```shell
cscli scenarios install crowdsecurity/http-xss-probing
```

The HTTP XSS probing scenario aims to detect XSS probing attempts with a very low chance of false positives.
XSS probing attempts are characterized by the presence of specific XSS-related patterns in the URI/GET arguments (when that is where the injected parameter lands), and this is what the scenario detects.
The word list is picked specifically to limit false positives.
Furthermore, a distinct directive is applied to the GET parameters themselves, so that only distinct payloads are counted, which further reduces the chance of false positives.
WARNING: This scenario is not a WAF, and it does not aim to replace one. A motivated attacker with knowledge of CrowdSec will be able to bypass it. It is mostly meant as a way to detect generic XSS probing.
```yaml
type: leaky
#requires at least 2.0 because it's using the 'data' section and the 'Upper' expr helper
format: 2.0
name: crowdsecurity/http-xss-probbing
data:
  - source_url: https://hub-data.crowdsec.net/web/xss_probe_patterns.txt
    dest_file: xss_probe_patterns.txt
    type: string
description: "A scenario that detects XSS probing with minimal false positives"
filter: "evt.Meta.log_type in ['http_access-log', 'http_error-log'] && any(File('xss_probe_patterns.txt'), {Upper(evt.Parsed.http_args) contains Upper(#)})"
groupby: evt.Meta.source_ip
capacity: 5
leakspeed: 1s
blackhole: 5m
#low false positives approach : we require distinct payloads to avoid false positives
distinct: evt.Parsed.http_args
labels:
  remediation: true
  classification:
    - attack.T1595.002
  behavior: "http:exploit"
  label: "XSS Attempt"
  spoofable: 0
  service: http
  confidence: 3
```
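As an added illustration (not part of the hub page or of CrowdSec's own code), the following Python model replays constructed access-log events through the scenario's filter, distinct, capacity/leakspeed and blackhole settings, to show why a burst of distinct probes alerts while a repeated single payload does not. It assumes a stand-in pattern list in place of the hub's xss_probe_patterns.txt and models the leaky bucket as a token bucket whose burst equals capacity.

```python
from dataclasses import dataclass, field

# Constructed stand-in for hub-data's xss_probe_patterns.txt (the real list is downloaded at install time).
XSS_PROBE_PATTERNS = ["<script", "onerror=", "javascript:"]
CAPACITY, LEAKSPEED, BLACKHOLE = 5, 1.0, 300.0  # capacity: 5, leakspeed: 1s, blackhole: 5m

def matches_filter(event):
    """The scenario's filter: an HTTP log event whose query args contain any pattern, case-insensitively."""
    if event["log_type"] not in ("http_access-log", "http_error-log"):
        return False
    args = event["http_args"].upper()  # Upper(evt.Parsed.http_args) contains Upper(#)
    return any(p.upper() in args for p in XSS_PROBE_PATTERNS)

@dataclass
class Bucket:  # one bucket per groupby key (evt.Meta.source_ip)
    level: float = CAPACITY  # free room, refilled at one token per leakspeed (assumed token-bucket model)
    last: float = 0.0
    seen: set = field(default_factory=set)
    blackhole_until: float = 0.0

def pour(buckets, event, now):
    """Pour one event; return True when the source's bucket overflows (an 'XSS Attempt' alert)."""
    if not matches_filter(event):
        return False
    b = buckets.setdefault(event["source_ip"], Bucket(last=now))
    if now < b.blackhole_until:  # blackhole: the alerted source is ignored for 5 minutes
        return False
    if event["http_args"] in b.seen:  # distinct: an identical payload is poured only once
        return False
    b.seen.add(event["http_args"])
    b.level = min(CAPACITY, b.level + (now - b.last) / LEAKSPEED)  # leak since the last pour
    b.last = now
    if b.level < 1.0:  # no room left: overflow
        b.blackhole_until, b.level, b.seen = now + BLACKHOLE, CAPACITY, set()
        return True
    b.level -= 1.0
    return False

def probe(ip, args, log_type="http_access-log"):
    return {"log_type": log_type, "source_ip": ip, "http_args": args}
def simulate(events):  # replay (timestamp, event) pairs in order; return indexes that raised an alert
    buckets = {}
    return [i for i, (t, e) in enumerate(events) if pour(buckets, e, t)]

SAMPLE = (  # constructed traffic (RFC 5737 documentation addresses); timestamps in seconds
    [(0.1 * i, probe("203.0.113.7", f"q=<script>alert({i})</script>")) for i in range(6)]  # 6 distinct probes in 0.5s
    + [(1.0, probe("203.0.113.7", "q=<script>alert(9)</script>"))]  # dropped: source is blackholed after the alert
    + [(10 + 0.1 * i, probe("198.51.100.9", "q=<script>x</script>")) for i in range(10)]  # same payload repeated
    + [(20.0, probe("192.0.2.1", "page=2&sort=script_name"))]  # ordinary traffic, filter does not match
)
```

Running simulate(SAMPLE) returns [5]: only the sixth distinct probe from 203.0.113.7 overflows the bucket, while the ten identical payloads from 198.51.100.9 are collapsed by distinct and never come close to capacity.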