Client-side attacks

Client-side attacks exploit the trust relationship between a user and the websites they visit.

Types of client-side attacks

The following types of attacks are considered client-side attacks:
Table 1. Client-side attacks
Attack type Attack description
Content Spoofing Tricks a user into believing that certain content that appears on a website is legitimate and not from an external source.
Cross-site Scripting (XSS) Allows an attacker to execute scripts in the victim's web browser. This attack is used to intercept user sessions, deface websites, insert hostile content, conduct phishing attacks, and take over the user's browser by using scripting malware.

All web application frameworks are vulnerable to this exploit. The exploit typically uses HTML or JavaScript, but any scripting language, including VBScript, ActiveX, Java™, or Flash, supported by the victim's browser is a potential target for this attack.

The types of Cross-site Scripting attacks include:
  • Non-persistent: Requires a user to visit a specially crafted link that contains malicious code. When the user accesses the link, the code that is embedded in the URL is executed within the user's web browser.
  • Persistent: Inflicts malicious code on a website where it is stored. Typical targets of persistent cross-site scripting for an attacker include message board posts, web mail messages, and web chat software.

Signatures triggered by this attack

The signatures that are triggered by client-side attacks include:
Table 2. Client-side attack signatures
Signature name Description More information
Cross_Site_Scripting Detects known forms of the <SCRIPT> tag in URL or CGI data.

This signature replaces HTTP_GETargscript, HTTP_POST_Script, and HTTP_Cross_Site_Scripting events.

IBM® X-Force®: HTTP cross-site scripting attempt detected
HTTP_Apache_Expect_XSS Detects a specially crafted Expect header that might be used to embed a malicious script and be executed in the victim's web browser. IBM X-Force: Apache and IBM HTTP Server Expect header cross-site scripting

CVE-2006-3918

HTTP_Apache_OnError_XSS Detects cross-site scripting attempts to older versions of Apache web servers.

In such cases, the Apache ONERROR/404 redirect must be enabled and specially configured for the cross-site scripting attempt to work.

IBM X-Force: Apache HTTP Server Host: header cross-site scripting

CVE-2002-0840

HTTP_Cross_Site_Scripting Detects HTTP URLs that contain the strings <script> or </script>. IBM X-Force: Microsoft IIS Cross-Site Scripting

CVE-2000-1104
CVE-2005-2379
CVE-2006-0032

HTTP_GETargscript Detects an HTTP GET request that contains JavaScript code. Because of the unusual nature of this exploit, this signature cannot report the true intruder.

During this exploit, the victim communicates with an HTTP server that the intruder uses. However, this HTTP server is a """means to an end""" and plays no role in the actual attack.

The damage is done when Internet Explorer saves the JavaScript in its cache (index.dat) while it is processing the request. The real intruder is likely indicated by other events reported corresponding with this one.

IBM X-Force: Microsoft Internet Explorer 5.5 index.dat file can be used to remotely execute code

CVE-2007-1499

HTTP_Html_In_Ref Detects an HTTP REFERER field that contains HTML tags, which might indicate a cross-site scripting attack. IBM X-Force: HTTP Referer Header tag detected
HTTP_HTML_Tag_Injection Detects known HTML tag injection attacks and probing activity.

This signature does not necessarily indicate an attack, however, many scripting attacks are used with various HTML tags that this signature triggers on, such as TABLE, TD, or META.

IBM X-Force: HTTP HTML tag injection attempt detected
HTTP_IFRAME_Tag_Injection Detects an HTML <IFRAME> tag injection attempt.

This signature does not necessarily indicate an attack, however, many successful scripting and browser hijacking attacks are used with IFRAME tag injections.

IBM X-Force: HTTP IFRAME tag injection attempt detected
HTTP_MCMS_CrossSiteScripting Detects a specially crafted HTTP URL that can cause a client-side script to be injected into the user's browser. IBM X-Force: Microsoft Content Management Server (MCMS) HTTP request cross-site scripting

CVE-2007-0939

HTTP_MSIS_Script Checks argument data for cross-site scripting in the Microsoft Indexing Services. IBM X-Force: Microsoft IIS .htw cross scripting

CVE-2000-0942

HTTP_Nfuse_Script Checks for a specially crafted URL containing launch.asp or launch.jsp. IBM X-Force: Citrix NFuse launch.* cross-site scripting

CVE-2002-0504

HTTP_POST_Script Detects if an HTTP POST command contains a <script> tag. IBM X-Force: HTTP POST contains malicious script
HTTP_Share_Point_XSS Detects a URL that ends in .aspx, followed by the string /""");}. IBM X-Force: Microsoft SharePoint Server default.aspx PATH_INFO cross-site scripting

CVE-2007-2581