[Owasp-modsecurity-core-rule-set] Check for User-agent field missing in CRS

Michele Roviello micheleroviello at gmail.com
Wed Jul 15 11:46:54 UTC 2015


Hello,
I have done some tests on XSS attacks with ModSecurity and the base rules
for XSS attack from the CRS.
I have found that this set of rules doesn't check for an XSS attack vector
in the User-agent field of the HTTP message.
Is this true or am I missing something?
Thank you for your consideration,
Michele Roviello