> thanks for the mod of apache,

> You're welcome, I even contributed to some mod_security rules for ossec ;@) If you're interested, give a look here for lots of rules: http://www.gotroot.com/ (but looks like I can't access it for now...)

> right, I have made a little edit
> <url>%3A%2F%2F|://</url> (just for :// in the request)

> That you'll have to filter:
> - %3A%2F/
> - %3A//
> - :%2F%2F
> - :/%2F
> - etc.
> Not the best thing, isn't it?

> yes ;) but not if the web rules are coupled with a url_encode function
> to encode all requests in %XX (and url_decode)
> (I don't know if it is possible, no I think...)

> I don't remember well but I'm pretty sure to have seen some specially crafted URLs containing IDN encodes also...

> not really, because the attacker is blocked by an active response of ossec
> if he uses this type of attack,
> but right, it isn't a good idea (the best idea is just not to use vulnerable
> scripts)

> I was saying that because the XSS is not a direct attack but somewhat a diverted one. For example if I read some of my weblogs with a parser which understands HTML (like a browser ;)), I could send my admin session ID to an attacker. But OSSEC will see ME trying to read this, so if active response is enabled, at best it will do nothing if the whitelist is active, and at worst it will block me... Not the kind of thing we want...

Sioban
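The url_decode approach discussed above, as an added example that is not code from this thread or from OSSEC: percent-decode the request URI to a fixed point, then apply the single `://` rule once, run over constructed Apache log lines. It goes slightly beyond the thread by also flattening double-encoded forms; the host names, log lines and function names are all assumptions.

```python
import re
from urllib.parse import unquote

# The thread's rule flags "://" in the request URI. Matching the raw URI
# forces every encoded spelling (%3A%2F%2F, %3A//, :%2F%2F, ...) into the
# rule, so the URI is normalised first and the rule is written once.
RULE = re.compile(r"://")
REQUEST_URI = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')

def normalize_uri(uri, max_rounds=3):
    """Percent-decode until the value stops changing, bounded so hostile
    input cannot loop forever; this also flattens double encoding such as
    %253A%252F%252F, which a single unquote() leaves as %3A%2F%2F."""
    current = uri
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current

def matches_rule(uri):
    return RULE.search(normalize_uri(uri)) is not None

def scan_access_log(text):
    """Return (uri, matched) for each parsable request line in an Apache
    combined log; lines without a request are skipped, not guessed at."""
    results = []
    for line in text.splitlines():
        m = REQUEST_URI.search(line)
        if m:
            results.append((m.group(1), matches_rule(m.group(1))))
    return results

# Constructed sample log lines (hypothetical hosts, not real traffic): the
# variants listed in the thread, one double-encoded form, one benign request.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2007:12:00:00 +0000] "GET /page.php?inc=http://remote.example/a HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2007:12:00:01 +0000] "GET /page.php?inc=http%3A%2F%2Fremote.example/a HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2007:12:00:02 +0000] "GET /page.php?inc=http%3A%2F/remote.example/a HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2007:12:00:03 +0000] "GET /page.php?inc=http%3A//remote.example/a HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2007:12:00:04 +0000] "GET /page.php?inc=http:%2F%2Fremote.example/a HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2007:12:00:05 +0000] "GET /page.php?inc=http:/%2Fremote.example/a HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2007:12:00:06 +0000] "GET /page.php?inc=http%253A%252F%252Fremote.example/a HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2007:12:00:07 +0000] "GET /page.php?inc=about HTTP/1.1" 200 512
"""
if __name__ == "__main__":
    for uri, hit in scan_access_log(SAMPLE_LOG):
        print("ALERT" if hit else "ok   ", uri)
```

Decoding to a fixed point is deliberately bounded: an unbounded decode loop is itself a denial-of-service risk, and each extra round also widens what a rule can false-positive on.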
