IDS mailing list archives
Detection of Injected XSS by IDS/IPS
From: Surya Batchu <suryak_batchu () yahoo com>
Date: Wed, 12 Sep 2007 07:24:04 -0700 (PDT)
Hi, Many IDS and WAF products support detection (and prevention) of both persistent and reflective XSS injection attemtps. XSS injection detection by IDS/WAF installed infront of web server can be done by monitoring GET and POST variables. IDS or WAF can look for javascript and VB script related words in these variables to detect any injection. There are many bleeding threat (www.bleedingthreats.net) rules available to detect the injection. My question is related to user access to injected XSS in the web sites. How do we write rules to protect innocent users while accessing the websites having injected XSS? In this case IDS installation would be at the HTTP Client side. To detect reflective XSS, I guess same rules that are used at the IDS at web server level can be used. What about persistent XSS? Rules looking for java script in HTTP response (HTML pages) is one solution, but it could have many false positives (as many web pages have genuine java script and vb scripting in their pages) and also many false negatives as HTMP page can come in multiple packets, compressed, encoded etc.. Is there any simple way? Thanks Surya ____________________________________________________________________________________ Check out the hottest 2008 models today at Yahoo! Autos. http://autos.yahoo.com/new_cars.html ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
Current thread:
- Detection of Injected XSS by IDS/IPS Surya Batchu (Sep 13)