turbot/tailpipe-mod-apache-access-log-detections

Query: cross_site_scripting_encoding

Usage

powerpipe query apache_access_log_detections.query.cross_site_scripting_encoding

Tailpipe Tables

apache_access_log

SQL

select
  tp_timestamp as timestamp,
  request_method as operation,
  request_uri as resource,
  status,
  http_user_agent as actor,
  tp_source_ip as source_ip,
  tp_id as source_id,
  -- Create new aliases to preserve original row data
  status as status_src,
  timestamp as timestamp_src,
  * exclude (status, timestamp)
from
  apache_access_log
where
  (
    request_uri is not null
    and (
      -- HTML entity encoding
      request_uri ilike '%&#x3C;script%' -- Hex entity encoded <script
      or request_uri ilike '%&#60;script%' -- Decimal entity encoded <script
      or request_uri ilike '%&#x3c;%&#x2f;script&#x3e;%' -- Hex encoded </script>
      or request_uri ilike '%&#x3c;img%&#x6f;nerror%' -- Hex encoded <img and onerror
      -- Base64 encoding
      or request_uri ilike '%data:text/html;base64,%'
      -- URL encoding
      or request_uri ilike '%\\u00%'
      or request_uri ilike '%\\x%'
      -- UTF-7 encoding (IE specific)
      or request_uri ilike '%+ADw-%'
    )
  )
  or
  (
    http_user_agent is not null
    and (
      -- HTML entity encoding
      http_user_agent ilike '%&#x3C;script%' -- Hex entity encoded <script
      or http_user_agent ilike '%&#60;script%' -- Decimal entity encoded <script
      or http_user_agent ilike '%&#x3c;%&#x2f;script&#x3e;%' -- Hex encoded </script>
      or http_user_agent ilike '%&#x3c;img%&#x6f;nerror%' -- Hex encoded <img and onerror
      -- Base64 encoding
      or http_user_agent ilike '%data:text/html;base64,%'
      -- URL encoding
      or http_user_agent ilike '%\\u00%'
      or http_user_agent ilike '%\\x%'
      -- UTF-7 encoding (IE specific)
      or http_user_agent ilike '%+ADw-%'
    )
  )
order by
  tp_timestamp desc;
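As an added, stand-alone example (not part of the mod), the same predicates applied in Python to constructed Apache combined-format lines, so the patterns can be checked against sample data without a Tailpipe database. `%` is treated as a wildcard and every other character, backslashes included, as a literal, which is the behaviour assumed here for DuckDB ILIKE without an ESCAPE clause; label names and the log-line regex are this example's own.

```python
import re

ENCODED_XSS_PATTERNS = [  # ILIKE patterns copied verbatim from the detection's where clause
    ("html_entity_hex_script", "%&#x3C;script%"),
    ("html_entity_decimal_script", "%&#60;script%"),
    ("html_entity_hex_close_script", "%&#x3c;%&#x2f;script&#x3e;%"),
    ("html_entity_hex_img_onerror", "%&#x3c;img%&#x6f;nerror%"),
    ("base64_data_uri", "%data:text/html;base64,%"),
    ("unicode_escape", r"%\\u00%"),  # two literal backslashes, exactly as written in the SQL
    ("hex_escape", r"%\\x%"),
    ("utf7_lt", "%+ADw-%"),
]

def ilike_to_regex(pattern):
    """'%' -> any run, '_' -> one char, everything else literal; case-insensitive match."""
    body = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.compile(body, re.IGNORECASE | re.DOTALL)

COMPILED = [(label, ilike_to_regex(p)) for label, p in ENCODED_XSS_PATTERNS]

def encoded_xss_labels(value):
    """Labels of every predicate the value satisfies; [] for None (the SQL 'is not null')."""
    if value is None:
        return []
    return [label for label, rx in COMPILED if rx.fullmatch(value)]

COMBINED_LOG = re.compile(  # Apache combined format; quoted fields may hold Apache-escaped \"
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?:[^"\\]|\\.)*" "(?P<ua>(?:[^"\\]|\\.)*)"'
)

def scan_access_log(lines):
    """One hit per matched field, mirroring the query's request_uri / http_user_agent branches."""
    hits = []
    for line in lines:
        m = COMBINED_LOG.match(line)
        if not m:
            continue  # unparsable line: nothing to evaluate
        for group, field in (("uri", "request_uri"), ("ua", "http_user_agent")):
            labels = encoded_xss_labels(m.group(group))
            if labels:
                hits.append({"source_ip": m.group("ip"), "status": int(m.group("status")), "field": field, "labels": labels})
    return hits

SAMPLE_LINES = [  # constructed sample lines (not real traffic): one benign, three with encoded markup
    '203.0.113.10 - - [12/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [12/Mar/2024:10:00:02 +0000] "GET /search?q=&#x3C;script&#x3E;x&#x3C;/script&#x3E; HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [12/Mar/2024:10:00:03 +0000] "GET /about HTTP/1.1" 200 300 "-" "+ADw-script+AD4-x"',
    '203.0.113.13 - - [12/Mar/2024:10:00:04 +0000] "GET /r?to=data:text/html;base64,PHNjcmlwdD4= HTTP/1.1" 302 0 "-" "curl/8.0"',
]
```

Note that the `\\u00` and `\\x` patterns only fire when the field contains two consecutive backslashes, so a request with a single `\u003c` is not reported; whether that is the form the parsed table stores depends on how the log line was escaped before ingestion.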

Detections

The query is being used by the following detections: