Form of cross site scripting....or normal code?

Posted: Tue Aug 10, 2010 8:02 pm
by luntrus
Hi forum friends,

Consider this piece of code:

<a href="http://www.google.com" onclick="_gaq.push(['_trackPageview', '/outbound/google']);window.open(this.href,'_self');return false;">google</a>

If I give that in as a search query, it gets flagged as a cross site scripting attempt by Firekeeper and the Netcraft toolbar:
=== Triggered rule ===
alert(url_content:"%3C"; url_content:"%22"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and %22. Suspiciously HTML-like."; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

=== Request URL ===
http://api.search.yahoo.com/WebSearchSe ... fr&fr=flo2
The page you are trying to visit is suspected to be using Cross-Site Scripting (XSS).
This is a technique commonly used in phishing attacks.

URL: http://www.google.nl/search%3fq=%253Ca% ... f-8%26aq=t

Do you still want to go there?


Why is it flagged, as it is normal external link code to count clicks to an external link? Asynchronous gaq.push( cross-domain tracking!
Look here: http://www.google.nl/search?q=%3Ca+href ... utf-8&aq=t
and the direct link there: http://www.mojoportal.com/tracking-outb ... licks.aspx

luntrus
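The quoted Firekeeper rule fires on nothing more than the URL-encoded forms of `<`, `"` and `>` all appearing in the request URL, so any HTML pasted into a search box trips it. The following added example (not from the post, and not Firekeeper's or Netcraft's own code) models that rule in Python, assuming each url_content token is a plain substring test on the URL (matched case-insensitively, an assumption, since both %3c and %3C occur in practice) and using a constructed search host, and shows that the tracking snippet is flagged while ordinary queries, and even HTML without a double quote, are not.

```python
from urllib.parse import urlencode

# The three url_content tokens from the quoted rule: encoded '<', '"', '>'.
RULE_TOKENS = ("%3C", "%22", "%3E")
RULE_MSG = ("Suspicious looking GET request containing %3C, %3E, and %22. "
            "Suspiciously HTML-like.")


def rule_matches(url: str) -> bool:
    """Model of the quoted rule: every token must occur somewhere in the URL.

    Assumption: url_content is a plain substring test.  The comparison is
    case-insensitive because encoders emit both %3c and %3C.
    """
    u = url.upper()
    return all(tok in u for tok in RULE_TOKENS)


def search_url(query: str) -> str:
    """Build a GET search URL like the ones in the post (constructed host)."""
    return "http://search.example/search?" + urlencode({"q": query})


# The exact snippet from the post, as it would be pasted into a search box.
TRACKING_LINK = ('<a href="http://www.google.com" onclick="_gaq.push'
                 "(['_trackPageview', '/outbound/google']);"
                 "window.open(this.href,'_self');return false;\">google</a>")


def classify(query: str) -> str:
    """Return the rule's message if the encoded query trips it, else 'ok'."""
    return RULE_MSG if rule_matches(search_url(query)) else "ok"


if __name__ == "__main__":
    # Constructed sample queries: the post's snippet, a plain query,
    # and HTML that has angle brackets but no double quote.
    for q in (TRACKING_LINK, "mojoportal outbound link tracking", "<b>bold</b>"):
        print(repr(q[:40]), "->", classify(q))
```

The third sample shows the rule's logic is a conjunction: `<b>bold</b>` encodes to %3C and %3E but lacks %22, so it passes, while the `href="..."` attribute in the tracking link supplies the missing token.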