Christian Folini dune73
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| test <a href="xxx">xxx</a> |
dune73
/ gist:67400bf4d1e23848564ad73c679fcbe5
Created
September 27, 2019 22:13
Portswigger XSS Cheatsheet vs OWASP ModSecurity CRS 3.2
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Cheatsheet: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet | |
| Extractedover 250 payloads and sent them against CRS 3.2 | |
| ****** payload-000 ******** | |
| Payload: | |
| payload=<a id=x tabindex=1 onactivate=alert(1)></a></a> | |
| --- Paranoia Level 1 --- |
dune73
/ gist:b5012ed09b97063abf3e80fd4d30c9f3
Last active
September 26, 2019 22:10
Report of new XSS payloads being sent against a vanilla OWASP ModSecurity Core Rule Set installation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| This is an attachment that goes with | |
| https://coreruleset.org/20190926/running-a-few-dozens-of-new-magic-xss-payloads-against-crs-3-2/ | |
| Multiline payloads were submitted as separate payloads for simplicity. | |
| We do not think this changes a thing. Single payloads would be easier to detect for CRS. | |
| ******* payload-002-001 *********** | |
| Payload: | |
| payload=<a href=# name=x id=x>Click me on IE11</a> | |
| payload=<script event="onclick(blah)<wtfbbq>{}" for=x>blah.view.alert(1)</script> |
NewerOlder