Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Cross Site Scripting Strings

Detects XSS attempts injected via GET requests in access logs

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Saw Win Naung, Nasreddine Bencherchali (Nextron Systems)Created Sun Aug 15Updated Tue Jun 1465354b83-a2ea-4ea6-8414-3ab38be0d409web
Log Source
Web Server Log
CategoryWeb Server Log← raw: webserver

HTTP access logs from web servers capturing request paths, methods, and status codes.

Detection Logic
Detection Logic3 selectors
detection:
    select_method:
        cs-method: 'GET'
    keywords:
        - '=<script>'
        - '=%3Cscript%3E'
        - '=%253Cscript%253E'
        - '<iframe '
        - '%3Ciframe '
        - '<svg '
        - '%3Csvg '
        - 'document.cookie'
        - 'document.domain'
        - ' onerror='
        - ' onresize='
        - ' onload="'
        - 'onmouseover='
        - '${alert'
        - 'javascript:alert'
        - 'javascript%3Aalert'
    filter:
        sc-status: 404
    condition: select_method and keywords and not filter
False Positives

JavaScripts,CSS Files and PNG files

User searches in search boxes of the respective website

Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes

References
1
Resolving title…
github.com
2
Resolving title…
portswigger.net
MITRE ATT&CK
Rule Metadata
Rule ID
65354b83-a2ea-4ea6-8414-3ab38be0d409
Status
test
Level
high
Type
Detection
Created
Sun Aug 15
Modified
Tue Jun 14
Author
Saw Win Naung, Nasreddine Bencherchali (Nextron Systems)
Path
rules/web/webserver_generic/web_xss_in_access_logs.yml
Raw Tags
attack.initial-accessattack.t1189
View on GitHub