Product: Mod_security
Author: Rafay Baloch
Status: Fixed

Details:

The Mod_Security firewall is one of the most known WAF around, It has an
online smoke test where we can check if a vector bypassed the regular
expressions.

Payload:

It was though detecting null bytes, but it was generating a false positive
marking an xss attack as a SQL Injection attack.

The payload that was injected was:

<scri%00pt>confirm(0);</scri%00pt>

I changed alert/eval to confirm, because alert was being detected but
prompt and confirm were not being detected.

Fix:

The ModSecurity has updated the rule set and it now the detects the vector
as an xss vector. More details can be found in the following tweet:
https://twitter.com/ModSecurity/status/347364390737178625

-- 
Warm Regards,
Rafay Baloch

http://rafayhackingarticles.net
http://techlotips.com