Mod_Security Cross Site Scripting Bypass

2013-06-19T00:00:00
ID PACKETSTORM:122093
Type packetstorm
Reporter Rafay Baloch
Modified 2013-06-19T00:00:00

Description

Product: Mod_security  
Author: Rafay Baloch  
Status: Fixed  
  
Details:  
  
ModSecurity is one of the best-known WAFs around. It has an online smoke  
test where a vector can be submitted to check whether it bypasses the  
regular expressions in the rule set.  
  
Payload:  
  
The rule set did detect the null bytes, but it generated a false positive:  
the XSS payload was flagged as a SQL injection attack rather than as XSS.  
  
The payload that was injected was:  
  
<scri%00pt>confirm(0);</scri%00pt>  
  
I changed alert/eval to confirm, because alert was being detected but  
prompt and confirm were not.  
  
Fix:  
  
ModSecurity has updated its rule set and now detects the vector as XSS.  
More details can be found in the following tweet:  
https://twitter.com/ModSecurity/status/347364390737178625  
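The following is an added example, not code from the advisory or from the ModSecurity project, showing why a null byte inside the tag name and a swap from alert() to confirm()/prompt() slip past a pattern that is applied to the raw parameter value. The naive and hardened rules below are constructed for illustration and are not ModSecurity's actual CRS rules; the hardened version applies the same kind of input transformations (URL-decode, strip NUL bytes, lowercase) that ModSecurity rules express with t:urlDecodeUni, t:removeNulls and t:lowercase, and matches a broader set of sink functions. The sample request values other than the advisory's payload are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample parameter values. "bypass" is the payload from the advisory;
# the others are made up here to exercise the two rules.
SAMPLES = {
    "plain":  "<script>alert(0);</script>",
    "bypass": "<scri%00pt>confirm(0);</scri%00pt>",
    "prompt": "<scri%00pt>prompt(0);</scri%00pt>",
    "benign": "q=select+the+best+script+for+your+needs",
}

# Hypothetical naive rule: runs on the raw, still URL-encoded value and only
# knows about alert(). "%00" breaks the literal "script" and confirm() is unseen.
NAIVE_XSS = re.compile(r"<script[^>]*>.*?alert\s*\(", re.I | re.S)


def naive_detect(raw: str) -> bool:
    """Return True if the naive rule fires on the raw value."""
    return bool(NAIVE_XSS.search(raw))


def normalize(raw: str) -> str:
    """URL-decode until stable (handles double encoding), drop NUL bytes, lowercase.

    This is the step that turns "<scri%00pt>" back into "<script>" so a
    regex sees the tag the way a lenient parser would.
    """
    decoded = raw
    while True:
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return decoded.replace("\x00", "").lower()


# Hypothetical hardened rule: applied after normalize(), and covering the
# other dialog/eval sinks the advisory mentions, not just alert().
HARDENED_XSS = re.compile(
    r"<\s*script\b[^>]*>.*?\b(?:alert|confirm|prompt|eval)\s*\(", re.S
)


def hardened_detect(raw: str) -> bool:
    """Return True if the hardened rule fires on the normalized value."""
    return bool(HARDENED_XSS.search(normalize(raw)))


def classify_all(samples: dict) -> dict:
    """Run both rules over every sample; returns {name: (naive, hardened)}."""
    return {name: (naive_detect(v), hardened_detect(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in classify_all(SAMPLES).items():
        print(f"{name:7s} naive={naive!s:5s} hardened={hardened!s:5s}")
```

Running it shows the naive rule catching only the plain alert() payload, while the hardened rule catches the null-byte variants with confirm() and prompt() and still leaves the benign value alone. The lesson is that the regex is only as good as the transformations applied before it: match on a canonical form of the input, and enumerate the sinks that matter rather than a single function name.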
  
--   
Warm Regards,  
Rafay Baloch  
  
http://rafayhackingarticles.net  
http://techlotips.com  