Mod_Security Cross Site Scripting Bypass

2013.06.20

Credit: Rafay Baloch

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

Product: Mod_security
Author: Rafay Baloch
Status: Fixed

Details:

The Mod_Security firewall is one of the most known WAF around, It has an
online smoke test where we can check if a vector bypassed the regular
expressions.

Payload:

It was though detecting null bytes, but it was generating a false positive
marking an xss attack as a SQL Injection attack.

The payload that was injected was:

<scri%00pt>confirm(0);</scri%00pt>

I changed alert/eval to confirm, because alert was being detected but
prompt and confirm were not being detected.

Fix:

The ModSecurity has updated the rule set and it now the detects the vector
as an xss vector. More details can be found in the following tweet:
https://twitter.com/ModSecurity/status/347364390737178625

-- 
Warm Regards,
Rafay Baloch

http://rafayhackingarticles.net
http://techlotips.com

References:

https://twitter.com/ModSecurity/status/347364390737178625

http://rafayhackingarticles.net

http://techlotips.com

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Mod_Security Cross Site Scripting Bypass

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.