Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

XSS in URI / PATH_INFO going undetected

See original GitHub issue

_Issue originally created by user dune73 on date 2018-02-23 05:44:01. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1022._

There is a false negative in the way we ignore onXXX events in the URI.

curl "http://localhost/index.html/x%22%3E%3CsvG%20onLoad=prompt(9)%3E"

If the same URI appears in the Referer, it triggers 941101, 941120 and 941160. Adding the URI to be covered by these rules, won’t change a thing, so it’s also an encoding problem.

Issue Analytics

State:
Created 3 years ago
Comments:12

Top GitHub Comments

2reactions

CRS-migration-botcommented, May 13, 2020

User fgsch commented on date 2019-02-12 16:46:28:

I will submit a PR later today or tomorrow for 941110. I haven’t had a chance to look into the other vectors in detail but I expect FPs at least until https://github.com/client9/libinjection/pull/143 is merged, which seems to have gone awfully silent.

1reaction

CRS-migration-botcommented, May 13, 2020

User fgsch commented on date 2019-02-12 11:17:17:

Can we start by adding the path to 941110? Or anyone thinks this will cause many FPs?