XSS bypass with a payload not containing "<script>" #1705

dune73 · 2020-02-28T15:10:27Z

Description

The following request is not identified as an attack at PL1 - yet on the specific application I am lookin at, this is a successful XSS.

$> curl 'http://localhost/index.html?pa=BCDEGHKLMNPQRSTUVXYZ%26apos%3b%3balert(%27Hello%27)'

The problem is probably that it's "alert" without prior script tag. I wonder if we want to come up with a rule to detect this by default. I am a bit torn and I fear false positives.

Your Environment

CRS version (e.g., v3.2.0): v3.2.0
Paranoia level setting: PL1
ModSecurity version (e.g., 2.9.3): 2.9.3
Web Server and version (e.g., apache 2.4.41): 2.4.41
Operating System and version: Ubuntu

Confirmation

[X] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.

The text was updated successfully, but these errors were encountered:

dune73 added the False Negative - Evasion label Feb 28, 2020

CRS-migration-bot mentioned this issue May 13, 2020

XSS bypass with a payload not containing "<script>" coreruleset/coreruleset#1705

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

XSS bypass with a payload not containing "<script>" #1705

XSS bypass with a payload not containing "<script>" #1705

dune73 commented Feb 28, 2020

XSS bypass with a payload not containing "<script>" #1705

XSS bypass with a payload not containing "<script>" #1705

Comments

dune73 commented Feb 28, 2020

Description

Your Environment

Confirmation