[Owasp-modsecurity-core-rule-set] How to deal with this type of attack?
Junyong Jiang
dreamice.jiang at gmail.com
Sat Mar 13 09:54:58 EST 2010
Dear all,
I have tested the ModSecurity rule set for more than one year. Recently, I
came across the following type of attack.
When I test the XSS attack, I check for the keyword "script"; in URL
encoding, it is "%53%43%72%69%50%74".
But the tricky attacker uses the encoded keyword as
"%53%43*%00*%72%69%50%74" (script).
I write "t:urlDecodeUni" in my ModSecurity rules for URL decoding;
unfortunately, the URL decoding procedure only ends when it meets "%00".
So the current ModSecurity Core Rule Set cannot do anything with this type of
attack. Even if I use "t:compressWhiteSpace", there is no effect.
Can anyone help with this type of attack? Thanks a lot!
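As an added illustration (not code from the post or from the CRS project), the following Python models a rule's transformation chain: percent-decode, then strip NUL bytes, then lowercase, mirroring ModSecurity's t:urlDecodeUni, t:removeNulls and t:lowercase. It shows why a chain that decodes but never removes the NUL fails to match the split keyword from the post, while the chain with NUL removal does; the sample query strings are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample query strings; "nul_split" is the evasion form from the post.
SAMPLES = {
    "plain":     "q=%3C%53%43%72%69%50%74%3E",       # <SCriPt>
    "nul_split": "q=%3C%53%43%00%72%69%50%74%3E",    # <SC\x00riPt>
}

# Detection pattern applied after normalisation (keyword check from the post).
SCRIPT_RE = re.compile(r"<script")


def t_url_decode(s: str) -> str:
    # Percent-decoding; %00 becomes a literal NUL character inside the string.
    return unquote(s)


def t_remove_nulls(s: str) -> str:
    # Models t:removeNulls: drop embedded NULs so the token is contiguous again.
    return s.replace("\x00", "")


def t_lowercase(s: str) -> str:
    # Models t:lowercase so mixed-case keywords (ScRiPt) still match.
    return s.lower()


def normalize(raw: str, chain) -> str:
    # Apply each transformation in order, exactly as a rule's t: chain would.
    for transform in chain:
        raw = transform(raw)
    return raw


# Weak chain: decode and lowercase only; the NUL stays inside "sc\x00ript".
WEAK_CHAIN = (t_url_decode, t_lowercase)
# Hardened chain: NUL removal between decoding and matching.
HARDENED_CHAIN = (t_url_decode, t_remove_nulls, t_lowercase)


def matches_script(raw: str, chain) -> bool:
    return SCRIPT_RE.search(normalize(raw, chain)) is not None


def evaluate() -> dict:
    # Returns {sample_name: (weak_chain_hit, hardened_chain_hit)}.
    return {name: (matches_script(raw, WEAK_CHAIN), matches_script(raw, HARDENED_CHAIN))
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (weak, hardened) in evaluate().items():
        print(f"{name:10s} weak={weak} hardened={hardened}")
```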