WebApp Sec mailing list archives
Re: Detecting cross-site scripting attacks
From: Cedar Moore <cedar1420 () yahoo com>
Date: 14 May 2003 14:31:36 -0000
In-Reply-To: <97FD849ABD38514A9E4233C77E6DDD29322AFB () cerberus dns co uk>

Thanks for all the responses.

If you look at one of the possible cross-site scripting attacks:

http://legitimatesite.com/modules.php?username=bla<script>alert (document.cookie)</script>

Is it fine if we look at only the REQ portion of the packet to determine if it is a cross-site scripting attack (by checking for the <script> tags)? I guess any valid HTTP REQUEST should not have <script> or any other HTML tags in GET or POST request messages. If that is the case, can I write a signature in SNORT to look for <HTML Tags> on port 80 in the REQ direction and conclude that it is an invalid request? Would there be any false positives?

From: "Harbar, Spencer" <spencer.harbar () dns co uk>
To: "Cedar Moore" <cedar1420 () yahoo com>, <webappsec () securityfocus com>
Subject: RE: Detecting cross-site scripting attacks
Date: Wed, 14 May 2003 09:57:59 +0100

The majority of application firewall products only detect and block what 'could' be an attack.

They do so by examining the HTTP request for dangerous constructs, such as <SCRIPT> tags etc. This is also simple to do within an application itself by using regular expressions or even something as nasty as an InStr function in VB. Also, application platforms, such as ASP.NET v1.1, have this functionality built in (Request Validation).

However, the problem lies in the fact that these 'solutions' require an exception list of some form.

It is very common, even if bad form, for an application to allow the posting of HTML tags (say a bulletin board). In the ASP.NET request validation scenario, the server will throw an exception. To get the desired application functionality, the request validation needs to be disabled.

The better Application Firewalls enable a fine granularity of control (e.g. which form fields to validate, and to what extent) with a few allowing additions/exceptions to the block list.

The bottom line is even with an application firewall, you should protect against XSS in the application itself by implementing robust validation techniques.

The hands down best treatment of XSS is in Writing Secure Code Second Edition by Michael Howard and David LeBlanc.

hth
spence

-----Original Message-----
From: Cedar Moore [mailto:cedar1420 () yahoo com]
Sent: 13 May 2003 18:32
To: webappsec () securityfocus com

I am new to web application security. A lot of layer 7 application security products detect cross-site scripting attacks (ex: Sanctum AppShield). How do these products do it? There is a lot of information about cross-site scripting attacks but I did not come across how these web application attacks can be detected. Is there any white paper out there explaining the generic detection methods?
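
The detection approach discussed in this thread, as an added example that is not part of either message: a raw-string match for <script> next to a check that decodes each query parameter and applies a per-field exception list. The paths, parameter names, the ALLOW_HTML set and all sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")   # any opening or closing HTML tag

# Hypothetical exception list: (path, parameter) pairs allowed to carry HTML,
# such as the body field of a bulletin-board post.
ALLOW_HTML = {("/board/post.php", "body")}

# Constructed sample requests (the first is modelled on the URL in the message).
PLAIN = "http://legitimatesite.com/modules.php?username=bla<script>alert(document.cookie)</script>"
ENCODED = "http://legitimatesite.com/modules.php?username=bla%3Cscript%3Ealert(document.cookie)%3C/script%3E"
BOARD = "http://legitimatesite.com/board/post.php?title=hi&body=%3Cb%3Ehello%3C%2Fb%3E"
MATH = "http://legitimatesite.com/search.php?q=x<y+and+y>z"

def naive_match(raw_url):
    """Content match on the raw request line, as a byte-string signature would do."""
    return "<script" in raw_url.lower()

def inspect(raw_url, allow=ALLOW_HTML):
    """Return the names of decoded query parameters that contain an HTML tag."""
    parts = urlsplit(raw_url)
    flagged = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if (parts.path, name) in allow:
            continue                      # field is permitted to carry markup
        if TAG_RE.search(value):          # value is already percent-decoded
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    # Columns: label, raw match, decoded check, decoded check with no exceptions
    for label, url in [("plain", PLAIN), ("encoded", ENCODED),
                       ("board", BOARD), ("math", MATH)]:
        print(label, naive_match(url), inspect(url), inspect(url, allow=set()))
```

The raw match misses ENCODED, while the decoded check flags the benign MATH search and, without its exception entry, the BOARD post: the false negatives and false positives the thread asks about. Only GET query strings are covered here; POST bodies would need the same decoding step.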
Current thread:
- Detecting cross-site scripting attacks Cedar Moore (May 13)
- RE: Detecting cross-site scripting attacks roshen.chandran (May 14)
- <Possible follow-ups>
- RE: Detecting cross-site scripting attacks Harbar, Spencer (May 14)
- Re: Detecting cross-site scripting attacks Cedar Moore (May 14)
- RE: Detecting cross-site scripting attacks Vinny Bedus (May 14)
- RE: Detecting cross-site scripting attacks Calderon, Juan C (CORP, DDEMESIS) (May 14)