Closed
Description
Motivation
We run some sites with mod_security and the OWASP Core Rule Set 3.3.0 enabled. (Thanks for your work ;))
After doing some security analysis, we found that some requests bypassed ModSecurity and led to successful XSS attacks.
Such an example request would be:
GET https://mysite.com/en/search/%3Cimg+src%3Dx+onerror%3Dalert%281%29%3B%3E
In my opinion, XSS attacks are not checked against the request path (only COOKIES, ARGS, ARG_NAMES, XML, HEADERS, ...).
Proposed solution
Include REQUEST_FILENAME in the XSS detection rules (in REQUEST-941-APPLICATION-ATTACK-XSS.conf).
e.g.
SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@detectXSS" \
"id:941100,\
...
After applying these changes, the XSS attacks were correctly blocked.
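The following is an added example of the proposed change written as a local rule, not the issue author's edit and not a rule shipped by CRS: it runs the same libinjection `@detectXSS` operator and transformation chain that CRS 3.3.0 applies to ARGS and cookies, but against REQUEST_FILENAME, and feeds the anomaly score the same way. The rule id 9001000 and the file it is placed in are assumptions; any free id in a local range works, and keeping it in a local file rather than editing REQUEST-941-APPLICATION-ATTACK-XSS.conf means a CRS upgrade will not overwrite it.

```apache
# Added example, not part of the issue or of CRS 3.3.0 itself.
# Assumed placement: a local rules file that ModSecurity loads after crs-setup.conf
# (for example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf), so that the
# tx.critical_anomaly_score and tx.anomaly_score_pl1 variables set by the
# phase 1 initialization rules are available when this phase 2 rule runs.
#
# REQUEST_FILENAME is the request path without the query string and is not
# URL-decoded by ModSecurity, so t:urlDecodeUni is applied before @detectXSS;
# the path /en/search/%3Cimg+src%3Dx+onerror%3Dalert%281%29%3B%3E from the
# report therefore decodes to <img src=x onerror=alert(1);> before matching.
# The id 9001000 is a hypothetical local id; pick any unused one.
SecRule REQUEST_FILENAME "@detectXSS" \
    "id:9001000,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'XSS Attack Detected via libinjection in request path',\
    logdata:'Matched Data: XSS data found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'paranoia-level/1',\
    severity:'CRITICAL',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
```

To check it before enforcing, run with `SecRuleEngine DetectionOnly`, request the path from the report with curl, and confirm in the audit log that rule 9001000 fires with REQUEST_FILENAME as the matched variable and that the request's inbound anomaly score crosses the configured threshold; then switch back to `SecRuleEngine On`. Sites whose legitimate URLs contain angle brackets or `on*=` fragments in the path will need a rule exclusion for this id, as for any other 941 rule.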