Fortinet FortiWeb 5.0 Patch 6 Administration Guide (page 408)
command-and-control server. To avoid detection, the attacker has even bought a DNS name that looks like one of example.com's legitimate servers: www.example.co.
The incident response team has also found two other classes of XSS that evade the forum's own XSS sanitizers (which only look for injection of <script> and <object> tags). The first one exploits a web browser's parser by tricking it with additional quotes in an unexpected place:
<img """><script>alert("XSS")</script>">
The second one exploits the nature of all web pages with images and other external files. Other than the web page itself, all images, scripts, styles, media, and objects cause the web browser to make secondary HTTP requests: one for each component of the web page. Here, the <img> tag causes the client's web browser to make a request that is actually an injection attempt on another web site.
<img src="http://other.example.com/command.php?variable=attackcode">
The incident response team has written 3 regular expressions to detect each of the above XSS attack classes, as well as similar permutations that use HTML tags other than <img>:
<(.*)src(\s)*=(\s)*['"](\s)*(.*)(\s)*['"](\s)*onError
<(.*)['"]['"]*(.*)>(\s)*<script>
<(\s)*[^(<script)](\s)*src(\s)*=(\s)*(http|https|ftp|\\\\|\/\/)(.*)\?
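As an added example (not part of the guide), the three signatures above are run over the guide's own two payloads plus a constructed onError payload and a benign tag, so each signature's coverage can be checked before it is deployed; the lookahead-based rewrite of the third pattern is this editor's suggestion, not the guide's, and straight quotes are assumed where the PDF prints typographic ones.

```python
import re

# The three detection regexes as printed in the guide (straight quotes
# assumed where the PDF shows typographic ones).
GUIDE_PATTERNS = {
    "src_onError": r"""<(.*)src(\s)*=(\s)*['"](\s)*(.*)(\s)*['"](\s)*onError""",
    "quote_script": r"""<(.*)['"]['"]*(.*)>(\s)*<script>""",
    "remote_src_query": r"""<(\s)*[^(<script)](\s)*src(\s)*=(\s)*(http|https|ftp|\\\\|\/\/)(.*)\?""",
}

# Editor's suggested rewrite of the third pattern (an assumption, not from the
# guide): "not <script" is expressed with a negative lookahead, because a
# negated character class only ever excludes single characters, and an
# optional quote is allowed after src=.
FIXED_REMOTE_SRC_QUERY = r"""<(?!\s*script\b)[^>]*?\bsrc\s*=\s*['"]?(?:https?://|ftp://|\\\\|//)[^'">]*\?"""

# Constructed sample request bodies: the two payloads from the guide, one
# onError payload of the class the first regex targets, and one benign tag.
SAMPLES = {
    "quote_trick": '<img """><script>alert("XSS")</script>">',
    "remote_request": '<img src="http://other.example.com/command.php?variable=attackcode">',
    "on_error": '''<img src="x" onError="alert('XSS')">''',
    "benign": '<img src="/images/logo.png">',
}


def matches(pattern: str, text: str) -> bool:
    """True if the signature fires anywhere in text (case-sensitive, as written)."""
    return re.search(pattern, text) is not None


def scan(samples=SAMPLES, patterns=GUIDE_PATTERNS):
    """Map each sample name to the set of signature names that fire on it."""
    return {name: {sig for sig, pat in patterns.items() if matches(pat, text)}
            for name, text in samples.items()}


if __name__ == "__main__":
    for name, hits in scan().items():
        print(f"{name:15s} -> {sorted(hits) or 'no match'}")
    # The guide's third regex cannot match its own example: [^(<script)] rejects
    # the "i" of "<img" as a single excluded character, and the pattern allows
    # no quote character between src= and http.
    print("fixed pattern on remote_request:",
          matches(FIXED_REMOTE_SRC_QUERY, SAMPLES["remote_request"]))
```

Run it before turning a signature on: the third printed pattern, taken literally, fires on none of the samples, which is the kind of gap that only shows up when signatures are tested against the payloads they were written for.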