
Motivation

We run some sites having mod_security with the OWASP-Core Ruleset 3.3.0 enabled. (thanks for your work 😉) After doing some security analysis, we found out that some requests bypassed modsecurity and led to successful XSS attacks.

Such an example request would be: GET https://mysite.com/en/search/%3Cimg+src%3Dx+onerror%3Dalert%281%29%3B%3E

In my opinion, the XSS-Attacks are not checked against the Request-Path. (only COOKIES, ARGS, ARG_NAMES, XML, HEADERS, …)

Proposed solution

Include REQUEST_FILENAME in the XSS-Detection rules. (in REQUEST-941-APPLICATION-ATTACK-XSS.conf)

e.g.

SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@detectXSS" \
    "id:941100,\
...

After applying these changes, the XSS attacks were correctly blocked.

Alternatives

Additional context

Issue Analytics

  • State: closed
  • Created: 2 years ago
  • Comments: 13 (12 by maintainers)

Top GitHub Comments

3 reactions
dune73 commented, Aug 25, 2021

I have another report with the following payload that goes undetected in default install:

$ curl "http://localhost/index.html/\"onmouseover='prompt(document.cookie)'\""

Adding REQUEST_FILENAME to 941100 or 941101 (PL2) does the trick.
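To make the gap both reports describe concrete, here is an added Python example (not CRS or ModSecurity code) that rebuilds the variable collections a rule can target from a raw request line and runs a stand-in detector over them with and without REQUEST_FILENAME. The sample request lines are constructed from the two payloads quoted in this thread, and the marker regex is an assumption standing in for the real @detectXSS (libinjection) operator.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample request lines: the two payloads reported in the issue (payload in
# the path), the same img payload moved into a query argument, and a benign request.
SAMPLE_REQUESTS = [
    "GET /en/search/%3Cimg+src%3Dx+onerror%3Dalert%281%29%3B%3E HTTP/1.1",
    "GET /index.html/\"onmouseover='prompt(document.cookie)'\" HTTP/1.1",
    "GET /en/search?q=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E HTTP/1.1",
    "GET /en/search?q=shoes HTTP/1.1",
]

# Assumption: this small marker regex stands in for CRS's @detectXSS (libinjection).
XSS_MARKERS = re.compile(r"<\s*[a-z]+|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def extract_variables(request_line):
    """ModSecurity-style collections: ARGS as (name, value) pairs, and
    REQUEST_FILENAME as the path with the rule's urlDecodeUni already applied."""
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    return {
        "ARGS": parse_qsl(parts.query, keep_blank_values=True),
        "REQUEST_FILENAME": unquote_plus(parts.path),
    }


def inspect(request_line, include_request_filename):
    """Return the variable names in which XSS markers were found.
    False mirrors the original 941100 targets (ARGS/ARGS_NAMES for a GET without
    cookies or headers); True mirrors the proposed rule with REQUEST_FILENAME added."""
    variables = extract_variables(request_line)
    targets = [(f"ARGS:{n}", v) for n, v in variables["ARGS"]]
    targets += [(f"ARGS_NAMES:{n}", n) for n, _ in variables["ARGS"]]
    if include_request_filename:
        targets.append(("REQUEST_FILENAME", variables["REQUEST_FILENAME"]))
    return [name for name, value in targets if XSS_MARKERS.search(value)]


def run_samples(include_request_filename):
    """Map each sample request to the variables that tripped the detector."""
    return {req: inspect(req, include_request_filename) for req in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, flag in (("original targets", False), ("with REQUEST_FILENAME", True)):
        print(f"== {label} ==")
        for req, hits in run_samples(flag).items():
            print(f"{'BLOCK' if hits else 'pass '}  {req}  {hits}")
```

With the original target list only the query-argument variant is caught; adding REQUEST_FILENAME also catches both path-based payloads while the benign search request still passes.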

0 reactions
RedXanadu commented, Nov 1, 2021

Closing issue as resolved, unless there are any objections.
