turbot/tailpipe-mod-apache-access-log-detections

Detection: Cross-Site Scripting JavaScript URI

Overview

The XSS JavaScript URI Vector detection identifies Cross-Site Scripting (XSS) attacks that specifically leverage JavaScript URI schemes to execute malicious code. This attack vector is particularly dangerous as it can be used within various HTML attributes to trigger script execution.

This detection analyzes both HTTP requests and User-Agent headers for the presence of JavaScript URI schemes (javascript:) and their obfuscated variants. Attackers often use these URI schemes in attributes like href, src, action, and others to execute arbitrary JavaScript code when a user interacts with the element containing the malicious attribute.

JavaScript URI-based XSS attacks can be especially deceptive as they can be hidden in legitimate-looking links or redirects. When users click on links containing these URI schemes, the browser will execute the JavaScript code in the context of the current page, potentially leading to session hijacking, credential theft, or other malicious actions.

Attackers frequently employ obfuscation techniques to bypass security filters, including character splitting (e.g., j%0Aa%0Avascript, which works because browsers strip tab, newline, and carriage-return characters when parsing a URL scheme), URL encoding, and HTML entity encoding of individual letters to spell out "javascript" in ways that evade simple pattern matching but are still interpreted by browsers as the JavaScript protocol.

By examining both request URIs and User-Agent headers, this detection can identify attackers who attempt to evade security controls by placing their payloads in HTTP headers rather than request parameters. This helps security teams identify exploitation attempts against their web applications through this specific XSS vector.

References:

Usage

Run the detection in your terminal:

powerpipe detection run apache_access_log_detections.detection.cross_site_scripting_javascript_uri

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run apache_access_log_detections.detection.cross_site_scripting_javascript_uri --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
  request_method as operation,
  request_uri as resource,
  status,
  http_user_agent as actor,
  tp_source_ip as source_ip,
  tp_id as source_id,
  -- Create new aliases to preserve original row data
  status as status_src,
  timestamp as timestamp_src,
  * exclude (status, timestamp)
from
  apache_access_log
where
  (
    request_uri is not null
    and (
      -- JavaScript URI schemes
      request_uri ilike '%javascript:%'
      or request_uri ilike '%vbscript:%'
      -- Obfuscated javascript: URIs
      or request_uri ilike '%jav
ascript:%'
      or request_uri ilike '%javascript:url(%'
    )
  )
  or
  (
    http_user_agent is not null
    and (
      -- JavaScript URI schemes
      http_user_agent ilike '%javascript:%'
      or http_user_agent ilike '%vbscript:%'
      -- Obfuscated javascript: URIs
      or http_user_agent ilike '%jav
ascript:%'
      or http_user_agent ilike '%javascript:url(%'
    )
  )
order by
  tp_timestamp desc;
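The query above matches raw log text, so an encoded split such as j%0Aa%0Avascript (described in the overview) only matches if the log already contains a decoded newline. The Python below is an added example, not part of this mod: it parses constructed Apache combined-format lines, URL-decodes and HTML-unescapes each request URI and User-Agent (two rounds, to unwrap one layer of double encoding), strips the tab, newline, carriage-return and NUL bytes browsers ignore inside a scheme, and only then looks for javascript: or vbscript:. A benign query such as javascript+tutorial is not flagged because it never yields the scheme followed by a colon. The log lines, IP addresses and field names are constructed for the example.

```python
import html
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines (not real traffic).
SAMPLE_LOG = r'''
203.0.113.10 - - [10/Oct/2024:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Oct/2024:13:55:37 +0000] "GET /redirect?next=javascript:alert(1) HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Oct/2024:13:55:38 +0000] "GET /go?u=j%0Aa%0Avascript:alert(document.cookie) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Oct/2024:13:55:39 +0000] "GET /search?q=javascript+tutorial HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.14 - - [10/Oct/2024:13:55:40 +0000] "GET / HTTP/1.1" 200 100 "-" "Mozilla/5.0 vbscript:msgbox(1)"
203.0.113.15 - - [10/Oct/2024:13:55:41 +0000] "GET /a?x=%26%23106%3Bavascript:alert(1) HTTP/1.1" 200 5 "-" "curl/8.0"
'''

# Apache combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Characters browsers drop while parsing a URL scheme, so "jav\nascript:" still runs.
STRIP_RE = re.compile(r'[\t\n\r\x00]')

# Scheme names the detection cares about; \s* tolerates "javascript :" variants.
SCHEME_RE = re.compile(r'(javascript|vbscript)\s*:', re.IGNORECASE)


def normalize(value: str, rounds: int = 2) -> str:
    """Undo the encodings a browser would undo before it interprets the scheme.

    Each round applies percent-decoding and then HTML entity decoding; stopping
    early when a round changes nothing keeps plain values cheap to process.
    """
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return STRIP_RE.sub('', value).lower()


def detect(log_text: str) -> list:
    """Return one finding per (line, field) whose normalized value carries a script scheme."""
    findings = []
    for line in log_text.strip().splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not combined format; a real pipeline would count these
        for group, field in (('uri', 'request_uri'), ('ua', 'http_user_agent')):
            raw = match.group(group)
            hit = SCHEME_RE.search(normalize(raw))
            if hit:
                findings.append({
                    'timestamp': match.group('ts'),
                    'source_ip': match.group('ip'),
                    'field': field,
                    'scheme': hit.group(1).lower(),
                    'raw': raw,
                })
    return findings


if __name__ == '__main__':
    for f in detect(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['source_ip']} {f['field']} {f['scheme']}: {f['raw']}")
```

Only the four lines carrying a script scheme are reported; the plain page load and the search for "javascript tutorial" are left alone. The same decode-then-match order applies when extending the SQL: normalize first, compare second, or the obfuscated forms the overview describes slip through.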

Tags