Live ModSecurity Challenges at Blackhat Arsenal

ModSecurity is participating in the upcoming Blackhat Arsenal Tools Demo next week in Las Vegas.


When: Wed. Aug 3rd from 1:45 pm - 4:30 pm

Where: POD 1

We will have live demos/challenges running from our kiosk. In addition to the SQL Injection Challenges, we will also have a great XSS Challenge as outlined below.

So if you are going to be at Blackhat, we encourage you to stop by Arsenal and try your hand at bypassing these protections.

XSS Defense with ModSecurity

The purpose of this demo is to show possible XSS defenses by using ModSecurity.

XSS Defense #1: JS Sandbox

This defensive layer uses ModSecurity's Content Injection capability to insert defensive Javascript to the beginning of html responses. This demo uses Eduardo (sirdarckcat) Vela's Active Content Signatures (ACS) code.

Read more about this concept here.

XSS Defense #2: Neutralizing Reflected Payloads

This defensive technique uses ModSecurity rules to look for suspicious inbound payloads reflected back out to clients in the response body.

Read more about using ModSecurity's ability to identify improper output handling flaws here.

If a payload is found, then ModSecurity will use its new data substitution capabilities to alter the outbound html. It will do two things:

  • Prepend a JavaScript alert pop-up box warning the user that a security action has been taken on the response payload.
  • The malicious payload will be prepended with the HTML <PLAINTEXT> tag thus neutralizing the malicious payload.

Here is an example attack with defense.

    Demo Challenge

    Your challenge is to try and bypass both the JS sandbox and PLAINTEXT protections and successfully execute a reflected XSS attack that executes JS code in your browser. You may toggle On/Off the defenses by checking the boxes in the form below. This will help to facilitate testing of working XSS payloads.

    If you are successful, please notify us at any of the following places:

    - @ModSecurity on Twitter

    - OWASP ModSecurity Core Rule Set Mail-list

    - Submit bug report to Jira

    Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.