This type of attack exploits the trust relationship between a user and the web sites they visit.
Attack type | Attack description |
---|---|
Content Spoofing | Tricks a user into believing that content appearing on a web site is legitimate and was produced by that site, when it was actually supplied by an external source. |
Cross-site Scripting (XSS) | Allows an attacker to execute scripts in the victim's web browser in the context of a site the victim trusts. A successful attack can be used to steal or hijack user sessions, deface web sites, insert hostile content, conduct phishing attacks, and take over the user's browser with script-based malware. The weakness lies in the application, not in any particular framework: any web application that echoes untrusted input into a page without proper output encoding is exposed. The payload is typically HTML or JavaScript, but any client-side technology the victim's browser supports, such as VBScript, ActiveX, Java™, or Flash, can serve as a vehicle for the attack. The signatures that detect Cross-site Scripting attacks are listed in the following table: |
Signature name | Description | More information |
---|---|---|
Cross_Site_Scripting | Detects well-known forms of the <SCRIPT> tag in URL or CGI data. This signature replaces the HTTP_GETargscript, HTTP_POST_Script, and HTTP_Cross_Site_Scripting events. | IBM® X-Force: HTTP cross-site scripting attempt detected |
HTTP_Apache_Expect_XSS | Detects a specially crafted Expect header that might be used to embed a malicious script that is then executed in the victim's web browser. | IBM X-Force: Apache and IBM HTTP Server Expect header cross-site scripting |
HTTP_Apache_OnError_XSS | Detects cross-site scripting attempts against older versions of the Apache web server. For the attempt to work, the Apache ONERROR/404 redirect must be enabled and specially configured. | IBM X-Force: Apache HTTP Server Host: header cross-site scripting |
HTTP_Cross_Site_Scripting | Detects HTTP URLs that contain the string <script> or </script>. | IBM X-Force: Microsoft IIS Cross-Site Scripting |
HTTP_GETargscript | Detects an HTTP GET request that contains JavaScript code. Because of the unusual nature of this exploit, this signature cannot report the true intruder: the victim communicates with an HTTP server that the intruder has chosen, but that server is only a means to an end and plays no role in the actual attack. The damage is done when Internet Explorer saves the JavaScript in its cache (index.dat) while processing the request. The real intruder is likely indicated by other events reported together with this one. | IBM X-Force: Microsoft Internet Explorer 5.5 index.dat file can be used to remotely execute code |
HTTP_Html_In_Ref | Detects an HTTP Referer header that contains HTML tags, which might indicate a cross-site scripting attack. | IBM X-Force: HTTP Referer Header tag detected |
HTTP_HTML_Tag_Injection | Detects well-known HTML tag injection attacks and probing activity. This signature does not necessarily indicate an attack; however, many scripting attacks are carried out in conjunction with HTML tags that this signature triggers on, such as TABLE, TD, or META. | IBM X-Force: HTTP HTML tag injection attempt detected |
HTTP_IFRAME_Tag_Injection | Detects an HTML <IFRAME> tag injection attempt. This signature does not necessarily indicate an attack; however, many successful scripting and browser-hijacking attacks are carried out in conjunction with IFRAME tag injection. | IBM X-Force: HTTP IFRAME tag injection attempt detected |
HTTP_MCMS_CrossSiteScripting | Detects a specially crafted HTTP URL that can cause a client-side script to be injected into the user's browser. | IBM X-Force: Microsoft Content Management Server (MCMS) HTTP request cross-site scripting |
HTTP_MSIS_Script | Checks argument data for cross-site scripting against Microsoft Indexing Services. | IBM X-Force: Microsoft IIS .htw cross scripting |
HTTP_Nfuse_Script | Checks for a specially crafted URL that contains launch.asp or launch.jsp. | IBM X-Force: Citrix NFuse launch.* cross-site scripting |
HTTP_POST_Script | Detects an HTTP POST request whose body contains a <script> tag. | IBM X-Force: HTTP POST contains malicious script |
HTTP_Share_Point_XSS | Detects a URL ending in .aspx, followed by the string /");}. | IBM X-Force: Microsoft SharePoint Server default.aspx PATH_INFO cross-site scripting |
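The following is an added example (JavaScript for Node.js), not code from the IBM documentation or from the product this page describes. It puts two things from this page side by side: the reflected-XSS sink that the attack description refers to, with its output-encoded counterpart, and a toy matcher that runs rules modelled on the Cross_Site_Scripting, HTTP_IFRAME_Tag_Injection, HTTP_HTML_Tag_Injection, HTTP_Html_In_Ref and HTTP_Share_Point_XSS descriptions over constructed requests. The rule regexes are simplified stand-ins for the real signatures (which are proprietary and handle evasion and protocol context), and every request sample and host name (attacker.invalid) is constructed for this example.

```javascript
// Added example, not code from the IBM documentation this page is taken from.
// Part 1 shows the reflected-XSS sink the attack description talks about and
// its hardened form; part 2 is a toy matcher modelled on the detection rules
// the signature table describes. Rule logic, request samples and host names
// (attacker.invalid) are all constructed for this example.

// ---- Part 1: the injection point ----------------------------------------

// Vulnerable: the "q" parameter is copied straight into the HTML response.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: HTML-encode the characters that can switch parsing context.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}
function renderSearchSafe(query) {
  return `<p>Results for: ${htmlEncode(query)}</p>`;
}

// Crude check used below: does the rendered page still carry a live tag?
function containsActiveTag(html) {
  return /<\s*(?:script|iframe)\b/i.test(html);
}

// ---- Part 2: signature matching over request records --------------------

// IDS engines normalise before matching; here that is only URL-decoding.
function decodeParam(s) {
  if (!s) return '';
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// Match "<tag" or "</tag" with optional whitespace, case-insensitively.
const tagRegex = (names) => new RegExp(`<\\s*/?\\s*(?:${names})\\b`, 'i');

// Simplified stand-ins for the signatures of the same name (hypothetical
// rule logic, not the product's own).
const SIGNATURES = [
  { name: 'Cross_Site_Scripting',      where: ['url', 'body'], re: tagRegex('script') },
  { name: 'HTTP_IFRAME_Tag_Injection', where: ['url', 'body'], re: tagRegex('iframe') },
  { name: 'HTTP_HTML_Tag_Injection',   where: ['url', 'body'], re: tagRegex('table|td|meta') },
  { name: 'HTTP_Html_In_Ref',          where: ['referer'],     re: /<\s*\/?\s*[a-z][a-z0-9]*\b/i },
  { name: 'HTTP_Share_Point_XSS',      where: ['url'],         re: /\.aspx\/"\);\}/ },
];

// Returns the names of every rule that fires on one request record.
function matchSignatures(req) {
  const fields = {
    url: decodeParam(req.path),
    body: decodeParam(req.body),
    referer: decodeParam(req.headers && req.headers.referer),
  };
  return SIGNATURES
    .filter((sig) => sig.where.some((f) => sig.re.test(fields[f])))
    .map((sig) => sig.name);
}

// Constructed sample traffic (not captured data). The last one is benign.
const SAMPLE_REQUESTS = [
  { method: 'GET',  path: '/search?q=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E', headers: {} },
  { method: 'GET',  path: '/search?q=%3Ciframe+src%3D%22http%3A%2F%2Fattacker.invalid%2F%22%3E', headers: {} },
  { method: 'GET',  path: '/account', headers: { referer: 'http://attacker.invalid/<img src=x onerror=alert(1)>' } },
  { method: 'POST', path: '/comment', headers: {}, body: 'text=%3Cmeta+http-equiv%3Drefresh+content%3D%22http%3A%2F%2Fattacker.invalid%22%3E' },
  { method: 'GET',  path: '/sites/team/default.aspx/");}', headers: {} },
  { method: 'GET',  path: '/search?q=hello+world', headers: {} },
];

// One entry per request: which rules fired.
function scanRequests(requests) {
  return requests.map((req) => ({ path: req.path, hits: matchSignatures(req) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of scanRequests(SAMPLE_REQUESTS)) console.log(r.path, '->', r.hits);
  const payload = '<script>alert(1)</script>';
  console.log('unsafe render executable:', containsActiveTag(renderSearchUnsafe(payload)));
  console.log('safe render executable:  ', containsActiveTag(renderSearchSafe(payload)));
}
```

Run with `node xss_signatures.js`. Two points the table only implies are visible here: the matcher works on the decoded request, because the same `<script>` payload is almost always sent percent-encoded, and the HTTP_Html_In_Ref and HTTP_HTML_Tag_Injection rules fire on tags that are not executable by themselves, which is why the table labels them as not necessarily indicating an attack.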