Modsecurity redirect rule : Send threatening user back to referrer

Futh asked:

Consider the following SecRule, which takes a feed from a lua script that is executed:

SecRule &TX:SQLI "@eq 1"    "id:'129793',phase:2,t:none,redirect:http://www.example.com/failed.html,msg:'SQLi Injection Payload Found'"

If SQLi is found in a request parameter, the tx.sqli variable is populated and the user is redirected to a specific webpage : http://www.example.com/failed.html.

This process works well. However, I would like to redirect the user back to the referrer address or simply refresh their page or send them back to the previous page they were on.

This may involve, for example, populating the redirect address with the referrer value. Is it possible for ModSecurity to execute this?

My answer:


You don’t necessarily know what the referring page is. And most likely there isn’t one at all! Such attacks generally come from automata, not humans.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.