Modsecurity Cross Site Scripting Bypass

2013-08-31T00:00:00
ID PACKETSTORM:123026
Type packetstorm
Reporter Rafay Baloch
Modified 2013-08-31T00:00:00

Description

                                        
                                            `# Product: Mod_security  
# Author: Rafay Baloch  
# Company: RHAINFOSEC  
# Website: http://services.rafayhackingarticles.net  
# Reported: 8/8/2013  
# Fixed: 25/8/2013  
# Status: Fixed  
  
============  
Introduction  
============  
  
The Mod_Security firewall is one of the most known WAF around, It has  
anonline smoke test where we can check if a vector bypassed the regular  
expressions that are meant to block the attacks. Recently,  
Modsecurity setup a challenge for researchers, the challenge was  
divided into two parts.  
  
1) Bypassing Modsecurity's Firewall  
2) Bypassing MentalJS  
  
Luckily, i managed to bypass both of them.  
  
=======  
Details  
=======  
  
The modsecurity's rules were very strict, therefore i had to use a browser  
bug to crack modsecurity's challenge. The browser bug involved  
using seprators just before an event handler. I tried with lots of  
seprators, however only /x0b worked for me in this case.  
  
===  
POC  
===  
  
<a/onmouseover[\x0b]=location='\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3A\x61\x6C\x65\x72\x74\x28\x30\x29\x3B'>rhainfosec  
  
===  
Fix  
===  
  
The ModSecurity has updated the rule set and it now the detects the vector  
as an xss vector. Along with that i also provided modsecurity with the list  
of seprators that may have allowed for an attacker to create a working  
bypass in other browsers too.  
`