Try not to be an alarmist by calling it a vulnerability. It is a protection 
that is simply not offered because most people don't end up reflecting user 
agents onto their page, for pretty obvious reasons. That being said you are 
fully encouraged to develop protections for this if you feel it to be an 
oversight. If you don't know how to do this I am more than willing to work 
offline to help you accomplish this goal. In general you would modify a rule 
present in the XSS section to include Request_Headers:User-Agent 
(https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-dev/rules/REQUEST-41-APPLICATION-ATTACK-XSS.conf). 
Within this config file we have accumulated a number of different XSS filters 
over time. Feel free to identify which ones make the most sense for where your 
protection should be placed and add it. You can then issue a push request 
adding this feature as we use github for version control.
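The kind of change described above, as an added example that is not part of the original thread or of the CRS project: a local ModSecurity rule that applies the same libinjection XSS check the CRS runs over parameters and cookies to the User-Agent header as well, plus a narrower regex variant. The rule ids (10001, 10002), the message text and the tx.* scoring variables are assumptions chosen to look like CRS 3 conventions; adjust them to your local rule range and your CRS version. The "@detectXSS" operator needs ModSecurity 2.8.0 or later built with libinjection. Putting the rules in your own file that is included after the CRS rules, rather than editing the CRS .conf in place, keeps them from being overwritten on upgrade.

```apache
# Added example (not CRS project code). Assumed to live in a local file such as
# RESPONSE-999-LOCAL-RULES.conf that is Included after the CRS rule files, so
# the CRS setup rules have already initialised tx.critical_anomaly_score
# and tx.anomaly_score (CRS 3 variable names, assumed here).

# Illustrative shape of a CRS-style XSS target list: cookies, argument names
# and values, and XML bodies. Note that request headers are absent, which is
# the gap the thread discusses. Left disabled (commented) so it is not run twice.
#
# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \
#     "@detectXSS" \
#     "id:10000,phase:2,block,..."

# 1) libinjection XSS detection over the User-Agent header only.
#    Rule id 10001 is an assumption; ids 1-99999 are reserved for local use.
SecRule REQUEST_HEADERS:User-Agent "@detectXSS" \
    "id:10001,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'XSS Attack Detected via libinjection in User-Agent header',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}'"

# 2) Regex fallback for builds without libinjection: script tags and
#    javascript: URIs. Intentionally narrow; legitimate User-Agent strings
#    never contain these, so the false-positive risk is low.
SecRule REQUEST_HEADERS:User-Agent "@rx (?i)(?:<\s*script[^>]*>|javascript\s*:|<\s*iframe)" \
    "id:10002,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:removeNulls,\
    msg:'XSS pattern in User-Agent header',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'attack-xss',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}'"
```

To check the rules after a reload, send a request with a hostile User-Agent (for example `curl -A '<script>alert(1)</script>' http://your-host/` against a test host) and confirm that the audit log shows id 10001 or 10002 firing and that the anomaly score rose by the critical weight; in CRS 3's default anomaly-scoring mode the block is only enforced once the blocking rules at the end of phase 2 compare tx.anomaly_score with the configured threshold, so a single match may log without blocking if your threshold is set high.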

From: Michele Roviello <michelerovie...@gmail.com>
Date: Sunday, July 19, 2015 at 5:34 AM
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: [Owasp-modsecurity-core-rule-set] Submit a change in the CRS

Hello,
I have found a vulnerability in the CRS. I discussed it in a previous mail and 
they suggested that I submit the protection for this issue.
Can someone tell me what I should do to submit a change in the CRS?

Thank you for your help
Michele Roviello

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set