Rule Category

SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web based applications on servers.

Alert Message

SERVER-WEBAPP Cisco ASA cross site scripting attempt

Rule Explanation

This rule is looking for cross-site scripting against a Cisco ASA.

What To Look For

This rule alerts on initial exploit traffic.

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic: Execution

Technique: Exploitation for Client Execution

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

CVE

Additional Links

Rule Vulnerability

Cross Site Scripting (XSS)

Cross Site Scripting (XSS) attackers send malicious input to a site that does not validate the input, usually in the form of a script. The application sends the malicious code to the browsers of other users, which will execute the script unknowingly. The malicious code uses the trust of the host website to access cookies, session tokens, or other sensitive information. There are multiple types of XSS, including Stored, Reflected, and DOM based.

CVE Additional Information

CVE-2020-3580
Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information. Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section.
Details
Severity Base Score6.1
Impact Score2.7 Exploit Score2.8
Confidentiality ImpactLOW Integrity ImpactLOW
Availability ImpactNONE Attack VectorNETWORK
ScopeCHANGED User InteractionREQUIRED
Authentication Ease of AccessLOW
Privileges RequiredNONE