IDS mailing list archives

Re: how to avoid false positive in generic cross site scripting attack ids signature


From: "Sanjay R" <2sanjayr () gmail com>
Date: Fri, 2 Feb 2007 09:45:26 +0530

On 1 Feb 2007 12:48:54 -0000, singhamit4me () gmail com
<singhamit4me () gmail com> wrote:
> Hi guys,
> I am trying to catch cross site scripting attacks by a generic IDS signature which catches the "javascript:" attack vector in the HTTP URI.
sanjay>> XSS is not confined to HTTP URI only. in fact, it is a very
trivial method. what happens in the case of http forms and POST
method?
> In most of the cases it is working fine.
sanjay>> in the view of above, i think u r not exposing your signature
to many attack instances, otherwise u may see a lot of FN.

> but it gives false positives in case of visiting/viewing flash files on the yahoo site.
>
> packet capture of uri string is :-
>
> 10:59:06.000000 0:f:20:8d:13:c0 0:0:5e:0:1:64 0800 1049: IP (tos 0x0, ttl 127, id 1304, len 1035) 172.16.4.131.3040 > 66.186.196.17.80: P [tcp sum ok] 837942285:837943280(995) ack 841946832 win 65070 (DF)


> Now I have two queries: 1st is, whether executing javascript in the client's browser context in an http req. is permissible.
sanjay>> this question is more on specific policy rather than a general
rule. Seeing the proliferation of web based services and applications,
I doubt you can simply get rid of javascript or any such script.
> 2nd, as yahoo is one of the most visited sites, how can I avoid chances of false positives, and is there any way to harden this signature.
sanjay>> first of all, i don't see your signature in the list. i assume
u r looking for javascript: in the uri portion of the http packet. if
it is correct, the signature is very BAD (as u also observed this).
one thing that needed to be understood is that client side
vulnerabilities are hard to detect by using a generic rule. there can
be ten ways to write the same thing. i suggest to include some more
patterns, for example "<img src=" (this is just an example, nothing to
do with real detection).

thanks
-sanjay

> guys I really need your help, looking forward to getting your responses soon.
>
> Regards
> Amit Singh
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> to learn more.
> ------------------------------------------------------------------------

--
PhD
Intoto Softwares, Hyderabad, India
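As an added illustration (not code from either poster), the URI-only "javascript:" rule Sanjay assumes Amit wrote is run beside a detector that decodes the request, looks at the POST body as well, and requires the token in a script-bearing context (Sanjay's "<img src=" among the patterns); the sample requests, pattern list and function names are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample requests (method, URI, body); not taken from the original thread.
SAMPLES = {
    "reflected_in_uri": ("GET", "/search?q=<img src=javascript:x>", ""),
    "encoded_mixed_case": ("GET", "/search?q=%3Cimg%20src%3DJaVaScRiPt%3Ax%3E", ""),
    "posted_form": ("POST", "/comment", "text=%3Ca+href%3D%22javascript%3Ax%22%3Eclick%3C%2Fa%3E"),
    "benign_flash_param": ("GET", "/player.swf?section=help_javascript:faq", ""),
    "benign_plain": ("GET", "/index.html", ""),
}

def naive_signature(method, uri, body):
    """The rule under discussion: literal 'javascript:' anywhere in the URI, URI only."""
    return "javascript:" in uri

# Patterns that need script-bearing context rather than a bare substring.
CONTEXT_PATTERNS = [
    re.compile(r'<\s*img\s+[^>]*src\s*='),                        # Sanjay's "<img src=" example
    re.compile(r'(?:src|href|action)\s*=\s*["\']?\s*javascript\s*:'),  # URL-scheme in an attribute
    re.compile(r'<\s*script\b'),
]

def normalise(text):
    """Undo URL/form encoding (at most twice, for double-encoded input) and fold case."""
    decoded = text
    for _ in range(2):
        decoded = unquote_plus(decoded)
    return decoded.lower()

def context_signature(method, uri, body):
    """Inspect the URI and, for POST, the body, after normalisation."""
    fields = [uri] + ([body] if method == "POST" else [])
    return any(p.search(normalise(f)) for f in fields for p in CONTEXT_PATTERNS)

def evaluate(detector):
    """Map each sample name to the detector's verdict, for side-by-side comparison."""
    return {name: detector(*req) for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for name, det in (("naive", naive_signature), ("context", context_signature)):
        print(name, evaluate(det))
```

The naive rule misses the encoded and POSTed cases and fires on the benign parameter, which is the false-positive/false-negative trade Sanjay describes; the context rule flags all three reflected cases and neither benign request.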
