False positive (403 Forbidden) when navigating to site homepage while behind a VPN on Google Chrome (macOS) #4202

Open
@Danrancan

Description


When navigating to the page https://www.mcmo.is while behind a VPN, the homepage turns up with a "403 Forbidden" error. When using my home IP address, it seems to work just fine. Very strange. I need help configuring rule exclusions for this error. I am very much a noob and could use a working example of a rule exclusion for this. Thank you so much for any help you can give!

How to reproduce the misbehavior (-> curl call)

I don't know how to do a curl call, but if you turn on Mullvad VPN, and then navigate to https://www.mcmo.is, you should get a "403 Forbidden" error.

Logs

---ciEiaQq9---A--
[11/Jul/2025:02:03:39 -0500] 17522174197.475337 68.235.46.83 64031 10.10.10.2 443
---ciEiaQq9---B--
GET / HTTP/2.0
sec-ch-ua-platform: "macOS"
sec-fetch-user: ?1
sec-ch-ua: "Not)A;Brand";v="8", "Chromium";v="138", "Google Chrome";v="138"
sec-fetch-site: none
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
sec-ch-ua-mobile: ?0
upgrade-insecure-requests: 1
sec-fetch-dest: document
sec-fetch-mode: navigate
host: mcmo.is
accept-encoding: gzip, deflate, br, zstd
cookie: sbjs_migrations=1418474375998%3D1; sbjs_first_add=fd%3D2025-07-08%2012%3A40%3A30%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29; sbjs_first=typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none%29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29%7C%7C%7Cplt%3D%28none%29%7C%7C%7Cfmt%3D%28none%29%7C%7C%7Ctct%3D%28none%29; sbjs_current_add=fd%3D2025-07-08%2021%3A00%3A53%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3Dhttps%3A%2F%2Fduckduckgo.com%2F; sbjs_current=typ%3Dreferral%7C%7C%7Csrc%3Dduckduckgo.com%7C%7C%7Cmdm%3Dreferral%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%2F%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29%7C%7C%7Cplt%3D%28none%29%7C%7C%7Cfmt%3D%28none%29%7C%7C%7Ctct%3D%28none%29; _ga=GA1.1.1023661496.1752053308; _ga_26BWL8FXB5=GS2.1.s1752053307$o1$g1$t1752054023$j58$l0$h0; sbjs_udata=vst%3D6%7C%7C%7Cuip%3D%28none%29%7C%7C%7Cuag%3DMozilla%2F5.0%20%28Macintosh%3B%20Intel%20Mac%20OS%20X%2010_15_7%29%20AppleWebKit%2F537.36%20%28KHTML%2C%20like%20Gecko%29%20Chrome%2F138.0.0.0%20Safari%2F537.36
accept-language: en-US,en;q=0.9
priority: u=0, i

---ciEiaQq9---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a

---ciEiaQq9---F--
HTTP/2.0 403
Server: nginx
Date: Fri, 11 Jul 2025 07:03:39 GMT
Content-Length: 548
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline'
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---ciEiaQq9---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=' against variable `REQUEST_COOKIES:sbjs_current' (Value: `typ%3Dreferral%7C%7C%7Csrc%3Dduckduckgo.com%7C%7C%7Cmdm%3Dreferral%7C%7C%7Ccmp%3D%28none%29%7C%7C%7C (133 characters omitted)' ) [file "/etc/nginx/modsec/crs4.14.0/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "863"] [id "941150"] [rev ""] [msg "XSS Filter - Category 5: Disallowed HTML Attributes"] [data "Matched Data: src= found within REQUEST_COOKIES:sbjs_current: typ=referral|||src=duckduckgo.com|||mdm=referral|||cmp=(none)|||cnt=/|||trm=(none)|||id=(none)|||plt=(none)|||fmt=(none)|||tct=(none)"] [severity "2"] [ver "OWASP_CRS/4.14.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "OWASP_CRS/ATTACK-XSS"] [tag "capec/1000/152/242"] [hostname "mcmo.is"] [uri "/"] [unique_id "17522174197.475337"] [ref "o13,4v804,238t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNullso15,4v1193,233t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `10' ) [file "/etc/nginx/modsec/crs4.14.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.14.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "mcmo.is"] [uri "/"] [unique_id "17522174197.475337"] [ref ""]

---ciEiaQq9---J--

---ciEiaQq9---K--

---ciEiaQq9---Z--

---fa68mFQF---A--
[11/Jul/2025:02:03:39 -0500] 175221741972.059572 68.235.46.83 64031 10.10.10.2 443
---fa68mFQF---B--
GET /favicon.ico HTTP/2.0
accept-encoding: gzip, deflate, br, zstd
cookie: sbjs_migrations=1418474375998%3D1; sbjs_first_add=fd%3D2025-07-08%2012%3A40%3A30%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3D%28none%29; sbjs_first=typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none%29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29%7C%7C%7Cplt%3D%28none%29%7C%7C%7Cfmt%3D%28none%29%7C%7C%7Ctct%3D%28none%29; sbjs_current_add=fd%3D2025-07-08%2021%3A00%3A53%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.is%2F%7C%7C%7Crf%3Dhttps%3A%2F%2Fduckduckgo.com%2F; sbjs_current=typ%3Dreferral%7C%7C%7Csrc%3Dduckduckgo.com%7C%7C%7Cmdm%3Dreferral%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%2F%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29%7C%7C%7Cplt%3D%28none%29%7C%7C%7Cfmt%3D%28none%29%7C%7C%7Ctct%3D%28none%29; _ga=GA1.1.1023661496.1752053308; _ga_26BWL8FXB5=GS2.1.s1752053307$o1$g1$t1752054023$j58$l0$h0; sbjs_udata=vst%3D6%7C%7C%7Cuip%3D%28none%29%7C%7C%7Cuag%3DMozilla%2F5.0%20%28Macintosh%3B%20Intel%20Mac%20OS%20X%2010_15_7%29%20AppleWebKit%2F537.36%20%28KHTML%2C%20like%20Gecko%29%20Chrome%2F138.0.0.0%20Safari%2F537.36
referer: https://mcmo.is/
sec-ch-ua-platform: "macOS"
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
sec-ch-ua-mobile: ?0
accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
sec-ch-ua: "Not)A;Brand";v="8", "Chromium";v="138", "Google Chrome";v="138"
sec-fetch-dest: image
sec-fetch-mode: no-cors
host: mcmo.is
accept-language: en-US,en;q=0.9
priority: u=1, i

---fa68mFQF---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a

---fa68mFQF---F--
HTTP/2.0 403
Server: nginx
Date: Fri, 11 Jul 2025 07:03:39 GMT
Content-Length: 548
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline'
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---fa68mFQF---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=' against variable `REQUEST_COOKIES:sbjs_current' (Value: `typ%3Dreferral%7C%7C%7Csrc%3Dduckduckgo.com%7C%7C%7Cmdm%3Dreferral%7C%7C%7Ccmp%3D%28none%29%7C%7C%7C (133 characters omitted)' ) [file "/etc/nginx/modsec/crs4.14.0/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "863"] [id "941150"] [rev ""] [msg "XSS Filter - Category 5: Disallowed HTML Attributes"] [data "Matched Data: src= found within REQUEST_COOKIES:sbjs_current: typ=referral|||src=duckduckgo.com|||mdm=referral|||cmp=(none)|||cnt=/|||trm=(none)|||id=(none)|||plt=(none)|||fmt=(none)|||tct=(none)"] [severity "2"] [ver "OWASP_CRS/4.14.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "OWASP_CRS/ATTACK-XSS"] [tag "capec/1000/152/242"] [hostname "mcmo.is"] [uri "/favicon.ico"] [unique_id "175221741972.059572"] [ref "o13,4v725,238t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNullso15,4v1114,233t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `10' ) [file "/etc/nginx/modsec/crs4.14.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.14.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "mcmo.is"] [uri "/favicon.ico"] [unique_id "175221741972.059572"] [ref ""]

---fa68mFQF---J--

---fa68mFQF---K--

---fa68mFQF---Z--

Your Environment

  • CRS version (e.g., v3.3.4): 4.14.0
  • Paranoia level setting (e.g. PL1) : PL2
  • ModSecurity version (e.g., 2.9.6): v3.0.14
  • Web Server and version or cloud provider / CDN (e.g., Apache httpd 2.4.54): Nginx v1.29.0 Mainline
  • Operating System and version: Ubuntu 24.04 Server for Raspberry Pi (aarch64)

Confirmation

[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
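One rule exclusion that addresses the match recorded in the audit log above (rule 941150 hitting "src=" inside the sbjs_current cookie value, which alone pushed the inbound anomaly score to 10 against a threshold of 5). This is an added example, not code from the issue or from the CRS project; the file name is the template CRS ships, and the commented regex variant assumes the other sbjs_* cookies carry the same src= substring, as sbjs_first does in the logged request.

```apacheconf
# Rule exclusion for the 403 in the audit log above. Rule 941150
# (XSS Filter - Category 5, regex "(?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=")
# matched "src=" in REQUEST_COOKIES:sbjs_current, a tracking cookie whose
# value legitimately contains "src=duckduckgo.com". Rule 949110 then
# blocked because the anomaly score (10) reached the threshold (5).
#
# Place this in a file that nginx/ModSecurity loads AFTER the CRS rule
# files, e.g. the RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf that CRS
# ships as an .example (SecRuleUpdateTargetById only works once the rule
# it refers to has been defined). Reload nginx afterwards.

# Narrow form: rule 941150 keeps inspecting every other cookie, argument
# and header, but no longer looks at this one cookie value.
SecRuleUpdateTargetById 941150 "!REQUEST_COOKIES:sbjs_current"

# Broader form (assumption: all sbjs_* cookies embed "src="; sbjs_first in
# the logged request does). Uncomment to exclude the whole cookie family
# from 941150 via a regex collection selector instead of a single name.
# SecRuleUpdateTargetById 941150 "!REQUEST_COOKIES:/^sbjs_/"
```

After the reload, a request carrying the same cookie should no longer produce a 941150 entry for that variable in the error log; since the 403 comes from the anomaly threshold rather than from one rule, check the log for any other rule ids that still fire before assuming the false positive is fully resolved.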
