
| Subject: | Detection of Injected XSS by IDS/IPS |
|---|---|
| Date: | Wed, 12 Sep 2007 07:24:04 -0700 (PDT) |
Hi,
Many IDS and WAF products support detection (and prevention) of both persistent
and reflective XSS injection attempts.
XSS injection detection by IDS/WAF installed in front of web server can be done
by monitoring GET and POST variables. IDS or WAF can look for javascript and VB
script related words in these variables to detect any injection. There are many
bleeding threat (www.bleedingthreats.net) rules available to detect the
injection.
My question is related to user access to injected XSS in the web sites. How do
we write rules to protect innocent users while accessing the websites having
injected XSS? In this case IDS installation would be at the HTTP Client side.
To detect reflective XSS, I guess same rules that are used at the IDS at web
server level can be used. What about persistent XSS? Rules looking for java
script in HTTP response (HTML pages) is one solution, but it could have many
false positives (as many web pages have genuine java script and vb scripting in
their pages) and also many false negatives as HTML page can come in multiple
packets, compressed, encoded etc.
Is there any simple way?
Thanks
Surya
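
The request-side keyword check and the client-side reflective case described in the message above, as an added example that is not part of the original post: it decodes GET/POST variables, decompresses the reassembled response, and alerts only when a suspicious value comes back unescaped, so a page's genuine scripts do not fire the rule. The token pattern, function names and sample traffic are constructed for illustration; persistent XSS, where no request parameter carries the payload, is outside what this correlation can see.

```python
import gzip
import html
import re
from urllib.parse import parse_qsl, unquote

# Script-related tokens in the spirit of the keyword rules the post mentions
# (assumed pattern for illustration, not taken from any published rule set).
SCRIPT_TOKENS = re.compile(
    r"<\s*script|javascript\s*:|vbscript\s*:|\bon\w+\s*=|<\s*iframe", re.I)

def normalise(value, rounds=3):
    """Undo layered URL and HTML-entity encoding before matching."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(query, post_body=""):
    """Return {name: decoded value} for GET/POST variables that hit a token."""
    hits = {}
    for raw in (query, post_body):
        for name, value in parse_qsl(raw, keep_blank_values=True):
            decoded = normalise(value)  # parse_qsl already decoded one layer
            if SCRIPT_TOKENS.search(decoded):
                hits[name] = decoded
    return hits

def response_text(body, content_encoding=""):
    """Decompress a reassembled response body so rules see the real HTML."""
    if content_encoding.lower() == "gzip":
        body = gzip.decompress(body)
    return body.decode("utf-8", errors="replace")

def reflected_xss(query, post_body, body, content_encoding=""):
    """Names of parameters whose suspicious value is echoed unescaped."""
    page = response_text(body, content_encoding)
    hits = suspicious_params(query, post_body)
    return sorted(name for name, value in hits.items() if value in page)

# Constructed sample traffic: one request and its gzip-compressed response.
SAMPLE_QUERY = "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E&lang=en"
SAMPLE_PAGE = gzip.compress(b"<html><body>Results for <script>alert(1)</script>"
                            b"<script src='/app.js'></script></body></html>")

if __name__ == "__main__":
    print(reflected_xss(SAMPLE_QUERY, "", SAMPLE_PAGE, "gzip"))
```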