Error messages re Potential Cross Site Scripting Attack

Posted by Jeffr2014, 05-03-2015, 06:30 PM
I noticed quite a few messages like the one below in the error log... should I be concerned? Any suggestions on how to deal with this?

[Sat May 02 16:12:03.642230 2015] [:error] [pid 8196] [client 175.136.18.56] ModSecurity: Warning. Pattern match "(?:< ?i?frame ?src ?= ?(?gg|gopher|data|php|zlib|(?:ht|f)tps?):/|(?:\\\\.add|\\\\@)import |asfunction\\\\:|background-image\\\\:|e(?:cma|xec)script|\\\\.fromcharcode|get(?:parentfolder|specialfolder)|\\\\.innerhtml|\\\\< ?input|(?:/|<) ?(?:java|live|j|vb)script!s| ..." at ARGS_NAMES:e.innerHTML. [file "/etc/apache2/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "302"] [id "340149"] [rev "152"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Potential Cross Site Scripting Attack"] [data ".innerhtml"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/js/===n"] [unique_id "VUUvk8BjmNIAACAE6LIAAAAG"]

There were about 20 messages like this one from 10 different IPs over the weekend...

Posted by Andei, 05-03-2015, 06:59 PM
If ModSecurity caught this, then it means it didn't go through to your application. But in any case, if your web application is third-party software, you should make sure that everything is up to date; if it's a custom-built application, make sure it cannot be exploited.

Posted by Jeffr2014, 05-04-2015, 07:12 AM
Thanks Andrei. I do keep everything on auto-update, but I was just puzzled, as I've never seen these messages in the log before, and last weekend I got 20 of these...

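Added example, not part of the original thread and not Atomicorp or ModSecurity code: one way to triage entries like the one quoted above is to group them by rule id and see how many clients, URIs and matched variables are involved, and whether each entry was logged as "Warning." (rule matched and logged) or "Access denied" (request blocked). The function names and the sample lines are assumptions constructed for illustration; only the rule id, URI and variable name come from the quoted entry.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the entry quoted in the thread: the
# pattern is shortened to "..." and client IPs are documentation addresses.
_TAIL = ('Pattern match "..." at ARGS_NAMES:e.innerHTML. [line "302"] [id "340149"] '
         '[msg "Potential Cross Site Scripting Attack"] [data ".innerhtml"] '
         '[severity "CRITICAL"] [hostname "www.example.com"] [uri "/js/===n"]')
SAMPLE_LOG = [
    f'[Sat May 02 16:12:03.642230 2015] [:error] [pid 8196] [client 192.0.2.10] ModSecurity: Warning. {_TAIL}',
    f'[Sat May 02 16:12:09.100000 2015] [:error] [pid 8196] [client 192.0.2.10] ModSecurity: Warning. {_TAIL}',
    f'[Sun May 03 02:40:11.500000 2015] [:error] [pid 8201] [client 198.51.100.7] ModSecurity: Warning. {_TAIL}',
    f'[Sun May 03 09:05:47.250000 2015] [:error] [pid 8203] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). {_TAIL}',
    "[Sun May 03 09:06:00.000000 2015] [core:notice] [pid 8100] AH00094: Command line: 'apache2'",
]

ACTION_RE = re.compile(r'ModSecurity: (Warning|Access denied)')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')
TARGET_RE = re.compile(r' at (\S+?)\. \[')            # variable that matched
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"] metadata

def parse_line(line):
    """Return the fields of one ModSecurity entry, or None for other lines."""
    action = ACTION_RE.search(line)
    if not action:
        return None
    entry = dict(FIELD_RE.findall(line))  # id, msg, data, severity, uri, ...
    client = CLIENT_RE.search(line)
    target = TARGET_RE.search(line)
    entry["action"] = action.group(1)
    entry["client"] = client.group(1) if client else "?"
    entry["target"] = target.group(1) if target else "?"
    return entry

def summarize(lines):
    """Group entries by rule id: hits, distinct clients, actions, URIs, targets."""
    rules = defaultdict(lambda: {"hits": 0, "clients": set(), "actions": Counter(),
                                 "uris": set(), "targets": set()})
    for entry in filter(None, map(parse_line, lines)):
        rule = rules[entry.get("id", "?")]
        rule["hits"] += 1
        rule["clients"].add(entry["client"])
        rule["actions"][entry["action"]] += 1
        rule["uris"].add(entry.get("uri", "?"))
        rule["targets"].add(entry["target"])
    return dict(rules)

if __name__ == "__main__":
    for rule_id, r in summarize(SAMPLE_LOG).items():
        print(rule_id, r["hits"], "hits,", len(r["clients"]), "clients,",
              dict(r["actions"]), sorted(r["uris"]), sorted(r["targets"]))
```

To run it against a real log, pass the open error log file to summarize() in place of SAMPLE_LOG.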