[Owasp-modsecurity-core-rule-set] How to deal with this type of attack?
rcbarnett at gmail.com
Sat Mar 13 10:36:47 EST 2010
You could do two things -
1) Use the @validateByteRange operator to identify/block on the
existence of Null Bytes (%00), or
2) Use the t:removeNulls transformation function which will normalize
the data before the operator inspection.
On 3/13/10, Junyong Jiang <dreamice.jiang at gmail.com> wrote:
> Dear all,
> I have tested the ModSecurity rule set for more than one year. Recently, I
> came across the following type of attack.
> When I test for the XSS attack, I check for the keyword "script"; in URL
> encoding, it is "%53%43%72%69%50%74".
> But the tricky attacker uses the encoded keyword as
> I wrote "t:urlDecodeUni" in my ModSecurity rules for URL decoding;
> unfortunately, the URL decoding procedure only ends when it meets "%00".
> So the current ModSecurity Core Rule Set cannot do anything with this type of
> attack. Even if I use "t:compressWhiteSpace", there is no effect.
> Can anyone help with this type of attack? Thanks a lot!
Sent from my mobile device
Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security
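The two options in the reply, written out as ModSecurity 2.x rules. This is an added example, not a rule from the thread or from the Core Rule Set; the rule ids (900100, 900101) are arbitrary placeholders, and it assumes SecRuleEngine is On and that the null byte arrives inside a request argument, as in the reporter's case (a URL-encoded keyword with %00 inserted into it, which decodes to something like "scr<NUL>ipt" and slips past a plain "script" pattern):

```apache
# Added example (not from the original thread). Assumed setup: ModSecurity 2.x,
# SecRuleEngine On; rule ids 900100/900101 are arbitrary placeholders.

# Option 1: block on the existence of the NUL byte itself.
# @validateByteRange matches when a byte falls OUTSIDE the listed range, so
# "1-255" flags exactly the 0x00 byte that %00 decodes to. Decoding runs before
# the operator, so the check sees the decoded value, not the literal "%00".
SecRule ARGS "@validateByteRange 1-255" \
    "id:900100,phase:2,t:none,t:urlDecodeUni,log,deny,status:403,\
    msg:'NUL byte in request argument',logdata:'%{MATCHED_VAR}'"

# Option 2: normalise first, then inspect.
# t:removeNulls strips NUL bytes after decoding, so "scr<NUL>ipt" becomes
# "script" before the regex runs; t:lowercase then defeats the mixed-case
# "%53%43%72%69%50%74" style of the reported payload as well.
SecRule ARGS|REQUEST_URI "@rx <script" \
    "id:900101,phase:2,t:none,t:urlDecodeUni,t:removeNulls,t:lowercase,\
    log,deny,status:403,msg:'XSS: script tag found after NUL removal',\
    logdata:'%{MATCHED_VAR}'"
```

Option 1 is the blunter tool: a legitimate application almost never needs a raw NUL in a query or form field, so rejecting it outright is usually safe and also stops other null-byte tricks unrelated to XSS. Option 2 keeps the request flowing and only blocks on the normalised keyword; if you take that route, put t:removeNulls on every rule whose pattern could be split by a null, not just this one, because the transformation list is per rule.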