Mod_Security Cross Site Scripting Bypass

Credit: Rafay Baloch
Risk: Low
Local: No
Remote: Yes

Product: Mod_security Author: Rafay Baloch Status: Fixed Details: The Mod_Security firewall is one of the most known WAF around, It has an online smoke test where we can check if a vector bypassed the regular expressions. Payload: It was though detecting null bytes, but it was generating a false positive marking an xss attack as a SQL Injection attack. The payload that was injected was: <scri%00pt>confirm(0);</scri%00pt> I changed alert/eval to confirm, because alert was being detected but prompt and confirm were not being detected. Fix: The ModSecurity has updated the rule set and it now the detects the vector as an xss vector. More details can be found in the following tweet: -- Warm Regards, Rafay Baloch


Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022,


Back to Top