Snort mailing list archives
Vulnerable to Cross Site Scripting (XSS) or not?
From: Jesper Skou Jensen <jesper.skou.jensen () uni-c dk>
Date: Tue, 05 Aug 2008 10:36:02 +0200
Hi there, Our snort quite often trigger the following rule rules/web-misc.rules alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting attempt"; flow:to_server,established; content:"<SCRIPT"; nocase; classtype:web-application-attack; sid:1497; rev:7;) and the syslog messages looks like this: Aug 5 06:25:53 snort: [1:1497:7] WEB-MISC cross site scripting attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 1.1.1.1:24628 -> 2.2.2.2:80 1.1.1.1 = the outside attacker 2.2.2.2 = our webserver I'm trying to understand why that is, and what exactly it is that is triggering it, and I hope you guys can help me doing that. 1. As far as I understand it, 1.1.1.1 is trying to send "<SCRIPT" in eg. a webform on 2.2.2.2. Is that correct? 2. It's triggered because there should be no "<SCRIPT" coming from the outside to our server, correct? 3. Is there an easy way to work out if the webserver/application is vulnerable or not? -- Jesper S. Jensen ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Vulnerable to Cross Site Scripting (XSS) or not? Jesper Skou Jensen (Aug 05)
- Re: Vulnerable to Cross Site Scripting (XSS) or not? Jesper Skou Jensen (Aug 05)
- Re: Vulnerable to Cross Site Scripting (XSS) or not? Valter Santos (Aug 05)
- Re: Vulnerable to Cross Site Scripting (XSS) or not? Jesper Skou Jensen (Aug 05)