How about UTF-7 XSS attack?
False positive will be there, you need to reduce it as much as
possible. But just checking for javascript: is not a good idea.
Keeping an eye on no. of occurrence of particular patterns might help.
On 6 Feb 2007 11:44:45 -0000, rathnach@gmail.com <rathnach@gmail.com> wrote:
1st is, whether executing javascript on clients browser context in http req. is
permissible.
>>>>>> we don't have any control to implement policy to restrict developers
using such feature.
2nd as yahoo is one of the most visted sit, how can avoid cjances of false
postive, and is there any way to harden this signature.
>>>>>>IDS detection is most effective only when it is configured properly and
signatures are specific to attack.
Generic signatures are only good to identify unknown attacks,Provided you have
good logging capability. but problem is false positives.
My would suggest is to find some vulnerable file path + XXS pattern to be more
effective.
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
