Adversaries may inject malicious XSS payloads via GET requests to exploit user sessions and steal sensitive data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential XSS attacks before they cause real-world damage.
Detection Rule
title: Cross Site Scripting Strings
id: 65354b83-a2ea-4ea6-8414-3ab38be0d409
status: test
description: Detects XSS attempts injected via GET requests in access logs
references:
    - https://github.com/payloadbox/xss-payload-list
    - https://portswigger.net/web-security/cross-site-scripting/contexts
author: Saw Win Naung, Nasreddine Bencherchali
date: 2021-08-15
modified: 2022-06-14
tags:
    - attack.initial-access
    - attack.t1189
logsource:
    category: webserver
detection:
    select_method:
        cs-method: 'GET'
    keywords:
        - '=<script>'
        - '=%3Cscript%3E'
        - '=%253Cscript%253E'
        - '<iframe '
        - '%3Ciframe '
        - '<svg '
        - '%3Csvg '
        - 'document.cookie'
        - 'document.domain'
        - ' onerror='
        - ' onresize='
        - ' onload="'
        - 'onmouseover='
        - '${alert'
        - 'javascript:alert'
        - 'javascript%3Aalert'
    filter:
        sc-status: 404
    condition: select_method and keywords and not filter
falsepositives:
    - JavaScript, CSS and PNG files
    - User searches in search boxes of the respective website
    - Internal vulnerability scanners can cause some serious FPs when used. If you experience a lot of FPs due to this, think of adding more filters such as "User Agent" strings and more response codes
level: high
imWebSession
| where HttpRequestMethod =~ "GET"
// The Sigma 'keywords' block matches any field; here the strings are scoped to the request URL.
// 'contains' is case-insensitive, which matches Sigma's default keyword semantics.
| where Url contains "=<script>"
    or Url contains "=%3Cscript%3E"
    or Url contains "=%253Cscript%253E"
    or Url contains "<iframe "
    or Url contains "%3Ciframe "
    or Url contains "<svg "
    or Url contains "%3Csvg "
    or Url contains "document.cookie"
    or Url contains "document.domain"
    or Url contains " onerror="
    or Url contains " onresize="
    or Url contains ' onload="'
    or Url contains "onmouseover="
    or Url contains "${alert"
    or Url contains "javascript:alert"
    or Url contains "javascript%3Aalert"
// Mirrors the Sigma 'filter' block: drop requests the server answered with 404.
| where tostring(HttpStatusCode) != "404"
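To check the rule's logic before deploying it, the following added example (not code from the rule authors or the page) re-implements the detection in Python and runs it over a few constructed W3C-style access log lines; the field layout of SAMPLE_LOG, the `WebRequest` tuple and the `excluded_agents` User-Agent tuning (the extra filter the rule's falsepositives note suggests) are assumptions of the example.

```python
from collections import namedtuple
from typing import List, Optional, Tuple

# Keyword list copied from the rule above; Sigma keywords match case-insensitively.
KEYWORDS = [
    "=<script>", "=%3Cscript%3E", "=%253Cscript%253E", "<iframe ", "%3Ciframe ",
    "<svg ", "%3Csvg ", "document.cookie", "document.domain", " onerror=",
    " onresize=", ' onload="', "onmouseover=", "${alert", "javascript:alert",
    "javascript%3Aalert",
]

# Constructed log lines (assumed layout): date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
SAMPLE_LOG = """\
2022-06-14 10:00:01 203.0.113.7 GET /search q=%3Cscript%3Ealert(1)%3C/script%3E 200 Mozilla/5.0
2022-06-14 10:00:02 203.0.113.7 GET /search q=%3Cscript%3Ealert(1)%3C/script%3E 404 Mozilla/5.0
2022-06-14 10:00:03 198.51.100.2 POST /login user=<script>x</script> 200 Mozilla/5.0
2022-06-14 10:00:04 192.0.2.9 GET /img/logo.png - 200 Mozilla/5.0
2022-06-14 10:00:05 203.0.113.7 GET /profile name=x%20onmouseover%3Dalert(1) 200 Mozilla/5.0
2022-06-14 10:00:06 10.0.0.5 GET /go redirect=javascript:alert(1) 200 InternalScanner/1.0
"""

# Hypothetical record type for one parsed access log line.
WebRequest = namedtuple("WebRequest", "src_ip method uri_stem uri_query status user_agent")

def parse_w3c_line(line: str) -> WebRequest:
    """Split one space-delimited line of the constructed format above."""
    _date, _time, ip, method, stem, query, status, ua = line.split(" ", 7)
    return WebRequest(ip, method, stem, "" if query == "-" else query, int(status), ua)

def matches_rule(req: WebRequest, excluded_agents: Tuple[str, ...] = ()) -> Optional[str]:
    """Return the first matching keyword, or None.
    Mirrors the rule: GET only, sc-status != 404, case-insensitive keyword match on
    the request URL. excluded_agents is the hypothetical User-Agent tuning for scanners."""
    if req.method.upper() != "GET" or req.status == 404:
        return None
    if any(a.lower() in req.user_agent.lower() for a in excluded_agents):
        return None
    url = f"{req.uri_stem}?{req.uri_query}".lower()
    return next((kw for kw in KEYWORDS if kw.lower() in url), None)

def hunt(log_text: str, excluded_agents: Tuple[str, ...] = ()) -> List[Tuple[str, str, str]]:
    """Run the rule over every log line; returns (src_ip, query, keyword) per hit."""
    hits = []
    for line in log_text.splitlines():
        req = parse_w3c_line(line)
        kw = matches_rule(req, excluded_agents)
        if kw is not None:
            hits.append((req.src_ip, req.uri_query, kw))
    return hits
```

Only the first and last sample lines fire; the 404 response, the POST and the plain image request are filtered as the rule intends, and the scanner line disappears once its User-Agent is excluded. The fifth line shows the coverage caveat a tuner should know: the `=` in `onmouseover%3D` is URL-encoded, which none of the rule's encoding variants cover, so that request is not flagged.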
Scenario: A system administrator is testing XSS protections by injecting a known payload into a GET request using curl or Postman.
Filter/Exclusion: Exclude requests originating from known internal testing tools or IP ranges used for security testing (e.g., src_ip = 10.0.0.0/8).
Scenario: A scheduled job runs a script that dynamically generates URLs with encoded parameters for internal reporting, which may include characters resembling XSS payloads.
Filter/Exclusion: Exclude requests with request_uri containing known internal job names or paths (e.g., /reporting/job123).
Scenario: A user is using a browser extension that injects scripts for debugging or monitoring purposes, which may include script tags in URL parameters.
Filter/Exclusion: Exclude requests with user_agent containing known browser extensions or debugging tools (e.g., user_agent LIKE '%Chrome DevTools%').
Scenario: A legitimate application uses URL encoding to pass data between pages, which may include characters like &, =, or ? that resemble XSS patterns.
Filter/Exclusion: Exclude requests where the request_uri contains URL-encoded data (e.g., request_uri LIKE '%%26%' or request_uri LIKE '%%3D%').
Scenario: An internal admin task uses a script to generate a CSV file with special characters in the query string for data export, which may be flagged as suspicious.
Filter/Exclusion: Exclude requests with request_uri containing known export or data processing endpoints (e.g., /export/data.csv or /api/export).