You have probably noticed that Microsoft released a generic Exploit-based signature for cross-site scripting attacks last year (btw, I wrote about it as well, see http://blogs.ecreation.ch/2010/05/02/tmgs-network-inspection-system-nis-helps-to-protect-against-sql-injection-and-cross-site-scripting/).
Now, based on a specific customer project, I did some research about this generic Exploit-based signature and found the following blog article by Adrian F. Dimcev: http://carbonwind.net/Forefront_TMG/NIS_XSS_Sig/NIS_XSS_Sig.htm.
It is a really great article with very detailed information about the capabilities and limitations of the generic detection approach, but it is NOT up-to-date!!!
What does "not up-to-date" mean? First of all, Microsoft changed the name and type of the signature. It is no longer an Exploit-based signature but a Policy-based one, according to the signature types described on http://blogs.technet.com/b/isablog/archive/2010/11/30/nis-signature-types-or-why-some-signatures-are-disabled-by-default.aspx:
1. Vulnerability-based: These signatures will detect most variants of exploits against a given vulnerability.
2. Exploit-based: These signatures will detect a specific exploit of a given vulnerability.
3. Policy-based: These signatures are generally used for auditing purposes and are developed when neither a vulnerability-based nor an exploit-based signature can be written.
Therefore the new name of that signature is Plcy:Win/HTTP.URL.XSS!0000-0000, and it is disabled out of the box (more details can be found on http://www.microsoft.com/security/portal/Threat/Encyclopedia/NIS.aspx?threat=Plcy-Win-HTTP-URL-XSS-0000-0000).
Secondly, and more importantly, Microsoft has updated the signature to support canonicalization (called encoded requests in Adrian's blog). Thanks to that improvement, TMG NIS is now able to detect such requests. Let's look at an example:
Figure 1: Forefront TMG 2010 NIS Logs: XSS detected
As you can see in Figure 1 above, NIS is able to detect an encoded XSS attack. The same result holds for a double-encoded request:
Figure 2: Forefront TMG 2010 NIS Logs: XSS detected
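To illustrate why the canonicalization support shown in Figures 1 and 2 matters, here is an added example (my own Python, not TMG code and not from Adrian's article): a single-pass percent-decode matches the plain and singly encoded requests but misses the double-encoded one, while repeated decoding to a fixed point catches all three. The request lines and the match patterns are constructed for the demo.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines (assumption: GET paths with a query string);
# these are not taken from TMG logs.
SAMPLES = {
    "plain":   "/search?q=<script>alert(1)</script>",
    "encoded": "/search?q=%3Cscript%3Ealert(1)%3C/script%3E",
    "double":  "/search?q=%253Cscript%253Ealert(1)%253C/script%253E",
    "benign":  "/search?q=100%25+cotton+shirts",
}

# Minimal constructed patterns standing in for a policy signature's content checks.
XSS_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"<\s*script",        # opening script tag
    r"javascript\s*:",    # javascript: URI scheme
    r"on[a-z]+\s*=",      # inline event handler attribute, e.g. onerror=
)]


def canonicalize(url: str, max_rounds: int = 5) -> str:
    """Percent-decode repeatedly until the string stops changing.

    One unquote() pass is what a naive check does; looping until a fixed
    point is the canonicalization step needed to see double-encoded input.
    max_rounds bounds the work so a long chain of encodings cannot stall us.
    """
    current = url
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def matches_xss(url: str, rounds: int) -> bool:
    """True if any pattern matches after `rounds` decode passes."""
    text = canonicalize(url, max_rounds=rounds)
    return any(p.search(text) for p in XSS_PATTERNS)


def classify(samples=SAMPLES):
    """Return {name: (single_pass_hit, canonical_hit)} for each sample."""
    return {name: (matches_xss(u, rounds=1), matches_xss(u, rounds=5))
            for name, u in samples.items()}
```

The "double" entry is the case the old signature missed: only the fixed-point decode reveals the tag, while the benign "100%" query stays clean under both.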