Apache Host Header Cross Site Scripting

alexbwood
Community Member

The signature Apache Host Header Cross Site Scripting was released in the S37 update. In the readme and when implemented the default level is 5. If you read the definition in the NSDB it says:

This signature triggers when an HTTP Host: header is received containing a percent or less-than character. NOTE: Due to implementation restrictions, this signature will impact performance of the sensor and is disabled by default.

And it also suggests a level of 4. I have several questions. First, what is the recommended default level? 5? 4? 0? Second, what implementation restrictions make this signature affect performance? If it does affect performance, why would I want it enabled, and why is it enabled by default in the first place? Third, what does this signature actually look for? It says a % or < in the host header, but I am seeing this false positive a great deal on long requests.

Thanks.


mcerha
Level 7

This signature should be off by default. The performance impact of this signature is because it uses a .* operator in the regex, which is looking for a % or < character in the Host: field of an HTTP request. These characters shouldn't be in a hostname and may indicate a cross-site scripting attack if present. I'm not sure how this is causing false positives, but if you can capture any traffic traces or iplogs I would be happy to look at them. You can email them to me at mcerha@cisco.com. In regards to performance, this signature would only really affect your sensors if they are overburdened. The warning is just a reminder that this is an "expensive" signature. I guess this could be more clear in the NSDB. I'll fix this for signature update S41.
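To make the reply's description concrete, here is an added example (not Cisco's signature code and not the sensor's actual regex) that performs the same check two ways over constructed HTTP requests: a small header parser that inspects only the Host: field value, and a hypothetical unanchored pattern with a leading `.*`, which is the construct the reply names as the source of the cost because the engine must walk the whole request buffer before it can settle on the Host: line. The sample requests, the pattern and the function names are all assumptions made for this illustration; one constructed request carries `%` in the path and Referer but a clean Host value, showing that a correctly scoped check should not fire on percent characters elsewhere in a long request.

```python
import re
from typing import Optional

# Constructed sample requests for the illustration (not captured traffic).
CLEAN = (b"GET /index.html HTTP/1.1\r\n"
         b"Host: www.example.com\r\n"
         b"User-Agent: test\r\n\r\n")
ENCODED_HOST = (b"GET / HTTP/1.1\r\n"
                b"Host: www.example.com%3cscript%3e\r\n\r\n")
ANGLE_HOST = (b"GET / HTTP/1.1\r\n"
              b"Host: <b>www.example.com</b>\r\n\r\n")
PERCENT_IN_PATH = (b"GET /search?q=100%25+off HTTP/1.1\r\n"
                   b"Host: www.example.com\r\n"
                   b"Referer: http://www.example.com/a%20b\r\n\r\n")
NO_HOST = b"GET / HTTP/1.0\r\n\r\n"


def host_header(request: bytes) -> Optional[bytes]:
    """Return the Host: header value of a raw HTTP request, or None if absent.

    Only the header block is examined; the request line and any body are
    never searched, so characters there cannot influence the result.
    """
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip()
    return None


def host_header_suspicious(request: bytes) -> bool:
    """True when the Host: value contains '%' or '<', the characters the
    signature description names as not belonging in a hostname."""
    value = host_header(request)
    return value is not None and (b"%" in value or b"<" in value)


# Hypothetical stand-in for the "expensive" form described in the reply: the
# leading .* forces the engine to consume the whole buffer and backtrack to
# find "Host:". This is an illustration, not the sensor's real pattern.
EXPENSIVE_RE = re.compile(rb".*Host:[ \t]*[^\r\n]*[%<]", re.IGNORECASE | re.DOTALL)


def regex_suspicious(request: bytes) -> bool:
    """Same decision reached with the unanchored pattern."""
    return EXPENSIVE_RE.search(request) is not None


def scan(requests: dict) -> dict:
    """Run both checks over a dict of name -> raw request and report which fire."""
    return {name: (host_header_suspicious(req), regex_suspicious(req))
            for name, req in requests.items()}


if __name__ == "__main__":
    samples = {"clean": CLEAN, "encoded_host": ENCODED_HOST,
               "angle_host": ANGLE_HOST, "percent_in_path": PERCENT_IN_PATH,
               "no_host": NO_HOST}
    for name, (parsed, regex) in scan(samples).items():
        print(f"{name:16s} parser={parsed!s:5s} regex={regex!s:5s}")
```

Both checks agree on these inputs; the difference is cost, not outcome. The parser touches one header line and stops, while the `.*` form has to consider every position in the request before it can match or fail, which is why the NSDB warns that the signature is expensive on busy sensors.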