Investigating a 403 Forbidden Error When Making A Particular AJAX Call (OWASP)

Transcription

So recently, I’ve been going back and seeing the full list of videos on my YouTube, and making sure that each one of those is also represented on my website, MattRefghi.com. So this was becoming pretty routine, I was putting up a lot of videos, you know, copying the same format, just changing certain things, knowing that I would come back later and perfect it.

But then I weirdly encountered one post that just wouldn’t load on my site. And bear in mind that I wrote the code for this website, so if something doesn’t load, and there’s some strange behavior, then there’s no one to blame but me, and that makes me especially curious to understand what’s going on, because maybe I can fix the bug and prevent this from ever happening. And so take a look at a case that actually works here. The top article here, how to hide recent items in Windows Explorer. Okay, so if I click this, it loads. Pretty simple, right? Just an article. Now if I go here and I search for another article here, and click the top one, look what happens. It goes right back to this… hmm. So something is happening here.

The first thing I knew I needed to try was to compare a healthy request, one that’s actually loading, with one that’s actually failing to see if I could spot a problem. So for example, if I right-click this one right here and say copy link address, and stick it in Notepad++, this is the link. And we know that one works, right?

Then if I go and search for the other one that has problems – copy that, stick it in Notepad++… then here I can see okay, there’s actually nothing weird going on here, like if there was a strange character that I forgot that was in the slug, which is everything in the P parameter here. So if I actually forgot a weird character, like a few special characters, then yeah, I mean the query string might be rejected by my site, because it’s pretty strict when it comes to what’s allowed in a query string parameter.

But there was no such thing – so I couldn’t immediately see what was wrong, but I thought okay, well listen, this request is a bit on the longer side, maybe there’s a limit I’m not aware of, maybe there’s a bug in my code and it’s only allowing a certain length of slug. But then again I also knew that I had posts that had much longer slugs, so that didn’t make sense to me.

And just so you know, of course continuing I went on my server to take a look at the logs – I took a look at cPanel’s error logs, which are right here. I also took a look at the logs generated in the file system itself on the server. The only thing I was able to see was that when I went into inspect mode here, in the browser, and then reloaded my site, this actually made sure that the network tab is recording, you know? And if I go here and load a working post, and then filter for “viewPost”, because that’s actually the page that’s being called. Then here we see that viewPost is returning a status of 200, so all good, it loaded. Now if we compare to the other post, look what happens – 403. So if I open that up, you’ll notice 403 from service worker. Hm.

Again, I couldn’t really understand what was happening – I even checked for invisible characters, because hey, if an invisible character found its way into the slug, that could explain it. Still, there was no invisible character. I even got to the point where I was removing hyphens, seeing what could possibly be causing this, but I found nothing. But I definitely knew that something in here was the problem. So I kept changing the slug in the database and re-testing on my site. And so eventually I was able to figure out what it is that I could remove here to make this work.

And you know what I had to remove? This. “Stop-process”. So once I removed that, stop-process, right? And just put this slug, it worked. So I was like Stop-Process? What’s this? Is it thinking that I’m trying to send a command – and then it hit me, oh man, it’s probably that – it’s probably some form of a security reaction right? Where it thinks a command is being passed. So I quickly went to Google – Stop-Process, a PowerShell cmdlet. So I was like okay, PowerShell, that has nothing to do with my environment where I run my sites, right?

So I started searching for 403 errors related to that, and all that. But then I remembered – on my server, I am running a plugin specifically to protect against the common OWASP threats. So in case you weren’t familiar, the OWASP top 10 is a list of 10 security risks for web applications. And I remembered on my server, I set up a plugin to specifically help protect against their top 10 risks. So could it be related in this case? I started to think so.

So I went back to my web server and actually looked at my configuration. In the additional packages, indeed, here is the OWASP ModSecurity Core Rule Set (CRS) plugin. So this OWASP plugin actually ties into ModSecurity. So all I had to do then is type ModSecurity, and on this page, I scroll down to where it says ModSecurity Tools, and it’s in this list that I could see right here, “932120: Remote Command Execution: Windows PowerShell Command Found”.

And so that explained it. ModSecurity thought that it was under attack, and it shut down the request. This was actually a very good response by the server, so my inclination here is not even to change anything, it’s just to change the wording of my post to make sure I don’t trigger it. I don’t mind getting creative in how I come up with slugs if it means keeping my site more secure.
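As an added example (not the author’s code, and not the actual logic of the CRS rule), here is a small Python model of the check the post arrives at: it pulls the `p` parameter out of a `viewPost` URL and reports any PowerShell cmdlet name found in it, case-insensitively, the way rule 932120 flagged “stop-process”. The cmdlet list, the example URLs, and the function names are constructed for illustration; the real Core Rule Set matches against a much larger list of cmdlets and applies its own normalisation, so this only demonstrates why a harmless slug can look like a command to a WAF.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed illustration list of real PowerShell cmdlet names. The actual
# CRS rule 932120 matches against a much larger data file; only the matching
# idea is modelled here, not the rule's exact logic (assumption).
POWERSHELL_CMDLETS = [
    "stop-process",
    "get-process",
    "start-process",
    "invoke-expression",
    "invoke-webrequest",
    "set-executionpolicy",
]

# One case-insensitive alternation, so "Stop-Process" and "stop-process" both hit.
_CMDLET_RE = re.compile(
    "|".join(re.escape(name) for name in POWERSHELL_CMDLETS), re.IGNORECASE
)


def scan_query(url: str) -> list[tuple[str, str, str]]:
    """Return (parameter, value, matched cmdlet) for each query-string value
    that contains a cmdlet name. An empty list means nothing would be flagged."""
    query = urlsplit(url).query
    hits = []
    for param, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            match = _CMDLET_RE.search(value)
            if match:
                hits.append((param, value, match.group(0)))
    return hits


def decide(url: str) -> int:
    """Model the WAF outcome: 403 when any parameter is flagged, else 200."""
    return 403 if scan_query(url) else 200


def blocking_tokens(url: str, param: str = "p") -> list[str]:
    """The substrings that would have to be dropped from the slug (the `p`
    parameter) for the rule to stop firing; this is the author's chosen fix."""
    return [token for name, _value, token in scan_query(url) if name == param]


if __name__ == "__main__":
    # Constructed URLs modelled on the viewPost?p=<slug> pattern described in
    # the post; the real slugs are not given on the page.
    working = "https://example.com/viewPost?p=how-to-hide-recent-items-in-windows-explorer"
    failing = "https://example.com/viewPost?p=stop-process-not-working-in-powershell"
    for url in (working, failing):
        print(decide(url), url, blocking_tokens(url))
```

Running it reproduces the post’s comparison step: the first URL gets 200, the second gets 403 and the reported token is exactly `stop-process`. Note that the match is on the substring, so `stop-the-process` passes while `Stop-Process` in any capitalisation does not. If rewording a slug were not an option, ModSecurity also supports narrowing a single rule to exclude one parameter (for example with `SecRuleUpdateTargetById`), which keeps the rule active for every other input; the author chose to keep the rule untouched instead.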

And so that’s it guys, I thought it was an interesting case that might help someone else – figured I’d post it.
