Please excuse the cross-postings but I want to jumpstart moving these types of Mod rules discussions over to the OWASP list.


Just a follow-up - the new CRS 2.0.0 has significant updates for XSS protections. Specifically, the Ha.ckers XSS Cheatsheet (http://ha.ckers.org/xss.html) was reviewed and rules were updated to reflect the different vectors. Additionally, the WASC Script Mapping Project (http://projects.webappsec.org/Script-Mapping) was reviewed and all html event handlers were included.


As a side note - at the Blac


--
Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security
http://tacticalwebappsec.blogspot.com



On Tuesday 21 July 2009 08:41:24 am Ryan Barnett wrote:
> On Tuesday 21 July 2009 12:20:34 am Bill Bradley wrote:
> > Bill Bradley
> > to mod-security-u.
> >
> > show details 11:24 AM (11 hours ago)
> >
> >
> > Reply
> >
> > Follow up message
> > Hey All,
> >
> > I am new to modsecurity
>
> Hey Bill, welcome aboard!
>
> > but have implemented the
> > modsecurity_crs_40_generic_attacks.conf from the optional_rules
> > directory to block and log XSS scripting. So far it is working great.
>
> The current Core Rule Set (CRS) does a decent job against most attack
> payload classes (including XSS) but as you found out, they are not perfect.
> The only way that they will get better is if users report these
> bypass/evasion issues. So thank you for reporting this issue. By the way -
> we have an official JIRA ticketing system so you can report issues there
> and it will be properly tracked to resolution -
> https://www.modsecurity.org/tracker/
>
> Also of note - we will be releasing CRS version 2.0 within the week which
> will include significant updates to the rules including a separate rule set
> just for XSS.
>
> > The app is being tested by penetration folks and they are still able
> > to pass on XSS attack:
> >
> >
> > XSS vulnerability found in backend parameter. The following attack
> > targets all browser(s) and was successful using plain
> > encoding:
> > "><iMg SrC=x OnErRoR=window.location=42114>
>
> If you look in the modsecurity_crs_40_generic_attacks.conf file, you will
> see the XSS section. It starts off with the set-based pattern matching
> pre- qualifiers where it is looking for any core keywords for the attack
> class -
>
> SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|
> XML:/*|!REQUEST_HEADERS:Referer "@pm jscript onsubmit copyparentfolder
> javas cript meta onchange onmove onkeydown onkeyup activexobject onmouseup
> ecmascript bexpression onmouseover vbscript: <![cdata[ http: .innerhtml
> settimeout shell: onabort asfunction: onkeypress onmousedown onclick
> .fromcharcode background-image: .cookie ondragdrop onblur x-javascript
> mocha: javascript: onfocus lowsrc getparentfolder onresize @import alert
> script onselect onmouseout application onmousemove background .execscript
> livescript: vbscript getspecialfolder .addimport iframe onunload
> createtextrange <input onload"
>
> In looking at these keywords, there are other browser/DOM actions such as
> onblur, onfocus, onmousemove, etc... but it doesn't appear that we have
> one for your example payload - onerror. So, I would go ahead and add the
> following rule to a modsecurity_crs_15_customrules.conf file -
>
> SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "\bonerror\b\W*?\=" \
>
> "phase:2,deny,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowe
>rcase,ctl:auditLogParts=+E,log,auditlog,msg:'Cross- site Scripting (XSS)
> Attack',id:'1',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2'"
>
> I tested this new rule against the following example request -
>
> http://www.example.com/cgi-bin/test-cgi?foo="><iMg SrC=x
> OnErRoR=window.location=42114>
>
> The rule triggered appropriately and generated the following alert in the
> Apache error_log file -
>
> [Sun May 31 02:25:14 2009] [error] [client 192.168.1.103] ModSecurity:
> Access denied with code 403 (phase 2). Pattern match
> "\\bonerror\\b\\W*?\\=" at ARGS:foo. [file
> "/usr/local/apache/conf/enhanced_rule_set-1.7.0/base_rules/modsecurity_ers_
>15_customrules.conf"] [line "2"] [id "958409"] [msg "Cross-site Scripting
> (XSS) Attack"] [data "onerror="] [severity "CRITICAL"] [tag
> "WEB_ATTACK/XSS"] [hostname "www.example.com"] [uri "/cgi-bin/test-cgi"]
> [unique_id "SiIiyn8AAQEAABGXB- QAAAAA"]
>
> Hope this info helps,
> Ryan