Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: securityfocus.com > webappsec > 03 > 050736.html (Request Expert securityfocus.com Support)

RE: Detecting cross-site scripting attacks

From: Vinny Bedus <vbedus(at)bitchangers.com>
Date: Wed May 14 2003 - 12:00:24 EDT


Cedar,
The problem that you would have with checking for the HTML is that you might have a text area where you allow the user to enter in text content. You would then be blocking the users from doing that.

Also, depending on how you are checking, XML posts might be a problem.

If you don't allow this type of access on your site, then it should not be a problem.

Vinny
http://www.BitChangers.com/

-----Original Message-----
From: Cedar Moore [mailto:cedar1420@yahoo.com] Sent: Wednesday, May 14, 2003 10:32 AM
To: webappsec@securityfocus.com
Subject: Re: Detecting cross-site scripting attacks

In-Reply-To: <97FD849ABD38514A9E4233C77E6DDD29322AFB@cerberus.dns.co.uk>

Thanks for all the responses.

If you look at one of the possible cross sire scripting attack.

Do you need help?X

http://legitimatesite.com/modules.php?username=bla&lt;script&gt;alert

(document.cookie)&lt;/script&gt;

Is it fine if we look at only the REQ portion of the packet to determine

if it is a cross-site scripting attack (By checking the &lt;script&gt; tags. I
guess any valid HTTP REQUEST should not have &lt;script&gt; or any other HTML tags in GET or POST request messages.

If that is the case can I write a signature in SNORT to look for <HTML Tags> on port 80 in REQ direction and conclude that it is a invalid request? Would be there any false positives? Received on Wed May 14 12:13:09 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:51 EDT

Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library