Snort mailing list archives

Vulnerable to Cross Site Scripting (XSS) or not?


From: Jesper Skou Jensen <jesper.skou.jensen () uni-c dk>
Date: Tue, 05 Aug 2008 10:36:02 +0200

Hi there,

Our snort quite often triggers the following rule

rules/web-misc.rules
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting attempt"; flow:to_server,established; content:"<SCRIPT"; nocase; classtype:web-application-attack; sid:1497; rev:7;)

and the syslog messages look like this:

Aug  5 06:25:53 snort: [1:1497:7] WEB-MISC cross site scripting attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 1.1.1.1:24628 -> 2.2.2.2:80

1.1.1.1 = the outside attacker
2.2.2.2 = our webserver


I'm trying to understand why that is, and what exactly it is that is 
triggering it, and I hope you guys can help me do that.

1. As far as I understand it, 1.1.1.1 is trying to send "<SCRIPT" in e.g. 
a webform on 2.2.2.2. Is that correct?

2. It's triggered because there should be no "<SCRIPT" coming from the 
outside to our server, correct?

3. Is there an easy way to work out if the webserver/application is 
vulnerable or not?


-- 
Jesper S. Jensen
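
Added example, not part of the original post: Python that mirrors the payload test of sid 1497 (a case-insensitive search for "<SCRIPT" in the raw request) and then triages a captured request/response pair from your own server by checking whether a flagged parameter value comes back verbatim or HTML-escaped. The requests, responses, host name and function names are constructed for illustration; a verbatim reflection points at a page whose output encoding needs review and is not proof by itself.

```python
import html
from urllib.parse import parse_qsl, urlsplit

NEEDLE = b"<script"  # sid 1497: content:"<SCRIPT"; nocase;

def rule_1497_matches(raw_request: bytes) -> bool:
    """The rule's only payload test: case-insensitive search of the raw bytes."""
    return NEEDLE in raw_request.lower()

def flagged_params(raw_request: bytes) -> dict:
    """Decoded query/form parameters whose value contains '<script'."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    target = head.split(b"\r\n")[0].split(b" ")[1].decode("latin-1")
    pairs = parse_qsl(urlsplit(target).query)
    if b"application/x-www-form-urlencoded" in head.lower():
        pairs += parse_qsl(body.decode("latin-1"))
    return {k: v for k, v in pairs if "<script" in v.lower()}

def triage(raw_request: bytes, response_body: str) -> str:
    """Classify one captured request/response pair from our own web server."""
    if not rule_1497_matches(raw_request):
        return "no-alert"
    values = list(flagged_params(raw_request).values())
    if not values:
        return "alert-outside-parameters"  # e.g. markup inside an uploaded file
    if any(v in response_body for v in values):
        return "reflected-unescaped"       # not HTML-encoded on output: review this page
    if any(html.escape(v) in response_body for v in values):
        return "reflected-escaped"         # application encoded the value on output
    return "not-reflected"

# Constructed sample traffic (hypothetical, not from the original post).
REQ = b"GET /search?q=<script>x</script> HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BENIGN = b"GET /search?q=snort HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
UPLOAD = (b"POST /upload HTTP/1.1\r\nContent-Type: multipart/form-data; boundary=b"
          b"\r\n\r\n--b\r\n\r\n<html><SCRIPT src=a.js></SCRIPT></html>\r\n--b--")
ESCAPED = "<p>Results for &lt;script&gt;x&lt;/script&gt;</p>"
VERBATIM = "<p>Results for <script>x</script></p>"

if __name__ == "__main__":
    for req, resp in [(REQ, ESCAPED), (REQ, VERBATIM), (REQ, "<p>ok</p>"),
                      (UPLOAD, "<p>stored</p>"), (BENIGN, "")]:
        print(triage(req, resp))
```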

