Also inspect the path for the script tag

Part of SpiderLabs#1022.
fgsch · Feb 14, 2019 · 83d5f46 · 83d5f46
1 parent a46346b
commit 83d5f46
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
@@ -65,7 +65,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 # http://xssplayground.net23.net/xssfilter.html
 # script tag based XSS vectors, e.g., <script> alert(1)</script>
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[<＜]script[^>＞]*[>＞][\s\S]*?" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[<＜]script[^>＞]*[>＞][\s\S]*?" \
     "id:941110,\
     phase:2,\
     block,\

diff --git a/util/regression-tests/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941110.yaml b/util/regression-tests/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941110.yaml
@@ -71,3 +71,20 @@
               Referer: "<script >alert(1);</script>"
           output:
             log_contains: id "941110"                      
+    -
+      test_title: 941110-5
+      desc: XSS in URI / PATH_INFO going undetected - GH issue 1022
+      stages:
+      -
+        stage:
+          input:
+            dest_addr: 127.0.0.1
+            method: GET
+            port: 80
+            uri: "/foo/bar</script><script%20>alert(1)</script>/"
+            headers:
+              Host: localhost
+              Accept: "*/*"
+              User-Agent: ModSecurity CRS 3 Tests
+          output:
+            log_contains: id "941110"