-
-
Notifications
You must be signed in to change notification settings - Fork 344
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Javascript "console.log()" and "console.dir()" not being detected #3633
Comments
Is it really possible to run a javascript like this? We have no rule which is catching javascript functions on it's own (except
|
This is taken from this thread: https://twitter.com/intigriti/status/1772929816360050857 The idea was to take these ideas and detect them even if they are naked. If this is too cumbersome / too prone of FPs or would add too much overhead in the form of a new rule, we may one want to skip it. But I think it could be worthwhile to plug these holes since they are used while trying out exploits. |
I can't view the thread, only the original message, so it's possible I don't have the full picture. Your requests look like the injection vulnerability would exist only because the application was badly designed. It's not a classical XSS injection IMO, since it wouldn't work with plain HTML. I don't think it makes sense for us to invest our energy here at the moment. |
The thread is about ~ "How do you prove an XSS when script-alert is blocked by a WAF". So these are all ways to evade detection. You can say they do not work when naked, but I still think it warranted and if only as a 2nd net of safety since they indicate the desire to inject code. |
The text was updated successfully, but these errors were encountered: