IDS mailing list archives
how to avoid false positive in generic cross site scripting attack ids signature
From: singhamit4me () gmail com
Date: 1 Feb 2007 12:48:54 -0000
Hi guys, I am trying to catch cross-site scripting attacks with a generic IDS signature which catches the "javascript:" attack vector in the HTTP URI. In most cases it is working fine, but it gives false positives in the case of visiting/viewing Flash files on the Yahoo site. The packet capture of the URI string is:

10:59:06.000000 0:f:20:8d:13:c0 0:0:5e:0:1:64 0800 1049: IP (tos 0x0, ttl 127, id 1304, len 1035) 172.16.4.131.3040 > 66.186.196.17.80: P [tcp sum ok] 837942285:837943280(995) ack 841946832 win 65070 (DF)
0x0000 4500 040b 0518 4000 7f06 3b76 ac10 0483 E.....@...;v....
0x0010 42ba c411 0be0 0050 31f1 fc0d 322f 16d0 B......P1...2/..
0x0020 5018 fe2e d44d 0000 4745 5420 2f75 732e P....M..GET./us.
0x0030 7969 6d67 2e63 6f6d 2f61 2f79 612f 7961 yimg.com/a/ya/ya
0x0040 686f 6f5f 6175 746f 732f 3130 3131 3036 hoo_autos/101106
0x0050 5f37 3531 3438 5f76 315f 3132 3078 3630 _75148_v1_120x60
0x0060 305f 736b 795f 7275 7373 6961 6e2e 7377 0_sky_russian.sw
0x0070 663f 636c 6963 6b54 4147 3d6a 6176 6173 f?clickTAG=javas
0x0080 6372 6970 743a 534b 596f 7065 6e57 696e cript:SKYopenWin
0x0090 646f 7728 3129 2663 6c69 636b 5441 4732 dow(1)&clickTAG2
0x00a0 3d68 7474 7025 3341 2532 4625 3246 7573 =http%3A%2F%2Fus
0x00b0 2e61 7264 2e79 6168 6f6f 2e63 6f6d 2532 .ard.yahoo.com%2
0x00c0 4653 4947 2533 4431 3268 6862 3461 376c FSIG%3D12hhb4a7l
0x00d0 2532 464d 2533 4433 3030 3331 302e 3937 %2FM%3D300310.97
0x00e0 3432 3634 352e 3130 3435 3239 3730 2e38 42645.10452970.8
0x00f0 3833 3935 3835 2532 4644 2533 446d 6169 839585%2FD%3Dmai
0x0100 6c25 3246 5325 3344 3135 3035 3530 3135 l%2FS%3D15055015
0x0110 3225 3341 5753 4b59 2532 4659 2533 4459 2%3AWSKY%2FY%3DY
0x0120 4148 4f4f 2532 4645 5850 2533 4431 3136 AHOO%2FEXP%3D116
0x0130 3634 3237 3038 3325 3246 4125 3344 3430 6427083%2FA%3D40
0x0140 3237 3133 3225 3246 5225 3344 3125 3246 27132%2FR%3D1%2F
0x0150 6964 2533 4466 6c61 7368 7572 6c25 3246 id%3Dflashurl%2F
0x0160 5349 4725 3344 3133 6873 366a 7162 3525 SIG%3D13hs6jqb5%
0x0170 3246 2a68 7474 7025 3341 2532 4625 3246 2F*http%3A%2F%2F
0x0180 6175 746f 732e 7961 686f 6f2e 636f 6d25 autos.yahoo.com%
0x0190 3246 7573 6564 5f63 6172 732e 6874 6d6c 2Fused_cars.html
0x01a0 2533 425f 796c 6325 3344 5833 6f44 4d54 %3B_ylc%3DX3oDMT
0x01b0 4532 6257 7872 5933 4579 4246 3954 417a E2bWxrY3EyBF9TAz
0x01c0 6b33 4d54 4133 4d44 6377 4248 4e6c 5977 k3MTA3MDcwBHNlYw
0x01d0 4e79 6458 4e7a 6157 4675 4c57 5276 6247 NydXNzaWFuLWRvbG
0x01e0 787a 4248 4e73 6177 4e31 6332 566b 2663 xzBHNsawN1c2Vk&c
0x01f0 6c69 636b 5441 4733 3d68 7474 7025 3341 lickTAG3=http%3A
0x0200 2532 4625 3246 7573 2e61 7264 2e79 6168 %2F%2Fus.ard.yah
0x0210 6f6f 2e63 6f6d 2532 4653 4947 2533 4431 oo.com%2FSIG%3D1
0x0220 3268 6862 3461 376c 2532 464d 2533 4433 2hhb4a7l%2FM%3D3
0x0230 3030 3331 302e 3937 3432 3634 352e 3130 00310.9742645.10
0x0240 3435 3239 3730 2e38 3833 3935 3835 2532 452970.8839585%2
0x0250 4644 2533 446d 6169 6c25 3246 5325 3344 FD%3Dmail%2FS%3D
0x0260 3135 3035 3530 3135 3225 3341 5753 4b59 150550152%3AWSKY
0x0270 2532 4659 2533 4459 4148 4f4f 2532 4645 %2FY%3DYAHOO%2FE
0x0280 5850 2533 4431 3136 3634 3237 3038 3325 XP%3D1166427083%
0x0290 3246 4125 3344 3430 3237 3133 3225 3246 2FA%3D4027132%2F
0x02a0 5225 3344 3225 3246 6964 2533 4466 6c61 R%3D2%2Fid%3Dfla
0x02b0 7368 7572 6c25 3246 5349 4725 3344 3133 shurl%2FSIG%3D13
0x02c0 3375 6976 7361 7025 3246 2a68 7474 7025 3uivsap%2F*http%
0x02d0 3341 2532 4625 3246 6175 746f 732e 7961 3A%2F%2Fautos.ya
0x02e0 686f 6f2e 636f 6d25 3246 2533 425f 796c hoo.com%2F%3B_yl
0x02f0 6325 3344 5833 6f44 4d54 4532 6257 6c6c c%3DX3oDMTE2bWll
0x0300 6147 5a70 4246 3954 417a 6b33 4d54 4133 aGZpBF9TAzk3MTA3
0x0310 4d44 6377 4248 4e6c 5977 4e79 6458 4e7a MDcwBHNlYwNydXNz
0x0320 6157 4675 4c57 5276 6247 787a 4248 4e73 aWFuLWRvbGxzBHNs
0x0330 6177 4e6f 6232 316c 2048 5454 502f 312e awNob21l.HTTP/1.
0x0340 310d 0a41 6363 6570 743a 202a 2f2a 0d0a 1..Accept:.*/*..
0x0350 4163 6365 7074 2d45 6e63 6f64 696e 673a Accept-Encoding:
0x0360 2067 7a69 702c 2064 6566 6c61 7465 0d0a .gzip,.deflate..
0x0370 5573 6572 2d41 6765 6e74 3a20 4d6f 7a69 User-Agent:.Mozi
0x0380 6c6c 612f 342e 3020 2863 6f6d 7061 7469 lla/4.0.(compati
0x0390 626c 653b 204d 5349 4520 362e 303b 2057 ble;.MSIE.6.0;.W
0x03a0 696e 646f 7773 204e 5420 352e 313b 2053 indows.NT.5.1;.S
0x03b0 5631 3b20 2e4e 4554 2043 4c52 2031 2e30 V1;..NET.CLR.1.0
0x03c0 2e33 3730 353b 202e 4e45 5420 434c 5220 .3705;..NET.CLR.
0x03d0 312e 312e 3433 3232 290d 0a48 6f73 743a 1.1.4322)..Host:
0x03e0 2075 732e 6132 2e79 696d 672e 636f 6d0d .us.a2.yimg.com.
0x03f0 0a43 6f6e 6e65 6374 696f 6e3a 204b 6565 .Connection:.Kee
0x0400 702d 416c 6976 650d 0a0d 0a p-Alive....

16:34:08.000000 0:f:20:8d:13:c0 0:0:5e:0:1:64 0800 494: IP (tos 0x0, ttl 127, id 11828, len 480) 172.16.4.69.1667 > 63.147.175.35.80: P [tcp sum ok] 1578997866:1578998306(440) ack 2178904868 win 65535 (DF)
0x0000 4500 01e0 2e34 4000 7f06 2cd8 ac10 0445 E....4@...,....E
0x0010 3f93 af23 0683 0050 5e1d 986a 81df 7324 ?..#...P^..j..s$
0x0020 5018 ffff ee9a 0000 4745 5420 2f75 732e P.......GET./us.
0x0030 7969 6d67 2e63 6f6d 2f61 2f79 612f 7961 yimg.com/a/ya/ya
0x0040 686f 6f5f 666f 6f64 2f32 3030 3631 3130 hoo_food/2006110
0x0050 375f 3737 3939 365f 315f 3330 3078 3235 7_77996_1_300x25
0x0060 305f 6c72 6563 5f66 6f6f 645f 6469 6e69 0_lrec_food_dini
0x0070 6e67 6f75 742e 7377 663f 636c 6963 6b54 ngout.swf?clickT
0x0080 4147 3d6a 6176 6173 6372 6970 743a 4c52 AG=javascript:LR
0x0090 4543 6f70 656e 5769 6e64 6f77 2831 2926 ECopenWindow(1)&
0x00a0 6d6f 7669 6531 3d68 7474 7025 3341 2532 movie1=http%3A%2
0x00b0 4625 3246 7573 2e61 322e 7969 6d67 2e63 F%2Fus.a2.yimg.c
0x00c0 6f6d 2532 4675 732e 7969 6d67 2e63 6f6d om%2Fus.yimg.com
0x00d0 2532 4661 2532 4679 6125 3246 7961 686f %2Fa%2Fya%2Fyaho
0x00e0 6f5f 666f 6f64 2532 4632 3030 3631 3130 o_food%2F2006110
0x00f0 375f 3737 3939 365f 315f 3330 3078 3235 7_77996_1_300x25
0x0100 305f 6c72 6563 5f66 6f6f 645f 6469 6e69 0_lrec_food_dini
0x0110 6e67 6f75 745f 6d6f 7669 6531 2e73 7766 ngout_movie1.swf
0x0120 2048 5454 502f 312e 310d 0a41 6363 6570 .HTTP/1.1..Accep
0x0130 743a 202a 2f2a 0d0a 4163 6365 7074 2d45 t:.*/*..Accept-E
0x0140 6e63 6f64 696e 673a 2067 7a69 702c 2064 ncoding:.gzip,.d
0x0150 6566 6c61 7465 0d0a 5573 6572 2d41 6765 eflate..User-Age
0x0160 6e74 3a20 4d6f 7a69 6c6c 612f 342e 3020 nt:.Mozilla/4.0.
0x0170 2863 6f6d 7061 7469 626c 653b 204d 5349 (compatible;.MSI
0x0180 4520 362e 303b 2057 696e 646f 7773 204e E.6.0;.Windows.N
0x0190 5420 352e 313b 2053 5631 3b20 2e4e 4554 T.5.1;.SV1;..NET
0x01a0 2043 4c52 2031 2e31 2e34 3332 3229 0d0a .CLR.1.1.4322)..
0x01b0 486f 7374 3a20 7573 2e61 322e 7969 6d67 Host:.us.a2.yimg
0x01c0 2e63 6f6d 0d0a 436f 6e6e 6563 7469 6f6e .com..Connection
0x01d0 3a20 4b65 6570 2d41 6c69 7665 0d0a 0d0a :.Keep-Alive....

Now I have two queries. 1st: is executing JavaScript in the client's browser context via an HTTP request permissible? 2nd: as Yahoo is one of the most visited sites, how can I avoid the chance of false positives, and is there any way to harden this signature?
Guys, I really need your help; looking forward to your responses soon. Regards, Amit Singh
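The detection logic the post is asking about, as an added example (not code from the original post or from any IDS product): a Python matcher that reproduces the literal "javascript:" URI signature beside a hardened version that percent-decodes each query parameter, tolerates the case and whitespace variants a browser accepts in the scheme name, and then suppresses only the documented benign case (a .swf on the yimg.com hosts seen in the capture, whose clickTAG parameters carry the scheme by design). The two Yahoo requests are the request lines from the captures above, query strings verbatim; the host allowlist, the three attack requests and the host names in them are constructed assumptions for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Literal signature equivalent to the one in the post: "javascript:" anywhere in
# the raw request URI (made case-insensitive, which is already more generous).
NAIVE_PATTERN = re.compile(r"javascript:", re.IGNORECASE)

# Hardened scheme matcher: any case, and whitespace/NUL between the letters,
# which browsers strip before resolving the scheme (java\tscript: still runs).
JS_SCHEME = re.compile(r"[\s\x00]*".join("javascript") + r"[\s\x00]*:", re.IGNORECASE)

# Assumed allowlist derived from the two captures in the post: Flash banners on
# these hosts carry a javascript: URL in their clickTAG parameters by design.
BENIGN_HOSTS = {"us.yimg.com", "us.a2.yimg.com"}
BENIGN_PARAM = re.compile(r"^clickTAG\d*$")


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request into (method, request-URI, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return method.decode("latin-1"), uri.decode("latin-1"), headers


def deep_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so double encoding cannot hide the scheme."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def naive_xss_alert(raw: bytes) -> bool:
    """The post's signature: fires on the literal scheme in the raw URI."""
    _method, uri, _headers = parse_request(raw)
    return NAIVE_PATTERN.search(uri) is not None


def hardened_xss_alert(raw: bytes) -> Optional[List[str]]:
    """Return the names of offending parameters, or None when nothing should alert."""
    _method, uri, headers = parse_request(raw)
    parts = urlsplit(uri)
    host = headers.get("host", "").split(":")[0].lower()
    # parse_qsl decodes once; deep_decode additionally catches double-encoded values.
    hits = [name for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if JS_SCHEME.search(deep_decode(value))]
    if JS_SCHEME.search(deep_decode(parts.path)):
        hits.append("<path>")
    if not hits:
        return None
    # Suppress only the documented benign case: a .swf on an allowlisted host whose
    # clickTAG* parameters carry the scheme. Any other host, path or parameter alerts.
    if (host in BENIGN_HOSTS and parts.path.lower().endswith(".swf")
            and all(BENIGN_PARAM.match(h) for h in hits)):
        return None
    return hits


# The two requests from the captures in the post (request line and Host header).
YAHOO_SKY = (
    b"GET /us.yimg.com/a/ya/yahoo_autos/101106_75148_v1_120x600_sky_russian.swf"
    b"?clickTAG=javascript:SKYopenWindow(1)"
    b"&clickTAG2=http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D12hhb4a7l%2FM%3D300310.9742645.10452970.8839585"
    b"%2FD%3Dmail%2FS%3D150550152%3AWSKY%2FY%3DYAHOO%2FEXP%3D1166427083%2FA%3D4027132%2FR%3D1"
    b"%2Fid%3Dflashurl%2FSIG%3D13hs6jqb5%2F*http%3A%2F%2Fautos.yahoo.com%2Fused_cars.html"
    b"%3B_ylc%3DX3oDMTE2bWxrY3EyBF9TAzk3MTA3MDcwBHNlYwNydXNzaWFuLWRvbGxzBHNsawN1c2Vk"
    b"&clickTAG3=http%3A%2F%2Fus.ard.yahoo.com%2FSIG%3D12hhb4a7l%2FM%3D300310.9742645.10452970.8839585"
    b"%2FD%3Dmail%2FS%3D150550152%3AWSKY%2FY%3DYAHOO%2FEXP%3D1166427083%2FA%3D4027132%2FR%3D2"
    b"%2Fid%3Dflashurl%2FSIG%3D133uivsap%2F*http%3A%2F%2Fautos.yahoo.com%2F%3B_ylc%3DX3oDMTE2bWll"
    b"aGZpBF9TAzk3MTA3MDcwBHNlYwNydXNzaWFuLWRvbGxzBHNsawNob21l HTTP/1.1\r\n"
    b"Host: us.a2.yimg.com\r\n\r\n"
)
YAHOO_LREC = (
    b"GET /us.yimg.com/a/ya/yahoo_food/20061107_77996_1_300x250_lrec_food_diningout.swf"
    b"?clickTAG=javascript:LRECopenWindow(1)"
    b"&movie1=http%3A%2F%2Fus.a2.yimg.com%2Fus.yimg.com%2Fa%2Fya%2Fyahoo_food"
    b"%2F20061107_77996_1_300x250_lrec_food_diningout_movie1.swf HTTP/1.1\r\n"
    b"Host: us.a2.yimg.com\r\n\r\n"
)
# Constructed attack requests (not from the post): a double-encoded scheme, a tab
# inside the scheme name, and the banner pattern on a host that is not allowlisted.
ATTACK_DOUBLE = (b"GET /search?q=%3Cimg%20src%3Dx%20onerror%3Dlocation%3D%27JaVaScRiPt%253Aalert(1)%27%3E"
                 b" HTTP/1.1\r\nHost: shop.example\r\n\r\n")
ATTACK_TAB = b"GET /go?url=java%09script:alert(document.cookie) HTTP/1.1\r\nHost: shop.example\r\n\r\n"
ATTACK_SWF = b"GET /ad.swf?clickTAG=javascript:alert(1) HTTP/1.1\r\nHost: evil.example\r\n\r\n"

SAMPLES = {"yahoo-sky": YAHOO_SKY, "yahoo-lrec": YAHOO_LREC, "double-enc": ATTACK_DOUBLE,
           "tab-in-scheme": ATTACK_TAB, "swf-elsewhere": ATTACK_SWF}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:14} naive={naive_xss_alert(raw)!s:5} hardened={hardened_xss_alert(raw)}")
```

The literal signature fires on both Yahoo banner requests and misses the two encoded attacks; the hardened matcher is silent on the banners and flags all three attacks. The suppression is keyed on Host header, file extension and parameter name together rather than on the string "clickTAG" alone, so the same pattern on any other host still alerts, which is the shape a pass rule or suppression entry scoped to those hosts should take in the IDS itself.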
Current thread:
- how to avoid false positive in generic cross site scripting attack ids signature singhamit4me (Feb 01)
- Re: how to avoid false positive in generic cross site scripting attack ids signature Sanjay R (Feb 02)
- <Possible follow-ups>
- Re: Re: how to avoid false positive in generic cross site scripting attack ids signature rathnach (Feb 08)
- Re: Re: how to avoid false positive in generic cross site scripting attack ids signature Abhishek Bhuyan (Feb 12)