#10175 Detecting and logging XSS attacks

Posted in ‘Admin Tools for Joomla! 4 & 5’


Latest post by nicholas on Tuesday, 27 December 2011 02:19 CST

user53904
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the forum before posting? Yes
Have I read the documentation before posting (which pages?)? All
Joomla! version: 1.5.25
PHP version: 5.2.10
MySQL version: 5.0.77
Host: (optional, but it helps us help you)
Admin Tools version: 2.1.14


Description of my issue:

Most of the forum posts I've found suggest staying away from the XSSshield and Bad Behaviour options. Is there another way to configure Admin Tools to log XSS attempts as security exceptions?

Thanks!

nicholas
Akeeba Staff
Manager
The short answer is no.

The long answer is that the main issue is being able to detect XSS attacks in the first place. Doing so means that you have to scan incoming data which you don't know how it's going to be used for the presence of Javascript. The former makes it extremely hard to figure out what should be called XSS and what not (e.g. this forum's posts, which undergo severe sanitisation before being sent to the database and before being rendered, do not have much to fear from most common cases of injected Javascript). The latter is a major issue all by itself. Thanks to browsers tolerating totally crappy Javascript constructs (not just non-standard, but outright broken!!) for almost two decades and the fuzzy nature of the language itself (anyone said "eval"?), detecting with certainty what is Javascript and what's not is a monumental task. Combined with the lack of knowledge as to where the data will be used, this makes it nigh impossible to have any degree of certainty.

The XSSShield is this kind of completely fuzzy filter. It could either be made very tolerant (offering no protection) or very strict (throwing a lot of false positives). Ultimately, it became very strict in order to be useful. But this also made it throw too many false positives, making it a hindrance on sites with a forum. This is why we suggest turning it off.

Since logging can only be performed for attacks being blocked, you can't log XSS attacks without blocking them. Moreover, even if you could, would you be certain they are XSS attacks and not some legitimate request throwing a false positive?

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
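An added illustration of the tolerant-versus-strict trade-off described in the answer above. This is example code written for this page, not Admin Tools' XSSShield and not anything the author posted. It runs a toy pattern filter over a handful of constructed request values (labelled by hand as an injection attempt or as ordinary forum text) in a tolerant mode and a strict mode, counts what each mode catches, misses and wrongly flags, and shows what a log-only filter would be able to record. The pattern list, the mode names and the sample values are all assumptions made for the example.

```python
"""Toy request-data XSS filter, tolerant vs strict (added example, not Admin Tools code)."""
import re
from typing import Dict, List, Tuple

# Constructed sample request values. The label is what a human knows about the
# value; the filter itself never sees it. "attack" means the value would run
# script if echoed unescaped into an HTML page; "legit" means ordinary text that
# merely talks about HTML or JavaScript, as forum posts routinely do.
SAMPLES: List[Tuple[str, str]] = [
    ("attack", "<script>alert(1)</script>"),
    ("attack", "<ScRiPt>alert(document.cookie)</script>"),
    ("attack", '<img src=x onerror="alert(1)">'),
    ("attack", "<svg/onload=alert(1)>"),
    # Browsers strip ASCII tab and newline characters inside a URL scheme, so
    # "jav<TAB>ascript:" still becomes a javascript: URL when the href is used.
    ("attack", '<a href="jav\tascript:alert(1)">click</a>'),
    # &#106; is decoded to "j" when the attribute value is parsed, so the
    # browser sees javascript: although the raw bytes never contain that word.
    ("attack", '<a href="&#106;avascript:alert(1)">click</a>'),
    ("legit", 'How do I add an onclick="toggle()" handler to a menu item?'),
    ("legit", 'The docs say to put <script src="/media/foo.js"></script> in the template.'),
    ("legit", "Avoid eval(): eval(userInput) is how these bugs happen."),
    ("legit", "Note that javascript: URLs are blocked by our editor."),
    ("legit", "We sell 3 < 5 bargains, no code involved."),
]

# Two strictness levels (assumed for the example). The tolerant list looks only
# for a script tag; the strict list adds inline event handlers, javascript: URLs
# and eval(), the kind of tokens a "very strict" filter has to react to.
TOLERANT = [re.compile(r"<\s*script\b", re.I)]
STRICT = TOLERANT + [
    re.compile(r"\bon[a-z]+\s*=", re.I),   # onerror=, onload=, onclick=, ...
    re.compile(r"javascript\s*:", re.I),   # javascript: URLs
    re.compile(r"\beval\s*\(", re.I),      # eval(...)
]
MODES = {"tolerant": TOLERANT, "strict": STRICT}


def looks_like_xss(value: str, mode: str) -> bool:
    """True when any pattern of the chosen mode matches the raw value."""
    return any(pattern.search(value) for pattern in MODES[mode])


def evaluate(mode: str, samples: List[Tuple[str, str]] = SAMPLES) -> Dict[str, List[str]]:
    """Split the samples into attacks caught, attacks missed and legitimate
    values wrongly flagged. Only possible here because the samples are
    labelled; a real filter has no such labels."""
    result: Dict[str, List[str]] = {"caught": [], "missed": [], "false_positives": []}
    for label, value in samples:
        hit = looks_like_xss(value, mode)
        if label == "attack":
            result["caught" if hit else "missed"].append(value)
        elif hit:
            result["false_positives"].append(value)
    return result


def security_log(mode: str, samples: List[Tuple[str, str]] = SAMPLES) -> List[str]:
    """What a log-only filter could write: the pattern that fired and the raw
    value. A legitimate post and an injection attempt that trip the same
    pattern produce entries of exactly the same shape."""
    entries: List[str] = []
    for _, value in samples:
        for pattern in MODES[mode]:
            if pattern.search(value):
                entries.append(f"xss-suspect pattern={pattern.pattern!r} value={value!r}")
                break
    return entries


if __name__ == "__main__":
    for mode in MODES:
        counts = {key: len(values) for key, values in evaluate(mode).items()}
        print(mode, counts)
    for line in security_log("strict"):
        print(line)
```

Running it shows the shape of the problem: the tolerant mode misses four of the six attacks and still flags one legitimate post (a how-to that quotes a script tag), while the strict mode catches four attacks but flags four of the five legitimate posts and still misses the two that hide the javascript: scheme behind a tab or an HTML entity. The strict log has eight entries and nothing in them says which four are real, which is the point made above about logging without blocking.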
