IDS mailing list archives
Re: how to avoid false positive in generic cross site scripting attack ids signature
From: "Sanjay R" <2sanjayr () gmail com>
Date: Fri, 2 Feb 2007 09:45:26 +0530
On 1 Feb 2007 12:48:54 -0000, singhamit4me () gmail com <singhamit4me () gmail com> wrote:
Hi guys, I am trying to catch cross site scripting attack, by a generic ids signature which catches "javascript:" attack vector in http uri.
sanjay>> XSS is not confined to HTTP URI only. In fact, it is a very trivial method. What happens in the case of HTTP forms and POST method?
In most of the cases it is working fine.
sanjay>> In view of the above, I think you are not exposing your signature to many attack instances, otherwise you may see a lot of FN.
but it gives false positive in case of visiting/viewing flash files in yahoo site. packet capture of uri string is :-
10:59:06.000000 0:f:20:8d:13:c0 0:0:5e:0:1:64 0800 1049: IP (tos 0x0, ttl 127, id 1304, len 1035) 172.16.4.131.3040 > 66.186.196.17.80: P [tcp sum ok] 837942285:837943280(995) ack 841946832 win 65070 (DF)
Now I have two queries: 1st is, whether executing javascript on client's browser context in http req. is permissible.
sanjay>> This question is more about specific policy rather than a general rule. Seeing the proliferation of web based services and applications, I doubt you can simply get rid of javascript or any such script.
2nd, as yahoo is one of the most visited sites, how can I avoid chances of false positives, and is there any way to harden this signature.
sanjay>> First of all, I don't see your signature in the list. I assume you are looking for javascript: in the URI portion of the HTTP packet. If that is correct, the signature is very BAD (as you also observed). One thing that needs to be understood is that client side vulnerabilities are hard to detect by using a generic rule. There can be ten ways to write the same thing. I suggest including some more patterns, for example "<img src=" (this is just an example, nothing to do with real detection).
thanks
-sanjay
Guys, I really need your help, looking forward to getting your responses soon.
Regards
Amit Singh
-- PhD Intoto Softwares, Hyderabad, India
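The trade-off discussed in this message, as an added example that is not part of the original post or either poster's signature: a small Python harness that scores a signature for false negatives and false positives over labelled requests. The sample requests, function names and the second, broader signature are all constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample requests (not from the thread): (label, uri, body, is_attack)
SAMPLES = [
    ("uri-literal", "/search?q=javascript:alert(1)", "", True),
    ("uri-encoded", "/go?u=JavaScript%3Aalert(1)", "", True),
    ("post-body", "/comment", "text=%3Cimg+src%3Djavascript:alert(1)%3E", True),
    ("flash-clicktag", "/ads/player.swf?clickTAG=javascript:void(0)", "", False),
    ("plain-page", "/index.html", "", False),
]

def naive_uri_signature(uri, body):
    """Signature as described in the thread: literal 'javascript:' in the raw URI."""
    return "javascript:" in uri

# Assumed pattern set: the two strings named in the thread, matched case-insensitively.
PATTERNS = [re.compile(p, re.I) for p in (r"javascript\s*:", r"<\s*img\s+src\s*=")]

def decoded_multi_field_signature(uri, body):
    """Percent-decode first, then search both the URI and the POST body."""
    text = unquote_plus(uri) + "\n" + unquote_plus(body)
    return any(p.search(text) for p in PATTERNS)

def evaluate(signature):
    """Return (false_negatives, false_positives) as lists of sample labels."""
    fn, fp = [], []
    for label, uri, body, is_attack in SAMPLES:
        hit = signature(uri, body)
        if is_attack and not hit:
            fn.append(label)
        elif hit and not is_attack:
            fp.append(label)
    return fn, fp

if __name__ == "__main__":
    for sig in (naive_uri_signature, decoded_multi_field_signature):
        fn, fp = evaluate(sig)
        print(f"{sig.__name__}: FN={fn} FP={fp}")
```

Decoding and covering the POST body removes the misses on these samples, but both signatures still flag the benign Flash request, so pattern matching alone does not settle the false-positive question raised in the thread.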