pixie-io / pixie

Instant Kubernetes-Native Application Observability
https://px.dev
Apache License 2.0

UDF to identify XSS attacks via regex rules #356

Open hmstepanek opened 2 years ago

hmstepanek commented 2 years ago

In order to identify reflected and stored Cross Site Scripting (XSS) attacks inside HTTP requests and SQL queries we need to implement a UDF that returns whether or not the input string contains an XSS attack.

Describe the solution you'd like
Implement a UDF that takes a string as input. It should test this string against a list of regular expressions and return, on the first match, a string naming the regex rule that matched, which identifies it as an XSS attack. If none of the regular expressions match, it should return an empty string indicating it was not an XSS attack. This function would be called as part of a PxL script that passes it both HTTP request and response data as well as SQL query data.

Regular expression rules:

"img_tag": "(?i).*(<|%3C)\s*img.*"
"iframe_tag": "(?i).*(<|%3C)\s*iframe.*"
"object_tag": "(?i).*(<|%3C)\s*object.*"
"embed_tag": "(?i).*(<|%3C)\s*embed.*"
"script_tag": "(?i).*(<|%3C)\s*script.*"
"alert_event": "(?i).*[\s\"\'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]alert\(.*"
"href_property": "(?i).*[\s\"\'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]href[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=[^=].*"
"src_property": "(?i).*[\s\"\'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]src[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=[^=].*"
"flash_command_event": "(?i).*i[\s\"\'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]fscommand[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=[^=].*"
# Pulled from https://github.com/coreruleset/coreruleset/blob/v3.4/dev/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf.
"event": "(?i).*[\s\"\'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]on[a-zA-Z]{3,25}[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=[^=].*"
"attribute_vector": "(?i).*[\s\S](?:\b(?:x(?:link:href|html|mlns)|data:text\/html|pattern\b.*?=|formaction)|!ENTITY\s+(?:\S+|%\s+\S+)\s+(?:PUBLIC|SYSTEM)|;base64|@import)\b.*"
"javascript_uri_and_tags": "(?i).*[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url\(javascript.*"

Pseudocode:

import re

# Filled from the rule table above: {rule_name: re.compile(pattern)}
regular_expression_rules = {}

def matches_xss_rule(string):
    for rule, regex in regular_expression_rules.items():
        if regex.match(string):
            return rule
    return ""

Describe alternatives you've considered
One alternative is to use a generic UDF that takes in a list of regular expression rules as opposed to making this function XSS specific and hard coding the regex rules inside it.
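An added reference implementation of the proposed UDF in Python (not code from the Pixie project or the issue author), using the rule table from the issue with `alert\(` escaped so the pattern compiles, and run over constructed sample inputs to show first-match ordering and one benign false positive:

```python
import re

# Rule table taken from the issue body above (names and patterns as proposed
# there); "alert\(" is escaped so the pattern compiles.
XSS_RULES = {
    "img_tag": r"(?i).*(<|%3C)\s*img.*",
    "iframe_tag": r"(?i).*(<|%3C)\s*iframe.*",
    "object_tag": r"(?i).*(<|%3C)\s*object.*",
    "embed_tag": r"(?i).*(<|%3C)\s*embed.*",
    "script_tag": r"(?i).*(<|%3C)\s*script.*",
    "alert_event": r"(?i).*[\s\"\'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]alert\(.*",
    "href_property": r"(?i).*[\s\"\'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]href[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=[^=].*",
    "src_property": r"(?i).*[\s\"\'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]src[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=[^=].*",
    "flash_command_event": r"(?i).*i[\s\"\'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]fscommand[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=[^=].*",
    "event": r"(?i).*[\s\"\'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]on[a-zA-Z]{3,25}[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=[^=].*",
    "attribute_vector": r"(?i).*[\s\S](?:\b(?:x(?:link:href|html|mlns)|data:text\/html|pattern\b.*?=|formaction)|!ENTITY\s+(?:\S+|%\s+\S+)\s+(?:PUBLIC|SYSTEM)|;base64|@import)\b.*",
    "javascript_uri_and_tags": r"(?i).*[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url\(javascript.*",
}

# Compile once at load time: a UDF runs per row, so per-call compilation would be
# wasted work. re.DOTALL lets ".*" span newlines in multi-line request bodies.
COMPILED_RULES = [(name, re.compile(p, re.DOTALL)) for name, p in XSS_RULES.items()]

def matches_xss_rule(text: str) -> str:
    """Return the name of the first rule that matches, or "" if none does."""
    for name, regex in COMPILED_RULES:
        if regex.match(text):
            return name
    return ""

# Constructed sample inputs (not real traffic), as a PxL script might pass them in.
# Rule order matters: the <script> payload reports script_tag, not alert_event.
SAMPLES = {
    "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1": "script_tag",
    "POST /comment body=<IMG src=x onerror=alert(1)>": "img_tag",
    'SELECT * FROM posts WHERE body LIKE "% onload=%"': "event",
    "GET /api/users?page=2 HTTP/1.1": "",
    "status online=1": "event",  # false positive: benign text hits the generic on...= rule
}

def check_samples() -> dict:
    """Map each sample to the rule it hits, for inspecting ordering and false positives."""
    return {sample: matches_xss_rule(sample) for sample in SAMPLES}

if __name__ == "__main__":
    for sample, rule in check_samples().items():
        print(f"{rule or '<none>':24} {sample}")
```

The last sample shows why a rule set this broad needs tuning before alerting on it: a plain `on<word>=` token in ordinary text is enough to trigger the `event` rule.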

srinathkp commented 2 years ago

Hi @hmstepanek , I'm new to pixie and I wanna work on this issue. The requirement looks clear to me, can you point me to the source files that handle http requests and sql queries, also where can we have the UDF - regex filter?

srinathkp commented 2 years ago

Is this a valid issue? If so, can you help me on this @htroisi


htroisi commented 2 years ago

Hey @srinathkp - This is still a valid issue. It looks like there was a previous pull request to implement this feature, but I don't have the context on why that PR was closed. If you're interested in working on it we'd be happy to review a PR. Before contributing, be sure to check out our guidelines in CONTRIBUTING.md.