This seems to be true. If you believe this to be a major oversight, we invite you to submit such a protection if you deem it to be necessary. Please note that if submitting it should be submitted to the 3.0 branch. Additionally, note the use of @detectXSS would not work here as libinjection is not designed to detectXSS in headers.
From: Michele Roviello <michelerovie...@gmail.com<mailto:michelerovie...@gmail.com>> Date: Wednesday, July 15, 2015 at 7:46 AM To: "owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>" <owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>> Subject: [Owasp-modsecurity-core-rule-set] Check for User-agent field missing in CRS Hello, I have done some tests on XSS attacks with ModSecurity and the base rules for XSS attack from the CRS. I have found that this set of rules doesn't check for an XSS attack vector in the User-agent field of the HTTP message. Is this true or am I missing something? Thank you for your consideration, Michele Roviello ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
