#$Revision: 1.2 $ $Date: 2007/10/02 20:29:53 $

#Rules to detect cross site scripting attacks


####Created by Thomas Kilgore

# javascript: uri schemes in GET requests
alert(url_content:"javascript:"; nocase; msg:"javascript: GET request cross site scripting attempt"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"mocha:"; nocase; msg:"mocha: GET request cross site scripting attempt"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"livescript:"; nocase;  msg:"livescript: GET request cross site scripting attempt"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

# normalish html tags using %3C and %3E in GET requests
alert(url_content:"%3CSCRIPT"; nocase; msg:"<script> tags GET request cross site scripting attempt"; url_re:"/%3Cscript.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3CIMG"; nocase; msg:"<img> tags GET request cross site scripting attempt"; url_re:"/%3Cimg.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Ciframe"; nocase; msg:"<iframe> tags GET request cross site scripting attempt"; url_re:"/%3Ciframe.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Ciframe"; nocase; msg:"malformed <iframe< tags GET request cross site scripting attempt"; url_re:"/%3Ciframe.*%3C/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cbody"; nocase; msg:"<body> tags GET request cross site scripting attempt"; url_re:"/%3Cbody.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3CINPUT"; nocase; msg:"<input> tags GET request cross site scripting attempt"; url_re:"/%3CINPUT.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3CBGSOUND"; nocase; msg:"<bgsound> tags GET request cross site scripting attempt"; url_re:"/%3CBGSOUND.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3CBR"; nocase; msg:"<br> tags GET request cross site scripting attempt"; url_re:"/%3Cbr.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Clayer"; nocase; msg:"<layer> tags GET request cross site scripting attempt"; url_re:"/%3Clayer.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Clink"; nocase; msg:"<link> tags GET request cross site scripting attempt"; url_re:"/%3Clink.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cstyle"; nocase; msg:"<style> tags GET request cross site scripting attempt"; url_re:"/%3Cstyle.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cmeta"; nocase; msg:"<meta> tags GET request cross site scripting attempt"; url_re:"/%3Cmeta.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cframe"; nocase; msg:"<frame> tags GET request cross site scripting attempt"; url_re:"/%3Cframe.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Ctable"; nocase; msg:"<table> tags GET request cross site scripting attempt"; url_re:"/%3Ctable.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cdiv"; nocase; msg:"<div> tags GET request cross site scripting attempt"; url_re:"/%3Cdiv.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Ctd"; nocase; msg:"<td> tags GET request cross site scripting attempt"; url_re:"/%3Ctd.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Ca"; nocase; msg:"<a> tags GET request cross site scripting attempt"; url_re:"/%3Ca.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cbase"; nocase; msg:"<base> tags GET request cross site scripting attempt"; url_re:"/%3Cbase.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cobject"; nocase; msg:"<object> tags GET request cross site scripting attempt"; url_re:"/%3Cobject.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Capplet"; nocase; msg:"<applet> tags GET request cross site scripting attempt"; url_re:"/%3Capplet.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cembed"; nocase; msg:"<embed> tags GET request cross site scripting attempt"; url_re:"/%3Cembed.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cxml"; nocase; msg:"<xml> tags GET request cross site scripting attempt"; url_re:"/%3Cxml.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cspan"; nocase; msg:"<span> tags GET request cross site scripting attempt"; url_re:"/%3Cspan.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Chtml"; nocase; msg:"<html> tags GET request cross site scripting attempt"; url_re:"/%3Chtml*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Ct:set"; nocase; msg:"<t:set> tags GET request cross site scripting attempt"; url_re:"/%3Ct:set*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

# suspicious HTML-looking input.
alert(url_content:"%3C"; url_content:"%22"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and %22. Suspiciously HTML-like."; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3C"; url_content:"%2F"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and %2F. Suspiciously HTML-like."; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3C"; url_content:"'"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and '. Suspiciously HTML-like."; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

# IE hax.
alert (msg:"smuggling Javascript inside an image"; headers_content:"image"; nocase; headers_re:"/^Content-Type.*image/mi"; body_re:"/<script/i";)

####