The College of New Jersey Logo

Apply     Visit     Give     |     Alumni     Parents     Offices     TCNJ Today     Three Bar Menu

Detecting Cross-Site Scripting Attacks

Detecting Cross-Site Scripting Attacks

Cross-site scripting or XSS is a specially crafted URL that includes attack code that will cause information that a user enters into their web browser to be sent to the attacker.

In an identity theft based attack, an attacker will find a web server that is vulnerable to XSS and send a legitimate looking URL with XSS attack code appended to the end of the URL.  The malicious URL is often sent in a phishing email message.

The best defense is to log everything on your web servers and use resources such as the ha.ckers.org Cross Site Scripting cheat sheet for testing and detection methods (http://ha.ckers.org/xss.html).

Nothing replaces due diligence and frequent log scouring, however.  So what do you look for?  Anything out of the ordinary.   How do you know what is ordinary?  By checking your logs frequently.

Here is one sample web access log entry that is a sign of an XSS attack.

192.168.0.252 – – [05/Aug/2009:15:16:42 -0400] “GET /%27%27;!–%22%3CXSS%3E=&{()
} HTTP/1.1″ 404 310 “-” “Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.12)
Gecko/2009070812 Ubuntu/8.04 (hardy) Firefox/3.0.12″

The part to look for is the GET /%27%27 command (there are several variants).

reference: ha.ckers.org and BeginLinux.com blog
Top