On Friday 31 July 2009 05:07:53 pm Ryan Barnett wrote:
> Please excuse the cross-postings but I want to jumpstart moving these types
> of Mod rules discussions over to the OWASP list.
> Just a follow-up - the new CRS 2.0.0 has significant updates for XSS
> protections. Specifically, the Ha.ckers XSS Cheatsheet
> (http://ha.ckers.org/xss.html) was reviewed and rules were updated to
> reflect the different vectors. Additionally, the WASC Script Mapping
> Project (http://projects.webappsec.org/Script-Mapping) was reviewed and all
> html event handlers were included.
> As a side note - at the Blac

Had a slight misfire there...

Anyways, at Blackhat this week, there was a great presentation on bypassing XSS filters - http://p42.us/favxss. In the preso they showed many ways to bypass the CRS v1.6.1 rules. Many of the deficiencies that they highlighted have been addressed (above) and we are going to be adding an XSS testing page soon to the modsecurity site so the community can bang on them and hopefully they will become stronger. This is what PHP-IDS has been doing here - http://demo.php-ids.org/ - and it has been very helpful.