nginx – WAF ModSecurity CRS rule does not detect HTML tags
We have used ModSecurity for nginx with the OWASP CoreRuleSet 3.3 in our nginx web server. Below are the inputs from the web UI.
1.
    {
        "data": {
            "id": 1002,
            "email": "testmodsec@gmail.com",
            "name": "ske<h1 onmouseover="console.log(\"js\")">test</h1>",
            "locale": "en",
            "category": 1,
            "status": 0
        }
    }

2.
    {
        "data": {
            "id": 1002,
            "email": "testmodsec@gmail.com",
            "name": "ske<img src=""onerror="alert(1)">",
            "locale": "en",
            "category": 1,
            "status": 0
        }
    }

3.
    {
        "data": {
            "id": 1002,
            "email": "testmodsec@gmail.com",
            "name": "ske<h1>test</h1>",
            "locale": "en",
            "category": 1,
            "status": 0
        }
    }
Inputs 1 and 2 are triggered by the HTML injection CRS rules (941xxx), but for input 3 CRS rule 941320 (HTML Tag Handler) is not triggered.
We need to block all 3 inputs with the ModSecurity CRS rules.
CoreRuleSet version used: v3.3.
Please help.
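One thing worth knowing when reading the question above: in CRS 3.3, rule 941320 is a paranoia level 2 rule, so with the default `tx.paranoia_level` of 1 it is never evaluated, while the rules that caught inputs 1 and 2 (event-handler and `onerror`/`src` patterns) run at level 1. Independently of the WAF setting, the application can refuse tag-like content in fields such as `name` itself. The following is an added example written for this page, not code from the question or from the CRS project; it decodes a JSON body, walks every string value and reports anything shaped like an HTML tag. The regex, the `find_html_tags`/`scan_request_body`/`classify_bodies` helpers and the sample bodies are all constructed for the example (the bodies mirror the three inputs from the question, plus one benign value containing bare `<` and `>`).

```python
import json
import re

# Conservative pattern for anything shaped like an opening or closing HTML tag:
# '<', optional '/', a tag name, optional attribute text without '<' or '>', then '>'.
# Bare comparison characters such as "1 < 2" do not match because no tag name follows.
HTML_TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z][A-Za-z0-9-]*(?:\s[^<>]*)?>")


def find_html_tags(value, path="$"):
    """Walk a decoded JSON value and return (json_path, matched_text) pairs
    for every string value that contains an HTML-tag-like sequence."""
    hits = []
    if isinstance(value, dict):
        for key, child in value.items():
            hits.extend(find_html_tags(child, f"{path}.{key}"))
    elif isinstance(value, list):
        for index, child in enumerate(value):
            hits.extend(find_html_tags(child, f"{path}[{index}]"))
    elif isinstance(value, str):
        for match in HTML_TAG_RE.finditer(value):
            hits.append((path, match.group(0)))
    return hits


def scan_request_body(raw_body):
    """Decode a JSON request body and return the list of tag hits.
    A body that is not valid JSON is scanned as one opaque string."""
    try:
        decoded = json.loads(raw_body)
    except json.JSONDecodeError:
        decoded = raw_body
    return find_html_tags(decoded)


def make_body(name):
    """Build a request body with the same shape as the question's inputs (constructed)."""
    return json.dumps({"data": {"id": 1002, "email": "testmodsec@gmail.com",
                                "name": name, "locale": "en",
                                "category": 1, "status": 0}})


# Constructed sample bodies: the three inputs from the question plus a benign value.
SAMPLE_BODIES = {
    "input1": make_body('ske<h1 onmouseover="console.log(\\"js\\")">test</h1>'),
    "input2": make_body('ske<img src=""onerror="alert(1)">'),
    "input3": make_body("ske<h1>test</h1>"),
    "benign": make_body("ske 1 < 2 and 3 > 2"),
}


def classify_bodies(bodies=SAMPLE_BODIES):
    """Return {label: [matched tag text, ...]}; an empty list means the body is clean."""
    return {label: [text for _, text in scan_request_body(body)]
            for label, body in bodies.items()}


if __name__ == "__main__":
    for label, tags in classify_bodies().items():
        verdict = "BLOCK" if tags else "allow"
        print(f"{label}: {verdict} {tags}")
```

Run as a script it prints a BLOCK verdict for all three question inputs and allow for the benign string; in the application this would sit in the handler for the `name` field and reject the request before it reaches storage, so it no longer matters which CRS paranoia level the WAF runs at for this particular field.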