I’m often asked if the ISA Firewall can help block cross-site scripting attacks. Blocking these types of attacks can be challenging, because when you configure a security device to help protect you against them, you run the risk of blocking access to legitimate sites. That said, you can use the ISA Firewall to help block cross-site scripting attacks and then monitor the effect your changes have on legitimate Web site access.
What you need to do is block keywords commonly used in cross-site scripting attacks. You can do this with the HTTP Security Filter included with the ISA Firewall. Examples of the keywords include:
ActiveXObject
applet
cookie
CopyFile
copyparentfolder
CreateObject
CreateTextRange
DeleteFile
DriveType
EMBED
FileExist
GetFile
GetFolder
GetParentFolder
GetSpecialFolder
javascript
livescript
mocha
object
OnAbort
OnBlur
OnChange
OnClick
OnDragDrop
OnFocus
OnKeyDown
OnKeyPress
OnKeyUp
OnLoad
OnMouseDown
OnMouseMove
OnMouseOut
OnMouseOver
OnMouseUp
OnMove
OnResize
OnSelect
OnSubmit
OnUnload
OpenAsTextStream
OpenTextFile
RegWrite
Replace
SCRIPT
vbscript
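The effect on legitimate access can be estimated before the signatures go live. The following is an added example, not code from the original post or from ISA Server: it replays request URLs against a subset of the list above and reports which keywords would block known-legitimate requests. The sample URLs are constructed, and case-insensitive substring matching on the decoded URL is an assumption, not a description of how the HTTP Security Filter matches.

```python
from collections import Counter
from urllib.parse import unquote_plus

# Subset of the keyword list from the post.
KEYWORDS = ["ActiveXObject", "cookie", "javascript", "mocha", "object",
            "OnClick", "OnLoad", "OnMouseOver", "Replace", "SCRIPT", "vbscript"]

# Constructed sample request URLs, labelled by hand: True = known-legitimate.
SAMPLE_REQUESTS = [
    ("/search?q=%3Cscript%3Ealert(1)%3C/script%3E", False),
    ("/profile?name=%3Cimg+src=x+onload=alert(1)%3E", False),
    ("/recipes/chocolate-cookies.html", True),
    ("/menu/mocha-latte", True),
    ("/parts/replacement-filters?sort=price", True),
    ("/docs/project-objectives.pdf", True),
    ("/news/2006/index.html", True),
]

def matched_keywords(url, keywords=KEYWORDS):
    """Return the keywords found in the decoded URL (case-insensitive substring)."""
    text = unquote_plus(url).lower()
    return [k for k in keywords if k.lower() in text]

def audit(requests, keywords=KEYWORDS):
    """Replay requests against the list; count blocks and false positives per keyword."""
    blocked, false_positives = [], Counter()
    for url, legitimate in requests:
        hits = matched_keywords(url, keywords)
        if hits:
            blocked.append(url)
            if legitimate:
                false_positives.update(hits)
    return blocked, false_positives

if __name__ == "__main__":
    blocked, fps = audit(SAMPLE_REQUESTS)
    print(f"{len(blocked)} of {len(SAMPLE_REQUESTS)} sample requests would be blocked")
    for keyword, count in fps.most_common():
        print(f"  {keyword!r} matched {count} legitimate request(s)")
```

Replacing SAMPLE_REQUESTS with URLs taken from your own proxy logs shows which keywords are too broad for your traffic before you add them to a rule.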
For more information on using the ISA Firewall to block Cross Site Scripting attacks, check out:
http://www.microsoft.com/technet/isa/2006/http_fil…
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP — Microsoft Firewalls (ISA)