activity_dashboard_bad_request_countactivity_dashboard_error_countactivity_dashboard_redirect_countactivity_dashboard_requests_by_dayactivity_dashboard_requests_by_errorsactivity_dashboard_requests_by_http_methodactivity_dashboard_requests_by_status_codeactivity_dashboard_requests_by_successful_requestsactivity_dashboard_requests_by_user_agentactivity_dashboard_success_countactivity_dashboard_top_10_clientsactivity_dashboard_top_10_urlsactivity_dashboard_total_logscross_site_scripting_angular_templatecross_site_scripting_attribute_injectioncross_site_scripting_common_patternscross_site_scripting_dom_basedcross_site_scripting_encodingcross_site_scripting_html_injectioncross_site_scripting_javascript_methodscross_site_scripting_javascript_uricross_site_scripting_script_tagencoded_path_traversalheader_based_local_file_inclusionhidden_file_accesslog4shell_vulnerabilityos_file_accesspath_traversalrestricted_file_accessspring4shell_vulnerabilitysql_injection_blind_basedsql_injection_common_patternssql_injection_error_basedsql_injection_time_basedsql_injection_union_basedsql_injection_user_agent_based
Query: cross_site_scripting_html_injection
Usage
powerpipe query apache_access_log_detections.query.cross_site_scripting_html_injectionTailpipe Tables
SQL
select tp_timestamp as timestamp,request_method as operation,request_uri as resource,status,http_user_agent as actor,tp_source_ip as source_ip,tp_id as source_id,-- Create new aliases to preserve original row datastatus as status_src,timestamp as timestamp_src,*exclude (status, timestamp)
from apache_access_logwhere ( request_uri is not null and ( -- Common HTML tags that can be used for XSS request_uri ilike '%<iframe%src=%' or request_uri ilike '%<img%src=%' and ( request_uri ilike '%onerror=%' or request_uri ilike '%onload=%' ) or request_uri ilike '%<svg%on%=' -- SVG with event handlers or request_uri ilike '%<svg><script%' -- SVG containing script or request_uri ilike '%<object%data=%' and request_uri not ilike '%application/pdf%' or request_uri ilike '%<embed%src=%' and request_uri not ilike '%application/pdf%' or request_uri ilike '%<video%src=%' and ( request_uri ilike '%onerror=%' or request_uri ilike '%onload=%' ) or request_uri ilike '%<audio%src=%' and ( request_uri ilike '%onerror=%' or request_uri ilike '%onload=%' ) ) ) or ( http_user_agent is not null and ( -- HTML tags with dangerous attributes (reduces false positives) http_user_agent ilike '%<iframe%src=%' or http_user_agent ilike '%<iframe%srcdoc=%' or http_user_agent ilike '%<img%src=%' and ( http_user_agent ilike '%onerror=%' or http_user_agent ilike '%onload=%' ) or http_user_agent ilike '%<svg%on%=' -- SVG with event handlers or http_user_agent ilike '%<svg><script%' -- SVG containing script or http_user_agent ilike '%<object%data=%' and http_user_agent not ilike '%application/pdf%' or http_user_agent ilike '%<embed%src=%' and http_user_agent not ilike '%application/pdf%' or http_user_agent ilike '%<video%src=%' and ( http_user_agent ilike '%onerror=%' or http_user_agent ilike '%onload=%' ) or http_user_agent ilike '%<audio%src=%' and ( http_user_agent ilike '%onerror=%' or http_user_agent ilike '%onload=%' ) ) )order by tp_timestamp desc;
Detections
The query is being used by the following detections: