WebApp Sec mailing list archives
RE: Detecting cross-site scripting attacks
From: "Vinny Bedus" <vbedus () bitchangers com>
Date: Wed, 14 May 2003 12:00:24 -0400
Cedar,

The problem that you would have with checking for the HTML is that you might have a text area where you allow the user to enter in text content. You would then be blocking the users from doing that. Also, depending on how you are checking, XML posts might be a problem. If you don't allow this type of access on your site, then it should not be a problem.

Vinny
http://www.BitChangers.com/

-----Original Message-----
From: Cedar Moore [mailto:cedar1420 () yahoo com]
Sent: Wednesday, May 14, 2003 10:32 AM
To: webappsec () securityfocus com
Subject: Re: Detecting cross-site scripting attacks
In-Reply-To: <97FD849ABD38514A9E4233C77E6DDD29322AFB () cerberus dns co uk>

Thanks for all the responses.

If you look at one of the possible cross-site scripting attacks:

http://legitimatesite.com/modules.php?username=bla<script>alert (document.cookie)</script>

Is it fine if we look at only the REQ portion of the packet to determine if it is a cross-site scripting attack (by checking the <script> tags)? I guess any valid HTTP REQUEST should not have <script> or any other HTML tags in GET or POST request messages.

If that is the case, can I write a signature in SNORT to look for <HTML Tags> on port 80 in the REQ direction and conclude that it is an invalid request? Would there be any false positives?
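
The false positives discussed in this thread, as an added example (not code from any of the posters, and not a Snort rule): the proposed "any HTML tag in the request" signature is run over three constructed requests, next to a field-aware variant. The function names, the `comment` field, the `/post.php` and `/api` paths and the `markup_fields` allow-list are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")  # anything shaped like <tag ...>

def naive_match(raw_request: str) -> bool:
    """Signature as proposed: any HTML-like tag anywhere in the decoded request."""
    return bool(TAG_RE.search(unquote_plus(raw_request)))

def field_aware_match(raw_request: str, markup_fields=frozenset()) -> list:
    """Return names of parameters carrying a tag. XML bodies are not scanned by
    this signature, and fields in markup_fields (a hypothetical per-site
    allow-list) are permitted to carry markup."""
    head, _, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    target = lines[0].split(" ")[1]
    headers = {k.lower(): v for k, v in
               (l.split(": ", 1) for l in lines[1:] if ": " in l)}
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if "xml" not in headers.get("content-type", "").lower():
        params += parse_qsl(body, keep_blank_values=True)
    return [k for k, v in params if k not in markup_fields and TAG_RE.search(v)]

# Constructed sample requests (not captured traffic).
XSS_GET = ("GET /modules.php?username=bla%3Cscript%3Ealert(document.cookie)"
           "%3C/script%3E HTTP/1.1\r\nHost: legitimatesite.com\r\n\r\n")
TEXTAREA_POST = ("POST /post.php HTTP/1.1\r\nHost: legitimatesite.com\r\n"
                 "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 "comment=I+%3Cb%3Elike%3C/b%3E+this")
XML_POST = ("POST /api HTTP/1.1\r\nHost: legitimatesite.com\r\n"
            "Content-Type: text/xml\r\n\r\n<order><item>42</item></order>")

if __name__ == "__main__":
    for name, req in [("xss get", XSS_GET), ("textarea post", TEXTAREA_POST),
                      ("xml post", XML_POST)]:
        print(name, "| naive:", naive_match(req),
              "| field-aware:", field_aware_match(req, {"comment"}))
```

The naive check flags all three requests, including the legitimate text-area and XML posts; the field-aware check flags only the `username` parameter. XML bodies and allow-listed fields are skipped here, so they still need their own validation and output encoding.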