why the asm don't block this : "</script><script>window.top._arachni_js_namespace_taint_tracer.log_execution_flow_sink()</script>"><script>alert(150)</script>&arguments=-N2019,-A,-N325,-N0"
all the XSS signature are enabled and i see in the security logs that there is some XSS attacks that get blocked.
That string should trigger an attack signature violation. On my system, the attack signature ID is 200001475. Do you see that signature in your event log and is it possible that the signature is in staging?
How is that string being passed to the application? Is it via form input? Does that form input have parameters which are defined in the policy? If so, are XSS attack signatures applied to the parameter, and is the parameter enforced or in staging? Also, verify that the request is passing through the virtual server. It's possible that random tags, such as your first </script> example are not perceived as threats because a closing tag such as that, by itself, is not a threat.