[Owasp-modsecurity-core-rule-set] Xss rules- can these be simplified/combined ?

Ryan Barnett ryan.barnett at breach.com
Wed May 19 10:10:19 EDT 2010


On Wednesday 19 May 2010 04:08:51 Rajeev Sethi wrote:
> Hi all,
> 
> I've noticed that the core rule set comes loaded with several XSS filters.
> During my testing, I found that many filters from different categories
> (PHPIDS, IE8 etc.) are hit. So, I am wondering if someone has been able to
> reduce the XSS filters by removing redundant filters?
> 
> For example, I think the IE8 XSS rule is always hit whenever I try XSS, so does
> it mean that if I use ONLY the IE8 XSS filter, I'm covered from XSS attacks? Or, if
> I use only the PHPIDS XSS filter, will I be missing any potential XSS
> payloads? I'm hoping to find an "intersection" of all the rules.
> 
> Thoughts?

I am sure that there is some overlap between the signatures in the CRS XSS file
(modsecurity_crs_41_xss_attacks.conf) and the PHP filters
(modsecurity_crs_41_phpids_filters.conf); however, there are also signatures that are unique
to each.  We chose to keep the 2 files separate since the PHP signatures, which are
converted from the PHPIDS default_filter.xml file
(https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml), are updated periodically and
outside of the control of the CRS.  We have a script that will convert the PHPIDS filters,
so we just run it when we update the CRS.

-Ryan 
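
The conversion step mentioned in the reply above can be sketched as follows. This is an added example, not part of the original message and not the CRS project's conversion script. The sample XML is constructed in the layout of default_filter.xml, and the target variable (ARGS), the action list, the rule-id base and the Apache-style quoting rule are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the layout of PHPIDS default_filter.xml; not real PHPIDS filters.
SAMPLE_XML = r"""<filters>
  <filter><id>1</id><impact>4</impact><tags><tag>xss</tag></tags>
    <rule><![CDATA[(?:<script\b[^>]*>)]]></rule>
    <description>opening script tag</description></filter>
  <filter><id>2</id><impact>3</impact><tags><tag>xss</tag><tag>csrf</tag></tags>
    <rule><![CDATA[(?:\bon\w+\s*=\s*")]]></rule>
    <description>quoted event handler's value</description></filter>
  <filter><id>3</id><impact>5</impact><tags><tag>sqli</tag></tags>
    <rule><![CDATA[(?:\bunion\s+select\b)]]></rule>
    <description>union select</description></filter>
</filters>"""

ID_BASE = 9900000  # hypothetical rule-id range reserved for converted filters

def quote_operator(pattern):
    # Assumption: Apache-style quoting, where inside "..." only \" and \\ are
    # unescaped. Double a backslash that precedes \ or ", then escape each ".
    pattern = re.sub(r'\\(?=[\\"])', r'\\\\', pattern)
    return pattern.replace('"', '\\"')

def convert(xml_text, tag="xss"):
    """Return one SecRule line for every filter that carries `tag`."""
    rules = []
    for f in ET.fromstring(xml_text).iter("filter"):
        if tag not in [t.text for t in f.iter("tag")]:
            continue  # e.g. skip SQLi-only filters when building the XSS file
        msg = f.findtext("description").replace("'", "\\'")
        rules.append(
            'SecRule ARGS "@rx %s" "phase:2,t:none,block,id:\'%d\',msg:\'%s\','
            'tag:\'PHPIDS/%s\',setvar:tx.anomaly_score=+%s"'
            % (quote_operator(f.findtext("rule")),
               ID_BASE + int(f.findtext("id")),
               msg, tag.upper(), f.findtext("impact")))
    return rules

if __name__ == "__main__":
    print("\n".join(convert(SAMPLE_XML)))
```

Because each generated rule keeps the upstream filter id and impact, a regenerated file can be diffed against the previous one to see which filters changed upstream.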

