Re: how to avoid false positive in generic cross site scripting attack ids signature
- From: "Sanjay R" <2sanjayr@xxxxxxxxx>
- Date: Fri, 2 Feb 2007 09:45:26 +0530
On 1 Feb 2007 12:48:54 -0000, singhamit4me@xxxxxxxxx
<singhamit4me@xxxxxxxxx> wrote:
Hi guys,sanjay>> XXS is not confined to HTTP URI only. in fact, it is a very
I am trying to catch cross site scripting attack, by a geneic ids signature which catch "javascript:" attck vector in http uri.
trivial method. what happens in the case of http forms and POST
method?
In most of the cases it is working fine.sanjay>> in the view of above, i think u r not exposing your signature
to many attack instances, otherwise u may see lot of FN.
sanjay>> this question is more on specific policy rather a general
but it gives false positive in case of visiting/viewing flash files in yahoo site.
packet capture of uri string is :-
10:59:06.000000 0:f:20:8d:13:c0 0:0:5e:0:1:64 0800 1049: IP (tos 0x0, ttl 127, id 1304, len 1035) 172.16.4.131.3040 > 66.186.196.17.80: P [tcp sum ok] 837942285:837943280(995) ack 841946832 win 65070 (DF)
Now I have two quiries: 1st is, whether executing javascript on clients browser context in http req. is permissible.
rule. Seeing the prolifiration of web based services and applications,
I doubt you can simply get rid of javascript or any such script.
2nd as yahoo is one of the most visted sit, how can avoid cjances of false postive, and is there any way to harden this signature.sanjay>> first of all, i dont see your signature in the list. i assume
u r looking for javascript: in the uri portion of the http packet. if
it is correct, the signature is very BAD (as u also observed this).
one thing that needed to be understood is that client side
vulnerabilities are hard to detect by using a generic rule. there can
be ten ways to write same thing. i suggest to include some more
patterns, for example "<img src=" (this is just a example, nothing to
do with real detection).
thanks
-sanjay
guys I realy need your help, looking forward to get your responses soon.
Regards
Amit Singh
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
--
PhD
Intoto Softwares, Hyderabad, India
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
- References:
- Prev by Date: how to avoid false positive in generic cross site scripting attack ids signature
- Next by Date: IPS and Trunking
- Previous by thread: how to avoid false positive in generic cross site scripting attack ids signature
- Next by thread: Re: Re: how to avoid false positive in generic cross site scripting attack ids signature
- Index(es):
Relevant Pages
|
