[Owasp-modsecurity-core-rule-set] XSS false negative ?

Thayyile kandy, Subin : CSO GIS sthayyilekan at BarclaycardUS.com
Thu Jul 13 03:23:43 UTC 2017


Hey Chaim, hope you are doing great. Yes, the data injected is in the JavaScript content already; I have not been very successful trying to match patterns here without false positives.


From: chaim.sanders at gmail.com On Behalf Of Chaim Sanders
Sent: Wednesday, July 12, 2017 23:10
To: Thayyile kandy, Subin : CSO GIS
Cc: owasp-modsecurity-core-rule-set at lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] XSS false negative ?

Hey Subin,
Long time no speak. It does indeed look as if PL1 of CRS 3.0 doesn't catch that. PL2 catches it with rules 942340, 942370, and 942430. It might be worth looking into trying to add some logic that isn't false positive prone to PL1. In this case it'll be tricky, as it appears that the XSS triggered here would be in the JavaScript context already. Any thoughts?

On Wed, Jul 12, 2017 at 9:25 PM, Thayyile kandy, Subin : CSO GIS <sthayyilekan at barclaycardus.com> wrote:
Shouldn't CRS 3.0 be flagging this XSS? I did check the XSS rules but couldn't figure out why it wasn't getting flagged.

https://localhost/test.action?testingid=29776%27};alert(1);var%20x={%27myid%27:%2723233

Thanks
Subin
Barclaycard

www.barclaycardus.com

This email and any files transmitted with it may contain confidential and/or proprietary information. It is intended solely for the use of the individual or entity who is the intended recipient. Unauthorized use of this information is prohibited. If you have received this in error, please contact the sender by replying to this message and delete this material from any system it may be on.
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set



--
Chaim Sanders
http://www.ChaimSanders.com

Barclaycard

www.barclaycardus.com

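As an added illustration that is not part of the thread: the request quoted above, URL-decoded and dropped into a JavaScript string the way the thread describes, beside the output encoding that keeps such a value inert regardless of what the WAF matches. The `var cfg = {...}` template is an assumption about the application, which the thread does not show; the decoded payload carries no tags or event handlers, which is why markup-oriented XSS signatures have nothing to key on.

```python
import json
import urllib.parse

# Constructed from the request quoted in the thread; the surrounding template
# is an assumption about how the application embeds the parameter.
QUERY = "testingid=29776%27};alert(1);var%20x={%27myid%27:%2723233"
TEMPLATE = "var cfg = {'testingid':%s};"


def decode_param(query, name):
    """URL-decode one query parameter by hand (parse_qs on older Pythons
    also splits on ';', which would shred this particular value)."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if urllib.parse.unquote(key) == name:
            return urllib.parse.unquote(value)
    return None


def render_unsafe(value):
    """The vulnerable pattern: the raw value dropped between single quotes.
    The payload's leading ' and } close the string and the object literal,
    so the remainder is parsed as further statements."""
    return TEMPLATE % ("'" + value + "'")


def js_string_literal(value):
    """JavaScript-context output encoding: JSON-quote the value, then also
    escape the characters that could end the enclosing <script> block or
    act as JS line terminators even inside a string literal."""
    literal = json.dumps(value)  # escapes ", \ and control characters
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        literal = literal.replace(ch, esc)
    return literal


def render_safe(value):
    """Same template, but the value can only ever be one string literal."""
    return TEMPLATE % js_string_literal(value)


if __name__ == "__main__":
    payload = decode_param(QUERY, "testingid")
    print("decoded :", payload)
    print("unsafe  :", render_unsafe(payload))
    print("safe    :", render_safe(payload))
```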