[Snort-users] Vulnerable to Cross Site Scripting (XSS) or not?

Jesper Skou Jensen jesper.skou.jensen at ...1273...
Tue Aug 5 04:36:02 EDT 2008


Hi there,

Our Snort quite often triggers the following rule

rules/web-misc.rules
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting attempt"; flow:to_server,established; content:"<SCRIPT"; nocase; classtype:web-application-attack; sid:1497; rev:7;)

and the syslog messages look like this:

Aug  5 06:25:53 snort: [1:1497:7] WEB-MISC cross site scripting attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 1.1.1.1:24628 -> 2.2.2.2:80

1.1.1.1 = the outside attacker
2.2.2.2 = our webserver


I'm trying to understand why that is, and what exactly it is that is 
triggering it, and I hope you guys can help me do that.

1. As far as I understand it, 1.1.1.1 is trying to send "<SCRIPT" in e.g. 
a web form on 2.2.2.2. Is that correct?

2. It's triggered because there should be no "<SCRIPT" coming from the 
outside to our server, correct?

3. Is there an easy way to work out if the webserver/application is 
vulnerable or not?


-- 
Jesper S. Jensen
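
As an added example (not part of the original post and not Snort's own code): a Python sketch that emulates only the content:"<SCRIPT"; nocase match of sid 1497 and reports which part of a client request contained the match, which is what one would look for in a capture of the alerting session. The sample requests, the host name and the function name locate_matches are assumptions made for illustration.

```python
import re

# Emulates only the payload match of sid:1497 (content:"<SCRIPT"; nocase).
# Flow state and TCP stream reassembly are not modelled.
PATTERN = re.compile(rb"<script", re.IGNORECASE)

# Constructed sample requests (not taken from the post).
SAMPLES = {
    # Mixed-case tag in a query string: matches because of "nocase".
    "query": b"GET /search?q=<ScRiPt>x</script> HTTP/1.1\r\n"
             b"Host: www.example.test\r\n\r\n",
    # Legitimate content submission that still contains the bytes "<script".
    "cms_post": b"POST /admin/page/save HTTP/1.1\r\n"
                b"Host: www.example.test\r\n"
                b"Content-Type: text/plain\r\n\r\n"
                b'<p>Stats</p><script src="/js/counter.js"></script>',
    "plain": b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
}


def locate_matches(request: bytes):
    """Return (part, offset, context) for each raw "<SCRIPT" hit in a request."""
    head, sep, body = request.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    parts = [
        ("request-line", 0, request_line),
        ("headers", len(request_line) + 2, headers),
        ("body", len(head) + len(sep), body),
    ]
    hits = []
    for name, base, data in parts:
        for m in PATTERN.finditer(data):
            context = data[max(0, m.start() - 16):m.end() + 16]
            hits.append((name, base + m.start(), context.decode("latin-1")))
    return hits


if __name__ == "__main__":
    for label, request in SAMPLES.items():
        hits = locate_matches(request)
        print(label, "-> alert" if hits else "-> no alert")
        for part, offset, context in hits:
            print(f"    {part} @ byte {offset}: {context!r}")
```

The rule has no URI or field restriction, so any client-to-server payload containing those bytes raises the alert; the alert alone says nothing about whether the application echoes the input back unencoded.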




