SPL
IIS: Indicators of XSS and SQLi attacks
Description
The following query shows IoCs for XSS and SQLi. The complete query is wrapped up since this site is not accepting it. The query should also include "OR javascript", followed by ":alert".
index=* sourcetype="ms:iis:default" NOT ("cookie.js" OR "script.js" OR "cookie-min.js" OR "RESET-COOKIE" OR "form.user-info-from-cookie") AND ("&#" OR "script>" OR "script%3E" OR "`" OR "cookie" OR alert\( OR "</" OR "@@" OR "%40%40" OR "<scr" OR "%3Cscr" OR "<" OR "%3C%2F" OR "..%2F" OR ".." OR "%2E%2E") uri_query!="-" uri_query!="utm_*" | table _time, clientip, status, uri_query | sort by _time desc
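An added example, not part of the original post: a Python approximation of the query's filter run over constructed IIS requests, showing which of the page's tokens fire, which benign request gets flagged, and which SQLi-style request passes unflagged. It assumes case-insensitive substring matching over `uri_stem?uri_query`, which is simpler than Splunk's own term matching; `matched_indicators` and `SAMPLES` are names made up for this example.

```python
# Tokens copied from the SPL query on this page.
EXCLUDE = ["cookie.js", "script.js", "cookie-min.js", "RESET-COOKIE",
           "form.user-info-from-cookie"]
INDICATORS = ["&#", "script>", "script%3E", "`", "cookie", "alert(", "</",
              "@@", "%40%40", "<scr", "%3Cscr", "<", "%3C%2F", "..%2F",
              "..", "%2E%2E"]


def matched_indicators(uri_stem, uri_query):
    """Return the indicator tokens found in one event ([] means no hit).

    Assumption: case-insensitive substring matching approximates the search.
    """
    # uri_query!="-" and uri_query!="utm_*" from the query
    if uri_query == "-" or uri_query.lower().startswith("utm_"):
        return []
    event = f"{uri_stem}?{uri_query}".lower()
    # NOT (...) clause: any excluded string suppresses the whole event
    if any(token.lower() in event for token in EXCLUDE):
        return []
    return [token for token in INDICATORS if token.lower() in event]


# Constructed sample requests (uri_stem, uri_query); not real log data.
SAMPLES = [
    ("/search.aspx", "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),  # encoded XSS
    ("/download.aspx", "file=..%2F..%2Fweb.config"),            # traversal
    ("/item.aspx", "id=1+UNION+SELECT+@@version"),              # SQLi with @@
    ("/item.aspx", "id=1+OR+1=1"),                              # SQLi, no token
    ("/account.aspx", "page=cookie-policy"),                    # benign
    ("/js/cookie.js", "v=3"),                                   # excluded file
    ("/home.aspx", "utm_source=news"),                          # utm_* filter
]

if __name__ == "__main__":
    for stem, query in SAMPLES:
        hits = matched_indicators(stem, query)
        print(f"{'HIT ' if hits else 'miss'} {stem}?{query} {hits}")
```

The only SQLi-oriented tokens in the list are "@@", its encoded form and the backtick, so results for SQLi depend on those appearing in the request, while the bare "cookie" token flags ordinary pages that carry the word in their query string.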
Comments
1 total
Hey @rkingma

it's not detecting SQLi.