On 27.06.2013 13:31, Bremgartner, Lucas wrote:
> 2. Rule Pre-Filtering
> Most of the remaining rules (except the last 3 rules: 973316, 973325, 973319
> and of course rules from proposal 1) are beginning with one of the following
> characters: < " '
> Therefore I propose to pre-filter the whole "XSS Filters from IE" rule block
> (except the last 3 rules: 973316, 973325, 973319) with a rule like:
>
> SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \
>     "<|\"|\'" \
>     "phase:2,id:'10000',rev:'2',ver:'OWASP_CRS/2.2.7',maturity:'8',accuracy:'8',t:none,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,setvar:tx.pm_xss_filter_score=+%{tx.critical_anomaly_score}"
> SecRule &TX:PM_XSS_FILTER_SCORE "@eq 0" \
>     "phase:2,id:'10001',t:none,pass,skipAfter:END_XSS_FILTER_CHECK,nolog"
> ...
> SecMarker END_XSS_FILTER_CHECK

Are these rules only handling XSS injections in the context of HTML?
Or should they also match in CSS, JavaScript, JSON context?
If so, a prefix containing "'< is not sufficient, you also need ,;.\/)]}|&=?+-
(and probably many more, as JavaScript is not limited to 7-bit US-ASCII :-)).

Just my 2 pence
Achim
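
Added example, not written by either poster and not CRS code: a Python emulation of the skip decision made by the proposed rules 10000/10001, run over constructed requests to show which ones would jump to END_XSS_FILTER_CHECK without the XSS block being evaluated. Assumptions: the two transformations are approximated with html.unescape and a whitespace regex, XML:/* is left out, and every sample value and function name is made up for the illustration.

```python
import html
import re

# Operator of the proposed rule 10000: the regex <|\"|\'
PREFILTER = re.compile("<|\"|'")
# Exclusion !REQUEST_COOKIES:/__utm/ (cookie names matching this are not inspected)
UTM = re.compile(r"__utm")


def transform(value):
    # Approximation of t:htmlEntityDecode followed by t:compressWhiteSpace.
    return re.sub(r"\s+", " ", html.unescape(value))


def targets(cookies, args):
    # REQUEST_COOKIES (minus __utm*), REQUEST_COOKIES_NAMES, ARGS_NAMES, ARGS.
    yield from (v for k, v in cookies.items() if not UTM.search(k))
    yield from cookies.keys()
    yield from args.keys()
    yield from args.values()


def xss_block_runs(cookies, args):
    # Rule 10000 sets tx.pm_xss_filter_score on a match; rule 10001 jumps to
    # END_XSS_FILTER_CHECK when that variable was never set.
    return any(PREFILTER.search(transform(t)) for t in targets(cookies, args))


# Constructed requests (cookies, args), labelled by the context the value
# would be reflected into. f() is a placeholder function name.
SAMPLES = {
    "html element": ({}, {"q": "<b>hi</b>"}),
    "html attribute": ({}, {"q": 'x" onfocus=y'}),
    "entity-encoded": ({}, {"q": "&lt;b&gt;hi"}),
    "utm cookie only": ({"__utma": "<b>"}, {"q": "hi"}),
    "javascript": ({}, {"q": "1;f(1)//"}),
    "css": ({}, {"q": "expression(f(1))"}),
}


def skipped(samples=SAMPLES):
    # Labels of requests for which the whole XSS rule block would be skipped.
    return [n for n, (c, a) in samples.items() if not xss_block_runs(c, a)]


if __name__ == "__main__":
    for name, (c, a) in SAMPLES.items():
        print(f"{name:16} XSS block evaluated: {xss_block_runs(c, a)}")
```
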