Christian Folini
### Description The following request is not identified as an attack at PL1 - yet on the specific application I am looking at, this is a successful XSS. ``` $>...
The following bypass was pasted on twitter. ``` { 1 }; ;+$u+cat+/etc$u/passwd$u { 2 }; ;+$u+cat+/etc$u/passwd+\# ``` https://twitter.com/spyerror/status/1162826904833089541?s=19 According to @franbuehler, this passes on PL1, but is being detected on...
CAPEC: Common Attack Pattern Enumeration and Classification (https://capec.mitre.org/) We have a few rules with CAPEC tags and links to CAPEC descriptions in their comments. But so far this has not...
Creating this feature request was recommended by @drcaramelsyrup at https://github.com/cloudflare/pingora/issues/31#issuecomment-2000798482 OWASP CRS currently runs on the following WAF engines: * OWASP ModSecurity v2 * OWASP ModSecurity v3 * OWASP Coraza...
```
$ curl -H "x-format-output: txt-matched-rules" http://sandbox.coreruleset.org/ -d "foo=document.querySelector('p').textContent=\"XSS\""
-- no output --
$ curl -H "x-format-output: txt-matched-rules" http://sandbox.coreruleset.org/ -d 'foo=document.body.appendChild(document.createElement("h1")).textContent = "XSS"'
-- no output --
```
The `document.head.appendChild`...
```
$ curl -H "x-format-output: txt-matched-rules" http://sandbox.coreruleset.org/ -d 'foo=console.log(msg)'
-- no output --
$ curl -H "x-format-output: txt-matched-rules" http://sandbox.coreruleset.org/ -d 'foo=console.dir(msg)'
-- no output --
```
### Description ``` $ curl -H "x-format-output: txt-matched-rules" http://sandbox.coreruleset.org/ -d 'foo=fetch("https://jsonplaceholder.typicode.com/todos/1")' -- no output -- $ curl -H "x-format-output: txt-matched-rules" http://sandbox.coreruleset.org/ -d 'foo=import * as name from "module.js";' -- no...
See https://github.com/coreruleset/modsecurity-crs-docker/issues/215 for bug report and discussion.