• Resolved keeleon

    (@keeleon)


    I am seeing a ModSecurity error on my website that is interfering with a WordPress plugin (Burst Statistics). The plugin is unable to send tracking data because the firewall is blocking the request.

    I am getting this error in my log:

    [:error [pid 2662990:tid 2663067 [client 162.248.64.34:0 [client 162.248.64.34 ModSecurity: Cannot add scalar value without an associated key [hostname “darkridedatabase.com” [uri “/wp-json/burst/v1/track/” [unique_id “acAjQtu-H2NfSuD8r2mnhQAADhs”, referer: https://darkridedatabase.com/park/joyland/

    Is there a setting to fix this already, or is it possible to create a targeted exception for this URI rather than disabling the rule server-wide to maintain overall security?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter keeleon

    (@keeleon)

    I am getting this error every few seconds

    Sun Mar 22 18:00:23

    [:error [pid 2740444:tid 2740458 [client 66.249.77.167:0 [client 66.249.77.167 ModSecurity: Cannot add scalar value without an associated key [hostname “darkridedatabase.com” [uri “/wp-json/burst/v1/track/” [unique_id “acAuN_mPhubsqC_GS0a-UQAABX0”, referer: https://darkridedatabase.com/blog/page/11/?nocache=1774175513&jet_blog_ajax=1

    Sun Mar 22 18:00:10

    [:error [pid 2662990:tid 2663158 [client 192.161.58.81:0 [client 192.161.58.81 ModSecurity: Cannot add scalar value without an associated key [hostname “darkridedatabase.com” [uri “/wp-json/burst/v1/track/” [unique_id “acAuKtu-H2NfSuD8r2mr_gAADnY”, referer: https://darkridedatabase.com/sally-dark-rides-announce-care-bears-ride/

    Sun Mar 22 18:00:08

    [:error [pid 2711386:tid 2711436 [client 66.249.77.165:0 [client 66.249.77.165 ModSecurity: Cannot add scalar value without an associated key [hostname “darkridedatabase.com” [uri “/wp-json/burst/v1/track/” [unique_id “acAuKFGt9glbhf7eLnPsGQAAAC4”, referer: https://darkridedatabase.com/blog/page/14/?nocache=1774126768&jet_blog_ajax=1

    Sun Mar 22 17:59:53

    [:error [pid 2711386:tid 2711414 [client 66.249.77.165:0 [client 66.249.77.165 ModSecurity: Cannot add scalar value without an associated key [hostname “darkridedatabase.com” [uri “/wp-json/burst/v1/track/” [unique_id “acAuGVGt9glbhf7eLnPsEQAAABg”, referer: https://darkridedatabase.com/blog/page/46/?nocache=1774183455&jet_blog_ajax=1

    Sun Mar 22 17:59:49

    [:error [pid 2711386:tid 2711495 [client 65.34.143.61:0 [client 65.34.143.61 ModSecurity: Cannot add scalar value without an associated key [hostname “darkridedatabase.com” [uri “/wp-json/burst/v1/track/” [unique_id “acAuFVGt9glbhf7eLnPsDwAAAGk”, referer: https://darkridedatabase.com/

    Plugin Author Rogier Lankhorst

    (@rogierlankhorst)

    @keeleon This is due to a security configuration by your server; we don’t have any control over that within Burst.

    I don’t know much about ModSecurity, so I’ve checked with AI what possible solutions there are for such an issue. Let me know if this is helpful!

    ————-

    This is a well-known ModSecurity/JSON parsing conflict. The error “Cannot add scalar value without an associated key” means ModSecurity’s request body processor is trying to parse the JSON payload sent by Burst Statistics to /wp-json/burst/v1/track/, but the JSON structure contains array-style or scalar values at the root level that confuse the parser.

    The cleanest fix is a targeted rule that overrides the body processor for that specific URI, keeping all other rules intact.

    Option 1: Switch the body processor to URLENCODED for that endpoint (recommended)

    Add this to your custom ModSecurity rules file (e.g. /etc/modsecurity/custom-rules.conf or inside a .conf file in your modsecurity.d/ directory):

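    # Targeted exception: parse the body of the Burst tracking endpoint
    # as URL-encoded data instead of JSON. Other rules still apply.
    SecRule REQUEST_URI "@beginsWith /wp-json/burst/v1/track" \
        "id:9009001,\
        phase:1,\
        pass,\
        nolog,\
        ctl:requestBodyProcessor=URLENCODED"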

    This tells ModSecurity to treat the body as plain URL-encoded data instead of trying to parse it as JSON, so no parsing error occurs and the request goes through. All other rules keep running.

    Option 2: Disable request body inspection for that URI only

    If option 1 doesn’t fully resolve it:

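    # Alternative to the rule in option 1. Rule IDs must be unique, so this
    # rule gets its own ID in case both end up in the configuration.
    SecRule REQUEST_URI "@beginsWith /wp-json/burst/v1/track" \
        "id:9009002,\
        phase:1,\
        pass,\
        nolog,\
        ctl:requestBodyAccess=Off"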

    This turns off body inspection entirely for that endpoint. Slightly broader, but still highly targeted since it only applies to that one URI.
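
To check that a single-URI exception is enough before applying it, this added example (not code from the thread or from Burst) counts the ModSecurity message per hostname and URI in an Apache error log and splits the hits by whether the `@beginsWith /wp-json/burst/v1/track` prefix covers them. The sample log lines, the `/wp-json/example/v1/save` URI and the function name `triage` are constructed for illustration.

```python
import re
from collections import Counter

# Message text taken from the log lines in this thread.
MESSAGE = "Cannot add scalar value without an associated key"
# Prefix used by the @beginsWith exception quoted above.
EXCEPTION_PREFIX = "/wp-json/burst/v1/track"

# ModSecurity appends metadata as [name "value"]. Straight and curly quotes
# are both accepted and the closing bracket is optional, so lines pasted
# through a forum (as in this thread) still parse.
FIELD = re.compile(r'\[(\w+) ["\u201c]([^"\u201d]*)["\u201d]\]?')

# Constructed sample lines (documentation IPs and hostnames, made-up IDs).
SAMPLE_LOG = """\
[Sun Mar 22 18:00:23.101 2026] [:error] [pid 100:tid 200] [client 203.0.113.7:0] [client 203.0.113.7] ModSecurity: Cannot add scalar value without an associated key [hostname "example.test"] [uri "/wp-json/burst/v1/track/"] [unique_id "AAAA"], referer: https://example.test/
[:error [pid 100:tid 201 [client 203.0.113.8:0 [client 203.0.113.8 ModSecurity: Cannot add scalar value without an associated key [hostname “example.test” [uri “/wp-json/burst/v1/track/” [unique_id “BBBB”, referer: https://example.test/blog/
[Sun Mar 22 18:00:25.300 2026] [:error] [pid 100:tid 202] [client 203.0.113.9:0] [client 203.0.113.9] ModSecurity: Cannot add scalar value without an associated key [hostname "example.test"] [uri "/wp-json/example/v1/save"] [unique_id "CCCC"]
[Sun Mar 22 18:00:26.000 2026] [mpm_event:notice] [pid 100:tid 100] AH00489: Apache/2.4 configured -- resuming normal operations
"""


def triage(lines, prefix=EXCEPTION_PREFIX):
    """Count MESSAGE hits per (hostname, uri), split by exception coverage."""
    covered, uncovered = Counter(), Counter()
    for line in lines:
        if "ModSecurity:" not in line or MESSAGE not in line:
            continue  # other log entries are out of scope here
        fields = dict(FIELD.findall(line))
        uri = fields.get("uri")
        if uri is None:
            continue  # truncated line: nothing to attribute the hit to
        # Same prefix comparison the @beginsWith operator performs.
        bucket = covered if uri.startswith(prefix) else uncovered
        bucket[(fields.get("hostname", "?"), uri)] += 1
    return covered, uncovered


if __name__ == "__main__":
    covered, uncovered = triage(SAMPLE_LOG.splitlines())
    for label, bucket in (("covered", covered), ("NOT covered", uncovered)):
        for (host, uri), n in bucket.most_common():
            print(f"{label:12} {n:4} {host} {uri}")
```

Any entry reported as not covered is another endpoint hitting the same parser error and needs its own review rather than a wider exception.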
