Client-side attacks exploit the trust relationship between a user and the websites they visit.
Attack type | Attack description |
---|---|
Content Spoofing | Tricks a user into believing that certain content that appears on a website is legitimate and not from an external source. |
Cross-site Scripting (XSS) | Allows an attacker to execute scripts in the victim's web browser. This attack is used to intercept user sessions, deface websites, insert hostile content, conduct phishing attacks, and take over the user's browser by using scripting malware. All web application frameworks are vulnerable to this exploit. The exploit typically uses HTML or JavaScript, but any scripting language, including VBScript, ActiveX, Java™, or Flash, supported by the victim's browser is a potential target for this attack. |

The types of Cross-site Scripting attacks include:

Signature name | Description | More information |
---|---|---|
Cross_Site_Scripting | Detects known forms of the <SCRIPT> tag in URL or CGI data. This signature replaces the HTTP_GETargscript, HTTP_POST_Script, and HTTP_Cross_Site_Scripting events. | IBM® X-Force®: HTTP cross-site scripting attempt detected |
HTTP_Apache_Expect_XSS | Detects a specially crafted Expect header that might be used to embed a malicious script and be executed in the victim's web browser. | IBM X-Force: Apache and IBM HTTP Server Expect header cross-site scripting |
HTTP_Apache_OnError_XSS | Detects cross-site scripting attempts against older versions of Apache web servers. In such cases, the Apache ONERROR/404 redirect must be enabled and specially configured for the cross-site scripting attempt to work. | IBM X-Force: Apache HTTP Server Host: header cross-site scripting |
HTTP_Cross_Site_Scripting | Detects HTTP URLs that contain the strings <script> or </script>. | IBM X-Force: Microsoft IIS Cross-Site Scripting |
HTTP_GETargscript | Detects an HTTP GET request that contains JavaScript code. Because of the unusual nature of this exploit, this signature cannot report the true intruder. During this exploit, the victim communicates with an HTTP server that the intruder uses. However, this HTTP server is a "means to an end" and plays no role in the actual attack. The damage is done when Internet Explorer saves the JavaScript in its cache (index.dat) while it is processing the request. The real intruder is likely indicated by other events reported alongside this one. | IBM X-Force: Microsoft Internet Explorer 5.5 index.dat file can be used to remotely execute code |
HTTP_Html_In_Ref | Detects an HTTP REFERER field that contains HTML tags, which might indicate a cross-site scripting attack. | IBM X-Force: HTTP Referer Header tag detected |
HTTP_HTML_Tag_Injection | Detects known HTML tag injection attacks and probing activity. This signature does not necessarily indicate an attack; however, many scripting attacks use the various HTML tags that this signature triggers on, such as TABLE, TD, or META. | IBM X-Force: HTTP HTML tag injection attempt detected |
HTTP_IFRAME_Tag_Injection | Detects an HTML <IFRAME> tag injection attempt. This signature does not necessarily indicate an attack; however, many successful scripting and browser hijacking attacks use IFRAME tag injections. | IBM X-Force: HTTP IFRAME tag injection attempt detected |
HTTP_MCMS_CrossSiteScripting | Detects a specially crafted HTTP URL that can cause a client-side script to be injected into the user's browser. | IBM X-Force: Microsoft Content Management Server (MCMS) HTTP request cross-site scripting |
HTTP_MSIS_Script | Checks argument data for cross-site scripting in the Microsoft Indexing Services. | IBM X-Force: Microsoft IIS .htw cross scripting |
HTTP_Nfuse_Script | Checks for a specially crafted URL containing launch.asp or launch.jsp. | IBM X-Force: Citrix NFuse launch.* cross-site scripting |
HTTP_POST_Script | Detects if an HTTP POST command contains a <script> tag. | IBM X-Force: HTTP POST contains malicious script |
HTTP_Share_Point_XSS | Detects a URL that ends in .aspx, followed by the string /");}. | IBM X-Force: Microsoft SharePoint Server default.aspx PATH_INFO cross-site scripting |
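As an added example (not IBM's detection code), the following hypothetical model of a few of the signatures above is run over constructed requests; it URL-decodes each field before matching, since a literal string check for `<script>` would miss the percent-encoded form `%3Cscript%3E` that actually arrives on the wire.

```python
import re
from urllib.parse import unquote_plus

# Hypothetical models of signatures described above (assumption: this is a
# simplified re-implementation, not the vendor's own matching logic).
# Each entry: (signature name, request part to inspect, regex applied after decoding).
SIGNATURES = [
    ("HTTP_Cross_Site_Scripting", "url", re.compile(r"</?script>", re.I)),
    ("HTTP_POST_Script", "body", re.compile(r"<script", re.I)),
    ("HTTP_Html_In_Ref", "referer", re.compile(r"<[a-z!/][^>]*>", re.I)),
    ("HTTP_IFRAME_Tag_Injection", "url", re.compile(r"<iframe\b", re.I)),
    ("HTTP_IFRAME_Tag_Injection", "body", re.compile(r"<iframe\b", re.I)),
    ("HTTP_Share_Point_XSS", "url", re.compile(r'\.aspx/"\);\}', re.I)),
]


def normalize(value):
    """Decode percent-encoding twice so single- and double-encoded payloads
    are inspected as the same text as their literal form."""
    if value is None:
        return ""
    return unquote_plus(unquote_plus(value))


def match_signatures(request):
    """Return the names of signatures that fire on a request dict with the
    keys 'method', 'url' and optionally 'referer' and 'body'."""
    hits = []
    for name, part, pattern in SIGNATURES:
        if pattern.search(normalize(request.get(part))) and name not in hits:
            hits.append(name)
    return hits


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    {"method": "GET", "url": "/search?q=%3Cscript%3Ex%3C/script%3E"},
    {"method": "GET", "url": "/page", "referer": "http://example.test/<img src=x>"},
    {"method": "POST", "url": "/comment",
     "body": "text=%3CIFRAME+src%3D%22http%3A%2F%2Fexample.test%22%3E"},
    {"method": "GET", "url": "/sites/default.aspx/%22);}"},
    {"method": "GET", "url": "/search?q=benign+query"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["method"], req["url"], "->", match_signatures(req) or "clean")
```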