ProCurve TMS zl Module IPS/IDS Signature Reference Guide, Version RLX.10.2.2.94
command line arguments. Using, for example, the "-chrome" parameter, it is possible to execute arbitrary JavaScript in
chrome context. This can be exploited to execute arbitrary commands, for example when a user visits a malicious web
site using Microsoft Internet Explorer.
Signature ID: 35132
Bindings and behavior injections
Threat Level: Severe
Signature Description: This rule hits when the URI contains binding, moz-binding, behavior, style sheet with minus
symbols. These three functions or HTML constructs are vulnerable to cross-site scripting. Attackers make use of these
constructs to inject their code on the vulnerable system.
Signature ID: 35133
XSS Concatenation patterns
Threat Level: Severe
Bugtraq: 29574
Signature Description: This rule hits when an attribute value contains SQL or HTML concatenation. Attackers use this
technique to close the embedded tag on the victim's machine.
Signature ID: 35134
XSS Concatenation patterns
Threat Level: Severe
Bugtraq: 29571
Signature Description: This rule hits when an attribute value contains SQL or HTML concatenation. Attackers use this
technique to close the embedded tag, in normal format or in HTML-encoded format, on the victim's machine. This rule
detects when a POST field value has the embedded HTML patterns.
Signature ID: 35135
Event Handlers Injection
Threat Level: Severe
Bugtraq: 29571
Signature Description: JavaScript event handlers are used to create dynamic pages, which can change their properties
whenever the user does something on the page. For example, if the user clicks, the page color may change. All the event
names start with “on”, like onclick(). Attackers pass these events through HTTP attribute values to activate their script.
Signature ID: 35136
Chunked data and Possible script injection
Threat Level: Severe
Bugtraq: 29571,29025,29191
Signature Description: The script tag is used to insert user-defined scripts in the web page. Attackers pass the script
tag as chunked data to evade the IPS detection system. This rule hits when an attribute of an HTTP request contains
closing tags or a chunked script tag, found as a greater-than symbol followed by “scri”.
Signature ID: 35137
Http request line with closing tags
Threat Level: Severe
Signature Description: Cross-site scripting is possible when a page is created based on user input. The server accepts
user input and creates web pages dynamically. If the server-side script does not validate user input properly while
merging it with the web page, cross-site scripting is possible. For example, if the user input is the string “abc” and
the server responds with "welcome to abc page", an attacker may send a closing tag followed by his own code, making code
injection possible.
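
The "welcome to abc page" case from signature 35137, shown as an added example that is not part of the reference guide or the product: a page built by merging user input verbatim gains new elements when the input carries a closing tag, while the HTML-escaped merge keeps the page structure fixed. The template, function names and sample input are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Hypothetical server-side template; {name} is the user-controlled value.
PAGE = "<html><body><p>welcome to {name} page</p></body></html>"

# Constructed sample input: a closing tag followed by markup of the sender's choosing.
CLOSING_TAG_INPUT = "abc</p><script>alert(1)</script><p>"


def render_unsafe(name: str) -> str:
    """Vulnerable merge: user input is placed into the markup verbatim."""
    return PAGE.format(name=name)


def render_safe(name: str) -> str:
    """Hardened merge: input is HTML-escaped, so it can only ever be text."""
    return PAGE.format(name=html.escape(name, quote=True))


class _Collector(HTMLParser):
    """Records the start tags and the visible text of a page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def page_structure(page: str):
    """Return (list of start tags, visible text) for a rendered page."""
    parser = _Collector()
    parser.feed(page)
    parser.close()  # flush buffered text
    return parser.tags, "".join(parser.text)


if __name__ == "__main__":
    for render in (render_unsafe, render_safe):
        tags, text = page_structure(render(CLOSING_TAG_INPUT))
        print(f"{render.__name__}: tags={tags} text={text!r}")
```

A regression test for a template can assert exactly this property: the tag list of the rendered page must be the same for every input value.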