
Security Best Practice: Protect Yourself from Cross-Site Scripting Attacks


Check Point Reference: SBP-2010-18
Date Published:
Severity:
Source: IPS Research Center
Protection Provided by:
  • Security Gateway R70
  • VPN-1 NGX R65
  • VSX NGX R65
  • InterSpect NGX
Who is Vulnerable?
Web servers
Vulnerability Description
'Cross-site' refers to the security restrictions that the client browser usually places on data (e.g. cookies, dynamic content attributes, etc.) associated with a web site. By launching a cross-site scripting attack, an attacker bypasses these security restrictions, which may result in anything from disclosure of user information to execution of malicious code within the context of the user's browser.

A cross-site scripting (XSS) attack occurs when a Web-based application fails to validate user input before returning it to the client's browser. This enables attackers to inject malicious content into Web pages to be executed in the context of the user's browser. An attacker can take a variety of malicious actions including cookie theft, account hijacking, spreading of Web-based email worms, etc.
Vulnerability Details
To launch a cross-site scripting attack, an attacker could send a specially crafted email message to a victim containing a link with malicious script embedded in it (e.g. a <script> tag). When the user clicks on this link, the URL, including the malicious code, is sent to a legitimate site. If the legitimate server reflects that URL content back in the page it returns, the malicious code will be executed within the context of the user's browser.
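As an added illustration (not code from the Check Point advisory), the reflected flaw described above is shown beside its hardened form, together with a simplified URL check that models the Detect-mode log entry; the search page, the sample URL and the pattern are constructed assumptions, not Check Point's actual signature.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample: a search page that echoes its "q" parameter back to the user.
SAMPLE_URL = "http://search.example/results?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def query_param(url, name):
    """Return the first value of a query parameter, percent-decoded."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(term):
    """Echoes the user-supplied term into the page unchanged (the XSS flaw)."""
    return "<h1>Results for: " + term + "</h1>"


def render_hardened(term):
    """Same page, but the user-controlled value is HTML-encoded on output.
    quote=True also encodes quotes, so the value is safe inside attributes."""
    return "<h1>Results for: " + html.escape(term, quote=True) + "</h1>"


# Illustrative detect-mode check (an assumption, not Check Point's signature):
# flag a request whose decoded URL carries a script tag, an inline event
# handler inside a tag, or a javascript: URL scheme.
XSS_MARKERS = re.compile(
    r"<\s*script\b|<[^>]+\son[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def inspect_url(url):
    """Return the log entry the page describes when the URL looks like XSS, else None."""
    decoded = unquote_plus(unquote_plus(url))  # second pass catches double-encoding
    if XSS_MARKERS.search(decoded):
        return {"Attack Name": "Cross Site Scripting",
                "Attack Information": "Cross site scripting detected in URL"}
    return None


if __name__ == "__main__":
    term = query_param(SAMPLE_URL, "q")
    print(render_vulnerable(term))  # the script tag reaches the browser intact
    print(render_hardened(term))    # rendered as text, never executed
    print(inspect_url(SAMPLE_URL))  # the entry SmartView Tracker would show
```

The check deliberately decodes twice because gateway-side inspection sees the URL as sent, which may be encoded more than once.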

Protection Overview
This protection will detect and block cross-site scripting attacks.

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
CPSA-2005-03

Security Gateway: R70/R71

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Web Intelligence > Application Layer.
2. In the right pane, double-click the Cross-Site Scripting protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. The protection can be applied either to all HTTP traffic or to selected web servers.

  • If you choose to apply the protection to all HTTP traffic, the defense protects users surfing to any web server: those in the selected web server list (if defined; typically internal servers) as well as non-designated web servers, which are typically external to the organization.
  • If you choose to apply the protection to selected web servers, the defense will only protect users that are surfing to these specific servers. To do so:
    I. Next to "Apply to selected web servers" click Customize.
    II. Choose the relevant web server and click Configure Default.
    III. Choose the Security Level and click OK. 

5. Install policy on all modules.

You’re advised to initially set the Security Level to Low, and to use the protection in Detect mode. After carefully monitoring the traffic, you will be able to adjust the security level to better fit your network, and change the protection’s action to Prevent.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Cross Site Scripting
Attack Information: Cross site scripting detected in URL

VPN-1 NGX R65 & VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > Application Layer > Cross Site Scripting.
2. In the configuration pane, under Settings > Mode, check Active.
3. The protection can be applied either to all HTTP traffic or to selected web servers.
4. Choose the security level. If you choose to apply the protection to selected web servers:
    I. Next to "Apply to selected web servers" click Customize.
    II. Choose the relevant web server and click Edit.
    III. Next to "Cross Site Scripting" click Advanced.
    IV. Choose the Security Level and click OK.
5. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Cross Site Scripting
Attack Information: Cross site scripting detected in URL

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the Web Intelligence page of the profile.
2. In the Web Intelligence tree, click Application Layer and select Cross Site Scripting.
3. In the configuration pane, select the Security Level.
4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Cross Site Scripting
Attack Information: Cross site scripting detected in URL