(Writeup) LetsDefend EventID: 116 - [SOC166 - Javascript Code Detected in Requested URL]

Welcome

  • LetsDefend is a Blue Team Training platform.
  • This writeup documents a SOC alert investigation involving an XSS attempt.

Alert Details

EventID: 116
Event Time: Feb 26, 2022, 06:56 PM
Rule: SOC166 - Javascript Code Detected in Requested URL
Level: Security Analyst
Hostname: WebServer1002
Destination IP Address: 172.16.17.17
Source IP Address: 112.85.42.13
HTTP Request Method: GET
Requested URL: https://172.16.17.17/search/?q=<$script>javascript:$alert(1)<$/script>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1
Alert Trigger Reason: Javascript code detected in URL
Device Action: Allowed

Initial Triage

Actions:

  • Copied alert details to notes
  • Created case
  • Began analysis

Thoughts:

“Obvious XSS attempt. Why was it allowed?”

Analysis

Tools Used:

Source IP

VirusTotal: 0/93 (-14 Community Score)
Talos Intelligence: Neutral
AbuseIPDB: 45,324 Reports

Thoughts:

“…That’s a lot of AbuseIPDB reports. Looks like they’ve done a lot of SSH brute-forcing.”

SIEM Logs

(Logs simplified for writeup brevity)

Request URL: https://172.16.17.17/
Request Method: GET
Device Action: Permitted
HTTP Response Size: 1024
HTTP Response Status: 200

Request URL: https://172.16.17.17/about-us/
Request Method: GET
Device Action: Permitted
HTTP Response Size: 3531
HTTP Response Status: 200

Request URL: https://172.16.17.17/search/?q=test
Request Method: GET
Device Action: Permitted
HTTP Response Size: 885
HTTP Response Status: 200

Request URL: https://172.16.17.17/search/?q=<$img%20src%20=q%20onerror=prompt(8)$>
Request Method: GET
Device Action: Permitted
HTTP Response Size: 0
HTTP Response Status: 302

Request URL: https://172.16.17.17/search/?q=prompt(8)
Request Method: GET
Device Action: Permitted
HTTP Response Size: 0
HTTP Response Status: 302

Request URL: https://172.16.17.17/search/?q=<$script>$for((i)in(self))eval(i)(1)<$/script>
Request Method: GET
Device Action: Permitted
HTTP Response Size: 0
HTTP Response Status: 302

Request URL: https://172.16.17.17/search/?q=<$svg><$script%20?>$alert(1)
Request Method: GET
Device Action: Permitted
HTTP Response Size: 0
HTTP Response Status: 302

Request URL: https://172.16.17.17/search/?q=<$script>javascript:$alert(1)
Request Method: GET
Device Action: Permitted
HTTP Response Size: 0
HTTP Response Status: 302

Thoughts:

“We only got an alert for one… Gonna have to mention that. But yeah, these are obviously XSS attempts. Luckily, all those attempts ended in failure, as the server responded with an HTTP 302 redirection code to every XSS attempt. Normal queries respond with HTTP 200.”
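The two observations in the log review above (only one of five probes raised SOC166, and every probe got a 302 with an empty body while normal queries got a 200) can be checked mechanically. The script below is an added example, not code from the writeup or from LetsDefend: it replays the simplified log entries as constructed records, applies a "JavaScript code in requested URL" check to each query parameter, and then uses the status code and response size to separate redirected probes from served queries and to list the probes that never alerted. The log field layout, the `alerted` flag, the pattern set, and the treatment of the `$` characters in the writeup's URLs as a defang marker are all assumptions.

```python
"""Added example: replay the writeup's simplified SIEM entries through a
detector that applies the SOC166 idea (JavaScript/HTML in a requested URL)
to every request and classifies each one by its HTTP response.
Assumptions: the dict layout below, the 'alerted' flag, and that the '$'
inside the writeup's URLs is a defang marker rather than part of the request."""
from __future__ import annotations

import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed from the writeup's log table; only the simplified fields are kept.
# 'alerted' marks the single request that actually raised EventID 116.
LOG_ENTRIES = [
    {"url": "https://172.16.17.17/", "status": 200, "size": 1024, "alerted": False},
    {"url": "https://172.16.17.17/about-us/", "status": 200, "size": 3531, "alerted": False},
    {"url": "https://172.16.17.17/search/?q=test", "status": 200, "size": 885, "alerted": False},
    {"url": "https://172.16.17.17/search/?q=<$img%20src%20=q%20onerror=prompt(8)$>",
     "status": 302, "size": 0, "alerted": False},
    {"url": "https://172.16.17.17/search/?q=prompt(8)", "status": 302, "size": 0, "alerted": False},
    {"url": "https://172.16.17.17/search/?q=<$script>$for((i)in(self))eval(i)(1)<$/script>",
     "status": 302, "size": 0, "alerted": False},
    {"url": "https://172.16.17.17/search/?q=<$svg><$script%20?>$alert(1)",
     "status": 302, "size": 0, "alerted": False},
    {"url": "https://172.16.17.17/search/?q=<$script>javascript:$alert(1)",
     "status": 302, "size": 0, "alerted": True},
]

# Indicators of HTML/JavaScript injection in a parameter value (assumed set;
# event handlers are restricted to a few common names to limit false positives).
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b"),
    "html_tag": re.compile(r"<\s*(svg|img|iframe|body|object|embed)\b"),
    "event_handler": re.compile(r"\bon(error|load|click|mouseover|focus|mouseenter)\s*="),
    "js_scheme": re.compile(r"javascript\s*:"),
    "js_call": re.compile(r"\b(alert|prompt|confirm|eval)\s*\("),
}


def normalize(value: str) -> str:
    """Prepare one decoded query value for matching.

    parse_qs already percent-decoded once; decoding again catches double
    encoding. The '$' is stripped on the assumption that it is the writeup's
    defang marker. Lowercasing makes the patterns case-insensitive."""
    return unquote(value).replace("$", "").lower()


def find_xss_indicators(url: str) -> list[str]:
    """Return 'param:pattern_name' for every pattern found in any query value."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    hits = []
    for name, values in params.items():
        for raw in values:
            norm = normalize(raw)
            for label, pattern in XSS_PATTERNS.items():
                if pattern.search(norm):
                    hits.append(f"{name}:{label}")
    return hits


def classify(entry: dict) -> str:
    """Label one entry using the response: 302 with an empty body means the
    probe was redirected; 200 means the page was served and the body would
    need to be reviewed for reflection of the payload."""
    if not find_xss_indicators(entry["url"]):
        return "benign"
    if entry["status"] == 302 and entry["size"] == 0:
        return "xss_probe_redirected"
    if entry["status"] == 200:
        return "xss_probe_served"
    return "xss_probe_unclear"


def summarize(entries: list[dict]) -> dict:
    """Count entries per label and list probes that never raised an alert."""
    counts: dict[str, int] = {}
    missed = []
    for entry in entries:
        label = classify(entry)
        counts[label] = counts.get(label, 0) + 1
        if label != "benign" and not entry["alerted"]:
            missed.append(entry["url"])
    return {"counts": counts, "missed_alerts": missed}


if __name__ == "__main__":
    report = summarize(LOG_ENTRIES)
    for label, n in report["counts"].items():
        print(f"{label}: {n}")
    print(f"probes that never raised an alert: {len(report['missed_alerts'])}")
    for url in report["missed_alerts"]:
        print("  ", url)
```

Run against the constructed entries it reports three benign requests, five redirected probes, and four probes with no alert, which is the detection gap the writeup flags. The classification deliberately keys on the combination of status and response size, because a 200 with a body is the case where a reflected payload would actually reach a browser and is the one that warrants pulling the response.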

Endpoint

Thoughts:

“XSS isn’t an attack type that gets code execution on the server. Maybe a stored XSS would be something to investigate, but the attacker failed.”

Email

Thoughts:

“No email stating this is an authorized penetration test. Didn’t think so with the IP reputation.”

Findings:

Source Reputation: Malicious
Endpoint Exploitation: False
Confidence Level: High

Thoughts:

“Attacker threw basic XSS tests at the server to see if they reflected, but just got 302 redirect responses instead.”

Determination

Verdict:

  • True Positive
  • Close Case

Reasoning:

  • The attacker attempted to find an XSS vulnerability on the endpoint.
  • The attacker failed.
    • The server responded with 302 redirects in response to XSS attempts.
    • Regular activity responds with 200.

Playbook

Questions:

| Question | Answer |
|---|---|
| Is Traffic Malicious? | Malicious |
| What Is The Attack Type? | XSS |
| Check If It Is a Planned Test | Not Planned |
| What Is the Direction of Traffic? | Internet → Company Network |
| Was the Attack Successful? | No |

Artifacts:

| Value | Comment | Type |
|---|---|---|
| 112.85.42.13 | Attacking IP | IP Address |

Notes:

Verdict: True Positive. Blocked.
Summary: Attacker attempted to inject XSS into the q parameter on /search/, but all attempts resulted in an HTTP 302 redirect. Normal activity results in HTTP 200.
Validated via: SIEM Logs
Actions taken: None.

Final Thoughts:

“It’s worrying that only a single alert came through for all of those XSS attempts. Also, WAF please.”

Author: Reed Eggleston
B.S. in Cybersecurity | SSCP | CySA+ | PenTest+ | Project+