turbot/tailpipe-mod-apache-access-log-detections

Detection: Cross-Site Scripting Encoding

Overview

The XSS Encoded Attack detection identifies Cross-Site Scripting (XSS) attacks that use various encoding techniques to bypass security filters. This is a sophisticated attack vector where attackers encode malicious JavaScript using HTML entities, URL encoding, Unicode encoding, or other obfuscation methods to evade detection.

This detection examines both HTTP request URIs and User-Agent headers for patterns indicating encoded XSS payloads. It focuses on identifying HTML entity encoding (e.g., &lt;script&gt; standing in for <script>), Base64-encoded data: URIs, JavaScript escape sequences, UTF-7, and other encoding schemes that might be used to disguise malicious JavaScript.

Encoded XSS attacks are particularly dangerous because they can bypass many security filters and Web Application Firewalls (WAFs) that only check for literal script tags or JavaScript keywords. By encoding these elements, attackers can create payloads that will be decoded by the browser at runtime but may pass through server-side security controls undetected.

For example, an attacker might encode a script tag as &#x3C;script&#x3E;alert(1)&#x3C;/script&#x3E;, which appears harmless to basic security filters but will be interpreted as <script>alert(1)</script> when rendered by the browser. Similarly, Base64 encoding can be used to completely obscure the contents of a payload until it's decoded and executed.

By examining both request URIs and User-Agent headers, this detection can identify attackers who attempt to evade security controls by hiding their encoded payloads in HTTP headers rather than request parameters. This comprehensive approach helps security teams identify sophisticated XSS attempts that specifically aim to bypass traditional security controls through encoding techniques.

References:

Usage

Run the detection in your terminal:

powerpipe detection run apache_access_log_detections.detection.cross_site_scripting_encoding

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run apache_access_log_detections.detection.cross_site_scripting_encoding --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
  request_method as operation,
  request_uri as resource,
  status,
  http_user_agent as actor,
  tp_source_ip as source_ip,
  tp_id as source_id,
  -- Create new aliases to preserve original row data
  status as status_src,
  timestamp as timestamp_src,
  *
  exclude (status, timestamp)
from
  apache_access_log
where
  (
    request_uri is not null
    and (
      -- HTML entity encoding (ILIKE is case-insensitive, so &#x3C; and &#x3c; both match)
      request_uri ilike '%&#x3C;script%' -- Hex entity encoded <script
      or request_uri ilike '%&#60;script%' -- Decimal entity encoded <script
      or request_uri ilike '%&#x3c;%&#x2f;script&#x3e;%' -- Hex encoded </script>
      or request_uri ilike '%&#x3c;img%&#x6f;nerror%' -- Hex encoded <img and onerror
      -- Base64 encoding
      or request_uri ilike '%data:text/html;base64,%'
      -- JavaScript unicode/hex escapes (\u00xx, \xNN); '\\' is the LIKE escape for a literal backslash
      or request_uri ilike '%\\u00%'
      or request_uri ilike '%\\x%'
      -- UTF-7 encoding (IE specific): +ADw- decodes to <
      or request_uri ilike '%+ADw-%'
    )
  )
  or
  (
    http_user_agent is not null
    and (
      -- HTML entity encoding
      http_user_agent ilike '%&#x3C;script%' -- Hex entity encoded <script
      or http_user_agent ilike '%&#60;script%' -- Decimal entity encoded <script
      or http_user_agent ilike '%&#x3c;%&#x2f;script&#x3e;%' -- Hex encoded </script>
      or http_user_agent ilike '%&#x3c;img%&#x6f;nerror%' -- Hex encoded <img and onerror
      -- Base64 encoding
      or http_user_agent ilike '%data:text/html;base64,%'
      -- JavaScript unicode/hex escapes (\u00xx, \xNN)
      or http_user_agent ilike '%\\u00%'
      or http_user_agent ilike '%\\x%'
      -- UTF-7 encoding (IE specific): +ADw- decodes to <
      or http_user_agent ilike '%+ADw-%'
    )
  )
order by
  tp_timestamp desc;
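The same detection logic, applied directly to Apache combined-format log lines, as an added example that is not part of the mod and does not use Tailpipe or DuckDB. The pattern table mirrors the ILIKE clauses of the query above (case-insensitive, with '%' wildcards expressed as regex '.*'), and it goes one step beyond the query: each field is also checked after a single round of URL decoding, so an entity such as &#x3C; that the client sent percent-encoded (%26%23x3C%3B) is still found. The log lines, IP addresses and timestamps are constructed for the example.

```python
"""Encoded-XSS detection over Apache combined log lines.

Added example, not part of tailpipe-mod-apache-access-log-detections.
Mirrors the cross_site_scripting_encoding query's patterns and adds one
round of URL decoding (an assumption: the query itself matches raw fields).
"""
import re
from urllib.parse import unquote

# Apache combined log format:
# ip ident user [timestamp] "METHOD URI PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Regex equivalents of the query's ILIKE patterns ('%' -> '.*', IGNORECASE).
ENCODED_XSS_PATTERNS = {
    "html_entity_hex_script":   r"&#x3c;script",              # &#x3C;script
    "html_entity_dec_script":   r"&#60;script",               # &#60;script
    "html_entity_close_script": r"&#x3c;.*&#x2f;script&#x3e;",  # </script> as entities
    "html_entity_img_onerror":  r"&#x3c;img.*&#x6f;nerror",     # <img ... onerror
    "base64_data_uri":          r"data:text/html;base64,",
    "js_unicode_escape":        r"\\u00",                     # literal \u00xx
    "js_hex_escape":            r"\\x",                       # literal \xNN
    "utf7_lt":                  r"\+ADw-",                    # UTF-7 for '<'
}
COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in ENCODED_XSS_PATTERNS.items()}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def match_encoded_xss(value):
    """Return the pattern names found in value, checked both as logged and
    after one round of URL decoding. An empty list means no finding."""
    if not value:
        return []
    candidates = [value, unquote(value)]
    return [name for name, rx in COMPILED.items()
            if any(rx.search(c) for c in candidates)]


def detect(lines):
    """Run the detection over log lines; one finding per line with any hit,
    shaped like the query's output (source_ip, timestamp, status, resource)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a combined-format line; skip rather than fail
        hits = {}
        for field in ("uri", "ua"):
            found = match_encoded_xss(rec[field])
            if found:
                hits[field] = found
        if hits:
            findings.append({
                "source_ip": rec["ip"], "timestamp": rec["ts"],
                "status": rec["status"], "resource": rec["uri"], "hits": hits,
            })
    return findings


# Constructed sample log lines (not real traffic). Lines 1, 3, 4 and 5 carry
# encoded payloads; line 2 is benign. Line 4 is only caught after URL decoding.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=&#x3C;script&#x3E;alert(1)&#x3C;&#x2F;script&#x3E; HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [10/Oct/2023:13:57:12 +0000] "GET /profile HTTP/1.1" 403 0 "-" "&#60;script&#62;alert(document.cookie)"',
    '203.0.113.10 - - [10/Oct/2023:13:58:40 +0000] "GET /page?redir=%26%23x3C%3Bscript%26%23x3E%3B HTTP/1.1" 200 300 "-" "curl/8.0"',
    '203.0.113.11 - - [10/Oct/2023:13:59:00 +0000] "POST /api/render HTTP/1.1" 200 88 "-" "Mozilla/5.0 +ADw-script+AD4-"',
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Two caveats the query shares with this script: both match encoded substrings only, so a payload the server never logged in full (a POST body, or a fragment the browser stripped) is invisible to them, and both treat a single hit as a finding, so a literal \x in a legitimate path will surface and needs triage rather than automatic action.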

Tags