elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[New Rule] Potential Cross Site Scripting ( XSS ) #2820

Closed shashank-elastic closed 1 year ago

shashank-elastic commented 1 year ago

Description

Cross-Site Scripting (XSS) attacks are a type of attack in which malicious scripts are injected into trusted websites. In XSS attacks, an attacker uses a benign web application to send malicious code, generally in the form of a browser-side script.

The detection rule identifies the potential malicious executions of such browser-side scripts. The potential damage is seen when the malicious script tries to access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.

Sample Payload Reference: https://github.com/payloadbox/xss-payload-list

Required Info

Target indexes

"apm--transaction", "traces-apm*"

Additional requirements

The following are mandatory requirements.

Target Operating Systems

Cross-platform. The rules are tied to an integration setup, and testing was done on Linux.

Platforms

NA

Tested ECS Version

8.6.0-dev

Optional Info

Query

```
any where processor.name == "transaction" and
  url.fragment : ("*iframe*", "*prompt*", "*script*", "*svg*", "*onerror=*",
                  "*javascript*alert*", "*eval*", "*onclick*", "*document.cookie*",
                  "*document.domain*", "*onresize=*", "*onload=*", "*onmouseover=*",
                  "*${alert*")
```

Example Data

```
{
  "_index": ".ds-traces-apm.rum-default-2023.05.24-000001",
  "_id": "POW6WIgBeOKQ9uc9EwiR",
  "_score": 1,
  "fields": {
    "transaction.name.text": [ "GET http://34.29.232.211:3000/socket.io/" ],
    "transaction.representative_count": [ 1 ],
    "user_agent.original.text": [ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36" ],
    "client.geo.country_iso_code": [ "IN" ],
    "url.original.text": [ "http://34.29.232.211:3000/#/search?q=%3Ciframe%20src%3D%22javascript:alert(%60xss%60)%22%3E" ],
    "user_agent.os.version": [ "10.15.7" ],
    "service.language.name": [ "javascript" ],
    "transaction.id": [ "a0774ffc5ee10b88" ],
    "processor.event": [ "transaction" ],
    "source.ip": [ "101.0.62.128" ],
    "agent.name": [ "rum-js" ],
    "user_agent.version": [ "113.0.0.0" ],
    "event.agent_id_status": [ "missing" ],
    "client.geo.country_name": [ "India" ],
    "url.fragment": [ "/search?q=
```
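The matching logic of the proposed query, run over a few constructed APM documents, as an added example that is not part of the issue and not code from the detection-rules project. It assumes flattened ECS field names, reads `url.fragment` as a plain string, and models EQL's `:` operator as a case-insensitive wildcard comparison where `*` matches any run of characters. The `decode` flag, the `evaluate`/`scan` helpers and all sample documents are mine; the first sample fragment is the one visible in the issue's example `url.original.text`, the rest are made up.

```python
import re
from urllib.parse import unquote

# Wildcard patterns taken from the proposed rule's url.fragment list.
XSS_FRAGMENT_PATTERNS = (
    "*iframe*", "*prompt*", "*script*", "*svg*", "*onerror=*",
    "*javascript*alert*", "*eval*", "*onclick*", "*document.cookie*",
    "*document.domain*", "*onresize=*", "*onload=*", "*onmouseover=*",
    "*${alert*",
)


def eql_wildcard_to_regex(pattern):
    """Translate an EQL ':' wildcard pattern into a compiled regex.

    EQL's ':' compares case-insensitively and treats '*' as "any run of
    characters"; every other character is literal, so it is escaped.
    """
    parts = (re.escape(part) for part in pattern.split("*"))
    return re.compile(".*".join(parts), re.IGNORECASE | re.DOTALL)


COMPILED_PATTERNS = [(p, eql_wildcard_to_regex(p)) for p in XSS_FRAGMENT_PATTERNS]


def matching_patterns(fragment, decode=True):
    """Return the rule patterns (in rule order) that match a url.fragment value.

    With decode=True the percent-decoded form is checked as well, so a pattern
    such as '*onerror=*' still fires when the browser stored the '=' as '%3D'.
    decode=False reproduces a literal comparison against the stored value,
    which is what the EQL query itself does.
    """
    candidates = {fragment}
    if decode:
        candidates.add(unquote(fragment))
    return [p for p, rx in COMPILED_PATTERNS
            if any(rx.fullmatch(c) for c in candidates)]


def evaluate(doc, decode=True):
    """Apply the rule's conditions to one flattened APM document (hypothetical helper)."""
    # Same gate as the EQL query: only transaction documents are considered.
    if doc.get("processor.name") != "transaction":
        return []
    fragment = doc.get("url.fragment")
    if not fragment:
        return []
    return matching_patterns(fragment, decode)


# Constructed sample documents. Only the fields the rule reads are included.
SAMPLE_DOCS = [
    {"processor.name": "transaction",
     "url.fragment": "/search?q=%3Ciframe%20src%3D%22javascript:alert(%60xss%60)%22%3E"},
    {"processor.name": "transaction",
     "url.fragment": "/search?q=laptops"},
    {"processor.name": "transaction",
     "url.fragment": "/profile?name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"},
    {"processor.name": "error",
     "url.fragment": "/search?q=%3Cscript%3E"},
]


def scan(docs, decode=True):
    """Return (index, matched patterns) for every document the rule would alert on."""
    results = []
    for i, doc in enumerate(docs):
        hits = evaluate(doc, decode)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_DOCS):
        print(f"doc {i}: {hits}")
```

Running `scan` with `decode=False` mirrors the query as written: the issue's own fragment matches because `iframe`, `script` and `javascript...alert` survive percent-encoding as literal substrings, while the third document does not match because the patterns that contain `=` never see an encoded `%3D`. Whether that matters in practice depends on whether the RUM agent stores `url.fragment` decoded or as sent; worth confirming against real index data before tuning the pattern list.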