ModSecurity is participating in the upcoming Blackhat Arsenal Tools Demo next week in Las Vegas.
When: Wed. Aug 3rd from 1:45 pm - 4:30 pm
Where: POD 1
We will have live demos/challenges running from our kiosk. In addition to the SQL Injection Challenges, we will also have a great XSS Challenge as outlined below.
So if you are going to be at Blackhat, we encourage you to stop by Arsenal and try your hand at bypassing these protections.
The purpose of this demo is to show possible XSS defenses by using ModSecurity.
This defensive layer uses ModSecurity's Content Injection capability to insert defensive Javascript to the beginning of html responses. This demo uses Eduardo (sirdarckcat) Vela's Active Content Signatures (ACS) code.
Read more about this concept here.
This defensive technique uses ModSecurity rules to look for suspicious inbound payloads reflected back out to clients in the response body.
Read more about using ModSecurity's ability to identify improper output handling flaws here.
If a payload is found, then ModSecurity will use its new data substitution capabilities to alter the outbound html. It will do two things:
Here is an example attack with defense.
Your challenge is to try and bypass both the JS sandbox and PLAINTEXT protections and successfully execute a reflected XSS attack that executes JS code in your browser. You may toggle On/Off the defenses by checking the boxes in the form below. This will help to facilitate testing of working XSS payloads.
If you are successful, please notify us at any of the following places:
- OWASP ModSecurity Core Rule Set Mail-list