-
-
Notifications
You must be signed in to change notification settings - Fork 2.3k
/
Copy pathweb_xss_in_access_logs.yml
48 lines (48 loc) · 1.39 KB
/
web_xss_in_access_logs.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
title: Cross Site Scripting Strings
id: 65354b83-a2ea-4ea6-8414-3ab38be0d409
status: experimental
description: Detects XSS attempts injected via GET requests in access logs
references:
- https://github.com/payloadbox/xss-payload-list
- https://portswigger.net/web-security/cross-site-scripting/contexts
author: Saw Win Naung, Nasreddine Bencherchali
date: 2021/08/15
modified: 2022/06/14
tags:
- attack.initial_access
- attack.t1189
logsource:
category: webserver
detection:
select_method:
cs-method: 'GET'
keywords:
- '=<script>'
- '=%3Cscript%3E'
- '=%253Cscript%253E'
- '<iframe '
- '%3Ciframe '
- '<svg '
- '%3Csvg '
- 'document.cookie'
- 'document.domain'
- ' onerror='
- ' onresize='
- ' onload="'
- 'onmouseover='
- '${alert'
- 'javascript:alert'
- 'javascript%3Aalert'
filter:
sc-status: 404
condition: select_method and keywords and not filter
fields:
- client_ip
- vhost
- url
- response
falsepositives:
- JavaScripts,CSS Files and PNG files
- User searches in search boxes of the respective website
- Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes
level: high