This node requires a normalization context in order to work which must be provided by a Normalization node placed higher in the Workflow.
When the XSS Engine detects an attack, it creates a Security Event, which is added to the table http.request.security.events. A security event is divided into two parts: information about the request, and a set of Security Tokens (see Security Logs).
Attacks detected by the engine can be logged using the Log Alert node.
Display name: name of the node displayed in the Workflow. Replaces the default name "Adv. Detection Engine - XSS".
Normalization attribute: Normalization profile containing the decoding rules applied to the request. For more details, see Normalization Engine.
Path: defines if the engine must check the path of the request (from attribute http.request.path).
Headers: defines if the engine must check the headers of the request (from attribute http.request.headers).
Cookies: defines if the engine must check the cookies of the request (from attribute http.request.cookies).
GET Vars: defines if the engine must check the query vars of the request (from attribute http.request.query.vars).
POST Vars: defines if the engine must check the body vars of the request (from attribute http.request.body.vars).
Since the engine is based on whitelists and blacklists of HTML tags and attributes, its behavior can also be adjusted:
Block Script events: blacklists event attributes such as 'onclick', 'onload', 'onmouseover' ...
Block HTML4 Tags: blacklists some HTML tags known as potential threats, such as '<script>' or '<frame>' ...
Block HTML5 Tags: blacklists some HTML 5 tags known as potential threats, such as '<embed>' or '<param>' ...
http.request.security.events: Workflow Internal Attribute containing information about detected security events. When an attack is detected by the engine, an event is created and added to this attribute. It allows exceptions to be managed with the Security Exception Management node and events to be logged through the Log Alert node.
xss.request.blocked: boolean set to true if at least one attack has been found in the request.
Basic filtering Workflow
The first node "Normalization Engine" is used to normalize the request. The node provides a normalized context of the incoming request that will be used by the "Adv. Detection Engine - XSS" node.
The "Adv. Detection Engine - XSS" node checks the request and returns the result in the attributes listed above. If an attack is detected, an event is created and added to the http.request.security.events table attribute, and the xss.request.blocked attribute is set to "true".
A condition on the xss.request.blocked attribute decides whether the request must be blocked:
- If it equals "true" (an attack was detected), the "Log Alert" node writes the events from the http.request.security.events table to the database. The request is then blocked with HTTP code 403.
- If it equals "false" (no attack was detected), the request is sent to the backend server.
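As an added illustration (not the product's own code), the following Python models the basic filtering workflow end to end: a normalization step, the XSS engine filling http.request.security.events and xss.request.blocked from the request parts the node can check, and the final condition. The tag and event-attribute blacklists and the request dictionary layout are assumptions made for the example.

```python
import html
import re
from urllib.parse import unquote
# Constructed model of the page's workflow, not the product's own code; the
# blacklists are illustrative, the real engine's lists are not on the page.
HTML4_TAGS = {"script", "frame", "iframe", "object"}
HTML5_TAGS = {"embed", "param", "video", "audio"}
EVENT_ATTR = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)  # onclick=, onload=, ...
TAG = re.compile(r"<\s*/?\s*([a-z][a-z0-9]*)", re.IGNORECASE)

def normalize(value):
    """Normalization node: undo URL and HTML-entity encoding (two passes catch double encoding)."""
    for _ in range(2):
        value = html.unescape(unquote(value))
    return value

def xss_engine(request, block_events=True, block_html4=True, block_html5=True):
    """Adv. Detection Engine - XSS: scan the selected parts of the request, fill
    http.request.security.events and set xss.request.blocked."""
    events = []
    parts = {  # attribute name -> values to check, as in the node's options
        "http.request.path": [request.get("path", "")],
        "http.request.headers": request.get("headers", {}).values(),
        "http.request.cookies": request.get("cookies", {}).values(),
        "http.request.query.vars": request.get("query", {}).values(),
        "http.request.body.vars": request.get("body", {}).values(),
    }
    for part, values in parts.items():
        for raw in values:
            value = normalize(raw)
            tags = {m.group(1).lower() for m in TAG.finditer(value)}
            tokens = []  # security tokens of this event
            if block_html4:
                tokens += sorted(tags & HTML4_TAGS)
            if block_html5:
                tokens += sorted(tags & HTML5_TAGS)
            if block_events and EVENT_ATTR.search(value):
                tokens.append("event-attribute")
            if tokens:  # one security event: request information + tokens
                events.append({"part": part, "value": raw, "tokens": tokens})
    request["http.request.security.events"] = events
    request["xss.request.blocked"] = bool(events)
    return request

def workflow(request):
    """Condition node: 403 plus the events for Log Alert when blocked, else forward."""
    xss_engine(request)
    if request["xss.request.blocked"]:
        return 403, request["http.request.security.events"]
    return 200, []  # request goes to the backend server
```

Disabling one of the three Block options in xss_engine reproduces the corresponding node setting, so the same request can be replayed against different configurations.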