
ModSecurity Version

🗓️ 02 Jul 2013 00:00:00 · Reported by Tenable · Type: nessus · 🔗 www.tenable.com

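Obtains the version of the remote ModSecurity install from HTTP response headers and reports information about the install. Detection relies entirely on the Server banner, so a host that suppresses or alters that header is not identified by this check.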

Code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration block: when the plugin is loaded with 'description' set, only
# the metadata below is registered and the script leaves through the exit(0)
# at the end of the block, before any of the detection code runs.
if (description)
{
  script_id(67123);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/22");

  script_name(english:"ModSecurity Version");
  script_summary(english:"Obtains the version of the remote ModSecurity Install");

  script_set_attribute(attribute:"synopsis", value:
"It is possible to obtain the version number of the remote ModSecurity
install.");
  script_set_attribute(attribute:"description", value:
"Based on HTTP headers, the remote host appears to be running
ModSecurity, an open source web application firewall (WAF).  It was
possible to read the version number from the banner.");
  # Informational finding only: no remediation and no risk rating are given.
  # Review note: a positive result still means the WAF product and version
  # are readable by any client that can see the Server response header.
  script_set_attribute(attribute:"solution", value:"n/a");
  script_set_attribute(attribute:"risk_factor", value:"None");

  script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/02");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:modsecurity:modsecurity");
  script_set_attribute(attribute:"asset_inventory", value:"True");
  script_end_attributes();

  # Information-gathering category, filed under the "Firewalls" family.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Firewalls");

  script_copyright(english:"This script is Copyright (C) 2013-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Depends on waf_detection.nbin and requires the KB key "www/ModSecurity".
  # NOTE(review): the detection code further down reads
  # "www/waf/ModSecurity" rather than the key required here; confirm that
  # waf_detection.nbin sets both, otherwise the plugin can be scheduled and
  # then exit immediately on the missing key.
  script_dependencies("waf_detection.nbin");
  script_require_keys("www/ModSecurity");
  # Candidate ports: anything registered under Services/www, or port 80.
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("backport.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Script-wide state. 'port' is assigned by the main body; 'src' and 'ver'
# are the outputs of parse_banner().
global_var port, src, ver;

##
# Pulls the ModSecurity token and its version out of a block of HTTP
# response headers.
#
# Nothing is returned. The result is written to two globals, which are
# both reset to NULL on entry and stay NULL when no Server header matches:
#   src - the full text matched by the regex (from "Server:" up to and
#         including the version)
#   ver - the first capture group, i.e. the version string
#
# Three banner spellings are tried in order; the first one that egrep()
# finds anywhere in the headers is the only one used for extraction.
#
# The header text is supplied by the remote host, so 'src' and 'ver' are
# untrusted strings: the only shape guarantee is what the patterns enforce
# (leading digits, then an optional '.' followed by any non-space run).
#
# @param headers Raw HTTP response headers, one header per line.
##
function parse_banner(headers)
{
  local_var banner_res, candidate, hit, lines, re;

  # Start from a clean slate so a previous call cannot leak results.
  src = NULL;
  ver = NULL;

  banner_res = make_list(
    '^Server:.*[Mm]od_?[Ss]ecurity2?/([0-9]+(\\.[^ ]+)?)',
    '^Server:.*[Mm]od_?[Ss]ecurityPHP/([0-9]+(\\.[^ ]+)?)',
    '^Server:.*[Mm]od[_ ]?[Ss]ecurity ([0-9]+(\\.[^ ]+)?)'
  );

  foreach re (banner_res)
  {
    lines = egrep(pattern:re, string:headers);

    if (strlen(lines) > 0)
    {
      # This spelling is present: take the first line that yields a match
      # and stop. Later spellings are never consulted once one has hit.
      foreach candidate (split(lines, keep:FALSE))
      {
        hit = eregmatch(pattern:re, string:candidate);
        if (!isnull(hit))
        {
          src = hit[0];
          ver = hit[1];
          return;
        }
      }
      return;
    }
  }

  # No spelling matched; src and ver remain NULL.
}

# Main body: confirm from the Server header that ModSecurity is present on
# the port, record source/version strings in the KB, and emit an
# informational note.
#
# Everything recorded below is derived from a header the remote host
# controls. A missing or altered banner makes this check exit without a
# finding, so the absence of a result is not evidence that no WAF is
# deployed, and a reported version is only what the host chose to advertise.

# Read the port stored under www/waf/ModSecurity, exiting if the key is
# absent. Per the original note this call may fork.
port = get_kb_item_or_exit("www/waf/ModSecurity");

# Fetch the unmodified ("pristine") HTTP banner; exit if it cannot be read.
pristine = get_http_banner(port:port, exit_on_fail:TRUE);

# Ensure that the banner is usable: the literal substring "Server:" must be
# present ('>!<' is the "does not contain" operator).
if ("Server:" >!< pristine)
  audit(AUDIT_WRONG_WEB_SERVER, port, "one that provides a Server response header.");

# Require a ModSecurity token somewhere in the Server header. The later
# isnull(src) checks rely on audit() ending the script, so from here on
# modsecurity_installed is expected to always be TRUE.
if (egrep(pattern:"^Server:.*[Mm]od[_ ]?[Ss]ecurity", string:pristine))
  modsecurity_installed = TRUE;
else
  audit(AUDIT_WEB_APP_NOT_INST, "ModSecurity", port);

# Set a KB item so that we know it's ModSecurity on a certain port
set_kb_item(name:"www/" + port + "/modsecurity", value:TRUE);

# Parse the pristine banner; this fills the globals src and ver.
parse_banner(headers:pristine);

# The token was present but none of the versioned patterns matched
# (for example a bare "Mod_Security" with no version): treat as not found.
if (isnull(src)) audit(AUDIT_WEB_APP_NOT_INST, "ModSecurity", port);
set_kb_item(name:"www/modsecurity/" + port + "/pristine/source", value:src);

if (isnull(ver)) ver = 'unknown';
set_kb_item(name:"www/modsecurity/" + port + "/pristine/version", value:ver);
orig_ver = ver;
orig_src = src;

# Parse backported banner.
# NOTE(review): the return value of get_backport_banner() is discarded and
# parse_banner() is not called again, so as far as this file shows src and
# ver still hold the pristine values. Unless get_backport_banner() assigns
# those globals itself (not visible here), the ".../source" and
# ".../version" KB items below repeat the pristine ones and the isnull(src)
# check cannot fire. Confirm whether the intent was to parse the returned
# banner.
get_backport_banner(banner:pristine);

if (isnull(src)) audit(AUDIT_WEB_APP_NOT_INST, "ModSecurity", port);
set_kb_item(name:"www/modsecurity/" + port + "/source", value:src);
set_kb_item(name:"www/modsecurity/" + port + "/backported", value:is_backported());

if (isnull(ver)) ver = 'unknown';
set_kb_item(name:"www/modsecurity/" + port + "/version", value:ver);
report_source = src;
report_version = ver;

# Report findings
if (modsecurity_installed)
{
  # In non-paranoid scans (report_paranoia below 2) with a backported
  # banner, add a caveat and report the originally detected values.
  if (report_paranoia < 2 && is_backported())
  {
    report_backported_note =
      '  Note    : This install may have backported patches and thus,' +
      '\n            version checks will not be run in non-paranoid scan modes.' +
      '\n';

    # Use originally detected version in report for
    # non-paranoid scans
    report_version = orig_ver;
    report_source = orig_src;
  }

  # With verbosity enabled, attach the source and version strings to the
  # note; otherwise emit a bare note for the port. Both strings are copied
  # from the remote header as-is.
  if (report_verbosity > 0)
  {
    report = '\n' +
      'Nessus found the following version information in the HTTP Server header :' +
      '\n' +
      '\n  Source  : ' + report_source +
      '\n  Version : ' + report_version +
      '\n';
    # report_backported_note is only assigned in the branch above, so it is
    # NULL here unless that branch ran.
    if (!isnull(report_backported_note))
      report = report + report_backported_note;
    security_note(port:port, extra:report);
  }
  else security_note(port);
}
