turbot/tailpipe-mod-apache-access-log-detections

Detection: Cross-Site Scripting Attribute Injection

Overview

The XSS Attribute Injection detection identifies Cross-Site Scripting (XSS) attempts that abuse HTML attributes to execute JavaScript. In this attack vector the attacker injects event handlers, or other attributes capable of running script, into HTML elements instead of injecting a script tag.

This detection examines both HTTP requests and User-Agent headers for patterns indicating attribute-based XSS attempts. It focuses on identifying event handlers like onload, onerror, and onclick, as well as dangerous attributes such as formaction and custom attributes that could be used to trigger JavaScript execution.

Attribute-based XSS attacks can be particularly dangerous as they often bypass basic XSS filters that only look for script tags. By injecting event handlers into seemingly innocuous HTML elements, attackers can execute JavaScript when certain browser events are triggered. For example, injecting onerror=alert(1) into an image tag will execute the JavaScript when the image fails to load.

This detection looks for both common and less common event handlers, as well as attributes that can trigger script execution in modern browsers. By examining both request URIs and User-Agent headers, the detection can identify attackers who attempt to evade security controls by hiding malicious code in HTTP headers rather than request parameters. This comprehensive approach helps security teams identify potential vulnerabilities in their web applications and detect active exploitation attempts that target attribute-based XSS vectors.

Usage

Run the detection in your terminal:

powerpipe detection run apache_access_log_detections.detection.cross_site_scripting_attribute_injection

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run apache_access_log_detections.detection.cross_site_scripting_attribute_injection --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
  request_method as operation,
  request_uri as resource,
  status,
  http_user_agent as actor,
  tp_source_ip as source_ip,
  tp_id as source_id,
  -- Create new aliases to preserve original row data
  status as status_src,
  timestamp as timestamp_src,
  * exclude (status, timestamp)
from
  apache_access_log
where
  (
    request_uri is not null
    and (
      -- Attribute injection patterns
      request_uri ilike '%onerror=%'
      or request_uri ilike '%onload=%'
      or request_uri ilike '%onmouseover=%'
      or request_uri ilike '%onmouseout=%'
      or request_uri ilike '%onclick=%'
      or request_uri ilike '%onfocus=%'
      or request_uri ilike '%onblur=%'
      or request_uri ilike '%onchange=%'
      or request_uri ilike '%onsubmit=%'
      or request_uri ilike '%onkeypress=%'
      -- Less common event handlers
      or request_uri ilike '%onreadystatechange=%'
      or request_uri ilike '%onbeforeonload=%'
      or request_uri ilike '%onanimationstart=%'
      -- Dangerous attributes
      or request_uri ilike '%formaction=%'
      or request_uri ilike '%xlink:href=%'
      or request_uri ilike '%data:text/html%'
      or request_uri ilike '%pattern=%'
    )
  )
  or
  (
    http_user_agent is not null
    and (
      -- Attribute injection patterns
      http_user_agent ilike '%onerror=%'
      or http_user_agent ilike '%onload=%'
      or http_user_agent ilike '%onmouseover=%'
      or http_user_agent ilike '%onmouseout=%'
      or http_user_agent ilike '%onclick=%'
      or http_user_agent ilike '%onfocus=%'
      or http_user_agent ilike '%onblur=%'
      or http_user_agent ilike '%onchange=%'
      or http_user_agent ilike '%onsubmit=%'
      or http_user_agent ilike '%onkeypress=%'
      -- Less common event handlers
      or http_user_agent ilike '%onreadystatechange=%'
      or http_user_agent ilike '%onbeforeonload=%'
      or http_user_agent ilike '%onanimationstart=%'
      -- Dangerous attributes
      or http_user_agent ilike '%formaction=%'
      or http_user_agent ilike '%xlink:href=%'
      or http_user_agent ilike '%data:text/html%'
      or http_user_agent ilike '%pattern=%'
    )
  )
order by
  tp_timestamp desc;
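To see what the ilike clauses above actually flag, the following added example (not part of the mod) replays the same case-insensitive substring patterns over a few constructed Apache combined-format log lines. It also shows two properties of the query worth knowing as a defender: a percent-encoded request URI (where `=` arrives as `%3D`) is not matched unless the URI is decoded first, and the broad `pattern=` clause fires on any ordinary query parameter of that name; the `decode` option is an assumption of this example, not a setting of the detection.

```python
import re
from urllib.parse import unquote

# Constructed Apache "combined" log lines; not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2024:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
192.0.2.11 - - [10/Oct/2024:13:55:40 +0000] "GET /search?q=<img+src=x+onerror=alert(1)> HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.12 - - [10/Oct/2024:13:55:41 +0000] "GET /search?q=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.13 - - [10/Oct/2024:13:55:42 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0 onload=alert(1)"
192.0.2.14 - - [10/Oct/2024:13:55:43 +0000] "GET /docs/pattern=matching HTTP/1.1" 404 100 "-" "curl/8.0"
"""

# The same substrings the detection's ilike clauses test for.
PATTERNS = [
    "onerror=", "onload=", "onmouseover=", "onmouseout=", "onclick=", "onfocus=",
    "onblur=", "onchange=", "onsubmit=", "onkeypress=",
    "onreadystatechange=", "onbeforeonload=", "onanimationstart=",
    "formaction=", "xlink:href=", "data:text/html", "pattern=",
]

# Minimal parser for the combined log format: ip, timestamp, request line, status, UA.
COMBINED_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def matched_patterns(value, decode=False):
    """Patterns found in value; ilike is case-insensitive, so compare lowercased.
    decode=True additionally percent-decodes first (assumed extension, not in the query)."""
    if value is None:
        return []
    hay = unquote(value).lower() if decode else value.lower()
    return [p for p in PATTERNS if p in hay]

def detect(log_text, decode=False):
    """One finding per log line where request_uri or http_user_agent matches."""
    findings = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # malformed line: the real table would simply lack these columns
        hits = {"request_uri": matched_patterns(m["uri"], decode),
                "http_user_agent": matched_patterns(m["ua"], decode)}
        hits = {field: pats for field, pats in hits.items() if pats}
        if hits:
            findings.append({"source_ip": m["ip"], "timestamp": m["ts"],
                             "status": int(m["status"]), "hits": hits})
    return findings
```

Run with `decode=False` the third line is missed and the fifth (a benign `pattern=` parameter) is flagged; with `decode=True` the encoded variant is caught as well, which is the kind of normalisation to apply before this detection if your application URL-encodes its query strings.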
