InfoSec: Detect cross-site scripting attempts on your Apache web-server

If you are running an Apache web-server (or renting a Linux-based hosting package) and host open-source or custom PHP applications, you may be exposed to malicious cross-site scripting attempts. If successful, they may allow the attacker to add their own code (ads, viruses, key-loggers) to your web-pages, compromising your applications and breaking your users' trust.

While there are many methods by which cross-site scripting and similar attacks can be executed, the most widespread methods used by worms can easily be detected in the Apache server access logs. If you do not have access to your Apache logs, you will need to contact your system administrator or hosting provider for the next step. If you run your own server, the logs are most likely located under /var/log, or you can find them with the 'locate access.log' command from the command line (or an SSH session).

Once you find the location of the log files, navigate to that directory and execute the following command to see whether they contain the "=http" pattern (which, as in the example above, signifies an attempt to hijack a POST request on your website in a cross-site scripting attempt):

For a single log file:

'grep "=http" access.log | less'

or, for multiple log files:

'grep "=http" access.* | less'

Some hosting companies (such as 1&1 Internet Inc.) archive old log files to save space, in which case you can use the 'zgrep' command to search the compressed archives for the "=http" pattern:

'zgrep "=http" access.log.* | less'
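The same check as a small script, added here as an example and not part of the original post. It builds a constructed sample log, handles both plain and gzip-archived files (as zgrep does), and goes a step further than a bare grep by matching "=http" only inside the request line, so a Referer that happens to contain "=http" is not reported. The temp file path, sample addresses and function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: scan Apache access logs
# (plain or gzip-archived) for requests whose query string carries a value
# that starts with "http", the "=http" pattern the post describes.

# Constructed sample log (Apache combined format): one benign request, two
# with a remote URL in a query parameter, and one where "=http" appears only
# in the Referer field. Temp file path and function names are assumed here.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=http://203.0.113.9/x.txt HTTP/1.1" 200 512 "-" "libwww-perl/5.8"
203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "POST /contact.php?next=http://example.org/ HTTP/1.1" 302 0 "-" "curl/7.64"
192.0.2.11 - - [10/Oct/2023:13:57:12 +0000] "GET /about.php HTTP/1.1" 200 1024 "http://example.com/?u=http://x" "Mozilla/5.0"
EOF
gzip -c "$SAMPLE_LOG" > "$SAMPLE_LOG.gz"   # an archived copy, as hosts rotate logs

# Only the request line (the first quoted field) is inspected, so a Referer
# that merely contains "=http" does not produce a false positive.
PATTERN='"[A-Z]+ [^"]*=http'

# matching_requests FILE...: print every matching line; uses gzip -dc for
# archived logs, which is what zgrep does behind the scenes.
matching_requests() {
    for f in "$@"; do
        case "$f" in
            *.gz) gzip -dc "$f" | grep -E "$PATTERN" ;;
            *)    grep -E "$PATTERN" "$f" ;;
        esac
    done
    return 0
}

# count_requests FILE...: number of matching lines across all files.
count_requests() {
    matching_requests "$@" | wc -l | tr -d ' '
}

# suspect_sources FILE...: distinct client IPs that sent matching requests,
# a useful starting point for blocking or further log review.
suspect_sources() {
    matching_requests "$@" | awk '{print $1}' | sort -u
}

count_requests "$SAMPLE_LOG" "$SAMPLE_LOG.gz"   # prints 4 (2 hits per copy)
```

Run it against your real logs with `matching_requests access.log access.log.*.gz | less` to review the hits the way the post's grep command does.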

Additional information about cross-site scripting techniques and detection/prevention methods:

Cross-site Scripting (XSS)
Reverse Cross-site Scripting (CSRF or XSRF)
HTTP Header Injection
