Hello Christian and team, Having recently tried out ModSecurity, it appears that lower paranoia levels (Basic, PL1, PL2, PL3) are not fully blocking all flavors of XSS and SQL injection.
Encoded XSS attacks are bypassing the CRS rules. Example below: http://localhost:8082/xss2?uid=%3Balert%281%29%3B Similarly for SQLi, the below pattern is getting through. http://localhost:8082/sqli2?uid=3-2 When the Paranoia Level is set to PL4, the encoded XSS attack is blocked, however it crashes the application. With PL4, SQLi attack reported by the vulnerability scanner above, is still not blocked. Is it possible to selectively add custom rules (for encoded XSS attacks) to the basic level or other lower levels that do not adversely impact the application? Thanks. From: owasp-modsecurity-core-rule-set-bounces+hiranmayi.palanki=aexp....@lists.owasp.org [mailto:owasp-modsecurity-core-rule-set-bounces+hiranmayi.palanki=aexp....@lists.owasp.org] On Behalf Of Christian Folini Sent: Tuesday, March 20, 2018 2:57 AM To: owasp-modsecurity-core-rule-set@lists.owasp.org; mod-security-us...@lists.sourceforge.net Subject: [Owasp-modsecurity-core-rule-set] OWASP ModSecurity Core Rule Set Community Summit: July 4, 2018, in London Hi there, Please save the date of our first Community Summit: July 4, 2018, at 4pm in London. https://coreruleset.org/20180320/save-the-date-crs-community-summit-on-july-4-2018/<https://isolate.menlosecurity.com/1/3735928037/https:/coreruleset.org/20180320/save-the-date-crs-community-summit-on-july-4-2018/> This is meant to be a get-together of the community. We want to learn about you and how you use CRS in your setups - and we want to talk with you about the road map for the project and various feature requests. The date is the night before AppSecEU. So you can join this get-together on Wednesday and then attend AppSec EU on Thursday / Friday. Please do consider to join us when Chaim, Walter and I meet for the first time face2face. :) Best, Christian -- https://www.feistyduck.com/training/modsecurity-training-course<https://isolate.menlosecurity.com/1/3735928037/https:/www.feistyduck.com/training/modsecurity-training-course> https://www.feistyduck.com/books/modsecurity-handbook/<https://isolate.menlosecurity.com/1/3735928037/https:/www.feistyduck.com/books/modsecurity-handbook/> mailto:christian.fol...@netnea.com<mailto:christian.fol...@netnea.com> twitter: @ChrFolini _______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:Owasp-modsecurity-core-rule-set@lists.owasp.org> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set<https://isolate.menlosecurity.com/1/3735928037/https:/lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set> American Express made the following annotations ****************************************************************************** "This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use, or distribution of the information included in this message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank you." American Express a ajouté le commentaire suivant le Ce courrier et toute pièce jointe qu'il contient sont réservés au seul destinataire indiqué et peuvent renfermer des renseignements confidentiels et privilégiés. Si vous n'êtes pas le destinataire prévu, toute divulgation, duplication, utilisation ou distribution du courrier ou de toute pièce jointe est interdite. Si vous avez reçu cette communication par erreur, veuillez nous en aviser par courrier et détruire immédiatement le courrier et les pièces jointes. Merci. ******************************************************************************
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set