I certainly wouldn't say it was a vulnerability in CRS, but I have seen apps which logged User-Agent to a file and then in the admin section of the site wrote it straight to the page. Equally I've seen people do the same thing, but inserting User-Agent into a table in a manner vulnerable to SQL injection.
However, the kind of people who do these things are not the same kind of people who install mod_security and CRS, so it's debatable if it would really help anyone by being changed in CRS.

cheers,
Jamie

On 19 July 2015 at 15:34, Chaim Sanders <csand...@trustwave.com> wrote:
> Try not to be an alarmist by calling it a vulnerability. It is a protection
> that is simply not offered because most people don’t end up reflecting user
> agents onto their page, for pretty obvious reasons. That being said you are
> fully encouraged to develop protections for this if you feel it to be an
> oversight. If you don’t know how to do this I am more than willing to work
> offline to help you accomplish this goal. In general you would modify a rule
> present in the XSS section to include Request_Headers:User-Agent.
> (https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-dev/rules/REQUEST-41-APPLICATION-ATTACK-XSS.conf).
> Within this config file we have accumulated a number of different XSS
> filters over time. Feel free to identify which ones make the most sense for
> where your protection should be placed and add it. You can then issue a push
> request adding this feature as we use github for version control.
>
> From: Michele Roviello <michelerovie...@gmail.com>
> Date: Sunday, July 19, 2015 at 5:34 AM
> To: "owasp-modsecurity-core-rule-set@lists.owasp.org"
> <owasp-modsecurity-core-rule-set@lists.owasp.org>
> Subject: [Owasp-modsecurity-core-rule-set] Submit a change in the CRS
>
> Hello,
> I have found a vulnerability in the CRS, I discussed it in a previous mail
> and they suggested me to submit the protection to this issue.
> Can someone tell me what I should do to submit a change in the CRS?
>
> Thank you for your help
> Michele Roviello

-- 
Jamie Riden / ja...@honeynet.org / jamie.ri...@gmail.com
http://uk.linkedin.com/in/jamieriden

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
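Added worked example (not code from the thread, from the CRS project, or from ModSecurity): the two application bugs Jamie describes, a logged User-Agent header later written straight into an admin page and a User-Agent spliced into an INSERT statement, each beside its hardened form, plus a small model of the target change Chaim suggests, showing that an XSS check scoped to ARGS never sees the header until REQUEST_HEADERS:User-Agent is added to its targets. The header values, the mini "app", and the toy XSS regex are all constructed for illustration; the regex is deliberately tiny and is not one of the CRS filters, and `rule_matches` only models ModSecurity's collection:key target selection, it is not the engine.

```python
"""Added example (not from the thread, the CRS, or ModSecurity). Constructed
inputs; the mini app and the toy rule are hypothetical stand-ins."""
import html
import re
import sqlite3

# Constructed attacker-controlled User-Agent values.
UA_XSS = "<script>alert(document.cookie)</script>"
UA_SQLI = "x', 'admin'); DROP TABLE access_log; --"
UA_BENIGN = "Mozilla/5.0 (X11; Linux x86_64) Firefox/39.0"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access_log (id INTEGER PRIMARY KEY, user_agent TEXT, path TEXT)"
    )
    return conn


def log_request_vulnerable(conn, user_agent, path):
    # Header bytes are spliced into the SQL text. executescript() stands in for
    # a driver that allows stacked statements; with one, UA_SQLI inserts a bogus
    # row, drops the table, and comments out the rest of the statement.
    conn.executescript(
        f"INSERT INTO access_log (user_agent, path) VALUES ('{user_agent}', '{path}')"
    )


def log_request_hardened(conn, user_agent, path):
    # Bound parameters: the header is data and never reaches the SQL grammar.
    conn.execute(
        "INSERT INTO access_log (user_agent, path) VALUES (?, ?)", (user_agent, path)
    )
    conn.commit()


def table_exists(conn):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='access_log'"
    ).fetchone()
    return row is not None


def render_admin_vulnerable(conn):
    # Stored header written straight into the admin page: stored XSS.
    rows = conn.execute("SELECT user_agent, path FROM access_log").fetchall()
    return "<ul>" + "".join(f"<li>{ua} {p}</li>" for ua, p in rows) + "</ul>"


def render_admin_hardened(conn):
    # Escape at the output boundary; the raw header stays in the log for forensics.
    rows = conn.execute("SELECT user_agent, path FROM access_log").fetchall()
    items = "".join(
        f"<li>{html.escape(ua, quote=True)} {html.escape(p, quote=True)}</li>"
        for ua, p in rows
    )
    return "<ul>" + items + "</ul>"


# Toy XSS pattern for the model rule below. Hypothetical; not a CRS regex.
XSS_PATTERN = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE)


def rule_matches(request, targets):
    """Run the toy pattern over ModSecurity-style targets.

    request: {"ARGS": {...}, "REQUEST_HEADERS": {...}}
    targets: e.g. ["ARGS", "REQUEST_HEADERS:User-Agent"] (collection or collection:key)
    Returns the first target whose value matches, or None.
    """
    for target in targets:
        collection, _, key = target.partition(":")
        values = request.get(collection, {})
        if key:
            values = {key: values[key]} if key in values else {}
        for name, value in values.items():
            if XSS_PATTERN.search(value):
                return f"{collection}:{name}"
    return None


def demo():
    request = {"ARGS": {"q": "shoes"}, "REQUEST_HEADERS": {"User-Agent": UA_XSS}}
    # A rule scoped to ARGS and cookies never inspects the header...
    before = rule_matches(request, ["ARGS", "REQUEST_COOKIES"])
    # ...the same rule with the header added to its targets catches it.
    after = rule_matches(request, ["ARGS", "REQUEST_COOKIES", "REQUEST_HEADERS:User-Agent"])
    return before, after


if __name__ == "__main__":
    db = make_db()
    log_request_vulnerable(db, UA_SQLI, "/")
    print("table survived vulnerable insert:", table_exists(db))
    db = make_db()
    log_request_hardened(db, UA_SQLI, "/")
    log_request_hardened(db, UA_XSS, "/admin")
    print(render_admin_vulnerable(db))
    print(render_admin_hardened(db))
    print(demo())
```

The point the thread makes about scope carries over: adding the header to a rule's targets is a one-line change, but it only protects sites that reflect or store the header, so the check belongs next to the existing XSS filters rather than as a new rule, and any real deployment should be checked against legitimate User-Agent strings for false positives before enforcing.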