[Owasp-modsecurity-core-rule-set] XSS false negative ?

Chaim Sanders chaim at chaimsanders.com
Thu Jul 13 03:09:57 UTC 2017

Hey Subin,
Long time no speak. It does indeed look as if PL1 of CRS 3.0 doesn't catch
that. PL2 catches it with rules 942340, 942370, and 942430. It might be
worth looking into trying to add some logic that isn't false positive prone
to PL1. In this case it'll be tricky as it appears that the XSS triggered
here would be in the javascript context already. Any thoughts?

On Wed, Jul 12, 2017 at 9:25 PM, Thayyile kandy, Subin : CSO GIS <
sthayyilekan at barclaycardus.com> wrote:

> Shouldn't CRS3.0 be flagging this XSS? I did check the XSS rules but
> couldn't figure out why it wasn't getting flagged.
> https://localhost/test.action?testingid=29776%27};alert(1);
> var%20x={%27myid%27:%2723233
> Thanks
> Subin
> Barclaycard
> www.barclaycardus.com

Chaim Sanders
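The payload quoted above breaks out of a single-quoted JavaScript string rather than injecting any HTML, which is the "javascript context" the reply refers to. As an added example (not part of the thread, and not CRS or ModSecurity code), the Python below decodes that request, shows a hypothetical inline-script template that such a value would escape from, and the output encoding that keeps it a plain string regardless of which paranoia level the WAF runs at. The template and all function names are assumptions.

```python
import json
from urllib.parse import unquote, urlsplit

# Constructed copy of the request quoted in the thread. Note that the decoded
# parameter contains no '<', '>' or HTML tag at all: it only works as an
# injection once it lands inside a JavaScript string literal.
REQUEST_URL = ("https://localhost/test.action?testingid=29776%27};alert(1);"
               "var%20x={%27myid%27:%2723233")


def decoded_testing_id(url: str) -> str:
    """Return the percent-decoded testingid value, as the application sees it.
    Split manually rather than with parse_qs: older parse_qs versions also
    treat ';' as a separator and would truncate this value."""
    name, _, raw = urlsplit(url).query.partition("=")
    if name != "testingid":
        raise ValueError("unexpected query parameter: %r" % name)
    return unquote(raw)


def render_unsafe(testing_id: str) -> str:
    """Hypothetical inline script that splices the parameter straight into a
    single-quoted JavaScript string. A value containing '}; closes the string,
    the object literal and the statement, so whatever follows runs as code."""
    return "<script>var x={'myid':'%s'};</script>" % testing_id


def js_string_literal(value: str) -> str:
    """Encode value as a JavaScript string literal that stays inert wherever an
    inline script embeds it: json.dumps escapes double quotes, backslashes and
    control characters; <, >, & and ' are then turned into \\uXXXX escapes so
    the literal can close neither the string nor the enclosing <script> tag."""
    literal = json.dumps(value)
    for ch in "<>&'":
        literal = literal.replace(ch, "\\u%04x" % ord(ch))
    return literal


def render_safe(testing_id: str) -> str:
    """Same template, with the value passed through js_string_literal."""
    return "<script>var x={'myid':%s};</script>" % js_string_literal(testing_id)


if __name__ == "__main__":
    value = decoded_testing_id(REQUEST_URL)
    print("decoded:", value)
    print("unsafe :", render_unsafe(value))
    print("safe   :", render_safe(value))
```

Running it shows the unsafe rendering contains `'};alert(1);` as a standalone statement, while the safe rendering keeps the whole value inside one double-quoted literal with the single quotes escaped as `\u0027`.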