WAF 可以防范 XSS 攻击。本节详细介绍了启用可自定义的 XSS 关键字以执行对 XSS 关键字不区分大小写的匹配并阻止这些关键字的步骤。

自定义规则语法:

SecRule 'variable "@pmfromfile xss-keywords.data"' "msg:'Node-Validator Blacklist Keywords', id:4099802, severity:'CRITICAL', phase:request, t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,t:removeNulls, rev:'2', ver:'OWASP_CRS/3.0.0', maturity:'1', accuracy:'8', block, ctl:auditLogParts=+E, capture, tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-xss', tag:'OWASP_CRS/WEB_ATTACK/XSS', tag:'WASCTC/WASC-8', tag:'WASCTC/WASC-22', tag:'OWASP_TOP_10/A3', tag:'OWASP_AppSensor/IE1', tag:'CAPEC-242', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', setvar:'tx.msg=%{rule.msg}', setvar:tx.xss_score=+%{tx.critical_anomaly_score}, setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"

示例

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmfromfile xss-keywords.data" "msg:'Node-Validator Blacklist Keywords', id:4099802, severity:'CRITICAL', phase:request, t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,t:removeNulls, rev:'2', ver:'OWASP_CRS/3.0.0', maturity:'1', accuracy:'8', block, ctl:auditLogParts=+E, capture, tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-xss', tag:'OWASP_CRS/WEB_ATTACK/XSS', tag:'WASCTC/WASC-8', tag:'WASCTC/WASC-22', tag:'OWASP_TOP_10/A3', tag:'OWASP_AppSensor/IE1', tag:'CAPEC-242', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', setvar:'tx.msg=%{rule.msg}', setvar:tx.xss_score=+%{tx.critical_anomaly_score}, setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"

Create the data file xss-keywords.datadocument.cookiedocument.write.parentnode.innerhtmlwindow.location-moz-binding<![cdata[

在此示例中,

Keyword = document.cookie

xss-keywords 数据文件中移除 document.cookie,然后发送下面显示的 curl 请求。

<%code>curl -v -b cookies -X GET ‘http://172.20.0.49/vulnerabilities/xss_r/?name=%3Cscript%3Edocument.location%3D%27http%3A%2F%2F172.20.0.49%2Flogin.php%3F+%27%2520%2Bdocument.cookie%3C%2Fscript%3E#’</code>
注:

或者,要保留 document.cookie,请移除例外,或启用上面的规则并清空(不删除)xss-keywords.data