Product: Mod_security
Author: Rafay Baloch
Status: Fixed
Details:
The Mod_Security firewall is one of the best-known WAFs around. It has an
online smoke test where we can check whether a vector bypasses its regular
expressions.
Payload:
It was detecting null bytes, but it was generating a false positive,
marking an XSS attack as a SQL injection attack.
The payload that was injected was:
<scri%00pt>confirm(0);</scri%00pt>
I changed alert/eval to confirm, because alert was being detected but
prompt and confirm were not being detected.
Fix:
ModSecurity has updated the rule set and it now detects the vector
as an XSS vector. More details can be found in the following tweet:
https://twitter.com/ModSecurity/status/347364390737178625
--
Warm Regards,
Rafay Baloch
http://rafayhackingarticles.net
http://techlotips.com
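
The following Python is an added example, not ModSecurity's rule code and not code from the post's author. It shows the filtering gap the post describes: matching the raw string misses the vector, while decoding and stripping NUL bytes first, and treating alert, confirm and prompt alike, classifies it as XSS. The function names and the weak filter are hypothetical, and all inputs other than the post's payload are constructed.

```python
import re
from urllib.parse import unquote

# Dialog functions named in the post: alert was caught, confirm and prompt were not.
DIALOG_CALL = re.compile(r"\b(?:alert|confirm|prompt)\s*\(")
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b")


def url_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded input is also unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def naive_is_xss(value: str) -> bool:
    """Hypothetical weak filter: inspects the raw value and only knows alert()."""
    return bool(re.search(r"<script\b", value, re.I)) or "alert(" in value.lower()


def classify(value: str) -> dict:
    """Findings for one parameter value, matched only after normalization."""
    decoded = url_decode(value)
    # Remove NUL bytes before matching so a split tag name is reassembled.
    clean = decoded.replace("\x00", "").lower()
    return {
        "null_byte": "\x00" in decoded,  # reported on its own, not as SQLi
        "script_tag": bool(SCRIPT_TAG.search(clean)),
        "dialog_call": bool(DIALOG_CALL.search(clean)),
    }


def is_xss(value: str) -> bool:
    findings = classify(value)
    return findings["script_tag"] or findings["dialog_call"]


POST_PAYLOAD = "<scri%00pt>confirm(0);</scri%00pt>"   # from the post
DOUBLE_ENCODED = "%253Cscript%253Eprompt(1)"           # constructed sample
BENIGN = "name=John&confirm=yes"                       # constructed sample
```
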