SOC166 - Javascript Code Detected in Requested URL (XSS Scanning Attempt)
by
Summary
This investigation began with a SOC166 - Javascript Code Detected in Requested URL alert.
Initial analysis showed an external IP attempting to inject multiple JavaScript payloads into the /search endpoint of a web server.
Further log analysis across web logs, server logs, network logs, and CLI activity confirmed that the attack was unsuccessful and no compromise occurred.
The activity was identified as an automated reflected XSS scanning attempt.
Alert Overview
- Event ID: 116
- Rule: SOC166 - Javascript Code Detected in Requested URL
- Severity: Medium
- Hostname: WebServer1002
- Destination IP: 172.16.17.17
- Source IP: 112.85.42.13
- HTTP Method: GET
- Device Action: Allowed
Initial Suspicious Request
The alert was triggered by the following request:
`https://172.16.17.17/search/?q=<script>javascript:alert(1)</script>`
This indicates an attempt to inject JavaScript into the search parameter.
Investigation Steps
1. Reviewed Web Logs
Filtered the web logs by source IP 112.85.42.13.
Multiple payload variations were observed targeting the /search endpoint.
2. Observed Payload Variations
The attacker tested several XSS techniques:
- Script tag injection: `/search/?q=<script>javascript:alert(1)</script>`
- Image event handler injection: `/search/?q=<img src=0=q onerror=prompt(8)>`
- SVG + script injection: `/search/?q=<svg><script>alert(1)`
- Obfuscated dynamic execution: `/search/?q=<script>for(i in(self))eval(i)(i)</script>`
- Simple JavaScript execution test: `/search/?q=prompt(8)`
3. HTTP Response Comparison
| Request Category | HTTP Status | Response Size (Bytes) | Interpretation |
|---|---|---|---|
| Normal Homepage | 200 OK | 885 | Legitimate page served successfully |
| About Page | 200 OK | 3531 | Legitimate content delivered normally |
| XSS Payload Attempts | 302 Redirect | 0 | Malicious input redirected / blocked |
All malicious payload attempts returned:
- HTTP Status: 302 (Redirect)
- Response Size: 0 bytes
This strongly indicates:
- The application redirected malicious input
- The payload was not reflected
- No JavaScript was executed
4. Server Log Review
- Checked application logs
- Checked server-side logs
- Checked CLI activity
No evidence of:
- Code execution
- File modification
- Unauthorized commands
- Persistence mechanisms
5. Network Log Review
- No outbound suspicious connections
- No callback traffic
- No C2 communication observed
6. Email Review
- No campaign emails related to this activity
- No internal user interaction involved
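As an added example (not part of the original write-up), the following Python script reproduces steps 1 to 3 over constructed access-log lines: it parses each line, flags URLs that carry JavaScript indicators (the condition the SOC166 rule fires on), groups hits by source IP, and uses the status/size pair to separate redirected attempts from 200 responses whose body would need inspection for a reflected payload. The log format, the indicator patterns and the sample lines are assumptions made for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not taken from the original alert.
SAMPLE_LOG = """\
112.85.42.13 - - [10/Mar/2024:10:01:02 +0000] "GET /search/?q=%3Cscript%3Ejavascript:alert(1)%3C/script%3E HTTP/1.1" 302 0
112.85.42.13 - - [10/Mar/2024:10:01:03 +0000] "GET /search/?q=%3Cimg%20src=0=q%20onerror=prompt(8)%3E HTTP/1.1" 302 0
112.85.42.13 - - [10/Mar/2024:10:01:04 +0000] "GET /search/?q=prompt(8) HTTP/1.1" 302 0
10.0.0.5 - - [10/Mar/2024:10:02:00 +0000] "GET / HTTP/1.1" 200 885
10.0.0.5 - - [10/Mar/2024:10:02:01 +0000] "GET /about HTTP/1.1" 200 3531
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
                    r'(?P<status>\d{3}) (?P<size>\d+)')

# JavaScript indicators checked after percent-decoding; this is the condition the rule fires on.
JS_PATTERNS = [re.compile(p, re.I) for p in (
    r"<\s*script", r"<\s*(img|svg)\b", r"\bon(error|load|click|mouseover)\s*=",
    r"\b(alert|prompt|confirm|eval)\s*\(", r"javascript:")]

REDIRECTS = {301, 302, 303, 307, 308}

def js_in_url(url):
    """True when the percent-decoded URL contains any JavaScript indicator."""
    return any(p.search(unquote(url)) for p in JS_PATTERNS)

def classify(status, size):
    """Use status and body size to decide whether a payload could have been reflected."""
    if status in REDIRECTS and size == 0:
        return "redirected, not reflected"
    if status == 200 and size > 0:
        return "served; inspect response body for the reflected payload"
    return "other; review manually"

def triage(log_text):
    """Group JS-bearing requests per source IP and count those that may have been reflected."""
    report = defaultdict(lambda: {"attempts": 0, "reflection_candidates": 0, "requests": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not js_in_url(m["url"]):
            continue  # not parseable, or no JavaScript in the URL: outside this rule's scope
        verdict = classify(int(m["status"]), int(m["size"]))
        entry = report[m["ip"]]
        entry["attempts"] += 1
        entry["reflection_candidates"] += verdict.startswith("served")
        entry["requests"].append((unquote(m["url"]), int(m["status"]), verdict))
    return dict(report)
```

Running `triage(SAMPLE_LOG)` reports three attempts from 112.85.42.13, all redirected with an empty body, and nothing for the legitimate client.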
Attack Classification
This activity is classified as:
Reflected Cross-Site Scripting (XSS) Scanning Attempt
The attacker used:
- Script tag injection
- Event handler injection
- SVG-based injection
- Obfuscation techniques using dynamic eval() execution
The behavior strongly resembles:
- Automated vulnerability scanning
- Filter evasion testing
- Web application reconnaissance
Was the Attack Successful?
No.
Reasons:
- All malicious payloads returned HTTP 302
- Response size was 0 bytes
- No HTTP 200 response containing injected code
- No evidence of script execution
- No system compromise indicators
- No persistence or lateral movement detected
Artifacts Identified
Source IP
- 112.85.42.13
- External public IP
- Conducted multiple XSS payload attempts
Target Server
- WebServer1002
- 172.16.17.17
- HTTPS (Port 443)
Malicious Endpoints
- `/search/?q=<script>...`
- `/search/?q=<img ... onerror=...>`
- `/search/?q=<svg>...`
- `/search/?q=eval(...)`
MITRE ATT&CK Mapping
- T1595 - Active Scanning
- T1189 - Drive-by Compromise (Attempted)
- Reconnaissance Phase
Final Verdict
| Assessment Category | Determination |
|---|---|
| Attack Type | Reflected Cross-Site Scripting (XSS) |
| Activity Nature | Automated Web Application Scanning |
| Source Classification | External Public IP |
| Exploitation Status | Unsuccessful |
| Payload Execution | Not Observed |
| Host Compromise | No Evidence Detected |
| Alert Classification | True Positive |
| Overall Incident Severity | Medium (Reconnaissance / Attempt Only) |
Conclusion
The alert was a legitimate detection of malicious JavaScript injection attempts. However, the application successfully prevented exploitation by redirecting malicious requests.
The activity is classified as a True Positive - Unsuccessful XSS Scanning Attempt.
No compromise occurred.
Recommendations
- Continue monitoring repeated attempts from source IP 112.85.42.13
- Ensure proper input validation and output encoding
- Implement or fine-tune WAF rules
- Log and alert on repeated scanning patterns
This case demonstrates how proper log correlation across web, server, network, and email sources helps determine whether an alert represents an actual compromise or merely reconnaissance activity.