WAF 可以防范 XSS 攻击。本节详细介绍了启用可自定义的 XSS 关键字以执行对 XSS 关键字不区分大小写的匹配并阻止这些关键字的步骤。
自定义规则语法:
SecRule 'variable "@pmfromfile xss-keywords.data"' "msg:'Node-Validator Blacklist Keywords', id:4099802, severity:'CRITICAL', phase:request, t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,t:removeNulls, rev:'2', ver:'OWASP_CRS/3.0.0', maturity:'1', accuracy:'8', block, ctl:auditLogParts=+E, capture, tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-xss', tag:'OWASP_CRS/WEB_ATTACK/XSS', tag:'WASCTC/WASC-8', tag:'WASCTC/WASC-22', tag:'OWASP_TOP_10/A3', tag:'OWASP_AppSensor/IE1', tag:'CAPEC-242', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', setvar:'tx.msg=%{rule.msg}', setvar:tx.xss_score=+%{tx.critical_anomaly_score}, setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
示例
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmfromfile xss-keywords.data" "msg:'Node-Validator Blacklist Keywords', id:4099802, severity:'CRITICAL', phase:request, t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,t:removeNulls, rev:'2', ver:'OWASP_CRS/3.0.0', maturity:'1', accuracy:'8', block, ctl:auditLogParts=+E, capture, tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-xss', tag:'OWASP_CRS/WEB_ATTACK/XSS', tag:'WASCTC/WASC-8', tag:'WASCTC/WASC-22', tag:'OWASP_TOP_10/A3', tag:'OWASP_AppSensor/IE1', tag:'CAPEC-242', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', setvar:'tx.msg=%{rule.msg}', setvar:tx.xss_score=+%{tx.critical_anomaly_score}, setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
Create the data file xss-keywords.datadocument.cookiedocument.write.parentnode.innerhtmlwindow.location-moz-binding<