Not sure if this is the right place to send this, but here goes.
Had an issue with Rule ID: 973337 that picked up on a cookie value.
(?i)([\\s\"'`;\\/0-9\\=\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]+on\\w+[\\s\\x0B\\x09\\x0C\\x3B\\x2C\\x28\\x3B]*?=)
As best I can tell, this rule is looking for dodgy usage of the HTML on*= attributes for execution of unexpected JavaScript such as onload, onresize etc.
Great; except it doesn’t appear to care how many characters are between “on” and “=” so long as there is more than 1 (w+ bit).
Assuming what I’ve said so far is remotely correct, I think the rate of false positives could be reduced by looking for a limited number of characters so that it won’t match non-existent attributes such as “on1=”, “onuiysfuiyegsfuygsfgdjsh=” and so on.
Regards,
William
wi...@ub...
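The following is an added example, not part of the original message or of the rule set: it runs the pattern quoted above, and a length-bounded variant of the kind the message proposes, over a few constructed strings. The bounds MIN_LEN and MAX_LEN and all sample values are assumptions made for illustration.

```python
import re

# Rule 973337's pattern as quoted in the message, with the doubled
# backslashes of the quoted form reduced to single regex escapes.
LEAD = r"""[\s\"'`;\/0-9\=\x0B\x09\x0C\x3B\x2C\x28\x3B]+"""
TAIL = r"[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?="
ORIGINAL = re.compile("(?i)(" + LEAD + r"on\w+" + TAIL + ")")

# Assumption: illustrative bounds only, not taken from the rule set or the
# HTML specification. A production bound must be at least as long as the
# longest handler name the rule is expected to detect.
MIN_LEN, MAX_LEN = 3, 20
BOUNDED = re.compile(
    "(?i)(" + LEAD + r"on\w{%d,%d}" % (MIN_LEN, MAX_LEN) + TAIL + ")"
)

# Constructed sample inputs (not taken from the message or any real traffic).
SAMPLES = {
    "handler_onload": "x onload=1",
    "handler_onresize": "x onresize=1",
    "short_nonexistent": "x on1=1",
    "long_nonexistent": "x onuiysfuiyegsfuygsfgdjsh=1",
    "cookie_like_value": "theme=dark; onboarding=done",
}


def compare(samples=SAMPLES):
    """Return {name: (original_matches, bounded_matches)} for each sample."""
    return {
        name: (bool(ORIGINAL.search(value)), bool(BOUNDED.search(value)))
        for name, value in samples.items()
    }


if __name__ == "__main__":
    for name, (orig_hit, bounded_hit) in compare().items():
        print(f"{name:20} original={orig_hit!s:5} bounded={bounded_hit}")
```

The constructed cookie-like value still matches both patterns because "onboarding" falls inside the length bounds, so a length limit removes only the very short and very long names from the match set.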