WebApp Sec mailing list archives

Re: Detecting cross-site scripting attacks


From: Cedar Moore <cedar1420 () yahoo com>
Date: 14 May 2003 14:31:36 -0000

In-Reply-To: <97FD849ABD38514A9E4233C77E6DDD29322AFB () cerberus dns co uk>

Thanks for all the responses.

If you look at one of the possible cross-site scripting attacks:

http://legitimatesite.com/modules.php?username=bla<script>alert(document.cookie)</script>

Is it fine if we look at only the REQ portion of the packet to determine
if it is a cross-site scripting attack (by checking for the <script> tags)? I
guess any valid HTTP request should not have <script> or any other HTML
tags in GET or POST request messages.

If that is the case, can I write a signature in SNORT to look for <HTML
tags> on port 80 in the REQ direction and conclude that it is an invalid
request? Would there be any false positives?
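As an added example (not part of the original thread), a small Python model of the two approaches discussed: the raw tag signature proposed above, and the per-field exception list that the quoted reply below says such filters end up needing. The paths, field names and request lines are constructed for the example, and the decoding step is the usual normalisation a request inspector performs before matching.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Tag signature in the spirit of the Snort rule proposed in the question:
# any HTML-looking tag in the request is treated as suspicious.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

# Exception list (hypothetical, constructed for this example): form fields that
# are allowed to carry HTML, keyed by (path, field name). A bulletin-board post
# body is the classic case the quoted reply mentions.
HTML_ALLOWED = {("/forum/post.php", "body")}

# Constructed sample request lines, not real traffic.
REQUESTS = [
    # the request from the question
    "GET /modules.php?username=bla<script>alert(document.cookie)</script> HTTP/1.1",
    # a legitimate bulletin-board post containing markup
    "GET /forum/post.php?title=hello&body=<b>bold</b>+text HTTP/1.1",
    # the same kind of payload, but URL-encoded: no literal '<' on the wire
    "GET /modules.php?username=bla%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1",
]

def naive_alert(request_line):
    """Raw-bytes signature: alert if a tag appears anywhere in the request line."""
    return TAG_RE.search(request_line) is not None

def parse_request_line(request_line):
    """Split 'GET /path?query HTTP/1.1' into (path, {field: decoded value})."""
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    fields = dict(parse_qsl(parts.query, keep_blank_values=True))
    return parts.path, fields

def field_aware_alert(request_line):
    """Decode each field first, then flag tags only in fields not on the exception list.

    Returns the list of offending field names (empty means no alert).
    """
    path, fields = parse_request_line(request_line)
    return [name for name, value in fields.items()
            if (path, name) not in HTML_ALLOWED and TAG_RE.search(value)]

if __name__ == "__main__":
    for line in REQUESTS:
        print(naive_alert(line), field_aware_alert(line), line)
```

The raw signature fires on the legitimate forum post (a false positive) and misses the URL-encoded variant, while the decode-then-check-per-field version flags only the `username` field in both attack requests.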


Subject: RE: Detecting cross-site scripting attacks
Date: Wed, 14 May 2003 09:57:59 +0100
Message-ID: <97FD849ABD38514A9E4233C77E6DDD29322AFB () cerberus dns co uk>
From: "Harbar, Spencer" <spencer.harbar () dns co uk>
To: "Cedar Moore" <cedar1420 () yahoo com>,
      <webappsec () securityfocus com>

The majority of application firewall products only detect and block what
'could' be an attack.

They do so by examining the HTTP request for dangerous constructs, such
as <SCRIPT> tags etc.
This is also simple to do within an application itself by using regular
expressions or even something as nasty as an InStr function in VB.
Also, application platforms such as ASP.NET v1.1 have this
functionality built in (Request Validation).

However, the problem lies in the fact that these 'solutions' require an
exception list of some form.

It is very common, even if bad form, for an application to allow the
posting of HTML tags (say a bulletin board).
In the ASP.NET request validation scenario, the server will throw an
exception.
To get the desired application functionality, the request validation
needs to be disabled.

The better Application Firewalls enable a fine granularity of control
(e.g. which form fields to validate, and to what extent), with a few
allowing additions/exceptions to the block list.

The bottom line is that even with an application firewall, you should protect
against XSS in the application itself by implementing robust validation
techniques.

The hands-down best treatment of XSS is in Writing Secure Code, Second
Edition, by Michael Howard and David LeBlanc.

hth
spence


-----Original Message-----
From: Cedar Moore [mailto:cedar1420 () yahoo com]
Sent: 13 May 2003 18:32
To: webappsec () securityfocus com



I am new to web application security. A lot of layer 7 application
security products detect cross-site scripting attacks (ex: Sanctum
AppShield). How do these products do it? There is a lot of information about
cross-site scripting attacks, but I did not come across how these web
application attacks can be detected. Is there any white paper out there
explaining the generic detection methods?







