← Back to Explore
sigmahighHunting
Cross Site Scripting Strings
Detects XSS attempts injected via GET requests in access logs
Detection Query
select_method:
cs-method: GET
keywords:
- =<script>
- =%3Cscript%3E
- =%253Cscript%253E
- "<iframe "
- "%3Ciframe "
- "<svg "
- "%3Csvg "
- document.cookie
- document.domain
- " onerror="
- " onresize="
- ' onload="'
- onmouseover=
- ${alert
- javascript:alert
- javascript%3Aalert
filter:
sc-status: 404
condition: select_method and keywords and not filter
Author
Saw Win Naung, Nasreddine Bencherchali
Created
2021-08-15
Data Sources
webserver
References
Tags
attack.initial-accessattack.t1189
Raw Content
title: Cross Site Scripting Strings
id: 65354b83-a2ea-4ea6-8414-3ab38be0d409
status: test
description: Detects XSS attempts injected via GET requests in access logs
references:
- https://github.com/payloadbox/xss-payload-list
- https://portswigger.net/web-security/cross-site-scripting/contexts
author: Saw Win Naung, Nasreddine Bencherchali
date: 2021-08-15
modified: 2022-06-14
tags:
- attack.initial-access
- attack.t1189
logsource:
category: webserver
detection:
select_method:
cs-method: 'GET'
keywords:
- '=<script>'
- '=%3Cscript%3E'
- '=%253Cscript%253E'
- '<iframe '
- '%3Ciframe '
- '<svg '
- '%3Csvg '
- 'document.cookie'
- 'document.domain'
- ' onerror='
- ' onresize='
- ' onload="'
- 'onmouseover='
- '${alert'
- 'javascript:alert'
- 'javascript%3Aalert'
filter:
sc-status: 404
condition: select_method and keywords and not filter
falsepositives:
- JavaScripts,CSS Files and PNG files
- User searches in search boxes of the respective website
- Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes
level: high