continued...
There are two detection methods: rule-based with static rules and anomaly-based with dynamic rules.
Rule-based - for pre-known values, e.g. certain input characters and a limit amount of transfer.
Sub-methods for positive security and negative security. The negative model is known as blacklisting; it is easily implemented and less FP-prone. Can be used for known attacks (string, behavior).
The positive model is deny-all, policy of allowed traffic, whitelist could be banned, manually defined, only legit traffic, FPs will improve whitelisting, a FW will work in this way.
Anomaly-based: the rules are established through a learning phase, through verified clean traffic; all that does not come with the ruleset here is flagged!
XSS flaw detection - Cross-Site Scripting.
Embedding script tags in URLs/HTTP requests, enticing unaware users to click on them so that malicious JavaScript is executed on the victim's machine (client), through lack of input/output validation on the server to reject active code/JavaScript/or code characters.
List of possible HTML tags/script inclusions:
javascript, vbscript, expression, applet, meta, xml, blink, link, style, script, embed, object, iframe, frame, frameset, ilayer, layer, title, base.
The regex to detect keywords goes like /(javascript|vbscript|expression|applet|script|embed|object|iframe|frame|frameset)/i
but XSS can be hidden inside a JavaScript code part as infection; it is just inserted JS code!
Code injection flaws could be in any type of code: SQL, LDAP, XPath, XSLT, HTML, OS commands.
will be continued....
polonus
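
Added example, not part of polonus's post: the keyword regex above used as a negative-model rule, next to a positive-model (deny-all) allowlist, both run over constructed query strings. The `ALLOWED` policy, the function names and the sample requests are assumptions made for this illustration.

```python
import re
from urllib.parse import parse_qsl

# Negative model: the keyword list from the post as one case-insensitive rule.
BLACKLIST = re.compile(
    "(javascript|vbscript|expression|applet|script|embed|object|iframe|frame|frameset)",
    re.IGNORECASE,
)

# Positive model: deny-all, with a per-parameter allowlist.
# This policy is constructed for the example, not taken from a real application.
ALLOWED = {
    "id": re.compile(r"[0-9]{1,10}"),
    "q": re.compile(r"[A-Za-z0-9 ]{1,64}"),
}


def negative_check(query):
    """Return the blacklisted keywords found in the decoded names and values."""
    hits = set()
    for pair in parse_qsl(query, keep_blank_values=True):  # percent-decodes once
        for part in pair:
            hits.update(m.group(0).lower() for m in BLACKLIST.finditer(part))
    return sorted(hits)


def positive_check(query):
    """Return parameters that are unknown or whose value is not allowlisted."""
    rejected = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        rule = ALLOWED.get(name)
        if rule is None or not rule.fullmatch(value):
            rejected.append(name)
    return rejected


# Constructed sample query strings, not captured traffic.
SAMPLES = [
    "id=42&q=garden+chairs",                   # legitimate request
    "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E",   # script tag: both rules fire
    "q=%22%3Balert(1)%2F%2F",                  # inserted JS, no listed keyword
    "id=42&debug=1",                           # parameter not in the policy
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "| negative:", negative_check(sample),
              "| positive:", positive_check(sample))
```

The third sample is the case the post warns about: plain inserted JS code contains none of the listed keywords, so the keyword rule stays silent while the allowlist still rejects the value.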