Detection: Cross-Site Scripting Common Patterns
Overview
Cross-Site Scripting Common Patterns detection identifies fundamental Cross-Site Scripting (XSS) patterns in HTTP requests and User-Agent headers. Cross-Site Scripting is one of the most prevalent web application security flaws that allows attackers to inject client-side scripts into web pages viewed by other users.
This detection focuses on identifying the most common and widespread XSS attack patterns, including script tags, JavaScript functions like alert(), prompt(), and eval(), as well as document object manipulation attempts. These attacks typically target vulnerable input fields in web applications that fail to properly sanitize or encode user input.
When XSS attacks are successful, attackers can steal cookies, session tokens, or other sensitive information; redirect users to malicious websites; or perform actions on behalf of the victim. Common targets include search fields, comment sections, form inputs, and URL parameters that are reflected back to users without proper sanitization.
The detection helps identify reconnaissance attempts and actual exploitation by monitoring for script tags and common JavaScript functions in both request URIs and User-Agent headers. This comprehensive approach catches attackers attempting to evade detection by placing malicious payloads in HTTP headers rather than request parameters. While many of these patterns may represent false positives in legitimate use cases, their presence in log records often indicates scanning or active exploitation attempts.
Usage
Run the detection in your terminal:
powerpipe detection run apache_access_log_detections.detection.cross_site_scripting_common_patterns
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe detection run apache_access_log_detections.detection.cross_site_scripting_common_patterns --share
SQL
This detection uses a named query:
select
  tp_timestamp as timestamp,
  request_method as operation,
  request_uri as resource,
  status,
  http_user_agent as actor,
  tp_source_ip as source_ip,
  tp_id as source_id,
  -- Create new aliases to preserve original row data
  status as status_src,
  timestamp as timestamp_src,
  * exclude (status, timestamp)
from
  apache_access_log
where
  (
    request_uri is not null
    and (
      -- Common XSS patterns
      request_uri ilike '%alert(%'
      or request_uri ilike '%prompt(%'
      or request_uri ilike '%confirm(%'
      or request_uri ilike '%eval(%'
      or request_uri ilike '%document.cookie%'
      or request_uri ilike '%document.domain%'
      or request_uri ilike '%document.write%'
      -- Script tag, literal and JavaScript hex-escaped (\x3C) forms
      or request_uri ilike '%<script%'
      or request_uri ilike '%\\x3Cscript%'
    )
  )
  or (
    http_user_agent is not null
    and (
      -- Common XSS patterns
      http_user_agent ilike '%alert(%'
      or http_user_agent ilike '%prompt(%'
      or http_user_agent ilike '%confirm(%'
      or http_user_agent ilike '%eval(%'
      or http_user_agent ilike '%document.cookie%'
      or http_user_agent ilike '%document.domain%'
      or http_user_agent ilike '%document.write%'
      -- Script tag, literal and JavaScript hex-escaped (\x3C) forms
      or http_user_agent ilike '%<script%'
      or http_user_agent ilike '%\\x3Cscript%'
    )
  )
order by
  tp_timestamp desc;
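The same matching logic, as an added stand-alone illustration that is not part of the detection's own code: it parses constructed Apache combined-format log lines, tests the request URI and User-Agent for the substrings the named query uses, and projects hits onto the query's column names. The decode option is an extension beyond the page's query, which matches the raw field text only.

```python
import re
from urllib.parse import unquote

# Apache "combined" log layout: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# The same substrings the named query tests with ilike; "\\x3c" is the
# JavaScript hex escape for "<" (one literal backslash in the log text).
XSS_PATTERNS = ("alert(", "prompt(", "confirm(", "eval(", "document.cookie",
                "document.domain", "document.write", "<script", "\\x3cscript")

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Oct/2024:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "<script>document.cookie</script>"',
    '198.51.100.5 - - [10/Oct/2024:13:56:01 +0000] "GET /blog/alert-fatigue HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.6 - - [10/Oct/2024:13:56:05 +0000] "GET /p?x=%3Cscript%3E HTTP/1.1" 404 0 "-" "curl/8.0"',
]

def matched_patterns(value, decode=False):
    """Patterns found in value, matched case-insensitively like ilike.
    decode=True URL-decodes first (%3Cscript -> <script); the page's query
    does not, so a probe that is only URL-encoded slips past it."""
    if value is None:
        return []
    haystack = (unquote(value) if decode else value).lower()
    return [p for p in XSS_PATTERNS if p in haystack]

def detect(log_lines, decode=False):
    """One finding per line whose request URI or User-Agent matches,
    projected onto the same column names the named query emits."""
    hits = []
    for line in log_lines:
        m = COMBINED_RE.match(line)
        if not m:          # unparseable line: skip rather than abort the run
            continue
        found = {f: matched_patterns(m[f], decode) for f in ("uri", "ua")}
        found = {f: p for f, p in found.items() if p}
        if found:
            hits.append({"timestamp": m["ts"], "operation": m["method"],
                         "resource": m["uri"], "status": int(m["status"]),
                         "actor": m["ua"], "source_ip": m["ip"], "matches": found})
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG, decode=True):
        print(hit["source_ip"], hit["resource"], hit["matches"])
```

With decode=False the fourth sample line, whose only indicator is the URL-encoded %3Cscript%3E, produces no finding, which mirrors the gap in the raw-text ilike matching above; decoding before matching closes it at the cost of more alerts to triage.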