Hey Chaim, hope you are doing great. Yes, the data injected is in the 
JavaScript content already; I have not been very successful trying to match 
patterns here without false positives.


From: chaim.sand...@gmail.com [mailto:chaim.sand...@gmail.com] On Behalf Of 
Chaim Sanders
Sent: Wednesday, July 12, 2017 23:10
To: Thayyile kandy, Subin : CSO GIS
Cc: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] XSS false negative ?

Hey Subin,
Long time no speak. It does indeed look as if PL1 of CRS 3.0 doesn't catch 
that. PL2 catches it with rules 942340, 942370, and 942430. It might be worth 
looking into trying to add some logic that isn't false-positive-prone to PL1. 
In this case it'll be tricky, as it appears that the XSS triggered here would be 
in the JavaScript context already. Any thoughts?

On Wed, Jul 12, 2017 at 9:25 PM, Thayyile kandy, Subin : CSO GIS 
<sthayyile...@barclaycardus.com> wrote:
Shouldn't CRS 3.0 be flagging this XSS? I did check the XSS rules but couldn't 
figure out why it wasn't getting flagged.

https://localhost/test.action?testingid=29776%27};alert(1);var%20x={%27myid%27:%2723233

Thanks
Subin
Barclaycard

www.barclaycardus.com

This email and any files transmitted with it may contain confidential and/or 
proprietary information. It is intended solely for the use of the individual or 
entity who is the intended recipient. Unauthorized use of this information is 
prohibited. If you have received this in error, please contact the sender by 
replying to this message and delete this material from any system it may be on.
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set



--
Chaim Sanders
http://www.ChaimSanders.com

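As an added illustration (not part of the thread and not CRS or ModSecurity code): the `testingid` value in Subin's URL decodes to `29776'};alert(1);var x={'myid':'23233`. The page template below, `var x={'myid':'<value>'};`, is an assumption chosen so that this payload closes the string and the object literal; the real endpoint's markup is not shown on the page. The script renders the value both unescaped and as a properly escaped JavaScript string literal, then executes each rendering with an instrumented `alert()` to show which one lets the injected code run. Run with Node.

```javascript
// Added example, not from the mailing-list thread. Demonstrates the
// JavaScript-context breakout behind the reported false negative and a
// hardened rendering. The template `var x={'myid':'<value>'};` is assumed.

const reportedUrl =
  "https://localhost/test.action?testingid=29776%27};alert(1);var%20x={%27myid%27:%2723233";

// Pull the parameter out of the URL the way a server would (percent-decoded).
function extractTestingId(url) {
  return new URL(url).searchParams.get("testingid");
}

// Vulnerable rendering: raw interpolation into a single-quoted JS string.
// The payload's leading `'}` closes both the string and the object literal,
// so everything after it is parsed as ordinary JavaScript statements.
function renderVulnerable(id) {
  return `var x={'myid':'${id}'};`;
}

// Hardened rendering: JSON.stringify produces a valid JS string literal with
// quotes and backslashes escaped. JSON.stringify does not escape '<', '>', '&'
// or the line terminators U+2028/U+2029, which matter inside an inline
// <script> element, so those are escaped as \uXXXX sequences as well.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderSafe(id) {
  return `var x={'myid':${jsStringLiteral(id)}};`;
}

// Execute a rendered script with an instrumented alert() and return what the
// page would observe: the alerts fired and the final value of x.myid.
function runScript(script) {
  const alerts = [];
  const fn = new Function("alert", `${script}\nreturn x;`);
  const x = fn((v) => alerts.push(v));
  return { alerts, myid: x.myid };
}

const id = extractTestingId(reportedUrl);
console.log("decoded parameter :", id);
console.log("vulnerable script :", renderVulnerable(id));
console.log("  result          :", runScript(renderVulnerable(id)));
console.log("hardened script   :", renderSafe(id));
console.log("  result          :", runScript(renderSafe(id)));
```

With the vulnerable template the instrumented `alert` fires once with `1` and `x.myid` ends up as `23233`; with the hardened template nothing fires and `x.myid` is exactly the submitted string. The fix lives at the output-encoding layer rather than in a PL1 signature, which is what makes this case awkward for a WAF: once the attacker is already inside a JavaScript string, each fragment of the payload is syntactically ordinary JavaScript.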