Modsecurity Cross Site Scripting Bypass

Type packetstorm
Reporter Rafay Baloch
Modified 2013-08-31T00:00:00


                                            `# Product: Mod_security  
# Author: Rafay Baloch  
# Company: RHAINFOSEC  
# Website:  
# Reported: 8/8/2013  
# Fixed: 25/8/2013  
# Status: Fixed  
The Mod_Security firewall is one of the most known WAF around, It has  
anonline smoke test where we can check if a vector bypassed the regular  
expressions that are meant to block the attacks. Recently,  
Modsecurity setup a challenge for researchers, the challenge was  
divided into two parts.  
1) Bypassing Modsecurity's Firewall  
2) Bypassing MentalJS  
Luckily, i managed to bypass both of them.  
The modsecurity's rules were very strict, therefore i had to use a browser  
bug to crack modsecurity's challenge. The browser bug involved  
using seprators just before an event handler. I tried with lots of  
seprators, however only /x0b worked for me in this case.  
The ModSecurity has updated the rule set and it now the detects the vector  
as an xss vector. Along with that i also provided modsecurity with the list  
of seprators that may have allowed for an attacker to create a working  
bypass in other browsers too.