Solution
ISA Server can block cross site scripting by inspecting the HTTP requests and identifying commands and tags that are common in server responses but are not common in client requests. For example, you can expect a server to run a command in response to a client request. However, that same command in a client request may be suspect, and could be the result of the client unintentionally running code that is hidden in a Web page. By blocking requests containing those commands and tags, the attack can be stopped.
Continuing the example of using <SCRIPT> in a posting, <SCRIPT> would be a valid tag for a server response, but not for client requests. By adding a signature to detect <SCRIPT> in the requests passing through ISA Server, the attack will be blocked.
However, the attacker can use the encoded string %3C%73%63%72%69%70%74%3E, which can be decoded as <SCRIPT>, and the filter will not block the attack. To ensure that the <SCRIPT> signature is blocked, use the encoded version of the command as well as the text version. If you want to detect characters such as angle brackets (< or >), use the encoded versions in the filter also (%3C and %3E).
For further protection against complex cross site scripting attacks, detect and block keywords commonly used in cross site scripting attacks using ISA Server signatures. The following is a list of common script tags or commands found in cross site scripting attacks sent through requests:
- ActiveXObject
- applet
- cookie
- CopyFile
- copyparentfolder
- CreateObject
- CreateTextRange
- DeleteFile
- DriveType
- EMBED
- FileExist
- GetFile
- GetFolder
- GetParentFolder
- GetSpecialFolder
- javascript
- livescript
- mocha
- object
- OnAbort
- OnBlur
- OnChange
- OnClick
- OnDragDrop
- OnFocus
- OnKeyDown
- OnKeyPress
- OnKeyUp
- OnLoad
- OnMouseDown
- OnMouseMove
- OnMouseOut
- OnMouseOver
- OnMouseUp
- OnMove
- OnResize
- OnSelect
- OnSubmit
- OnUnload
- OpenAsTextStream
- OpenTextFile
- RegWrite
- Replace
- SCRIPT
- vbscript