
Using the ISA Firewall to Block Cross-Site Scripting Attacks

I’m often asked whether the ISA Firewall can help block cross-site scripting (XSS) attacks. Blocking these attacks at a network device is challenging: a filter tight enough to stop the attack also risks blocking access to legitimate sites. With that said, you can use the ISA Firewall to help block cross-site scripting attacks, provided you then monitor the effect your changes have on legitimate Web site access and tune the rules accordingly.

What you need to do is block keywords commonly used in cross-site scripting attacks. You can do this with the HTTP Security Filter included with the ISA Firewall: add each keyword as a signature and apply it to the request elements you want inspected (the request URL and the request body are the usual targets). Keep in mind that a plain keyword filter is only as good as its matching: an attacker can vary letter case or percent-encode characters, and generic words in the list (cookie, object, Replace) appear in plenty of legitimate URLs and form posts, so expect false positives and review the logs after enabling the signatures. Examples of the keywords include:

ActiveXObject
applet
cookie
CopyFile
copyparentfolder
CreateObject
CreateTextRange
DeleteFile
DriveType
EMBED
FileExist
GetFile
GetFolder
GetParentFolder
GetSpecialFolder
javascript
livescript
mocha
object
OnAbort
OnBlur
OnChange
OnClick
OnDragDrop
OnFocus
OnKeyDown
OnKeyPress
OnKeyUp
OnLoad
OnMouseDown
OnMouseMove
OnMouseOut
OnMouseOver
OnMouseUp
OnMove
OnResize
OnSelect
OnSubmit
OnUnload
OpenAsTextStream
OpenTextFile
RegWrite
Replace
SCRIPT
vbscript
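To see what a keyword blocklist like the one above actually catches and what it wrongly catches, here is an added example that reproduces the matching logic in Python and runs it over a few constructed requests. This is not ISA Server code and not the author's configuration: the HTTP Security Filter is configured in the ISA management console, and whether it normalizes letter case and percent-encoding before comparing a signature is not stated on this page, so the script treats both as explicit assumptions (case-insensitive compare, bounded repeated URL-decoding) so you can see how much difference each makes. The sample URLs and form body are constructed for the demonstration.

```python
"""Keyword-signature request filter modelled on the XSS keyword list above.

Added illustration, not ISA Server code.  It searches the request URL and
request body (the elements you would normally attach these signatures to)
and reports which keywords hit, so that true hits, encoding misses and
false positives can be compared side by side.
"""
from urllib.parse import unquote

# The keyword list from the post, lowercased so the compare can be
# case-insensitive (assumption: ISA's own case handling is not given here).
XSS_KEYWORDS = [
    "activexobject", "applet", "cookie", "copyfile", "copyparentfolder",
    "createobject", "createtextrange", "deletefile", "drivetype", "embed",
    "fileexist", "getfile", "getfolder", "getparentfolder", "getspecialfolder",
    "javascript", "livescript", "mocha", "object", "onabort", "onblur",
    "onchange", "onclick", "ondragdrop", "onfocus", "onkeydown", "onkeypress",
    "onkeyup", "onload", "onmousedown", "onmousemove", "onmouseout",
    "onmouseover", "onmouseup", "onmove", "onresize", "onselect", "onsubmit",
    "onunload", "openastextstream", "opentextfile", "regwrite", "replace",
    "script", "vbscript",
]


def normalize(text: str, decode_rounds: int = 3) -> str:
    """Percent-decode until the text stops changing (bounded by decode_rounds)
    and lowercase it, so that %3C%73cript%3E, %253C%2573cript%253E and
    <SCRIPT> all compare equal to <script>.  decode_rounds=1 models a filter
    that decodes the URL only once; 0 models one that matches raw bytes."""
    for _ in range(decode_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text.lower()


def find_keywords(url: str, body: str = "", decode_rounds: int = 3) -> list:
    """Return every blocklist keyword found in the request URL or body,
    in blocklist order.  Headers are deliberately not searched here."""
    haystack = normalize(url, decode_rounds) + "\n" + normalize(body, decode_rounds)
    return [kw for kw in XSS_KEYWORDS if kw in haystack]


def should_block(url: str, body: str = "", decode_rounds: int = 3) -> bool:
    """Block when any signature matches, which is how a keyword rule behaves."""
    return bool(find_keywords(url, body, decode_rounds))


# Constructed sample requests: (label, URL, body).
SAMPLE_REQUESTS = [
    ("reflected XSS probe",
     "/search?q=<SCRIPT>alert(document.cookie)</SCRIPT>", ""),
    ("probe with letters percent-encoded (%73 = 's')",
     "/search?q=%3C%73cript%3E", ""),
    ("same probe double-encoded",
     "/search?q=%253C%2573cript%253E", ""),
    ("legitimate catalog page (false positive)",
     "/catalog/object-storage/replace-parts", ""),
    ("legitimate profile form post (false positive)",
     "/profile", "display_name=Ann&bio=I+like+mocha"),
    ("ordinary page (no hit)", "/index.html", ""),
]


def main() -> None:
    """Print, for each sample, what a raw match, a single-decode match and a
    fully normalized match would each have caught."""
    for label, url, body in SAMPLE_REQUESTS:
        raw = find_keywords(url, body, decode_rounds=0)
        once = find_keywords(url, body, decode_rounds=1)
        full = find_keywords(url, body)
        print(f"{label}\n  URL: {url}\n  raw={raw} decode_once={once} full={full}")


if __name__ == "__main__":
    main()
```

Two things to take from running it: the percent-encoded probe is missed by a raw substring match and the double-encoded one is missed by a single decode, so confirm how your filter decodes before trusting a keyword rule; and the two legitimate requests are blocked outright because object, Replace and mocha are ordinary words. That second point is why the post tells you to monitor legitimate site access after turning these signatures on.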

For more information on using the ISA Firewall to block cross-site scripting attacks, check out:

http://www.microsoft.com/technet/isa/2006/http_fil…

HTH,

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org

Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7

Email: tshinder@isaserver.org

MVP — Microsoft Firewalls (ISA)

One Response to “Using the ISA Firewall to Block Cross-Site Scripting Attacks”

  1. Zohaib Ashraf Says:

    October 13th, 2006 at 7:03 pm

    nothing.
