Reporter Rafay Baloch
Author: Rafay Baloch
The Mod_Security firewall is one of the most known WAF around, It has an
online smoke test where we can check if a vector bypassed the regular
It was though detecting null bytes, but it was generating a false positive
marking an xss attack as a SQL Injection attack.
The payload that was injected was:
I changed alert/eval to confirm, because alert was being detected but
prompt and confirm were not being detected.
The ModSecurity has updated the rule set and it now the detects the vector
as an xss vector. More details can be found in the following tweet: