Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
How to Test Threat Prevention Using a Web Browser - Knowledge Base - Palo Alto Networks

How to Test Threat Prevention Using a Web Browser

151461
Created On 09/26/18 13:48 PM - Last Modified 06/01/23 17:37 PM


Resolution


Overview

This document describes a test to generate a "Generic Cross Site Scripting" event in the threat log.

 

Details

  1. Create a policy that allows the web-browsing and SSL applications.
  2. Apply the DEFAULT Vulnerability Protection security profile associated with the policy.
  3. Go to any web page and look for an entry box that allows any typed entries.
  4. Enter the following text into the entry box: <script>alert(XSS Test)</script>
    For example, the following image shows the amazon.com website with the given text entered into the "Search" box:
    XSS_Test.png
    In the example above, when Enter is pressed after entering the text, the browser was busy for a while before displaying a message that the connection was reset.
  5. Another option is to go to input this into the browser:  http://example.com/?<script>alert(XSS Test)</script>
  6. Go to Monitor > Threat on the PAN-OS Web GUI, and an alert appears in the threat log. The action shows that a TCP RESET was sent to the server.
    Threat_log.png

The global counters can also be viewed to confirm that the firewall has sent TCP reset packets:

> show counter global | match RST

flow_action_close      4       0 drop      flow      pktproc   TCP sessions closed via injecting RST

NOTE:
On this test the site in example amazon.com was being allowed to run over http.
You will not notice the same behaviour when going to https sites but not having SSL Decryption enabled.
To have the Cross Site Scripting Attempt threat log generated either enable SSL Decryption or find an http site with search bar in the contents.

See Also

For additional examples: XSS Filter Evasion Cheat Sheet - OWASP

Threat Prevention Deployment Tech Note

 

owner: skrall



Additional Information


Please see internal notes for example website.

Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClpPCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language