Last week, Mazin Ahmed published a report with some XSS evasions for various 
WAFs including ModSecurity. It can be found as a PDF here: 
http://blog.mazinahmed.net/2015/09/evading-all-web-application-firewalls.html

He describes three evasions against ModSecurity. They’re listed on page 14 of 
the PDF. It might be interesting to look at them and see if they need 
addressing.

I’ll list the points here if the spam filters will accept it…

5.6.1 Using &NewLine; and &Tab;

<a href="j[785 bytes of (&NewLine;&Tab;)]avascript:alert(1);">XSS</a> 

This first idiom for evading detection of the “javascript:” string sounds 
potentially interesting. I couldn’t reproduce this whole example because of the 
other rules, but it might be useful to investigate.

5.6.2 US-Encoding Bypass:

¼script¾alert(¢xss¢)¼/script¾ 

This doesn’t sound so interesting to me, since only IE6 and IE7 “auto-correct” 
this monstrosity.

5.6.3 Triple URL encoding:

<b/%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35mouseover=alert(1)>

The substring of URL-encoded characters does trigger the rule for multiple URL 
encoding, however this is logged at warning level only.

I’m not sure what to make of it since the given examples themselves also 
trigger various other CRS rules, but passing it on just in case.

Cheers,
WH

-- 
Walter Hop | PGP key: https://lifeforms.nl/pgp

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
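The three evasions quoted in the post all rely on a decoding step that happens in the browser but not (or only partially) in the rule engine. The following script is an added example, not part of the post or of the CRS, showing the normalizations a detection layer would apply before pattern matching: decoding HTML entities such as &NewLine;/&Tab; and stripping the tab/newline characters browsers ignore inside a URL, repeatedly percent-decoding and counting the rounds (the condition behind the multiple-encoding warning mentioned above), and modelling the legacy US-ASCII quirk as "drop the high bit" so ¼ and ¾ become < and >. The sample inputs are constructed (the first uses three &NewLine;&Tab; pairs rather than 785 bytes of them), and the decode-round limit of 5 is an assumption.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample inputs that mirror the three evasions quoted in the post
# (the first one uses three &NewLine;&Tab; pairs instead of 785 bytes of them).
SAMPLES = {
    "newline_tab": '<a href="j' + "&NewLine;&Tab;" * 3 + 'avascript:alert(1);">XSS</a>',
    "us_ascii": "\u00bcscript\u00bealert(\u00a2xss\u00a2)\u00bc/script\u00be",
    "triple_url": "<b/%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35"
                  "mouseover=alert(1)>",
}


def url_decode_rounds(s, max_rounds=5):
    """Percent-decode until the string stops changing.

    Returns (decoded, rounds). rounds > 1 means the input was percent-encoded
    more than once, which is what a multiple-URL-encoding rule should flag.
    The max_rounds cap (5) is an assumption, not a CRS setting.
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
        rounds += 1
    return s, rounds


def strip_high_bit(s):
    """Model how a 7-bit US-ASCII decoder sees 8-bit characters: the top bit
    is dropped, so U+00BC (1/4) becomes '<', U+00BE (3/4) becomes '>' and
    U+00A2 (cent) becomes '"'. Characters above U+00FF are left alone."""
    return "".join(chr(ord(c) & 0x7F) if 0x80 <= ord(c) <= 0xFF else c for c in s)


def normalize_url_value(value):
    """Decode HTML entities (&NewLine;, &Tab;, ...) and drop the ASCII
    tab/newline/CR characters that browsers ignore inside a URL."""
    value = html.unescape(value)
    value = re.sub(r"[\t\n\r]", "", value)
    return value.strip().lower()


def analyze(payload):
    """Return a dict of findings after applying the normalizations above."""
    decoded, rounds = url_decode_rounds(payload)
    decoded = strip_high_bit(decoded)
    findings = {
        "url_decode_rounds": rounds,
        "multiple_url_encoding": rounds > 1,
        "javascript_href": False,
        "script_tag": bool(re.search(r"<\s*script\b", decoded, re.I)),
        "event_handler_attr": bool(re.search(r"[\s/]on[a-z]+\s*=", decoded, re.I)),
    }
    # Only double-quoted href values are inspected here; a real engine would
    # also cover single-quoted and unquoted attribute syntax.
    for m in re.finditer(r'href\s*=\s*"([^"]*)"', decoded, re.I):
        if normalize_url_value(m.group(1)).startswith("javascript:"):
            findings["javascript_href"] = True
    return findings


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, analyze(sample))
```

Running it reports the triple-URL sample as decoding in 3 rounds to an on* event-handler attribute, the &NewLine;/&Tab; sample as a javascript: href, and the US-ASCII sample as a plain script tag once the high bit is stripped; the point is that each check only fires after the matching normalization, which is why matching on the raw request misses them.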
