[Snort-users] Vulnerable to Cross Site Scripting (XSS) or not?

Valter Santos vsantola at ...13607...
Tue Aug 5 07:43:56 EDT 2008


Hi,

Check the packet with wireshark/snort/tcpdump.  If it has a
Reset-Cause in it with a bunch of html then it is a false positive.

Check this out:
http://www.mail-archive.com/focus-ids@...35.../msg00493.html

cheers,
/valter

On Tue, Aug 5, 2008 at 12:12 PM, Jesper Skou Jensen
<jesper.skou.jensen at ...1273...> wrote:
> Jesper Skou Jensen wrote:
>> 1. As far as I understand it, 1.1.1.1 is trying to send "<SCRIPT" in eg.
>> a webform on 2.2.2.2. Is that correct?
>
> I've been digging a bit in our BARNYARD dumps, and I would expect
> "SCRIPT" to appear in them, but as far as I can see it doesn't.
>
> Here is an example of one of the dumps. Note that headers and HEX have
> been stripped out, and URLs have been anonymized.
>
>
> GET
> /Infoweb/Thumb.asp?image=/Faelles/Fotoalbum/145/2008_0526_20402aa.jpg&x=130&y=130
> HTTP/1.1..Accept: */*..Referer:
> http://www.ANNONYMIZED.dk/Infoweb/DynamiskeSider/Skolens%20fotoalbum.asp?Id=0..Accept-Language:
> da..UA-CPU: x86..Accept-Encoding: gzip, deflate..User-Agent: Mozilla/4.0
> (compatible; MSIE 7.0; Windows NT 6.0;
> AFB4417C-B44C-CEB7-A40B-FF0D26815D0C; SLCC1; .NET CLR 2.0.50727; .NET
> CLR 3.0.04506; InfoPath.2)..Host: www.ANNONYMIZED.dk..Connection:
> Keep-Alive..Cookie: pk_uuid=AFE63412237042A78C5A613E3F21D7;
> pk_sid=0BCCE1C998B3C686EEC103AC23C4B7;
> ASPSESSIONIDCQAABDDD=CIFPGIIHGMNBCOMJBKGLKJ....OMJBKGLKJ....
>
>
> Am I looking at this in a wrong way, or isn't our Snort behaving?
>
>
> --
> Jesper S. Jensen
>



