Even though cross-site scripting vulnerabilities have a 15-year history, they remain a big problem in the web security space. According to our research, there are hundreds of new issues discovered each month, and at least a few of them are being used in high-severity attacks.

The general problem of cross-site scripting has no easy solution. Yet, some of the existing mitigation techniques show high (over 95%) levels of efficiency in detection of real-life XSS attacks. One such solution is Internet Explorer’s XSS filter. As David Ross described in his blog posts, the core of the IE filter consist of a set of heuristics detecting common patterns of XSS attacks in URLs. Thanks to our collaboration with OWASP community, analogous set of rules is now available through OWASP ModSecurity Core Rule Set 2.2.7.

The new rules are present at the end of the file: base_rules\modsecurity_crs_41_xss_attacks.conf. They are divided into non-volatile (15 rules) and volatile (11 rules) sets, marked accordingly:

# non-volatile
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<script.*?>)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.7',maturity:'8',accuracy:'8',id:'973315',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"

In our practice, the non-volatile rules produce a very low number of false-positive hits, while the volatile ones tend to be susceptible to application-specific behavior. On most applications volatile rules also have a low false-positives ratio, but when a web application relies too much in its design on “suspicious” characters, selective disabling of specific volatile rules might be needed.

Application of the XSS-catching heuristics on IIS server is very simple, since version 2.7.3 users can install ModSecurity IIS module using Web Platform Installer. Also, with the recent general-availability release, when using Windows Azure Virtual Machines one can easily automate installation of ModSecurity IIS over Remote PowerShell, for example, by extending the launching script from Michael Washam’s blog with this simple snippet:

# Use native PowerShell Cmdlet to install ModSecurity IIS on the remote virtual machine
Invoke-Command -ConnectionUri $uri.ToString() -Credential $credential -ScriptBlock {
$msidir = $env:temp+"\modsecurityiis"
md $msidir
$file = $msidir+"\modsecurityiis.msi"
$webclient = New-Object System.Net.WebClient
$webclient.DownloadFile("http://www.modsecurity.org/tarball/2.7.3/ModSecurityIIS_2.7.3.msi",$file)
msiexec /i $file /qb
}

After installation, the default OWASP CRS IIS rules can be enabled for a selected website by adding to the web.config file, in system.webServer section:

<ModSecurity enabled="true" configFile="c:\inetpub\wwwroot\owasp_crs\modsecurity_iis.conf" />

This simple step should let web server administrators see a significant majority of XSS attempts and attacks launched on their websites.


The releasing of ModSecurity IIS version was a major milestone for the ModSecurity web application firewall project. We also won some community awards and WAF comparison tests. It is good to look back on past accomplishments, but it is also important to look ahead. How can we make ModSecurity IIS better in the future?

As part of this effort, the ModSecurity Team in SpiderLabs Research has developed a new user survey for 2013.

Click here to take survey.

If you are a user of ModSecurity IIS, I encourage you to take the survey as it will give us a better understanding of how ModSecurity IIS is being used, and also to get feedback on what we are doing well and what we need to improve.

It is only 15 questions. As an added incentive, you can also enter your email address into a raffle to win a copy of Ryan Barnett’s new book: "The Web Application Defender's Cookbook: Battling Hackers and Protecting Users".

Thanks for using ModSecurity IIS and for helping us to make it better!

- Greg Wroblewski, SRD Blogger

*Postings are provided "AS IS" with no warranties, and confer no rights.*