
IPS Protection - Cross-Site Scripting - Advanced

What can I do here?

Use this window to set the protection scope and block script commands.

Getting Here

Security Policies > Threat Prevention > Policy > Threat Tools > IPS Protections > Cross-Site Scripting > Edit > General > Open profile > Advanced page

Cross-Site Scripting Attack Description

Cross-site scripting attacks place malicious script code in Web content where other users will see it. The intention of the attack is to steal cookies that contain user identities and credentials, or to trick users into supplying their credentials to the attacker.

One kind of cross-site scripting attack is intended to steal cookies that contain user identities and credentials. A hacker may want to steal cookies in order to impersonate another user. The client sends its cookies to the Web site with every HTTP request.

Many Web sites contain forms, which are used to post information such as names and addresses, or comments on bulletin boards. The hacker can inject scripting code into the attacked Web server by entering scripting code in these forms.

The Web server will send cookies only to the client that owns them. Since the hostile code runs on the client machine, the code can instruct the Web browser on that machine to send its cookies to another location, such as another Web site (hence the name: Cross-Site Scripting), where the hacker can read them.

This attack is especially dangerous because neither the user nor the Web site administrator knows that the attack is taking place, unless they analyze the posted source code.

A second variety of cross-site scripting attack does not steal cookies, but rather dupes the victim into supplying his or her credentials to the attacker. For example, an online auction site may allow users to post an advertisement that says something like:

For sale: Rolls Royce, 1995, Only $20,000, As new.

A hacker can post an advert that contains scripting code, for example:

For sale: Rolls Royce, 1995, <script>alert("Connection broken. Please re-enter username and password")</script>Only $20,000, As new.

When a user views the advert, the script causes a popup form to appear that asks the user to supply his or her details. The user viewing the second advert assumes the popup is from the auction site, and fills in his or her username and password. The script sends those details to the attacker.

Web Security Protections

To protect against cross-site scripting attacks, Web Security rejects HTTP requests sent using the POST command that contain scripting code. Web Security also identifies encoded data sent as part of the URL, which is an alternative way of submitting information. The scripting code is not stripped from the request; rather, the whole request is rejected.
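The following is an added illustration of the behaviour described above, not Check Point's own implementation: it inspects POST form data and percent-encoded URL query data for scripting code and, when it finds any, rejects the whole request instead of stripping the script. The request samples and the detection pattern are constructed for this example.

```python
"""Illustrative request filter modelled on the protection described above.

Added example, not the product's code: a request is rejected as a whole when
scripting code appears in a POST body or in encoded data in the URL query.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Markers of injected scripting code. This pattern is an assumption for the
# example; a real IPS signature set is broader and tuned to reduce false positives.
SCRIPT_PATTERN = re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly (bounded) so nested encoding is inspected."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def contains_script(value: str) -> bool:
    """True if the decoded field value carries scripting code."""
    return bool(SCRIPT_PATTERN.search(fully_decode(value)))


def inspect_request(method: str, url: str, body: str = "") -> bool:
    """Return True when the whole request should be rejected (nothing is stripped)."""
    # Encoded data submitted through the URL query string (GET or POST).
    for _, val in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if contains_script(val):
            return True
    # Form fields submitted with the POST command.
    if method.upper() == "POST":
        for _, val in parse_qsl(body, keep_blank_values=True):
            if contains_script(val):
                return True
    return False


# Constructed sample traffic: a normal advert and the advert from the text above.
POST_URL = "http://auction.example/post"
LEGIT_BODY = "title=For+sale%3A+Rolls+Royce%2C+1995&text=Only+%2420%2C000%2C+As+new."
ATTACK_BODY = ("title=For+sale%3A+Rolls+Royce%2C+1995&text=%3Cscript%3Ealert%28%22"
               "Connection+broken%22%29%3C%2Fscript%3EOnly+%2420%2C000")
ATTACK_URL = POST_URL + "?text=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"

if __name__ == "__main__":
    print("legit POST rejected:", inspect_request("POST", POST_URL, LEGIT_BODY))
    print("script in POST body rejected:", inspect_request("POST", POST_URL, ATTACK_BODY))
    print("encoded script in URL rejected:", inspect_request("GET", ATTACK_URL))
```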