WebApp Sec: RE: Detecting cross-site scripting attacks

RE: Detecting cross-site scripting attacks

From: Vinny Bedus <vbedus_at_bitchangers.com>
Date: Wed, 14 May 2003 12:00:24 -0400

Cedar,
The problem that you would have with checking for the HTML is that you
might have a text area where you allow the user to enter in text
content. You would then be blocking the users from doing that.

Also, depending on how you are checking, XML posts might be a problem.

If you don't allow this type of access on your site, then it should not
be a problem.

Vinny
http://www.BitChangers.com/

-----Original Message-----
From: Cedar Moore [mailto:cedar1420_at_yahoo.com]
Sent: Wednesday, May 14, 2003 10:32 AM
To: webappsec_at_securityfocus.com
Subject: Re: Detecting cross-site scripting attacks

In-Reply-To: <97FD849ABD38514A9E4233C77E6DDD29322AFB_at_cerberus.dns.co.uk>

Thanks for all the responses.

If you look at one of the possible cross-site scripting attacks.

http://legitimatesite.com/modules.php?username=bla<script>alert(document.cookie)</script>

Is it fine if we look at only the REQ portion of the packet to determine
if it is a cross-site scripting attack (by checking the <script> tags)? I
guess any valid HTTP REQUEST should not have <script> or any other HTML
tags in GET or POST request messages.

If that is the case, can I write a signature in SNORT to look for <HTML
Tags> on port 80 in REQ direction and conclude that it is an invalid
request? Would there be any false positives?
Received on May 14 2003
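
The check Cedar proposes, run over the cases Vinny raises, as an added example that is not part of the original thread. The regex, the function names and every sample request except the `modules.php` URL are constructed for illustration (`/post.php` and `/api` are hypothetical endpoints); the check percent-decodes first because request data is normally URL-encoded on the wire.

```python
import re
from urllib.parse import unquote_plus

# Hypothetical signature: any HTML/XML-looking tag in the decoded request data.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

def flags_request(target, body=""):
    """Return True if the decoded request target or body contains a markup tag."""
    data = unquote_plus(target) + "\n" + unquote_plus(body)
    return bool(TAG_RE.search(data))

# Constructed sample requests: (label, method, target, body, is_attack)
SAMPLES = [
    ("reflected XSS from the thread", "GET",
     "/modules.php?username=bla<script>alert(document.cookie)</script>", "", True),
    ("same request, percent-encoded", "GET",
     "/modules.php?username=bla%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E",
     "", True),
    ("plain lookup", "GET", "/modules.php?username=bla", "", False),
    # Vinny's first case: a text area where users are allowed to enter markup.
    ("text area with user HTML", "POST", "/post.php",
     "comment=I+%3Cb%3Ereally%3C%2Fb%3E+like+this", False),
    # Vinny's second case: an XML document sent as the POST body.
    ("XML post", "POST", "/api", "<order><id>42</id></order>", False),
]

def evaluate(samples):
    """Return (flagged_attacks, false_positives) as lists of sample labels."""
    hits, false_positives = [], []
    for label, _method, target, body, is_attack in samples:
        if flags_request(target, body):
            (hits if is_attack else false_positives).append(label)
    return hits, false_positives

if __name__ == "__main__":
    hits, false_positives = evaluate(SAMPLES)
    print("flagged attacks: ", hits)
    print("false positives:", false_positives)
```

Both legitimate POSTs are flagged alongside the two attack requests, which is the trade-off described in the reply: the signature is only usable on a site that never accepts markup in request data.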
