IDS mailing list archives

Detection of Injected XSS by IDS/IPS


From: Surya Batchu <suryak_batchu () yahoo com>
Date: Wed, 12 Sep 2007 07:24:04 -0700 (PDT)

Hi,
 
Many IDS and WAF products support detection (and prevention) of both persistent and reflective XSS injection attempts.
XSS injection detection by an IDS/WAF installed in front of the web server can be done by monitoring GET and POST variables.
The IDS or WAF can look for JavaScript and VBScript related words in these variables to detect any injection. There are
many Bleeding Threats (www.bleedingthreats.net) rules available to detect the injection.
 
My question is related to user access to injected XSS in web sites. How do we write rules to protect innocent users
while accessing websites that have injected XSS? In this case the IDS installation would be at the HTTP client side. To
detect reflective XSS, I guess the same rules that are used by the IDS at the web server level can be used. What about
persistent XSS? Rules looking for JavaScript in the HTTP response (HTML pages) are one solution, but they could have many
false positives (as many web pages have genuine JavaScript and VBScript in their pages) and also many false
negatives, as an HTML page can come in multiple packets, compressed, encoded, etc.
 
Is there any simple way?
 
Thanks
Surya
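
The following Python example is added here and is not part of the original post: it applies the parameter-keyword check the post describes and, for the client-side reflective case, undoes gzip on the response and reports flagged request values that come back unescaped. The token list, function names and sample data are constructed for illustration; response header names are assumed to be lower-cased.

```python
import gzip
import re
from urllib.parse import parse_qsl, unquote

# Constructed token list: script-related words of the kind the post mentions.
SCRIPT_TOKENS = re.compile(r"<\s*script|javascript:|vbscript:|\bon\w+\s*=", re.I)

def normalize(value, rounds=3):
    """Undo nested URL encoding (parse_qsl has already decoded once)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(query_or_form):
    """Request side: parameters whose decoded value carries a script token."""
    hits = {}
    for name, value in parse_qsl(query_or_form, keep_blank_values=True):
        value = normalize(value)
        if SCRIPT_TOKENS.search(value):
            hits[name] = value
    return hits

def decode_body(headers, body):
    """Return the response text, undoing Content-Encoding: gzip if present."""
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return body.decode("utf-8", errors="replace")

def reflected_params(query_or_form, resp_headers, resp_body):
    """Client side: flagged request values echoed unescaped in the response."""
    page = decode_body(resp_headers, resp_body).lower()
    flagged = suspicious_params(query_or_form)
    return sorted(n for n, v in flagged.items() if v.lower() in page)

# Constructed sample traffic (not captured from any real site).
SAMPLE_QUERY = "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E&page=2"
SITE_JS = b'<html><script src="/site.js"></script>Results for '
ECHOED = gzip.compress(SITE_JS + b"<script>alert(1)</script></html>")
ESCAPED = SITE_JS + b"&lt;script&gt;alert(1)&lt;/script&gt;</html>"

if __name__ == "__main__":
    print(suspicious_params(SAMPLE_QUERY))
    print(reflected_params(SAMPLE_QUERY, {"content-encoding": "gzip"}, ECHOED))
    print(reflected_params(SAMPLE_QUERY, {}, ESCAPED))
```

Because it needs a request value to correlate against, this check does not cover persistent XSS, and a sensor would have to reassemble the full response body before calling it.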

