Re: Detecting cross-site scripting attacks
From: Cedar Moore (cedar1420 yahoo.com)
Date: Wed May 14 2003 - 09:31:36 CDT
Thanks for all the responses.
If you look at one of the possible cross-site scripting attacks:
http://legitimatesite.com/modules.php?username=bla<script>alert(document.cookie)</script>
Is it fine if we look at only the REQ portion of the packet to determine
if it is a cross-site scripting attack (by checking for the <script> tags)? I
guess any valid HTTP REQUEST should not have <script> or any other HTML
tags in GET or POST request messages.
If that is the case, can I write a signature in SNORT to look for <HTML
Tags> on port 80 in the REQ direction and conclude that it is an invalid
request? Would there be any false positives?
>Subject: RE: Detecting cross-site scripting attacks
>Date: Wed, 14 May 2003 09:57:59 +0100
>From: "Harbar, Spencer" <spencer.harbar dns.co.uk>
>To: "Cedar Moore" <cedar1420 yahoo.com>, <webappsec securityfocus.com>
>
>The majority of application firewall products only detect and block what
>'could' be an attack.
>
>They do so by examining the HTTP request for dangerous constructs, such
>as <SCRIPT> tags etc.
>This is also simple to do within an application itself by using regular
>expressions or even something as nasty as an InStr function in VB.
>Also, application platforms, such as ASP.NET v1.1 have this
>functionality built in (Request Validation).
>
>However, the problem lies in the fact that these 'solutions' require an
>exception list of some form.
>
>It is very common, even if bad form, for an application to allow the
>posting of HTML tags (say a bulletin board).
>In the ASP.NET request validation scenario, the server will throw an
>exception.
>To get the desired application functionality, the request validation
>needs disabled.
>
>The better Application Firewalls enable a fine granularity of control
>(e.g. which form fields to validate, and to what extent) with a few
>allowing additions/exceptions to the block list.
>
>The bottom line is even with an application firewall, you should protect
>against XSS in the application itself by implementing robust validation
>techniques.
>
>The hands down best treatment of XSS is in Writing Secure Code Second
>Edition by Michael Howard and David LeBlanc.
>
>hth
>spence
>
>-----Original Message-----
>From: Cedar Moore [mailto:cedar1420 yahoo.com]
>Sent: 13 May 2003 18:32
>To: webappsec securityfocus.com
>
>I am new to web application security. A lot of layer 7 application
>security products detect cross-site scripting attacks (ex: sanctum
>appshield). How do these products do this? There is a lot of information about
>cross-site scripting attacks, but I did not come across how these web
>application attacks can be detected. Is there any white paper out there explaining
>the generic detection methods?
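The request-side check discussed in this thread, as an added example (not code from either poster or from any product named above): it compares a raw tag match on the request line with a per-field check that decodes parameters first and honours an exception list. The `/forum/post.php` path, its field names, the `ALLOW_HTML` list and all sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Any opening or closing HTML tag, e.g. <script>, </b>, <img src=...>
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

# Hypothetical exception list: (path, field) pairs allowed to carry HTML
ALLOW_HTML = frozenset({("/forum/post.php", "body")})


def raw_match(request_line):
    """Naive signature: search the undecoded request line for a tag."""
    return bool(TAG_RE.search(request_line))


def flagged_fields(method, target, body="", allow=ALLOW_HTML):
    """Decode every parameter, then list (path, field) pairs that contain tags."""
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if method == "POST":
        # Form-encoded POST bodies carry parameters the request line never shows
        params += parse_qsl(body, keep_blank_values=True)
    hits = []
    for name, value in params:
        if TAG_RE.search(value) and (parts.path, name) not in allow:
            hits.append((parts.path, name))
    return hits


# Constructed sample requests: (method, target, body)
SAMPLES = {
    "page_example": ("GET", "/modules.php?username=bla<script>alert(document.cookie)</script>", ""),
    "encoded": ("GET", "/modules.php?username=bla%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E", ""),
    "forum_post": ("POST", "/forum/post.php", "subject=hi&body=%3Cb%3Ehello%3C%2Fb%3E"),
    "forum_subject": ("POST", "/forum/post.php", "subject=%3Cb%3Ehi%3C%2Fb%3E&body=ok"),
    "benign": ("GET", "/search.php?q=a+%3C+b", ""),
}

if __name__ == "__main__":
    for label, (method, target, body) in SAMPLES.items():
        print(f"{label:14} raw={raw_match(method + ' ' + target)!s:5} "
              f"fields={flagged_fields(method, target, body)} "
              f"no_exceptions={flagged_fields(method, target, body, allow=frozenset())}")
```
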