[Owasp-modsecurity-core-rule-set] Some XSS evasions posted
modsec at spam.lifeforms.nl
Sun Sep 13 13:51:56 UTC 2015
Last week, Mazin Ahmed published a report with some XSS evasions for various WAFs including ModSecurity. It can be found as a PDF here: http://blog.mazinahmed.net/2015/09/evading-all-web-application-firewalls.html
He describes three evasions against ModSecurity. They’re listed on page 14 of the PDF. It might be interesting to look at them and see if they need addressing.
I’ll list the points here if the spam filters will accept it…
<a href="j[785 bytes of (
5.6.2 US-Encoding Bypass:
This sounds not so interesting to me since only IE6 and IE7 “auto-correct” this monstrosity.
5.6.3 Triple URL encoding:
The substring of URL-encoded characters does trigger the rule for multiple URL encoding; however, this is logged at warning level only.
I’m not sure what to make of it since the given examples themselves also trigger various other CRS rules, but passing it on just in case.
Walter Hop | PGP key: https://lifeforms.nl/pgp
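As an added illustration of the "multiple URL encoding" point above (example code written for this page, not from the post, the report, or the CRS itself): a small checker that counts how many URL-decoding rounds a parameter needs before it stops changing, so stacked encoding is surfaced explicitly and the fully decoded value can be handed to the usual content inspection. The query strings are constructed samples; `max_normal_depth` is an assumed policy knob, not a CRS setting.

```python
from urllib.parse import unquote

# Constructed sample query strings (not taken from the report or the post).
SAMPLES = {
    "plain": "q=hello",
    "single": "q=%3Cb%3Ebold%3C%2Fb%3E",
    "triple": "q=%25253Cscript%25253Ealert(1)%25253C%252Fscript%25253E",
}


def decode_layers(value, max_rounds=10):
    """Return (depth, fully_decoded).

    depth is the number of decode rounds that changed the value: 0 for plain
    text, 1 for ordinary single encoding, 3 for triple encoding.  max_rounds
    bounds the loop so a pathological '%2525...' chain cannot spin forever.
    """
    depth, current = 0, value
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        depth, current = depth + 1, decoded
    return depth, current


def inspect_query(raw_query, max_normal_depth=1):
    """Split the raw query string WITHOUT decoding it first, then measure
    the encoding depth of every parameter.  Anything deeper than
    max_normal_depth is flagged as stacked (multiple) URL encoding; the
    decoded value is returned so later checks inspect the real payload.
    """
    findings = []
    for pair in raw_query.split("&"):
        name, _, value = pair.partition("=")
        depth, decoded = decode_layers(value)
        findings.append({
            "param": unquote(name),
            "depth": depth,
            "decoded": decoded,
            "multiple_encoding": depth > max_normal_depth,
        })
    return findings


if __name__ == "__main__":
    for label, query in SAMPLES.items():
        for finding in inspect_query(query):
            print(label, finding)
```

Depth alone is a coarse signal; the useful part for a rule set is that inspection of the decoded value happens regardless of how many layers the client stacked.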