Re: [mod-security-users] 2 xss vulnerabilities are not caught with core rules
From: Ray <rp...@ho...> - 2008-12-12 02:09:08
1.60 or 1.61? 1.61 fixed several issues.

Ray

"Richard Holly" <rh...@in...> wrote in message news:493...@in...:

Hello,

core rules are 1.6

1. with default rules - no log
2. xss is executable when app is using Content-Type: text/html;charset=utf-8 output format. so it's interesting minimally for all "java people".

Regards,
Richard.

Ryan Barnett wrote:

What version of Core Rules are you using? I am guessing that it is an older version (based on your ModSecurity version).

1. The first example you gave is identified by the current CRS due to the "onmouseover=" data. I sent your example request through my Mod host and it generated this alert/error message -

Message: Access denied with code 500 (phase 2). Pattern match "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at ARGS:node. [file "/var/etc/rulesets/40_-_application_layer_attacks_protection_.conf"] [line "105"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data "onmouseover="] [severity "CRITICAL"]

2. As for the 2nd example, that specific version of the attack string does not match our current rules. That being said, there is something else to consider here - while that version did bypass the negative security rules, is the XSS payload in an executable format (meaning is it in a state where a web browser will execute it)? What I have found is that while there is an almost unlimited amount of variation that an attacker can do to alter the attack data to bypass filters, this process often will cause the resulting code to be in a non-executable format. What I did to test this was to use the WebGoat application from OWASP and to use your 2nd example XSS payload. I then submitted it in the XSS lab lessons and found that even though the WebGoat application was vulnerable to XSS (it isn't doing any input validation and it isn't properly html output encoding the user-supplied data), that particular XSS payload did not execute in IE 7. Perhaps this would execute in other browsers though.

Another important point to bring up here regarding vuln scanners and XSS - they are simply testing to see if the web applications are missing output encoding and then they will flag it as an XSS vulnerability. They do this by sending some data and seeing if the web application echoes it back in the exact same format. This is still valid as it is showing that the target web app is not handling the data appropriately.

-Ryan

From: Richard Holly [mailto:rh...@in...]
Sent: Tuesday, December 09, 2008 10:37 AM
To: mod...@li...
Subject: [mod-security-users] 2 xss vulnerabilities are not caught with core rules

Hello,

with version mod_security-2.5.0 (jason.2) httpd-2.2.8 (jason.3) with security scanner tests i found that those 2 xss vulnerabilities are not caught with core rules (i am using blocking rules)

1. The GET variable node has been set to "+onmouseover=alert(412497252422)+.

GET /test/other/products-list?node="+onmouseover=alert(412497252422)+&paging=50&sorting=na HTTP/1.0
Accept: */*
.....

2. The GET variable cardId has been set to %253CScRiPt%253Ealert(398897230490)%3B%253C/ScRiPt%253E.

GET /test/other/certify-items?cardId=%253CScRiPt%253Ealert(398897230490)%3B%253C/ScRiPt%253E HTTP/1.0
Accept: */*
.......

Are there any suggestions how to improve rules sets to get rid of those 2 items?

regards.

------------------------------------------------------------------------------
SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada. The future of the web can't happen without you. Join us at MIX09 to help pave the way to the Next Web now. Learn more and register at http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/
------------------------------------------------------------------------------
_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
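A way to see why the second scanner payload slipped past the rules while the first did not, as an added example that is not code from the list thread, from ModSecurity or from the Core Rules: it inspects each value after a single URL-decoding pass and after decoding to a fixed point, using a much-reduced stand-in for the 950004 pattern quoted in Ryan's alert. The stand-in pattern, the helper names and the "still percent-encoded after one decode" heuristic are assumptions, not the real rule set.

```python
import re
from urllib.parse import unquote

# Constructed inputs: the two GET values quoted in Richard's report.
PAYLOAD_1 = '"+onmouseover=alert(412497252422)+'
PAYLOAD_2 = '%253CScRiPt%253Ealert(398897230490)%3B%253C/ScRiPt%253E'

# Assumption: a tiny stand-in for the CRS 950004 regex, keeping only the
# "<script" and "on*=" event-handler branches that matter for these two values.
XSS_PATTERN = re.compile(
    r'(?:<\s*script\b'
    r'|\bon(?:mouse(?:over|out|down|move|up)|key(?:press|down|up)|load|error)\s*=)',
    re.IGNORECASE,
)


def decode_once(value):
    """Single URL-decoding pass, the view a one-pass inspector gets."""
    return unquote(value)


def decode_to_fixpoint(value, max_rounds=5):
    """Keep URL-decoding until the value stops changing (bounded)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def looks_double_encoded(value):
    """True if a percent-escape still survives after one decoding pass."""
    return re.search(r'%[0-9A-Fa-f]{2}', decode_once(value)) is not None


def inspect(value, decoder):
    """Decode with the given strategy and report what the pattern matched."""
    decoded = decoder(value)
    match = XSS_PATTERN.search(decoded)
    return {"decoded": decoded, "matched": match.group(0) if match else None}


if __name__ == "__main__":
    for name, payload in (("node", PAYLOAD_1), ("cardId", PAYLOAD_2)):
        print(name, "once:", inspect(payload, decode_once))
        print(name, "fixpoint:", inspect(payload, decode_to_fixpoint))
        print(name, "double-encoded?", looks_double_encoded(payload))
```

The cardId value only becomes `<ScRiPt>...</ScRiPt>` after the second decoding round, so a one-pass inspection never sees a tag; as Ryan's WebGoat test shows, whether the rule matches is a separate question from whether a browser would ever execute the echoed string.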