Mod_Security Cross Site Scripting Bypass

2013.06.20
Credit: Rafay Baloch
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Product: Mod_security Author: Rafay Baloch Status: Fixed Details: The Mod_Security firewall is one of the most known WAF around, It has an online smoke test where we can check if a vector bypassed the regular expressions. Payload: It was though detecting null bytes, but it was generating a false positive marking an xss attack as a SQL Injection attack. The payload that was injected was: <scri%00pt>confirm(0);</scri%00pt> I changed alert/eval to confirm, because alert was being detected but prompt and confirm were not being detected. Fix: The ModSecurity has updated the rule set and it now the detects the vector as an xss vector. More details can be found in the following tweet: https://twitter.com/ModSecurity/status/347364390737178625 -- Warm Regards, Rafay Baloch http://rafayhackingarticles.net http://techlotips.com

References:

https://twitter.com/ModSecurity/status/347364390737178625
http://rafayhackingarticles.net
http://techlotips.com


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top