TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module

881

882

883

884

885

886

887

888

889

890

ProCurve TMS zl Module IPS/IDS Signature

Reference Guide Version RLX.10.2.2.94

888

Signature ID: 35125

Advanced Cross-Site-Scripting with script and constructors

Threat Level: Severe

Signature Description: Script and constructor functions are used to provide facility to add user defined functions.

Attacker uses these functions to inject cross site script.

Signature ID: 35126

Location or document property access

Threat Level: Severe

Signature Description: This rule hits when suspicious activity to steal environment variables of the victim’s

machine using location like statements of javascript. document and location constructs are vulnerable to the Cross site

scripting attack.

Signature ID: 35127

Suspicious JavaScript injections

Threat Level: Severe

Bugtraq: 28075,29025,29071,29574

Signature Description: This rule hits when uncommon javascript structures found in the uri request line. Attacker

embeds javascript code in the vulnerable postfields. Successful attacker can gain sensitve information from the affected

system and he can execute his own script in the context of the server.

Signature ID: 35128

Uncommon javascript structures in the http reuqest line

Threat Level: Severe

Signature Description: This rule hits when uncommon javascript structures found in the uri request line. For example

in the image tag of http response, a valid user wont use absolute path in the src field. But attacker puts absolute path

including the web domain address in the src path. This rule hits for the uncommon javascript stuctures.

Signature ID: 35129

JavaScript cookie stealing and redirection attempt

Threat Level: Severe

Signature Description: This rule hits when uncommon javascript functions like pathname, protocol, cookie, hash, port,

href functions present in the urirequest. Attackers uses these functions to steal cookie information of the victim.

Signature ID: 35130

URL Injections and URI schemes

Threat Level: Severe

Bugtraq: 28075

Signature Description: This rule hits when any argument contain https, data, jar, words. Mostly attacker uses these

words to redirect from one site to other site. Attacker passes the absolute URLs in the postfield values to inject and to

execute their scripts on the vulnerable system.

Signature ID: 35131

Internet Explorer URI Registration attack using firefoxurl, cache poisoning and local file

execution attempts

Threat Level: Severe

Signature Description: Firefox registers the "firefoxurl://" URI handler and allows invoking firefox with arbitrary