Vengala Vinay
Top 50 ModSecurity Exceptions and Security Auditing Plugins for Apache for Modern E-commerce Founders and Store Owners

Understanding ModSecurity Core Rule Set (CRS) and E-commerce Vulnerabilities

For modern e-commerce platforms built on Apache, securing the application layer is paramount. ModSecurity, coupled with the OWASP Core Rule Set (CRS), provides a robust Web Application Firewall (WAF) capability. However, out-of-the-box CRS configurations can sometimes be overly aggressive, leading to legitimate user traffic being blocked. This necessitates a strategic approach to identifying and creating exceptions for common e-commerce workflows while simultaneously auditing for potential security gaps. This post details critical exceptions and auditing techniques for e-commerce environments.

Top 50 ModSecurity Exceptions for E-commerce Workflows

The following exceptions are grouped by common e-commerce functionality. Each aims to reduce false positives without materially weakening protection. Confirm every rule ID against the rule files of the CRS version you actually run, and test thoroughly in a staging environment before deploying to production.

1. User Account Management & Authentication

These rules often trigger on password reset forms, registration, and login attempts, especially with complex password policies or specific character sets.

  • Rule ID 941100 (SQL Injection): Blocking legitimate password reset tokens that might contain specific characters.
  • Rule ID 942100 (XSS): False positives on user-provided profile information (e.g., names with special characters, HTML in bios).
  • Rule ID 942200 (XSS): Similar to 942100, but for different contexts.
  • Rule ID 942300 (XSS): Specific to JavaScript contexts.
  • Rule ID 942400 (XSS): Specific to CSS contexts.
  • Rule ID 942430 (XSS): Specific to HTML attribute contexts.
  • Rule ID 942440 (XSS): Specific to HTML tag contexts.
  • Rule ID 942500 (XSS): Specific to URL contexts.
  • Rule ID 942600 (XSS): Specific to File Upload contexts.
  • Rule ID 942700 (XSS): Specific to XML contexts.
  • Rule ID 942900 (XSS): Specific to JSON contexts.
  • Rule ID 949110 (File Upload): Blocking uploads of legitimate profile pictures or avatars with specific metadata.
  • Rule ID 950001 (Remote File Inclusion): False positives on user-supplied URLs in profile links.
  • Rule ID 950100 (Local File Inclusion): False positives on user-supplied paths in profile settings.
  • Rule ID 980130 (Session Fixation): If your application re-generates session IDs on login, this might be too strict.
  • Rule ID 980131 – 980139 (Session Fixation): Similar to 980130.

2. Product Catalog & Search

Product descriptions, search queries, and filtering parameters are common sources of false positives.

  • Rule ID 941100 (SQL Injection): Search queries containing legitimate special characters or keywords that resemble SQL syntax.
  • Rule ID 942100 (XSS): Product descriptions or reviews containing HTML/script tags that are intended for formatting (e.g., bolding, italics) or are part of user-generated content.
  • Rule ID 942200 (XSS): Similar to 942100.
  • Rule ID 942300 (XSS): Specific to JavaScript contexts in product data.
  • Rule ID 942400 (XSS): Specific to CSS contexts in product data.
  • Rule ID 942430 (XSS): Specific to HTML attribute contexts in product data.
  • Rule ID 942440 (XSS): Specific to HTML tag contexts in product data.
  • Rule ID 942500 (XSS): Specific to URL contexts in product data (e.g., links within descriptions).
  • Rule ID 942900 (XSS): Specific to JSON contexts if product data is served via JSON APIs.
  • Rule ID 960010 (Protocol Enforcement): Blocking requests to product pages that might use non-standard URL parameters for filtering or sorting.
  • Rule ID 960011 – 960050 (Protocol Enforcement): Similar to 960010.

3. Shopping Cart & Checkout

These processes involve sensitive data and complex form submissions, making them prone to rule conflicts.

  • Rule ID 941100 (SQL Injection): Shipping addresses or billing information containing special characters or legitimate data that might be misinterpreted.
  • Rule ID 942100 (XSS): Fields like “Order Notes” or “Gift Messages” where users might input formatted text.
  • Rule ID 942200 (XSS): Similar to 942100.
  • Rule ID 942300 (XSS): Specific to JavaScript contexts in order data.
  • Rule ID 942400 (XSS): Specific to CSS contexts in order data.
  • Rule ID 942430 (XSS): Specific to HTML attribute contexts in order data.
  • Rule ID 942440 (XSS): Specific to HTML tag contexts in order data.
  • Rule ID 942500 (XSS): Specific to URL contexts in order data (e.g., links in order notes).
  • Rule ID 942900 (XSS): Specific to JSON contexts if checkout data is processed via JSON APIs.
  • Rule ID 980130 (Session Fixation): If session IDs are frequently updated during the checkout process.
  • Rule ID 980131 – 980139 (Session Fixation): Similar to 980130.
  • Rule ID 930100 (Remote File Inclusion): If payment gateway redirects or callbacks involve complex URL parameters.
  • Rule ID 930110 – 930500 (Remote File Inclusion): Similar to 930100.

4. Payment Gateway Integrations

Interactions with third-party payment processors can sometimes trigger rules due to specific URL structures or data formats.

  • Rule ID 930100 – 930500 (Remote File Inclusion): If payment gateway callbacks or redirect URLs contain unusual parameters or encoding.
  • Rule ID 941100 (SQL Injection): If payment details (e.g., credit card numbers, expiry dates) contain patterns that resemble SQL syntax when transmitted. (Note: Sensitive data should ideally be handled directly by the gateway via tokenization or iframe, minimizing direct transmission through your application).
  • Rule ID 942100 – 942900 (XSS): If payment gateway error messages or success/failure notifications are displayed directly to the user and contain potentially malicious content.
  • Rule ID 950001 (Remote File Inclusion): If your application constructs URLs to payment gateways dynamically with user-influenced parameters.
  • Rule ID 950100 (Local File Inclusion): Less common, but if configuration files related to payment gateways are dynamically accessed based on user input.
  • Rule ID 960010 – 960050 (Protocol Enforcement): If payment gateways use specific HTTP methods or headers that are not standard.
  • Rule ID 980130 (Session Fixation): If session management is critical during payment processing and involves frequent ID regeneration.

Implementing ModSecurity Exceptions Safely

ModSecurity exceptions are typically managed in a separate configuration file, often named modsecurity_local_rules.conf or similar, which is included from your main ModSecurity configuration. CRS 3 ships two such files for exactly this purpose: REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf for runtime (ctl:) exclusions, loaded before the rules, and RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf for SecRuleRemoveById, which must be loaded after the rule it removes. The directive SecRuleRemoveById is your primary tool.

Syntax for Removing Rules

To disable a specific rule for all requests (these lines must be loaded after the CRS rules, i.e. in the after-CRS exclusion file):

SecRuleRemoveById 941100
SecRuleRemoveById 942100

To disable a rule for a specific URL path (the paths below are examples; substitute the form that produces the false positive):

# Runtime exclusion: runs in phase 1, before the CRS rules, and removes both
# rules only for requests under /account/
SecRule REQUEST_URI "@beginsWith /account/" \
    "phase:1,id:1000001,pass,nolog,ctl:ruleRemoveById=941100,ctl:ruleRemoveById=942100"

# Configuration-time alternative: the same removal scoped with an Apache
# Location container (belongs in the after-CRS exclusion file)
<Location /account/reset-password>
    SecRuleRemoveById 941100
    SecRuleRemoveById 942100
</Location>

To disable a rule based on a specific variable (e.g., a parameter name or value):

# Runtime exclusion keyed on a parameter value: when payment_method is paypal
# or stripe, remove both rules for the rest of the transaction. POST arguments
# are only available from phase 2, so this rule must be loaded before the CRS
# rules (the before-CRS exclusion file) to take effect.
SecRule ARGS:payment_method "@rx ^(paypal|stripe)$" \
    "phase:2,id:1000007,pass,nolog,ctl:ruleRemoveById=941100,ctl:ruleRemoveById=942100"

# Narrower form: keep both rules active but stop them inspecting one parameter
# (order_notes is an example name) on the checkout path
SecRule REQUEST_URI "@beginsWith /checkout" \
    "phase:1,id:1000008,pass,nolog,ctl:ruleRemoveTargetById=941100;ARGS:order_notes,ctl:ruleRemoveTargetById=942100;ARGS:order_notes"

Important Considerations:

  • Least Privilege: Only disable rules that are causing genuine false positives. Avoid blanket disabling of entire rule categories.
  • Specificity: Make exceptions as specific as possible (e.g., by URL path, parameter name, HTTP method) rather than global.
  • Logging: Ensure ModSecurity logging is robust. Analyze logs to confirm a rule is indeed a false positive before disabling it.
  • Testing: Always test exceptions in a staging environment.
  • Rule Updates: When updating CRS, re-evaluate your exceptions, as rule IDs or behavior might change.

Security Auditing Plugins and Techniques for Apache

Beyond ModSecurity, several other tools and techniques can enhance your e-commerce security posture on Apache.

1. Apache `mod_security` Audit Log Analysis

The audit logs are invaluable. Regularly parsing these logs can reveal patterns of attacks or persistent false positives.

Log line layout used by the examples in this section (CRS alert fields, one per bracket pair):

[timestamp] [client IP] [HTTP Method] [URL] [HTTP Status] [Rule ID] [Severity] [Message] [Transaction ID] [Matched Data]

Auditing Tools:

  • Logwatch/Logcheck: Basic log summarization.
  • GoAccess: Real-time web log analyzer.
  • ELK Stack (Elasticsearch, Logstash, Kibana): For centralized logging, advanced searching, and visualization.
  • Splunk: Enterprise-grade log management and analysis.

Example Logstash Configuration Snippet for ModSecurity Logs:

filter {
  if [message] =~ /ModSecurity:/ {
    grok {
      match => { "message" => "\[%{TIMESTAMP_ISO8601:timestamp}\] \[%{IP:client_ip}\] \[%{WORD:http_method}\] \[%{URIPATHPARAM:request_uri}\] \[%{NUMBER:http_status}\] \[%{NUMBER:rule_id}\] \[%{WORD:severity}\] \[%{GREEDYDATA:message}\] \[%{DATA:transaction_id}\] \[%{GREEDYDATA:matched_data}\]" }
      overwrite => [ "message" ]
    }
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate {
      convert => {
        "http_status" => "integer"
        "rule_id" => "integer"
      }
    }
  }
}
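As an added example (not code from the original post), the following Python script parses the log line layout above, groups 403 blocks by rule ID and path, flags a rule as a false-positive candidate when it blocks at least three distinct clients on the same path, and drafts a path-scoped exclusion in the form used in the exceptions section for a human to review. The log lines, threshold, paths and local rule IDs are constructed assumptions.

```python
import re
from collections import defaultdict

# One regex for the bracketed log layout shown above; the field order matches
# the Logstash grok pattern, so both tools read the same lines.
LINE_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] \[(?P<client>[^\]]+)\] \[(?P<method>[^\]]+)\] "
    r"\[(?P<uri>[^\]]+)\] \[(?P<status>\d+)\] \[(?P<rule_id>\d+)\] "
    r"\[(?P<severity>[^\]]+)\] \[(?P<msg>[^\]]*)\] \[(?P<txid>[^\]]+)\] "
    r"\[(?P<data>[^\]]*)\]"
)

# Constructed sample lines, not real traffic. Rule 941100 blocks the password
# reset form for four different clients (false-positive pattern); rule 942100
# blocks one client probing the search box three times (scan pattern).
SAMPLE_LOG = """\
[2024-05-01T10:00:01Z] [203.0.113.10] [POST] [/account/reset-password] [403] [941100] [CRITICAL] [SQL Injection Attack] [tx-0001] [token=ab'cd]
[2024-05-01T10:00:05Z] [203.0.113.11] [POST] [/account/reset-password] [403] [941100] [CRITICAL] [SQL Injection Attack] [tx-0002] [token=ef'gh]
[2024-05-01T10:00:09Z] [203.0.113.12] [POST] [/account/reset-password] [403] [941100] [CRITICAL] [SQL Injection Attack] [tx-0003] [token=ij'kl]
[2024-05-01T10:00:12Z] [203.0.113.13] [POST] [/account/reset-password] [403] [941100] [CRITICAL] [SQL Injection Attack] [tx-0004] [token=mn'op]
[2024-05-01T10:01:00Z] [198.51.100.7] [GET] [/catalog/search] [403] [942100] [CRITICAL] [XSS Attack Detected] [tx-0005] [q=<script>]
[2024-05-01T10:01:01Z] [198.51.100.7] [GET] [/catalog/search] [403] [942100] [CRITICAL] [XSS Attack Detected] [tx-0006] [q=<svg onload>]
[2024-05-01T10:01:02Z] [198.51.100.7] [GET] [/catalog/search] [403] [942100] [CRITICAL] [XSS Attack Detected] [tx-0007] [q=<img onerror>]
malformed line that the parser must skip rather than crash on
"""

def parse_lines(text):
    """Return one dict per well-formed line; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events

def triage(events, min_clients=3):
    """Group blocked (403) events by rule ID and path. Many distinct clients
    blocked by one rule on one path suggests a false positive; one client
    hitting the same rule repeatedly looks like a scan and gets no exception."""
    groups = defaultdict(lambda: {"hits": 0, "clients": set()})
    for event in events:
        if event["status"] != "403":
            continue
        group = groups[(event["rule_id"], event["uri"])]
        group["hits"] += 1
        group["clients"].add(event["client"])
    return [
        {"rule_id": rule_id, "uri": uri, "hits": g["hits"],
         "clients": len(g["clients"]), "candidate": len(g["clients"]) >= min_clients}
        for (rule_id, uri), g in sorted(groups.items())
    ]

def exclusion_rule(rule_id, uri, rule_no):
    """Draft a path-scoped runtime exclusion for a human to review before it
    goes into the before-CRS exclusion file. rule_no is the local rule ID."""
    return (f'SecRule REQUEST_URI "@beginsWith {uri}" '
            f'"phase:1,id:{rule_no},pass,nolog,ctl:ruleRemoveById={rule_id}"')

if __name__ == "__main__":
    for n, row in enumerate(triage(parse_lines(SAMPLE_LOG)), start=1000100):
        print(row)
        if row["candidate"]:
            print("  ", exclusion_rule(row["rule_id"], row["uri"], n))
```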

2. Apache `mod_evasive`

While ModSecurity focuses on attack patterns, mod_evasive helps mitigate brute-force and DoS attacks by tracking client requests and blocking IPs that exceed configurable thresholds.

Installation (Debian/Ubuntu):

sudo apt-get update
sudo apt-get install libapache2-mod-evasive

Configuration (e.g., in /etc/apache2/mods-available/evasive.conf):

<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    # Requests for the same page per IP per DOSPageInterval before blocking
    DOSPageCount        2
    # Total requests per IP per DOSSiteInterval before blocking
    DOSSiteCount        50
    # Interval in seconds for the page count
    DOSPageInterval     1
    # Interval in seconds for the site count
    DOSSiteInterval     1
    # How long in seconds a blocked IP stays blocked
    DOSBlockingPeriod   10
    # Directory for block events (must be writable by the Apache user)
    DOSLogDir           /var/log/mod_evasive
    # Address notified when an IP is blocked (placeholder, replace it)
    DOSEmailNotify      security@example.com
    # Optional: command run when an IP is blocked; %s expands to the IP.
    # The script path is a placeholder, not a stock file.
    DOSSystemCommand    "/usr/local/bin/block-ip.sh %s"
</IfModule>

Enabling the module:

sudo a2enmod evasive
sudo systemctl restart apache2

3. Apache `mod_qos`

mod_qos offers more granular control over resource usage per client, including bandwidth limiting, request rate limiting, and connection limits. It can be a powerful tool for preventing resource exhaustion.

Configuration Example (e.g., in your virtual host or main Apache config):

<IfModule mod_qos.c>
    # Directive names follow the mod_qos documentation; tune the numbers for
    # your own traffic and try them with QS_LogOnly on before enforcing
    QS_LogOnly off

    # Size of the per-client table (client IP entries mod_qos tracks)
    QS_ClientEntries 100000

    # Limit concurrent connections per client IP to 10; the internal
    # 192.168.1.x range (monitoring, office) is excluded from that limit
    QS_SrvMaxConnPerIP 10
    QS_SrvMaxConnExcludeIP 192.168.1.

    # Limit concurrent connections for the whole server to 500
    QS_SrvMaxConn 500

    # Require clients to move at least 120 bytes/s (rising to 1500 bytes/s
    # as the server fills up) so slow clients cannot exhaust connections
    QS_SrvMinDataRate 120 1500

    # Limit download bandwidth for the whole site to 1 MB/s (value in KB/s)
    QS_LocKBytesPerSecLimit / 1024

    # Stricter limits for the admin area: 10 concurrent requests and
    # 10 requests per second
    QS_LocRequestLimit /admin 10
    QS_LocRequestPerSecLimit /admin 10

    # Block a client for 300 seconds after 20 responses with status 403
    # (for example repeated ModSecurity denials) within that window
    QS_SetEnvIfStatus 403 QS_Block
    QS_ClientEventBlockCount 20 300

    # Restrict the admin area to the internal network (core Apache
    # mod_authz_core, not mod_qos)
    <Location /admin>
        Require ip 192.168.1.0/24
    </Location>
</IfModule>

4. Regular Security Audits and Penetration Testing

Automated tools and WAFs are essential, but they are not a substitute for human expertise. Regularly scheduled security audits and penetration tests are critical for identifying vulnerabilities that automated tools might miss.

  • Vulnerability Scanners: Tools like Nessus, OpenVAS, or Acunetix can scan your infrastructure for known vulnerabilities.
  • Web Application Scanners: OWASP ZAP, Burp Suite (Community/Professional) are excellent for dynamic analysis of your e-commerce application.
  • Manual Penetration Testing: Engage security professionals to perform in-depth testing, simulating real-world attacks.
  • Code Reviews: Integrate security into your development lifecycle with regular code reviews, focusing on common e-commerce vulnerabilities (OWASP Top 10, PCI DSS requirements).

Conclusion

Securing an e-commerce platform on Apache is an ongoing process. By strategically implementing ModSecurity exceptions for common workflows, leveraging tools like mod_evasive and mod_qos, and maintaining a rigorous auditing and testing schedule, you can significantly reduce your attack surface and protect your business and customers.

Copyright © 2026 · Vinay Vengala