Part of my responsibilities at Zscaler is to look through our log files in order to spot strange and unusual requests (new malware, botnets, etc.), questionable surfing trends, and other sorts of data-mining security goodness. And unfortunately, I routinely come across requests such as these:
But XSS is just the tip of the iceberg; check out these requests:
Are those full and partial SQL queries/clauses in the URL parameter fields? Why, yes they are! These sites actually pass the SQL query strings in as request parameters. Now, perhaps these sites have absolutely perfect database security, the web scripts use a read-only DB account, and SQL access is restricted to a limited view of the table, meaning the web script isn't exploitable to do much beyond just reading the already-public read-only data from a single table. But my bet is that isn't the case.
There are lots of other pretty scary requests out there, but it's hard to tell whether they are really exploitable or not by just looking at the URL (and I'm not about to go and perform an unauthorized security assessment on these public web sites). Here are some of the suspicious ones, for your entertainment:
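The post describes spotting these requests by reading logs. Below is an added example (not code from the original post or from Zscaler) of how that triage can be automated from the defender's side: it decodes each URL's query parameters and flags values that contain a recognisable SQL clause or an HTML/JavaScript marker, so a reviewer only has to look at the hits. The log lines are constructed for the example and use a simplified "METHOD URL" form; the clause patterns and the output format are my own choices, not anything the post specifies.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample log lines (not from the original post), in a simplified
# "METHOD URL" form such as a proxy or web server might record.
SAMPLE_LOG = [
    "GET /search.php?q=hello+world",
    "GET /list.php?sql=SELECT+name%2Cprice+FROM+products+WHERE+cat%3D3",
    "GET /items.php?sort=ORDER+BY+price+DESC",
    "GET /comment.php?text=%3Cscript%3Ex%3C%2Fscript%3E",
    "GET /report.php?title=Select+committee+update",
]

# Patterns for SQL fragments that are unlikely to appear in ordinary user
# input: a keyword alone ("select", "update") is too common in prose, so each
# pattern requires the shape of a clause rather than a single word.
SQL_CLAUSES = [
    re.compile(r"\bselect\b.+\bfrom\b", re.IGNORECASE | re.DOTALL),
    re.compile(r"\b(insert\s+into|delete\s+from|update\s+\w+\s+set|"
               r"drop\s+table|union\s+(all\s+)?select)\b", re.IGNORECASE),
    re.compile(r"\b(where\s+\w+\s*(=|<|>|like\b)|order\s+by\s+\w+|group\s+by\s+\w+)",
               re.IGNORECASE),
]

# Markers of script injection in a parameter value.
XSS_MARKERS = re.compile(
    r"<\s*script\b|javascript\s*:|\bon(error|load|click|mouseover)\s*=",
    re.IGNORECASE,
)


def decode_params(url):
    """Return (name, value) pairs from the URL's query string.

    parse_qsl undoes one layer of percent/plus encoding; a second unquote_plus
    pass catches values that were encoded twice.
    """
    query = urlsplit(url).query
    return [(name, unquote_plus(value))
            for name, value in parse_qsl(query, keep_blank_values=True)]


def classify_value(value):
    """Return a list of labels describing what looks suspicious in a value."""
    findings = []
    if any(pattern.search(value) for pattern in SQL_CLAUSES):
        findings.append("sql-clause")
    if XSS_MARKERS.search(value):
        findings.append("xss-marker")
    return findings


def scan_log(lines):
    """Flag every parameter in every request line that carries a finding."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:          # not in "METHOD URL" form; skip it
            continue
        url = parts[1]
        for name, value in decode_params(url):
            findings = classify_value(value)
            if findings:
                hits.append({"line": line, "param": name,
                             "value": value, "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{', '.join(hit['findings']):<12} {hit['param']}={hit['value']!r}")
        print(f"             in: {hit['line']}")
```

Run as-is it reports the SELECT query, the bare ORDER BY clause and the script tag, and leaves the two ordinary search strings alone, including the "Select committee update" title that a naive keyword match would have flagged. In practice the patterns would be tuned against a sample of the site's own traffic before being used to raise alerts.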
I'm sure I'll be posting more in the weeks to come. There doesn't appear to be a shortage of new examples...
Until next time,