
REQUEST-941-APPLICATION-ATTACK-XSS rules would not protect against attacks that aren't in the query string

_Issue originally created by user greeniguana10 on date 2018-08-16 12:51:17. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1170._

I’ve looked through the documentation here: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#ARGS

And also searched through the REQUEST-941-APPLICATION-ATTACK-XSS.conf file.

My understanding is since the REQUEST_URI argument isn’t present before any of the rules, the full get request would never be passed to any of the regular expressions and any XSS attack that isn’t in a query string wouldn’t be detected?

I’m thinking specifically of an example such as the attack used in exercise 6 here: http://www.behindthefirewalls.com/2014/06/xss-game-by-google-exercises-4-5-and-6.html

I am fairly new to ModSec, so apologies if this is a misunderstanding on my part. My understanding is that since the ARGS argument is present in all the rules, only key-value pairs of the query string would be passed to the regex?

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 5

Top GitHub Comments

1 reaction
CRS-migration-bot commented, May 13, 2020

User dune73 commented on date 2018-08-16 13:46:30:

No, I think you are wrong. In ModSec, this is all about the phases. Most of the rules in 941 are in phase 2, and this is where the ARGS collection is fully populated with query strings and parameters from the request body.

0 reactions
CRS-migration-bot commented, May 13, 2020

User greeniguana10 commented on date 2018-08-16 14:29:02:

Using OWASP_CRS/3.0.0 and applying the regular expressions in REQUEST-941-APPLICATION-ATTACK-XSS.conf and REQUEST-942-APPLICATION-ATTACK-SQLI.conf to the request lines of Apache log files using a Python script which I’ve written to identify malicious GET requests (as part of a university project).

I’m just concerned about whether I’m applying these filters correctly - since I mentioned I am getting a lot of false positives for specific filters (if I pass the entire GET request to the regular expressions).

I’m not sure exactly what you mean by alert messages from the log.
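
To make the phase argument from the first comment concrete, and to show why running a pattern over the whole logged request line (as the script described in the second comment does) behaves differently, here is an added Python example. It is not code from the original issue or from the CRS project: it models how ModSecurity fills the ARGS collection per phase (query-string fields only in phase 1, form-encoded body fields added in phase 2), applies a pattern to ARGS_NAMES and ARGS after URL decoding and an approximation of `t:htmlEntityDecode`, and contrasts that with a naive search over the raw request line. `XSS_RE` is a deliberately simplified stand-in, not a copy of any 941 regex, and the request lines and POST body are constructed sample data.

```python
"""Added example (not from the original issue, nor from the CRS project):
a toy model of how ModSecurity populates the ARGS collection by phase, so a
941-style pattern can be run over parameter values whether they arrived in
a GET query string or in a POST body.  XSS_RE is a simplified stand-in
pattern, not a copy of any rule in REQUEST-941-APPLICATION-ATTACK-XSS.conf."""
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Simplified stand-in for a 941-style XSS signature (NOT a CRS regex).
XSS_RE = re.compile(
    r"<\s*script\b|javascript\s*:|\bon(?:load|error|click|mouseover|focus)\s*=",
    re.IGNORECASE,
)

# Constructed sample data: Apache "%r" request lines plus, for the POST, the
# form-encoded body a WAF sees in phase 2 (bodies are not in access logs).
SAMPLES = [
    ("GET /index.php?page=home HTTP/1.1", None),
    ("GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1", None),
    ("GET /search?q=%26lt%3Bscript%26gt%3Balert(1)%26lt%3B%2Fscript%26gt%3B HTTP/1.1", None),
    ("POST /comment HTTP/1.1",
     "author=bob&text=%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fevil%2F%27%3C%2Fscript%3E"),
    ("GET /docs/javascript:-pseudo-urls HTTP/1.1", None),
]


def build_args(request_line, body=None, phase=2):
    """Return (name, value) pairs modelled on ModSecurity's ARGS collection.

    In phase 1 (request headers) only the query string is available, so ARGS
    is just ARGS_GET.  In phase 2 (request body) the body has been parsed and
    form-encoded fields (ARGS_POST) join the same collection.  parse_qsl
    URL-decodes names and values once, roughly like t:urlDecode.
    """
    fields = request_line.split(" ")
    target = fields[1] if len(fields) > 1 else fields[0]
    args = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if phase >= 2 and body:
        args += parse_qsl(body, keep_blank_values=True)
    return args


def inspect_args(request_line, body=None, phase=2, decode_entities=True):
    """Apply XSS_RE to ARGS_NAMES and ARGS; return [(target, matched_text)].

    decode_entities approximates t:htmlEntityDecode, one of the transforms
    the 941 rules chain after URL decoding, so &lt;script&gt; is caught too.
    """
    hits = []
    for name, value in build_args(request_line, body, phase):
        for target, text in (("ARGS_NAMES", name), ("ARGS", value)):
            if decode_entities:
                text = html.unescape(text)
            match = XSS_RE.search(text)
            if match:
                hits.append((f"{target}:{name}", match.group(0)))
    return hits


def inspect_raw_line(request_line):
    """The naive alternative: URL-decode the whole logged request line and
    search it as one string.  The path and protocol token get searched too,
    which is one source of extra matches, and a POST body is never seen
    because access logs do not contain it."""
    match = XSS_RE.search(unquote(request_line))
    return match.group(0) if match else None


if __name__ == "__main__":
    for line, body in SAMPLES:
        print(f"{line!r}\n  ARGS (phase 2): {inspect_args(line, body)}"
              f"\n  raw line:       {inspect_raw_line(line)!r}")
```

Two things the run makes visible: the POST payload is only found once `phase=2` adds the body to ARGS, and the path-only sample matches in the raw-line search while ARGS stays clean, which is the kind of mismatch that shows up as a false positive when a whole request line is fed to parameter-oriented rules. A separate caveat that applies to any server-side filter: whatever follows `#` in a URL is kept by the browser and never sent in the HTTP request, so neither this script nor a WAF can inspect it.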


