turbot/tailpipe-mod-apache-access-log-detections

Detection: Cross-Site Scripting HTML Injection

Overview

The XSS HTML Injection detection identifies Cross-Site Scripting (XSS) attacks that use HTML tag injection to execute malicious JavaScript. Unlike direct script tag injection, this attack vector leverages various HTML elements with event handlers or specific attributes that can execute JavaScript code.

This detection examines both the request URI and the User-Agent header for HTML elements commonly used in XSS attacks, including <iframe>, <img>, <svg>, <object>, <embed>, as well as HTML5 elements like <video> and <audio>. These elements can be abused to execute JavaScript through event handlers (such as onerror and onload) or source attributes without requiring an explicit script tag.

HTML injection XSS attacks are particularly dangerous because they can bypass many traditional XSS filters that focus primarily on script tags. For example, an attacker might inject an image tag with an onerror event handler: <img src="invalid" onerror="alert(document.cookie)">. When the image fails to load, the JavaScript in the event handler executes in the context of the web application.

Modern HTML5 specifications have introduced numerous additional elements and attributes that can be used for XSS attacks, substantially expanding the attack surface. By examining both request URIs and User-Agent headers, this detection can identify attackers who attempt to evade security controls by hiding their payloads in HTTP headers rather than request parameters.

This detection helps security teams identify both reconnaissance activities and active exploitation attempts targeting their web applications through HTML tag-based XSS vectors.

References:

Usage

Run the detection in your terminal:

powerpipe detection run apache_access_log_detections.detection.cross_site_scripting_html_injection

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run apache_access_log_detections.detection.cross_site_scripting_html_injection --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
  request_method as operation,
  request_uri as resource,
  status,
  http_user_agent as actor,
  tp_source_ip as source_ip,
  tp_id as source_id,
  -- Create new aliases to preserve original row data
  status as status_src,
  timestamp as timestamp_src,
  * exclude (status, timestamp)
from
  apache_access_log
where
  (
    request_uri is not null
    and (
      -- Common HTML tags that can be used for XSS
      request_uri ilike '%<iframe%src=%'
      or (
        request_uri ilike '%<img%src=%'
        and (request_uri ilike '%onerror=%' or request_uri ilike '%onload=%')
      )
      -- SVG with event handlers (trailing wildcard so the match is not anchored to the end of the URI)
      or request_uri ilike '%<svg%on%=%'
      or request_uri ilike '%<svg><script%' -- SVG containing script
      or (request_uri ilike '%<object%data=%' and request_uri not ilike '%application/pdf%')
      or (request_uri ilike '%<embed%src=%' and request_uri not ilike '%application/pdf%')
      or (
        request_uri ilike '%<video%src=%'
        and (request_uri ilike '%onerror=%' or request_uri ilike '%onload=%')
      )
      or (
        request_uri ilike '%<audio%src=%'
        and (request_uri ilike '%onerror=%' or request_uri ilike '%onload=%')
      )
    )
  )
  or
  (
    http_user_agent is not null
    and (
      -- HTML tags with dangerous attributes (reduces false positives)
      http_user_agent ilike '%<iframe%src=%'
      or http_user_agent ilike '%<iframe%srcdoc=%'
      or (
        http_user_agent ilike '%<img%src=%'
        and (http_user_agent ilike '%onerror=%' or http_user_agent ilike '%onload=%')
      )
      -- SVG with event handlers (trailing wildcard so the match is not anchored to the end of the header)
      or http_user_agent ilike '%<svg%on%=%'
      or http_user_agent ilike '%<svg><script%' -- SVG containing script
      or (http_user_agent ilike '%<object%data=%' and http_user_agent not ilike '%application/pdf%')
      or (http_user_agent ilike '%<embed%src=%' and http_user_agent not ilike '%application/pdf%')
      or (
        http_user_agent ilike '%<video%src=%'
        and (http_user_agent ilike '%onerror=%' or http_user_agent ilike '%onload=%')
      )
      or (
        http_user_agent ilike '%<audio%src=%'
        and (http_user_agent ilike '%onerror=%' or http_user_agent ilike '%onload=%')
      )
    )
  )
order by
  tp_timestamp desc;
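The same tag-plus-attribute rules as the query above, run over a few constructed Apache combined-format lines. This is an added example, not code from the Tailpipe mod: the SAMPLE_LOG lines, LINE_RE, ilike, html_injection and scan are all assumptions made here. It also shows a caveat the SQL inherits from matching on the raw request_uri: a URL-encoded payload (%3Cimg...) is missed unless the URI is decoded first, which the decode flag demonstrates.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2024:13:55:36 +0000] "GET /search?q=<img src=x onerror=alert(1)> HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Oct/2024:13:55:37 +0000] "GET /search?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Oct/2024:13:55:38 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "<svg onload=alert(1)>"
203.0.113.13 - - [10/Oct/2024:13:55:39 +0000] "GET /docs/manual.pdf?view=<object data=manual.pdf type=application/pdf> HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.14 - - [10/Oct/2024:13:55:40 +0000] "GET /img/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(  # ip ident user [time] "METHOD URI PROTO" status bytes "referer" "user-agent"
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>.+?) HTTP/[\d.]+" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def ilike(value: str, pattern: str) -> bool:
    """Emulate SQL ILIKE: '%' matches any run, '_' one character, case-insensitive."""
    regex = re.escape(pattern).replace("%", ".*").replace("_", ".")
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None

def html_injection(value: str) -> bool:
    """The query's tag-plus-attribute rules; the <svg> pattern carries a trailing '%'
    here so it is not anchored to the end of the string."""
    handler = ilike(value, "%onerror=%") or ilike(value, "%onload=%")
    not_pdf = not ilike(value, "%application/pdf%")
    return (
        ilike(value, "%<iframe%src=%") or ilike(value, "%<iframe%srcdoc=%")
        or (ilike(value, "%<img%src=%") and handler)
        or ilike(value, "%<svg%on%=%") or ilike(value, "%<svg><script%")
        or (ilike(value, "%<object%data=%") and not_pdf)
        or (ilike(value, "%<embed%src=%") and not_pdf)
        or ((ilike(value, "%<video%src=%") or ilike(value, "%<audio%src=%")) and handler)
    )

def scan(log_text: str, decode: bool = False) -> list[tuple[str, str]]:
    """Return (source_ip, field) per flagged line; decode=True URL-decodes request_uri first."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than misparse
        uri = unquote(m["uri"]) if decode else m["uri"]
        if html_injection(uri):
            hits.append((m["ip"], "request_uri"))
        elif html_injection(m["ua"]):
            hits.append((m["ip"], "http_user_agent"))
    return hits
```

With decode=False the encoded line from 203.0.113.11 is not flagged, while the application/pdf <object> line is excluded in both modes, mirroring the query's exclusion.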

Tags