ModSecurity (Modsec) is an open-source web application firewall (WAF) supported by different web servers. It is most commonly deployed to provide protection against a range of vulnerabilities using the OWASP ModSecurity Core Rule Set.
If you can't immediately fix all vulnerabilities that Netsparker has detected, you can cover them up and defer fixing them until another time. You do this by exporting Netsparker's findings as rules for ModSecurity WAF (in both Netsparker Standard and Netsparker Enterprise, though how it works is different for each edition):
- In Netsparker Enterprise, you can only make a whole scan export. It is not possible to export a single vulnerability. Should you wish to import a single vulnerability rule, you can manually modify the exported ModSecurity configuration file.
- In Netsparker Standard, it is possible to either export the information about a single vulnerability as a ModSecurity rule or export information about all the vulnerabilities identified during the scan.
After you import the rules, the ModSecurity web application firewall (WAF) will then block any requests made by malicious hackers.
For further information, see Web Application Firewalls.
Types of ModSecurity Rules Netsparker Scanners Export
The export can include three types of ModSecurity rules:
- Denial of access to a URL with a vulnerable parameter
- Denial of access to a URL that can be attacked with a payload
- Denial of access to an exact URL
Netsparker scanners will automatically choose the type of rule depending on the vulnerability, so you do not have to configure anything.
Types of Vulnerabilities Netsparker Scanners Export as ModSecurity Rules
Not all vulnerabilities can be covered up by blocking access to a specific URL with a web application firewall, therefore not all vulnerabilities can be exported as ModSecurity rules. For example, security flaws related to HTTP Cookies, sensitive comments in source code, application source code disclosure and other similar vulnerabilities will not be exported.
In Netsparker Enterprise, you can also export the information about the identified vulnerabilities as rules for the ModSecurity web application firewall.
How to Generate ModSecurity WAF Rules from Netsparker Enterprise Scan Results
- From the main menu, click Scans, then Recent Scans. The Scans window is displayed.
- Next to the relevant scan, click Report. The Scan Summary window is displayed.
- Click Export. The Export Report dialog box is displayed.
- From the Report dropdown, select ModSecurity WAF Rules.
- From the Format dropdown, select TXT.
- Click Export. The Save As dialog opens.
- Select a save location and click Save. You can then use the downloaded rules in your web application firewall.
How to Export Netsparker Standard Scan Results as ModSecurity WAF Rules
As written above, rules can be exported in two ways from Netsparker Standard:
- All Vulnerabilities
- Single Vulnerability
If you want to export the rule for All Vulnerabilities:
- Navigate to the Reporting ribbon tab menu and click ModSecurity WAF Rules.
- In the File name field, enter a name and click Save. The Export Report dialog is displayed with the Path (generated from the location and filename from the previous step) already displayed.
- From the Policy dropdown, select an option.
- The Open Generated Report checkbox is already selected (which opens the report on completion). Deselect this option if required.
- Click Save. The ModSecurity WAF Rules Report opens in your default text editor (this example shows Notepad).
If you want to export the rule for a Single Vulnerability:
- Navigate to the Issues pane and select a single vulnerability (in this example, Cross-site Scripting).
- From the Vulnerability tab, click ModSecurity WAF Rules. The Save Report As dialog is displayed.
- In the File name field, enter a name (here ModSecurity WAF Rule - Cross-site Scripting is used), and click Save.
- The exported rule file can be opened in any text editor as shown.