[Owasp-modsecurity-core-rule-set] How to to with this type of attack?
Ryan Barnett
rcbarnett at gmail.com
Sat Mar 13 10:36:47 EST 2010
You could do two things -
1) Use the @validateByteRange operator to identify/block on the
existence of Null Bytes (%00), or
2) Use the t:removeNulls transformation function which will normalize
the data before the operator inspection.
On 3/13/10, Junyong Jiang <dreamice.jiang at gmail.com> wrote:
> Dear all,
>
> I have tested the ModSecurity rule set for more than one year. Recently, I
> came across the following type of attack.
> When I test the XSS attack, I check for the keyword "script"; in URL
> encoding, it is "%53%43%72%69%50%74".
> But the tricky attacker uses the encoded keyword
> "%53%43*%00*%72%69%50%74" (script).
> I write "t:urlDecodeUni" in my ModSecurity rules for URL decoding;
> unfortunately, the URL decoding procedure ends as soon as it meets "%00".
> So the current ModSecurity core rule set cannot do anything with this type of
> attack. Even if I use "t:compressWhiteSpace", there is no effect.
>
> Can anyone help with this type of attack? Thanks a lot!
>
--
Sent from my mobile device
Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security
http://tacticalwebappsec.blogspot.com/
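Added example (not from this thread or the CRS project): a small Python stand-in for the two approaches in the reply, run over the null-spliced payload from the question. `validate_byte_range` mirrors what `@validateByteRange 1-255` checks, `remove_nulls` mirrors `t:removeNulls`; the `SecRule` lines in the comments are illustrative and the rule ids are placeholders.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample from the thread: "script" URL-encoded with %00 spliced
# in after the first two characters.
SAMPLE = "%53%43%00%72%69%50%74"

# Keyword check the question describes (case-insensitive "script").
XSS_KEYWORD = re.compile(rb"script", re.IGNORECASE)


def url_decode(value: str) -> bytes:
    """Percent-decode the whole string; %00 becomes a real NUL byte (0x00)."""
    return unquote_to_bytes(value)


def validate_byte_range(data: bytes, low: int = 1, high: int = 255) -> bool:
    """Approach 1: block on the presence of a NUL byte.
    Illustrative rule (id is a placeholder):
      SecRule ARGS "@validateByteRange 1-255" "id:900001,phase:2,t:urlDecodeUni,deny"
    Returns True only when every byte lies in [low, high]."""
    return all(low <= b <= high for b in data)


def remove_nulls(data: bytes) -> bytes:
    """Approach 2: normalize before the operator runs.
    Illustrative rule (id is a placeholder):
      SecRule ARGS "@rx script" "id:900002,phase:2,t:urlDecodeUni,t:removeNulls,deny"
    Dropping NUL bytes rejoins the split keyword so the regex sees it."""
    return data.replace(b"\x00", b"")


def inspect(value: str) -> dict:
    """Decode once, then report what each defence would see."""
    decoded = url_decode(value)
    return {
        "decoded": decoded,
        "byte_range_ok": validate_byte_range(decoded),
        # Without removeNulls the NUL sits inside the keyword and the regex misses it.
        "keyword_seen_raw": XSS_KEYWORD.search(decoded) is not None,
        # With removeNulls the keyword is contiguous again and the regex matches.
        "keyword_seen_after_removenulls": XSS_KEYWORD.search(remove_nulls(decoded)) is not None,
    }


if __name__ == "__main__":
    for key, val in inspect(SAMPLE).items():
        print(f"{key}: {val!r}")
```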