frack113
46 lines
1.3 KiB
YAML
46 lines
1.3 KiB
YAML
title: Cross Site Scripting Strings
|
|
id: 65354b83-a2ea-4ea6-8414-3ab38be0d409
|
|
status: experimental
|
|
description: Detects XSS attempts injected via GET requests in access logs
|
|
references:
|
|
- https://github.com/payloadbox/xss-payload-list
|
|
- https://portswigger.net/web-security/cross-site-scripting/contexts
|
|
author: Saw Win Naung, Nasreddine Bencherchali
|
|
date: 2021/08/15
|
|
modified: 2022/06/14
|
|
logsource:
|
|
category: webserver
|
|
detection:
|
|
select_method:
|
|
cs-method: 'GET'
|
|
keywords:
|
|
- '=<script>'
|
|
- '=%3Cscript%3E'
|
|
- '=%253Cscript%253E'
|
|
- '<iframe '
|
|
- '%3Ciframe '
|
|
- '<svg '
|
|
- '%3Csvg '
|
|
- 'document.cookie'
|
|
- 'document.domain'
|
|
- ' onerror='
|
|
- ' onresize='
|
|
- ' onload="'
|
|
- 'onmouseover='
|
|
- '${alert'
|
|
- 'javascript:alert'
|
|
- 'javascript%3Aalert'
|
|
filter:
|
|
sc-status: 404
|
|
condition: select_method and keywords and not filter
|
|
fields:
|
|
- client_ip
|
|
- vhost
|
|
- url
|
|
- response
|
|
falsepositives:
|
|
- JavaScripts,CSS Files and PNG files
|
|
- User searches in search boxes of the respective website
|
|
- Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes
|
|
level: high
|