IPS blocking users due to XSS

M470
12.5.3
Hi All,
Recently I have experienced a large increase in users being blocked through IPS due to XSS attacks from websites they have visited. The sites visited aren't anything odd or suspicious, otherwise DNS Watch should have prevented them, but Pinterest does seem to be the most common.

Excerpts from Alarm Messages:
reason: signature_id: 1133451 severity: 4 signature_name: WEB Cross-site Scripting -36 signature_cat: Access Control host: ct.pinterest.com path: /md/

reason: signature_id: 1131464 severity: 4 signature_name: WEB Werkzeug Debug Shell Command Execution signature_cat: Web Attack host: www.pandora.com path: /ping.txt?f=159233019698096879

reason: signature_id: 1133451 severity: 4 signature_name: WEB Cross-site Scripting -36 signature_cat: Access Control host: ct.pinterest.com path: /user/?tid=2618424808130&pd=%7B%22em%22%3A%22%22%2C%22pin_unauth%22%3A%22dWlkPU1tVm1aREJpTVRrdE1Ua3pOUzAwWkdZMkxUZzNaalV0WWpjMllqY3pNVGd5TURVMQ%

My IPS settings are: Critical, High, and Medium are blocked; Low and Informational are allowed.

Has anyone else noticed this?

Thanks,

  • Doug

It's usually something simple.
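
Added example, not part of the original post: a small parser for alarm lines in the format excerpted above, which tallies blocks per signature and lists the hosts each signature fired on, so it is easy to see which signature/host pairs account for most of the blocks. The function names and the sample lines (modelled on the excerpts, with one path shortened to a placeholder) are constructed for illustration.

```python
import re
from collections import defaultdict

# Field names as they appear in the alarm excerpts in the post.
FIELDS = ("signature_id", "severity", "signature_name",
          "signature_cat", "host", "path")
# A field starts at line start or after whitespace, so "host:" inside a URL
# such as "http://host:8080" is not mistaken for a key.
FIELD_RE = re.compile(r"(?:^|\s)(" + "|".join(FIELDS) + r"):\s*")

def parse_alarm(line):
    """Split one alarm 'reason:' line into a dict; values may contain spaces."""
    parts = FIELD_RE.split(line.strip())
    # parts = [prefix, key1, value1, key2, value2, ...]
    record = {k: v.strip() for k, v in zip(parts[1::2], parts[2::2])}
    if "signature_id" not in record or "host" not in record:
        return None  # not an IPS alarm line in this format
    return record

def summarize(lines):
    """Count blocks per signature and collect the hosts each one fired on."""
    hits = defaultdict(lambda: {"count": 0, "hosts": set(),
                                "name": "", "severity": ""})
    for line in lines:
        rec = parse_alarm(line)
        if rec is None:
            continue
        entry = hits[rec["signature_id"]]
        entry["count"] += 1
        entry["hosts"].add(rec["host"])
        entry["name"] = rec.get("signature_name", "")
        entry["severity"] = rec.get("severity", "")
    rows = [(sid, e["name"], e["severity"], e["count"], sorted(e["hosts"]))
            for sid, e in hits.items()]
    # Most frequent signature first; ties broken by signature id.
    return sorted(rows, key=lambda r: (-r[3], r[0]))

# Constructed sample input in the format of the excerpts above.
SAMPLE = [
    "reason: signature_id: 1133451 severity: 4 signature_name: WEB Cross-site Scripting -36 signature_cat: Access Control host: ct.pinterest.com path: /md/",
    "reason: signature_id: 1131464 severity: 4 signature_name: WEB Werkzeug Debug Shell Command Execution signature_cat: Web Attack host: www.pandora.com path: /ping.txt?f=159233019698096879",
    "reason: signature_id: 1133451 severity: 4 signature_name: WEB Cross-site Scripting -36 signature_cat: Access Control host: ct.pinterest.com path: /user/?tid=EXAMPLE",
    "some unrelated log line",
]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```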
