turbot/tailpipe-mod-apache-access-log-detections

Detection: Cross-Site Scripting JavaScript Methods

Overview

The XSS JavaScript Methods detection identifies Cross-Site Scripting (XSS) attacks that specifically target dangerous JavaScript methods and functions. This type of attack focuses on injecting code that uses powerful JavaScript methods like eval(), setTimeout(), setInterval(), and Function() constructor calls to execute arbitrary code.

This detection examines both request URIs and User-Agent headers for patterns indicating the use of these high-risk JavaScript methods. It focuses on identifying attempts to use methods that can execute strings as code, manipulate the DOM, access cookies, or perform other sensitive operations that could lead to security breaches.

JavaScript method-based XSS attacks are particularly dangerous because they often involve direct code execution capabilities. The eval() function and similar methods can execute arbitrary JavaScript passed as strings, creating a powerful vector for attackers. Similarly, timing functions like setTimeout() and setInterval() can be abused to run code after a delay or repeatedly.

These attacks typically target web applications with insufficient input validation or output encoding. Attackers may attempt to inject these method calls into URL parameters, form fields, or other user-controllable inputs. By examining both request URIs and User-Agent headers, this detection can identify attackers who attempt to evade security controls by hiding their payloads in HTTP headers rather than request parameters.

This comprehensive approach helps security teams identify both reconnaissance activities and actual exploitation attempts targeting their web applications through JavaScript method-based XSS vectors.

References:

Usage

Run the detection in your terminal:

powerpipe detection run apache_access_log_detections.detection.cross_site_scripting_javascript_methods

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run apache_access_log_detections.detection.cross_site_scripting_javascript_methods --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
  request_method as operation,
  request_uri as resource,
  status,
  http_user_agent as actor,
  tp_source_ip as source_ip,
  tp_id as source_id,
  -- Create new aliases to preserve original row data
  status as status_src,
  timestamp as timestamp_src,
  * exclude (status, timestamp)
from
  apache_access_log
where
  (
    request_uri is not null
    and (
      -- Dangerous JavaScript methods
      request_uri ilike '%eval(%'
      or request_uri ilike '%setTimeout(%'
      or request_uri ilike '%setInterval(%'
      or request_uri ilike '%Function(%'
      or request_uri ilike '%fetch(%'
      or request_uri ilike '%document.write(%'
      or request_uri ilike '%document.cookie%'
    )
  )
  or (
    http_user_agent is not null
    and (
      -- Dangerous JavaScript methods
      http_user_agent ilike '%eval(%'
      or http_user_agent ilike '%setTimeout(%'
      or http_user_agent ilike '%setInterval(%'
      or http_user_agent ilike '%Function(%'
      or http_user_agent ilike '%fetch(%'
      or http_user_agent ilike '%document.write(%'
      or http_user_agent ilike '%document.cookie%'
    )
  )
order by
  tp_timestamp desc;
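To see exactly which rows the named query above would flag, here is an added Python re-implementation (example code, not part of this mod) that applies the same case-insensitive substrings to a few constructed Apache combined-format log lines. The `decode` option is an assumption not present in the query: it URL-decodes the URI before matching, which shows that the literal ILIKE patterns only fire on the request as logged.

```python
import re
from urllib.parse import unquote

# The same substrings the named query tests with ILIKE (case-insensitive).
JS_METHOD_PATTERNS = ["eval(", "setTimeout(", "setInterval(", "Function(",
                      "fetch(", "document.write(", "document.cookie"]

# Apache "combined" log format; field names mirror the columns the query uses.
LOG_RE = re.compile(
    r'(?P<source_ip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<request_method>\S+) (?P<request_uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<http_user_agent>[^"]*)"')

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def matches_js_method(value, decode=False):
    """Emulate `value ilike '%pattern%'` for each pattern and return the
    first pattern that matches, or None (also None for a null column).
    decode=True is an assumption beyond the query: URL-decode first."""
    if value is None:
        return None
    if decode:
        value = unquote(value)
    low = value.lower()
    for p in JS_METHOD_PATTERNS:
        if p.lower() in low:
            return p
    return None

def detect(lines, decode=False):
    """Return rows shaped like the query's output for every matching line."""
    hits = []
    for line in lines:
        row = parse_line(line)
        if row is None:
            continue  # not combined format; the query would never see it
        matched = (matches_js_method(row["request_uri"], decode)
                   or matches_js_method(row["http_user_agent"], decode))
        if matched:
            hits.append({"timestamp": row["timestamp"], "operation": row["request_method"],
                         "resource": row["request_uri"], "status": row["status"],
                         "actor": row["http_user_agent"], "source_ip": row["source_ip"],
                         "matched_pattern": matched})
    return hits

# Constructed sample lines (not real traffic): URI hit, User-Agent hit,
# URL-encoded URI the literal patterns miss, and a benign request.
SAMPLE_LINES = [
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=eval(1) HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 document.cookie"',
    '203.0.113.12 - - [10/Oct/2023:13:55:38 +0000] "GET /search?q=eval%281%29 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.13 - - [10/Oct/2023:13:55:39 +0000] "GET /about HTTP/1.1" 200 256 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for h in detect(SAMPLE_LINES):
        print(h["source_ip"], h["matched_pattern"], h["resource"])
```

Running it flags the first two lines only; the third line is flagged only with `decode=True`, so a Tailpipe deployment that wants that coverage needs a decoded column or an extra pattern set rather than relying on the literal `eval(` substring.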

Tags