A Quick Look at the Expl:Win/HTTP.URL.XSS!0000-0000 signature from Forefront TMG 2010 NIS

As you may know, to Forefront TMG 2010's NIS were added signatures to help detect commonly used exploitations against XSS and SQLi vulnerabilities.
In this article we're going to take a quick look at the XSS one.

The Expl:Win/HTTP.URL.XSS!0000-0000 signature is an Exploit type signature.
This should imply that the signature is rather focused on detecting specific exploit(s)(Forefront TMG NIS currently has three types of signatures, we're going to disect them in a future article).
This type of signature falls into the negative security model or blacklisting, which means that such a signature is in general "bypassable by design"(a specific issue with the blacklisting approach), especially when it comes down to web applications.
It might be of no use in a targeted attack(when the attacker is aware there is a TMG NIS on the path), but might help in "mass attacks". One cannot rely on such a signature type, it's just useful for defense in depth.

Now the questions that arise from here:
 - what patterns of attacks can this signature detect ?
 - is this signature too specific and thus easily bypassable by various techniques(including simple ones) ?
 - what real world value does this signature has ?
 - it worths setting it to block mode ?

Since there is little information about what this signature can detect and we do not necessarily have access to a readable version of this signature, I decided to conduct some simple tests and note the results.
After brief tests, it appears that currently this signature has low real world value.
Let's take a look.


Comments are closed