to produce a 404 Page Not Found error.

I get a little more than just 404 error:

The requested URL /xxx/ was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
grahamnonweilerCommented:
This just means that the server is not handling 404 errors correctly.

There are probably some rewrite rules in place to direct a 404 error to CGI (or server-side ) script to give a "pretty" page not found report.

This a secondary issue and not related to your original problem - in that you cannot access a specific page on your website - which your Linux admin is telling you is the result of something within the HTML of your page.

Can you access all the other pages of your website?

If so then, as I suggested earlier, you need to find the problem in the specific page you cannot access.

If you cannot access your website at all, then that is a different problem, and probably not linked to mod_security at all.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
HTML

From novice to tech pro — start learning today.