[Snort-sigs] SID 1497 documentation
kevin.peuhkurinen at ...1555...
Mon Jun 9 06:38:13 EDT 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
Rule:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting attempt"; flow:to_server,established; content:"<SCRIPT>"; nocase; classtype:web-application-attack; sid:1497;)
Summary:

A cross-site scripting attack is being attempted, or a potential attacker is testing your site to determine if it is vulnerable.

Impact:

Successful cross-site scripting attacks generally target the users of your web site. Attackers can potentially gain access to your users' cookies or session IDs, allowing the attacker to impersonate those users. They could also set up elaborate fake logon screens to steal user names and passwords.
Detailed Information:

Whenever a web application accepts input (either via the URL or via the POST method) and then uses that input as part of the HTML of a new page without filtering or encoding it, the application is vulnerable to cross-site scripting. The traditional means of exploiting this is to embed a "<SCRIPT>" tag in the input; the script that follows the tag is then executed by the victim's browser. This rule looks for that literal tag, case-insensitively, in client-to-server HTTP traffic.
Affected Systems:

Many older versions of web server software are affected, as are numerous
Attack Scenarios:

The most common avenue of attack is for the attacker to send an HTML-formatted email to the victim. The email contains a link to a specially crafted URL which carries the exploit. When the victim clicks on the link, they are directed to the vulnerable web site and the attack code is executed by their browser.
Ease of Attack:

Moderately Easy. Exploit code exists to automate attacks against users of some widely deployed web applications which are known to be vulnerable. Finding vulnerabilities in other, including proprietary, web applications is fairly trivial, and existing exploit code could easily be modified to take advantage of newly
False Positives:

Requests that legitimately include a <SCRIPT> tag could trigger this alert under certain circumstances, for example a user of a content-management or web-mail application submitting a page that contains HTML. Because the rule specifies flow:to_server, pages that the web server returns to clients do not trigger it, even when they contain script tags.
False Negatives:

None known, although it is theoretically possible to obfuscate the exploit code in a manner that Snort cannot

Note that the rule matches only the literal, case-folded string "<SCRIPT>" in the raw packet payload: a tag that carries attributes (for example <script src=...>), a percent-encoded %3Cscript%3E in a URL, or script injected through an event-handler attribute rather than a script tag contains no such string and will not match.
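The following is an added illustration, not part of this signature submission or of Snort itself: a toy re-implementation of what the rule's content:"<SCRIPT>"; nocase; and flow:to_server options decide, run over a handful of constructed HTTP payloads. The hostnames, paths and request bodies are made up, and the request-line check is only a stand-in for the stream direction a real sensor knows. It shows which of the cases above fire (the classic and mixed-case tags, a POST body, a benign CMS save) and which do not (a percent-encoded tag, a tag with attributes, an event-handler vector, and a server response that happens to contain a script tag).

```python
import re

# The rule's content option; nocase makes the comparison case-insensitive,
# so the toy lower-cases the payload before searching for this byte string.
SIGNATURE = b"<script>"

# flow:to_server only fires on packets travelling from client to server.
# Stand-in heuristic (assumption, not how Snort does it): the payload must
# start with an HTTP request line.
REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE) [^\r\n]+ HTTP/1\.[01]\r\n"
)


def is_client_request(payload: bytes) -> bool:
    """Approximates flow:to_server,established."""
    return REQUEST_LINE.match(payload) is not None


def matches_sid_1497(payload: bytes) -> bool:
    """content:"<SCRIPT>"; nocase; on the raw payload of a to_server packet.

    Like the content option (as opposed to uricontent) this inspects raw
    bytes and performs no URL decoding, so percent-encoded tags never match.
    """
    return is_client_request(payload) and SIGNATURE in payload.lower()


def build_request(method: bytes, target: bytes, body: bytes = b"") -> bytes:
    """Assemble a constructed HTTP/1.0 request (Host header is made up)."""
    head = b"%s %s HTTP/1.0\r\nHost: www.example.com\r\n" % (method, target)
    if body:
        head += b"Content-Type: application/x-www-form-urlencoded\r\n"
        head += b"Content-Length: %d\r\n" % len(body)
    return head + b"\r\n" + body


# Constructed sample payloads.
SAMPLES = {
    "classic": build_request(
        b"GET", b"/search?q=<script>alert(document.cookie)</script>"),
    "mixed_case": build_request(
        b"GET", b"/search?q=<ScRiPt>alert(1)</ScRiPt>"),
    "post_body": build_request(
        b"POST", b"/comment", b"text=<SCRIPT>alert(1)</SCRIPT>"),
    # Evasions: the literal bytes "<script>" never appear on the wire.
    "url_encoded": build_request(
        b"GET", b"/search?q=%3Cscript%3Ealert(1)%3C/script%3E"),
    "tag_with_attribute": build_request(
        b"GET", b"/search?q=<script src=http://attacker.example/x.js></script>"),
    "event_handler": build_request(
        b"GET", b"/search?q=<img src=x onerror=alert(1)>"),
    # Benign traffic that still fires: a user saving a page that contains HTML.
    "cms_save": build_request(
        b"POST", b"/editor/save", b"body=<p>Hello</p><script>trackPageView()</script>"),
    # Server-to-client traffic: flow:to_server keeps this from matching even
    # though the page body contains a script tag.
    "server_response": (
        b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<html><script>trackPageView()</script></html>"
    ),
}


def classify(samples: dict) -> dict:
    """Return {name: fired} for each sample payload."""
    return {name: matches_sid_1497(payload) for name, payload in samples.items()}


if __name__ == "__main__":
    for name, fired in classify(SAMPLES).items():
        print("%-20s %s" % (name, "ALERT" if fired else "-"))
```

The "tag_with_attribute" case is worth a second look: the closing </script> is on the wire, but "<" there is followed by "/", not "script>", so the rule still has nothing to match.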
Corrective Action:

Determine if your web application is actually vulnerable to this attack. If it is and the application is not of your own design, contact the authors or vendor and see if there is a patch or newer version. If the application is proprietary to you or your company, ensure that it properly validates input and HTML-encodes user-supplied data before placing it in a page.
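As an added example (not code from this submission or from any particular web application), the flaw described above beside its fix: a search page that reflects the q parameter into its HTML, the same page with the value HTML-encoded, and an allow-list check as a second layer. The parameter is fed in percent-encoded, the way it would travel in a crafted link, to show that the server has already decoded it by the time the application sees it. Function names and the page template are assumptions.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed attacker input as it would appear in a crafted URL.
ENCODED_QUERY_STRING = "q=%3Cscript%3Ealert(document.cookie)%3C/script%3E"


def query_from_url(query_string: str) -> str:
    """What the application actually receives: the percent-decoded parameter."""
    return parse_qs(query_string).get("q", [""])[0]


def render_vulnerable(query: str) -> str:
    """Reflects the parameter straight into the page (the flaw the rule targets)."""
    return "<html><body><p>Results for %s</p></body></html>" % query


def render_fixed(query: str) -> str:
    """Same page, but the untrusted value is encoded for an HTML text context,
    so the browser renders it as text instead of executing it."""
    return "<html><body><p>Results for %s</p></body></html>" % html.escape(query, quote=True)


# Positive validation as a second layer (assumed policy): a search term has
# no business containing angle brackets, quotes, ampersands or control bytes.
ALLOWED_QUERY = re.compile(r"^[\w .,'-]{1,100}$")


def validate_query(query: str) -> bool:
    return ALLOWED_QUERY.match(query) is not None


def handle_search(query_string: str) -> str:
    """Hardened handler: reject input outside the allow-list, and encode
    whatever is accepted anyway. Encoding is what prevents the injection
    even if the allow-list is later relaxed."""
    query = query_from_url(query_string)
    if not validate_query(query):
        return render_fixed("(invalid search term)")
    return render_fixed(query)


if __name__ == "__main__":
    decoded = query_from_url(ENCODED_QUERY_STRING)
    print("vulnerable:", render_vulnerable(decoded))
    print("fixed:     ", render_fixed(decoded))
    print("hardened:  ", handle_search(ENCODED_QUERY_STRING))
```

Validation alone is not a substitute for encoding: a field that must legitimately accept angle brackets (a comment form, a CMS editor) cannot be allow-listed this tightly, and output encoding is what keeps the reflected value inert there.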