8000 document.querySelector('p').textContent="XSS" and document.body.appendChild not being detected · Issue #3634 · coreruleset/coreruleset · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content
document.querySelector('p').textContent="XSS" and document.body.appendChild not being detected #3634
New issue
New issue
Closed
#4055
Closed
document.querySelector('p').textContent="XSS" and document.body.appendChild not being detected#3634
#4055
Labels
➖ False Negative - Evasion
@dune73

Description

@dune73
dune73
opened on Mar 27, 2024
$ curl -H "x-format-output: txt-matched-rules" http://sandbox.coreruleset.org/ -d "foo=document.querySelector('p').textContent=\"XSS\""
-- no output --

$ curl -H "x-format-output: txt-matched-rules" http://sandbox.coreruleset.org/ -d 'foo=document.body.appendChild(document.createElement("h1")).textContent = "XSS"'
-- no output --

The document.head.appendChild and document.querySelector should probably be enough to trigger an alert.

Metadata

Metadata

Assignees

No one assigned

    Labels

    ➖ False Negative - Evasion

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions
      0