Analysing Requests Blocked by Modsecurity
Vihtalahti, Ville (2025)
Permanent address of the publication:
https://urn.fi/URN:NBN:fi:amk-2025121637279
Abstract
The objective of this study is to analyse various hacking attempts against a web application by examining the malicious HTTP requests that were blocked by a Web Application Firewall (WAF). A WAF operates on the application layer, layer 7 of the OSI model. The analysed data contains well-known malicious attack types and common exploitation attempts to which web applications are known to be vulnerable, e.g. SQL injection and Cross-Site Scripting, to name a few. The WAF software in charge of analysing, logging and auditing the requests is Modsecurity.
This analysis gives a high-level overview of the data. A step-by-step approach is used, delving deeper into the data in search of valuable insights and information that provide an understanding of the threats web applications face nowadays. The data has already been cleaned and loaded into an Excel file so that it is efficiently accessible. The request logs contain fields ranging from WHOIS information to the timestamp of the request. The Excel files are read in JupyterLab, an interactive Python programming tool used especially in Machine Learning and Data Science, which are subfields of Artificial Intelligence. Files used in JupyterLab are called Notebooks and differ from regular Python files. Polars, a Python module, is used for manipulating and displaying the data in data frames in the JupyterLab editor, similar to how an Excel file displays data in table format. Polars is efficient on large datasets when only a single machine is available. Matplotlib, another Python module, is used for visualising the data in different kinds of plots, from bar plots to line plots.
The analysis of this data is experimental and explorative, as the objective is to find key information; it can therefore be read as a report of the blocks made by Modsecurity. Results are presented in plots and tables with explanations and further insights. A WAF proves to be a useful addition when adding protective capabilities to web applications, providing an extra layer of defence for critical assets and data against malicious intent. It can be concluded that the configuration of Modsecurity is crucial for getting the most out of its capabilities: auditing and logging must be set up properly so that a rule violation can be investigated further, and the rule configuration determines both how strictly Modsecurity blocks requests and how rule exclusions are made when handling false-positive blocks, so user experience also needs to be considered.
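The abstract describes reading already-cleaned Modsecurity block records and aggregating them by attack type, client and time. As an added example (not code from the thesis or from the ModSecurity project), the script below does the first step of that pipeline on raw log text: it parses constructed sample lines written in the style of ModSecurity 2.x Apache error-log messages, then groups rule matches into transactions and counts blocked transactions per rule, client, attack category and hour. The sample lines, rule IDs and messages are constructed for illustration; the parser assumes IPv4 client addresses and does no WHOIS enrichment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the style of ModSecurity 2.x Apache error-log
# messages (not real traffic). A transaction can produce several lines that
# share one unique_id: individual rule matches are logged as "Warning", and in
# anomaly-scoring mode only the blocking-evaluation rule logs "Access denied".
SAMPLE_LOG = r'''
[Tue Jan 07 10:15:02.100000 2025] [security2:error] [pid 101] [client 203.0.113.10:51234] ModSecurity: Warning. detected SQLi using libinjection. [file "/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [tag "attack-sqli"] [hostname "www.example.test"] [uri "/products"] [unique_id "aaa111"]
[Tue Jan 07 10:15:02.100000 2025] [security2:error] [pid 101] [client 203.0.113.10:51234] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "anomaly-evaluation"] [hostname "www.example.test"] [uri "/products"] [unique_id "aaa111"]
[Tue Jan 07 10:15:09.300000 2025] [security2:error] [pid 101] [client 198.51.100.7:40001] ModSecurity: Warning. Pattern match "<script" at ARGS:q. [file "/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "60"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [tag "attack-xss"] [hostname "www.example.test"] [uri "/search"] [unique_id "bbb222"]
[Tue Jan 07 10:15:09.300000 2025] [security2:error] [pid 101] [client 198.51.100.7:40001] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "anomaly-evaluation"] [hostname "www.example.test"] [uri "/search"] [unique_id "bbb222"]
[Tue Jan 07 11:02:44.500000 2025] [security2:error] [pid 102] [client 203.0.113.10:51300] ModSecurity: Warning. Pattern match "..." at ARGS:id. [file "/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "200"] [id "942432"] [msg "Restricted SQL Character Anomaly Detection (args)"] [severity "WARNING"] [tag "attack-sqli"] [hostname "www.example.test"] [uri "/products"] [unique_id "ccc333"]
'''

# Fixed prefix of every line: timestamp, module, pid, client, and the action.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[security2:error\] \[pid [^\]]+\] '
    r'\[client (?P<client>[^\]]+)\] ModSecurity: (?P<action>Access denied|Warning)'
)
# The bracketed key "value" pairs that follow the free-text operator message.
KV_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<val>[^"]*)"\]')


def parse_line(line):
    """Turn one log line into a plain dict, or None if it is not a ModSecurity line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {
        "timestamp": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y"),
        # Assumes IPv4 "address:port"; strip the ephemeral source port.
        "client_ip": m.group("client").rsplit(":", 1)[0],
        "denied": m.group("action") == "Access denied",
        "tags": [],
    }
    for key, val in KV_RE.findall(line[m.end():]):
        if key == "tag":          # a rule may carry several tags
            rec["tags"].append(val)
        else:
            rec[key] = val
    return rec


def parse_log(text):
    """Parse all non-empty lines, silently skipping anything that does not match."""
    recs = (parse_line(l) for l in text.strip().splitlines() if l.strip())
    return [r for r in recs if r is not None]


def summarize(records):
    """Aggregate rule matches into per-transaction statistics."""
    by_txn = defaultdict(list)
    for r in records:
        by_txn[r.get("unique_id", "?")].append(r)

    # Raw rule matches (several per transaction) versus transactions actually blocked.
    rule_matches = Counter(r.get("id", "?") for r in records)
    blocked = {tid for tid, rs in by_txn.items() if any(r["denied"] for r in rs)}
    warning_only = sorted(set(by_txn) - blocked)

    # Count each attack category once per transaction, not once per rule hit.
    attack_categories = Counter()
    for rs in by_txn.values():
        attack_categories.update({t for r in rs for t in r["tags"] if t.startswith("attack-")})

    blocked_clients = Counter(by_txn[tid][0]["client_ip"] for tid in blocked)
    blocked_by_hour = Counter(by_txn[tid][0]["timestamp"].hour for tid in blocked)
    return {
        "rule_matches": rule_matches,
        "matched_transactions": len(by_txn),
        "blocked_transactions": len(blocked),
        "warning_only_transactions": warning_only,
        "attack_categories": attack_categories,
        "blocked_clients": blocked_clients,
        "blocked_by_hour": blocked_by_hour,
    }


if __name__ == "__main__":
    stats = summarize(parse_log(SAMPLE_LOG))
    for name, value in stats.items():
        print(f"{name}: {dict(value) if isinstance(value, Counter) else value}")
```

The distinction between rule matches and blocked transactions is the point to keep in mind when reading block counts: with the anomaly-scoring setup, one blocked request produces at least two log lines, and a rule hit that never reached the blocking threshold (the warning-only transaction above) is a candidate for tuning rather than a block. The parser returns plain dicts, so the records can be loaded into a Polars data frame or written to Excel for the kind of exploration the thesis describes.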
