XSS Attack
by Nicholas Coleman
Log Alert
Investigation
Source IP: 112.85.42.13
- Country: CN
- City: Nanjing
- ISP: China Unicom Jiangsu province network
- E-Mail: zhaoyz3@chinaunicom.cn
The IP address has a poor reputation rating, which adds to the suspicion that this is an attack.
Decoded Requested URL:
https://172.16.17.17/search/?q=<script>javascript:alert(1)</script>
Using my Log Management tool, I queried for any logs relating to the Source IP.
Timeline:
06:34 PM: https://172.16.17.17/
06:35 PM: https://172.16.17.17/about-us/
06:45 PM: https://172.16.17.17/search/?q=test
06:46 PM: https://172.16.17.17/search/?q=<img src=q onerror=prompt(8)>
06:46 PM: https://172.16.17.17/search/?q=prompt(8)
06:50 PM: https://172.16.17.17/search/?q=<script>for((i)in(self))eval(i)(1)</script>
06:53 PM: https://172.16.17.17/search/?q=<svg><script ?>alert(1)
06:56 PM: https://172.16.17.17/search/?q=<script>javascript:alert(1)
- 06:34 PM - 06:35 PM:
  - The attacker starts by accessing the main page and then the "About Us" page.
  - Alone this obviously does not raise any alarm, but it could be part of the reconnaissance stage.
- 06:45 PM:
  - The attacker tests the search functionality using a benign query (`?q=test`).
  - This is often done to inspect how search parameters are handled: the attacker is looking for whether the input is reflected in the response.
- 06:46 PM:
  - The first XSS attempt: `?q=<img src=q onerror=prompt(8)>`
  - This uses an `<img>` tag with an `onerror` attribute to execute JavaScript (`prompt(8)`). Because `src=q` does not resolve to a real image, the load fails and the `onerror` handler fires.
  - This is a common XSS test to see if the input is reflected without proper sanitization.
  - Second XSS attempt: `?q=prompt(8)`
  - If the previous payload was successful, the attacker may be checking whether the input on its own directly triggers a `prompt()` call. This is most likely a confirmation attempt.
- 06:50 PM:
  - Third XSS attempt: `?q=<script>for((i)in(self))eval(i)(1)</script>`
  - The third attempt is more aggressive and uses `eval()`, which can execute arbitrary JavaScript. The loop enumerates every property name of `self` (the window object), passes each name to `eval()` and calls the result with `1`; this is a filter-evasion form that avoids writing a function name such as `alert` directly in the request.
  - This indicates the attacker is most likely probing for more severe XSS vulnerabilities and testing what a filter blocks.
- 06:53 PM:
  - Fourth XSS attempt: `?q=<svg><script ?>alert(1)`
  - Here the attacker is attempting to exploit XSS using an SVG tag. The stray `?` is parsed by the HTML tokenizer as a meaningless attribute name, so the element is still an executable script tag; the odd spelling is meant to slip past filters that match `<script>` literally.
  - Some insecure sites may assume SVG tags are safe, but they can contain embedded scripts (like this one).
- 06:56 PM:
  - Fifth XSS attempt: `?q=<script>javascript:alert(1)`
  - This is direct JavaScript execution using the `alert()` function; inside a `<script>` block the `javascript:` prefix is parsed as a plain statement label, so it does not stop `alert(1)` from running.
  - It is a simple yet effective payload to test whether script tags are blocked or sanitized.
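As an added example (not the author's log-management tool or any code from this write-up), the script below performs the same triage over constructed access-log lines that mirror the timeline: it keeps only the source IP, percent-decodes the `q` parameter to recover the "Decoded Requested URL" view, tags each request with the XSS technique it uses, and adds a `reflection_state` helper for the check that decides whether a reflected payload actually landed (returned raw versus HTML-encoded in the response). The log format, date, response sizes, the extra `10.0.0.5` line and the two response bodies used in the test are all constructed for this example.

```python
"""Triage of the search-endpoint requests in the timeline above.

Added example, not the author's tooling. The log lines and response
bodies are constructed: the source IP and request URLs follow the
write-up's timeline, everything else (date, sizes, the 10.0.0.5 line)
is made up.
"""
import html
import re
from urllib.parse import parse_qs, urlparse

# Constructed Common-Log-Format lines. URLs are stored URL-encoded, as a
# browser or proxy would send them, so the decode step below is needed.
SAMPLE_LOGS = """\
112.85.42.13 - - [01/Jan/2024:18:34:00 +0000] "GET / HTTP/1.1" 200 5120
112.85.42.13 - - [01/Jan/2024:18:35:00 +0000] "GET /about-us/ HTTP/1.1" 200 3210
112.85.42.13 - - [01/Jan/2024:18:45:00 +0000] "GET /search/?q=test HTTP/1.1" 200 1890
112.85.42.13 - - [01/Jan/2024:18:46:00 +0000] "GET /search/?q=%3Cimg%20src%3Dq%20onerror%3Dprompt(8)%3E HTTP/1.1" 200 1902
112.85.42.13 - - [01/Jan/2024:18:46:30 +0000] "GET /search/?q=prompt(8) HTTP/1.1" 200 1894
112.85.42.13 - - [01/Jan/2024:18:50:00 +0000] "GET /search/?q=%3Cscript%3Efor((i)in(self))eval(i)(1)%3C/script%3E HTTP/1.1" 200 1930
112.85.42.13 - - [01/Jan/2024:18:53:00 +0000] "GET /search/?q=%3Csvg%3E%3Cscript%20?%3Ealert(1) HTTP/1.1" 200 1910
112.85.42.13 - - [01/Jan/2024:18:56:00 +0000] "GET /search/?q=%3Cscript%3Ejavascript:alert(1) HTTP/1.1" 200 1905
10.0.0.5 - - [01/Jan/2024:18:57:00 +0000] "GET /search/?q=pricing HTTP/1.1" 200 1880
"""

# ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Heuristic indicators, matched against the *decoded* parameter value.
# Each maps to a technique seen in the timeline; they are a triage aid,
# not a proof of exploitation.
INDICATORS = [
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("svg tag", re.compile(r"<\s*svg\b", re.I)),
    ("event-handler attribute", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript: prefix", re.compile(r"javascript\s*:", re.I)),
    ("JS function call", re.compile(r"\b(?:alert|prompt|confirm|eval)\s*\(", re.I)),
]


def classify(value):
    """Return the names of every indicator that matches a decoded query value."""
    return [name for name, rx in INDICATORS if rx.search(value)]


def triage(log_text, source_ip, param="q"):
    """Parse the log, keep only `source_ip`, decode `param` and tag each request."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["ip"] != source_ip:
            continue
        url = urlparse(m["target"])
        # parse_qs percent-decodes the value, giving the "Decoded Requested URL" view
        value = parse_qs(url.query).get(param, [""])[0]
        events.append({"time": m["ts"], "path": url.path,
                       "value": value, "indicators": classify(value)})
    return events


def reflection_state(response_body, payload):
    """How a server response reflected `payload`:
    'raw'     - payload echoed verbatim, i.e. an exploitable reflection
    'encoded' - payload HTML-escaped, the hardened behaviour
    'absent'  - not reflected at all
    """
    if payload in response_body:
        return "raw"
    if html.escape(payload) in response_body:
        return "encoded"
    return "absent"


if __name__ == "__main__":
    for e in triage(SAMPLE_LOGS, "112.85.42.13"):
        flag = ", ".join(e["indicators"]) or "-"
        print(f'{e["time"]}  {e["path"]}?q={e["value"]}  [{flag}]')
```

Running it prints the eight requests from the source IP with the decoded `q` value and the techniques each one uses; the benign `?q=test` probe and the two pages visited during reconnaissance carry no indicators. Against the real incident, `reflection_state` would be run on the captured response bodies for the five payload requests: an `encoded` or `absent` result for every one of them is the evidence that the reflected XSS did not land.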
Endpoint Information
The last login on the targeted web server (WebServer1002) was 24 days before the XSS attempts, and a second check of the endpoint turned up nothing that raises an alarm.
Keep in mind that reflected XSS executes in a visitor's browser, not on the server, so the decisive check is the server's response to each payload request: if the payload came back HTML-encoded, or not at all, the injection failed. Nothing here indicates that any payload landed, so the XSS attack was unsuccessful.
Final Report
This XSS attack against WebServer1002 was ultimately unsuccessful: the threat actor made five attempts with different payloads, and the server was not breached.
The source IP address is geolocated to Nanjing, China, and its ISP is 'China Unicom Jiangsu province network'.
This alert was a True Positive: a genuine XSS attempt, even though it failed.
Extracted Artifacts
Value | Comment | Type |
---|---|---|
112.85.42.13 | Attacker IP | IP Address |
https://172.16.17.17/search/?q=<script>javascript:alert(1) | Decoded URL | URL |