Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Javascript "console.log()" and "console.dir()" not being detected #3633

Open
dune73 opened this issue Mar 27, 2024 · 4 comments
Open

Javascript "console.log()" and "console.dir()" not being detected #3633

dune73 opened this issue Mar 27, 2024 · 4 comments
Labels
➖ False Negative - Evasion

Comments

@dune73
Copy link
Member

dune73 commented Mar 27, 2024
edited 

$ curl -H "x-format-output: txt-matched-rules" http://sandbox.coreruleset.org/ -d 'foo=console.log(msg)'
-- no output --

$ curl -H "x-format-output: txt-matched-rules" http://sandbox.coreruleset.org/ -d 'foo=console.dir(msg)'
-- no output --
@dune73 dune73 changed the title Javascript "console.log()" not being detected Javascript "console.log()" and "console.dir()" not being detected Mar 27, 2024
@azurit
Copy link
Member

azurit commented Apr 12, 2024

Is it really possible to run a javascript like this? We have no rule which is catching javascript functions on it's own (except 941390 but it's very specific). The common usage of javascript is, for example, this:

$  curl -H "x-format-output: txt-matched-rules" http://sandbox.coreruleset.org/ -d 'foo=javascript:console.log(msg)'
941170 PL1 NoScript XSS InjectionChecker: Attribute Injection
941210 PL1 IE XSS Filters - Attack Detected
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 10)
980170 PL1 Anomaly Scores: (Inbound Scores: blocking=10, detection=10, per_pl=10-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=10, RFI=0, LFI=0, RCE=0, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=10)

@dune73
Copy link
Member Author

dune73 commented Apr 12, 2024

This is taken from this thread: https://twitter.com/intigriti/status/1772929816360050857

The idea was to take these ideas and detect them even if they are naked.

If this is too cumbersome / too prone of FPs or would add too much overhead in the form of a new rule, we may one want to skip it.

But I think it could be worthwhile to plug these holes since they are used while trying out exploits.

@theseion
Copy link
Contributor

I can't view the thread, only the original message, so it's possible I don't have the full picture.

Your requests look like the injection vulnerability would exist only because the application was badly designed. It's not a classical XSS injection IMO, since it wouldn't work with plain HTML. I don't think it makes sense for us to invest our energy here at the moment.

@dune73
Copy link
Member Author

dune73 commented Apr 15, 2024

The thread is about ~ "How do you prove an XSS when script-alert is blocked by a WAF". So these are all ways to evade detection. You can say they do not work when naked, but I still think it warranted and if only as a 2nd net of safety since they indicate the desire to inject code.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
➖ False Negative - Evasion
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@theseion @dune73 @azurit