
XSS bypass with a payload not containing "<script>"

Open dune73 opened this issue 4 years ago • 0 comments

Description

The following request is not identified as an attack at PL1 - yet on the specific application I am looking at, this is a successful XSS.

$> curl 'http://localhost/index.html?pa=BCDEGHKLMNPQRSTUVXYZ%26apos%3b%3balert(%27Hello%27)'

The problem is probably that it's "alert" without prior script tag. I wonder if we want to come up with a rule to detect this by default. I am a bit torn and I fear false positives.

Your Environment

  • CRS version (e.g., v3.2.0): v3.2.0
  • Paranoia level setting: PL1
  • ModSecurity version (e.g., 2.9.3): 2.9.3
  • Web Server and version (e.g., apache 2.4.41): 2.4.41
  • Operating System and version: Ubuntu

Confirmation

[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

dune73 · Feb 28 '20 15:02