Preventing users/bots from trying to inject scripts on website
Good Morning,
This morning we awoke to either a bot or a human trying to inject scripts onto one of our websites. We were able to detect this as our site was throwing error emails to us from the login page.
Can the WatchGuard not detect this type of behavior to prevent it?
Thanks
This discussion has been closed.
Comments
I was told that the person/bot was using this:
https://github.com/LewisArdern/bXSS
There are many cross site scripting detections in the Intrusion Prevention detection database.
IPS detection is improved for HTTPS traffic if Inspect is being done.
From the docs:
"If you enable IPS for an HTTPS-proxy policy, you must also enable Content Inspection in the HTTPS-proxy action, in order for IPS to scan the HTTPS content."
Configure Intrusion Prevention
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/ips/ips_config_c.html
Thanks for the update!
When HTTPS content inspection is enabled, WatchGuard IPS can detect XSS like bXSS.
The payload won't be visible to IPS without SSL inspection. Verify that the HTTPS-proxy policy on your login page has content inspection and intrusion prevention system (IPS) enabled.
It also helps to incorporate app-layer inspections or rate constraints.
Yes, SSL inspection is crucial in this situation. If WatchGuard IPS really sees the traffic, it can detect XSS attempts similar to those bXSS throws.
IPS is essentially blind if your login page is behind HTTPS and content inspection is disabled.
In order to reduce automated injection attempts before they ever reach your website, make sure your HTTPS-proxy policy has both content inspection and IPS enabled.
You might also think about implementing some app-layer checks or rate limitations.
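
The app-layer check and rate limit suggested in the replies above, sketched as an added example that is not part of the original thread and is not WatchGuard code. It assumes the web framework has already decoded the form fields; the `LoginGuard` class, the `username` field name, the pattern and the thresholds are all hypothetical.

```python
import re
import time
from collections import defaultdict, deque

# Markup that has no place in a login identifier (constructed pattern, not an IPS signature).
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)
INSPECTED_FIELDS = ("username",)  # hypothetical field name; passwords may hold any characters


class LoginGuard:
    """Reject markup in login identifiers and lock out clients that keep sending it."""

    def __init__(self, max_hits=5, window=60.0, block_for=900.0):
        self.max_hits, self.window, self.block_for = max_hits, window, block_for
        self.hits = defaultdict(deque)   # client -> timestamps of rejected submissions
        self.blocked_until = {}          # client -> time at which the lockout ends

    def check(self, client_ip, fields, now=None):
        """Return 'allow', 'reject' (bad input) or 'block' (client is locked out)."""
        now = time.monotonic() if now is None else now
        if self.blocked_until.get(client_ip, 0.0) > now:
            return "block"
        if not any(MARKUP.search(fields.get(f, "")) for f in INSPECTED_FIELDS):
            return "allow"
        recent = self.hits[client_ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()             # forget rejections older than the window
        if len(recent) >= self.max_hits:
            self.blocked_until[client_ip] = now + self.block_for
            recent.clear()
            return "block"
        return "reject"


if __name__ == "__main__":
    guard = LoginGuard(max_hits=3, window=60, block_for=300)
    # Constructed sample submissions: (seconds, client, form fields)
    samples = [
        (0, "198.51.100.20", {"username": "alice", "password": "pw<1>"}),
        (1, "203.0.113.7", {"username": "<script src=//example.invalid/a.js></script>"}),
        (2, "203.0.113.7", {"username": "\"><img src=x onerror=1>"}),
        (3, "203.0.113.7", {"username": "<svg onload=1>"}),
        (9, "203.0.113.7", {"username": "bob", "password": "hunter2"}),
    ]
    for t, ip, form in samples:
        print(t, ip, guard.check(ip, form, now=t))
```

Rejecting the submission with a plain validation error, instead of letting it reach code that throws, also stops the error-email flood described in the original question.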