Fortinet 408 FortiWeb 5.0 Patch 6 Administration Guide
command-and-control server. To avoid detection, the attacker has even bought a DNS name
that looks like one of example.com's legitimate servers: www.example.co.
The incident response team has also found two other classes of XSS that evade the forum's
own XSS sanitizers (which only look for injection of <script> and <object> tags). The first
one exploits a web browser's parser by tricking it with additional quotes in an unexpected
place:
<img """><script>alert("XSS")</script>">
The second one exploits the way every web page loads images and other external files. Apart
from the page itself, each image, script, style sheet, media file, and object causes the web
browser to make a secondary HTTP request, one per component of the page. Here, the <img>
tag causes the client's web browser to make a request that is actually an injection attempt on
another web site:
<img src="http://other.example.com/command.php?variable=attackcode">
The incident response team has written three regular expressions to detect each of the above XSS
attack classes, as well as similar permutations that use HTML tags other than <img>:
<(.*)src(\s)*=(\s)*['"](\s)*(.*)(\s)*['"](\s)*onError
<(.*)['"]['"]*(.*)>(\s)*<script>
<(\s)*[^(<script)](\s)*src(\s)*=(\s)*(http|https|ftp|\\\\|\/\/)(.*)\?
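Before a custom signature goes live it should be run against the very payloads it is meant to catch. The following added example is not part of the FortiWeb guide: it compiles the three patterns above with Python's re module (the smart quotes in the printed patterns are read as the straight-quote class ['"]) and runs them over constructed request parameter values, including the two payloads shown on this page. The REMOTE_SRC_FIXED pattern at the end is this example's own suggested rewrite of the third signature, not a FortiWeb signature.

```python
import re

# The three patterns as printed on the page. Note that [^(<script)] in the third
# one is a character class (one character that is none of ( < s c r i p t )),
# not a "not <script>" group.
PATTERNS = {
    "onError handler": r"""<(.*)src(\s)*=(\s)*['"](\s)*(.*)(\s)*['"](\s)*onError""",
    "quote confusion": r"""<(.*)['"]['"]*(.*)>(\s)*<script>""",
    "remote src": r"""<(\s)*[^(<script)](\s)*src(\s)*=(\s)*(http|https|ftp|\\\\|\/\/)(.*)\?""",
}
COMPILED = {name: re.compile(rx) for name, rx in PATTERNS.items()}

# Constructed sample request parameter values (not real traffic): the two page
# payloads, an onError variant, and a benign image tag that must not alert.
SAMPLES = [
    ("page payload 1, extra quotes",
     '<img """><script>alert("XSS")</script>">'),
    ("page payload 2, remote src",
     '<img src="http://other.example.com/command.php?variable=attackcode">'),
    ("onError handler variant",
     '<img src="x" onError=alert(1)>'),
    ("benign image",
     '<img src="/images/logo.png" alt="logo">'),
]


def scan(value):
    """Return the names of the page's patterns that match one parameter value."""
    return [name for name, rx in COMPILED.items() if rx.search(value)]


# This example's own rewrite of the third signature (an assumption, not from the
# guide): any tag other than <script>, an src attribute with an optional quote,
# an absolute scheme or protocol-relative URL, and a query string.
REMOTE_SRC_FIXED = re.compile(
    r"""<(?!script\b)\s*\w+[^>]*\ssrc\s*=\s*['"]?\s*(?:https?:|ftp:|\\\\|//)[^'">]*\?""",
    re.IGNORECASE,
)


def remote_src_hit(value):
    """True if the rewritten remote-src signature matches the value."""
    return REMOTE_SRC_FIXED.search(value) is not None


if __name__ == "__main__":
    for label, value in SAMPLES:
        print(f"{label}: page patterns={scan(value)} "
              f"rewritten remote src={remote_src_hit(value)}")
```

Running this shows that the first page payload is caught by the quote-confusion pattern and the onError variant by the first pattern, but the second page payload is caught by nothing: the printed third pattern allows only a single character between `<` and the whitespace before `src` (so no tag name longer than one character matches), and it does not allow a quote between `=` and the URL scheme. The rewritten pattern catches that payload while still ignoring `<script src=...>` and local image paths.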