WAF protects against XSS attacks. This section details steps for enabling customizable XSS keywords to perform a case-insensitive match of the XSS keywords and block them.

Custom Rule Syntax:

SecRule 'variable "@pmfromfile xss-keywords.data"' "msg:'Node-Validator Blacklist Keywords', id:4099802, severity:'CRITICAL', phase:request, t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,t:removeNulls, rev:'2', ver:'OWASP_CRS/3.0.0', maturity:'1', accuracy:'8', block, ctl:auditLogParts=+E, capture, tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-xss', tag:'OWASP_CRS/WEB_ATTACK/XSS', tag:'WASCTC/WASC-8', tag:'WASCTC/WASC-22', tag:'OWASP_TOP_10/A3', tag:'OWASP_AppSensor/IE1', tag:'CAPEC-242', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', setvar:'tx.msg=%{rule.msg}', setvar:tx.xss_score=+%{tx.critical_anomaly_score}, setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"

Example

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmfromfile xss-keywords.data" "msg:'Node-Validator Blacklist Keywords', id:4099802, severity:'CRITICAL', phase:request, t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,t:removeNulls, rev:'2', ver:'OWASP_CRS/3.0.0', maturity:'1', accuracy:'8', block, ctl:auditLogParts=+E, capture, tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-xss', tag:'OWASP_CRS/WEB_ATTACK/XSS', tag:'WASCTC/WASC-8', tag:'WASCTC/WASC-22', tag:'OWASP_TOP_10/A3', tag:'OWASP_AppSensor/IE1', tag:'CAPEC-242', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', setvar:'tx.msg=%{rule.msg}', setvar:tx.xss_score=+%{tx.critical_anomaly_score}, setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"

Create the data file xss-keywords.datadocument.cookiedocument.write.parentnode.innerhtmlwindow.location-moz-binding<![cdata[

In this example,

Keyword = document.cookie

Remove document.cookie from the xss-keywords data file and send the curl request shown below.

<%code>curl -v -b cookies -X GET ‘http://172.20.0.49/vulnerabilities/xss_r/?name=%3Cscript%3Edocument.location%3D%27http%3A%2F%2F172.20.0.49%2Flogin.php%3F+%27%2520%2Bdocument.cookie%3C%2Fscript%3E#’</code>
Note:

Alternatively, to retain the document.cookie, remove the Exceptions or enable the rules above and empty (not delete) the xss-keywords.data.