Max Leske

icon company Xovis.com

Results 149 comments of Max Leske

XSS Bypass on the official CoreRuleSet rules (REQUEST-941-APPLICATION-ATTACK-XSS.conf)

> I think the `:` in `jav
ascript:` is covered by the transformation [htmlEntityDecode](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#htmlEntityDecode) that we have in many of the 941 rules. That is not entirely correct, unfortunately. `:` is...

feat(list): update lfi-os-files

Where did those `[jboss]` entries come from? Are they really path components? I noticed that we have a file called `restricted-files.data`, that says to keep it in sync with `lfi-os-files.data`....

Add workaround for expirevar on NGiNX for DOS rules as a plugin

I've added an initial version of a plugin that implements the workaround: https://github.com/coreruleset/dos-protection-plugin-modsecurity-v3. Still needs to be tested.

context deadline exceeded (Client.Timeout exceeded while awaiting headers)

That message comes from the Go HTTP client, which must be the Kubernetes control plane. Since the container is configured as a proxy, it could be that your nginx container...

ModSecurity 3.0.3 collection expirevar does not work

Meanwhile here's a workaround for everyone who needs DOS protection to work. The hack uses dedicated variables in conjunction with the `TIME_EPOCH` variable to explicitly expire the DOS variables. [REQUEST-912-DOS-PROTECTION.conf.txt](https://github.com/SpiderLabs/ModSecurity/files/2988887/REQUEST-912-DOS-PROTECTION.conf.txt)

ModSecurity 3.0.3 collection expirevar does not work

Good to hear that, thanks. As for switching browsers: that shouldn't make a difference. AFAICT, only the IP is considered for the blocking logic. Are you sure that you don't...

ModSecurity 3.0.3 collection expirevar does not work

@pixelicous Sorry, this is very late. You're using `expirevar`, which does not work (at least it didn't when I wrote the workaround). Make sure to do everything as it's done...

CSS transforms on SVG elements

@drjecker I've been using your idea in production for about two years now and it works pretty well. There's one problem in particular I've discovered (and just had to fix)...

Request streaming with Zinc

As we discussed in https://github.com/SeasideSt/Grease/pull/103 I've moved `#newTemporaryFileReference` to the new `Seaside-Zinc-Pharo` package together with all of the stuff for request streaming. I've also renamed `Zinc-Seaside` to `Seaside-Zinc`, but we...

Request streaming with Zinc

I've reverted the renaming of Zinc-Seaside and opened a separated issue to do it for 3.6: https://github.com/SeasideSt/Seaside/issues/1197