Cross Site Scripting Strings

Detects XSS attempts injected via GET requests in access logs

Sigma rule

title: Cross Site Scripting Strings
id: 65354b83-a2ea-4ea6-8414-3ab38be0d409
status: test
description: Detects XSS attempts injected via GET requests in access logs
references:
    - https://github.com/payloadbox/xss-payload-list
    - https://portswigger.net/web-security/cross-site-scripting/contexts
author: Saw Win Naung, Nasreddine Bencherchali
date: 2021/08/15
modified: 2022/06/14
tags:
    - attack.initial_access
    - attack.t1189
logsource:
    category: webserver
detection:
    select_method:
        cs-method: 'GET'
    keywords:
        - '=<script>'
        - '=%3Cscript%3E'
        - '=%253Cscript%253E'
        - '<iframe '
        - '%3Ciframe '
        - '<svg '
        - '%3Csvg '
        - 'document.cookie'
        - 'document.domain'
        - ' onerror='
        - ' onresize='
        - ' onload="'
        - 'onmouseover='
        - '${alert'
        - 'javascript:alert'
        - 'javascript%3Aalert'
    filter:
        sc-status: 404
    condition: select_method and keywords and not filter
fields:
    - client_ip
    - vhost
    - url
    - response
falsepositives:
    - JavaScripts,CSS Files and PNG files
    - User searches in search boxes of the respective website
    - Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes
level: high
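
The rule's condition (select_method and keywords and not filter) evaluated over a few access-log lines, as an added example that is not part of the rule or of the Sigma project. The combined log format, the parsing regex, the `evaluate` helper and the sample lines are assumptions made for illustration.

```python
import re

# Keyword list copied from the rule's detection.keywords section.
KEYWORDS = [
    '=<script>', '=%3Cscript%3E', '=%253Cscript%253E', '<iframe ',
    '%3Ciframe ', '<svg ', '%3Csvg ', 'document.cookie', 'document.domain',
    ' onerror=', ' onresize=', ' onload="', 'onmouseover=', '${alert',
    'javascript:alert', 'javascript%3Aalert',
]

# Assumption: access logs are in Apache/NGINX "combined" format.
LINE_RE = re.compile(
    r'^(?P<client_ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<url>.*) HTTP/[\d.]+" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges), not real traffic.
TS = '[15/Aug/2021:10:00:01 +0000]'
XSS = '/search?q=%3Cscript%3Ealert(1)%3C/script%3E'
SAMPLE_LOG = [
    f'203.0.113.7 - - {TS} "GET {XSS} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'203.0.113.7 - - {TS} "GET {XSS} HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    f'203.0.113.7 - - {TS} "POST {XSS} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'198.51.100.9 - - {TS} "GET /search?q=what+is+document.cookie HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
    f'198.51.100.9 - - {TS} "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

def evaluate(line):
    """Return (client_ip, url, status, matched_keywords) if the rule fires, else None."""
    m = LINE_RE.match(line)
    if not m or m['method'] != 'GET':      # select_method
        return None
    if m['status'] == '404':               # filter
        return None
    lowered = line.lower()                 # Sigma string matching is case-insensitive
    # A keyword list without a field name is searched in the whole log line.
    hits = [k for k in KEYWORDS if k.lower() in lowered]
    if not hits:
        return None
    return m['client_ip'], m['url'], int(m['status']), hits

if __name__ == '__main__':
    for entry in SAMPLE_LOG:
        print(evaluate(entry))
```

The fourth sample line fires on an ordinary search query, which is the "user searches" false positive the rule lists; the second line carries the same request as the first but is dropped by the 404 filter.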
