[Snort-users] Vulnerable to Cross Site Scripting (XSS) or not?

Jesper Skou Jensen jesper.skou.jensen at ...1273...
Tue Aug 5 07:12:57 EDT 2008


Jesper Skou Jensen wrote:
> 1. As far as I understand it, 1.1.1.1 is trying to send "<SCRIPT" in, e.g., 
> a webform on 2.2.2.2. Is that correct?

I've been digging a bit in our BARNYARD dumps, and I would expect 
"SCRIPT" to appear in them, but as far as I can see it doesn't.

Here is an example of one of the dumps. Note that headers and hex have 
been stripped out, and URLs have been anonymized.


GET 
/Infoweb/Thumb.asp?image=/Faelles/Fotoalbum/145/2008_0526_20402aa.jpg&x=130&y=130 
HTTP/1.1..Accept: */*..Referer: 
http://www.ANNONYMIZED.dk/Infoweb/DynamiskeSider/Skolens%20fotoalbum.asp?Id=0..Accept-Language: 
da..UA-CPU: x86..Accept-Encoding: gzip, deflate..User-Agent: Mozilla/4.0 
(compatible; MSIE 7.0; Windows NT 6.0; 
AFB4417C-B44C-CEB7-A40B-FF0D26815D0C; SLCC1; .NET CLR 2.0.50727; .NET 
CLR 3.0.04506; InfoPath.2)..Host: www.ANNONYMIZED.dk..Connection: 
Keep-Alive..Cookie: pk_uuid=AFE63412237042A78C5A613E3F21D7; 
pk_sid=0BCCE1C998B3C686EEC103AC23C4B7; 
ASPSESSIONIDCQAABDDD=CIFPGIIHGMNBCOMJBKGLKJ....OMJBKGLKJ....


Am I looking at this in a wrong way, or isn't our Snort behaving?


-- 
Jesper S. Jensen



