[Snort-sigs] SID 1667 documentation
kevin.peuhkurinen at ...1555...
Fri Jun 6 08:18:20 EDT 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
classtype:web-application-attack; sid:1667; rev:4;)
vulnerability is being attempted, or a potential attacker is testing
your site to determine if it is vulnerable.
Successful cross-site scripting attacks generally target the users of
your web site. Attackers can potentially gain access to your users'
cookies or session ids, allowing the attacker to impersonate your
user. They could also set up elaborate fake logon screens to steal
user names and passwords.
Whenever a web application accepts input and then uses that input as
part of the HTML of a new page without filtering, the application is
vulnerable to cross-site scripting. The traditional means of exploiting
this is to embed a "<SCRIPT>" tag into the input. However, as many
applications now look for this attack vector, exploitation of the
script tag is becoming more common.
The most common avenue of attack is for the attacker to send an HTML
formatted email to the victim. The email will contain a link to a
specially crafted URL which contains the exploit. When the victim
clicks on the link, they are directed to the vulnerable web site and the
attack code is executed by their browser.
Ease of Attack:
Moderately Easy. Exploit code exists to automate attacks against users
of some widely deployed web applications which are known to be
vulnerable. Finding vulnerabilities in other, including proprietary,
web applications is fairly trivial and existing exploit code could
easily be modified to take advantage of newly discovered vulnerabilities.
could trigger this alert under certain circumstances.
None known, although it is theoretically possible to obfuscate the
exploit code in a manner that Snort cannot decode.
Determine if your web application is actually vulnerable to this
attack. If it is and the application is not of your own design,
contact the authors or vendor and see if there is a patch or newer
version. If the application is proprietary to you or your company,
ensure that it properly validates input.
More information about the Snort-sigs