My website is throwing up large batches of "Broken link" messages. I assume I'm being probed for a specific vulnerability.
I want to know what the perp is looking for, how they hope it will work, is it coming directly, or from an unwitting victim... all that kind of thing. Anything at all you might be able to tell me about it.
One concern is that there is a spot on the site where users can enter their own HTML which is then presented by our webserver; could this be related to that?
There is about two dozen variations of these:
Referrer: http://210.11.22.33/<script>cross_site_scripting.nasl</script>.jspa
Requested URL: /<script>cross_site_scripting.nasl</script>.jspa
Referrer: http://210.11.22.33/<IMG%20SRC="javascript:alert(cross_site_scripting.nasl);">.jspa
Requested URL: /<IMG SRC="javascript:alert(cross_site_scripting.nasl);">.jspa
Referrer: http://210.11.22.33/<meta%20http-equiv=Set-Cookie%20content=%22testbvny=9424%22>
Requested URL: /<meta http-equiv=Set-Cookie content="testbvny=9424">
Referrer: http://210.11.22.33/<IMG%20SRC="javascript:alert(cross_site_scripting.nasl);">.idc
Requested URL: /<IMG SRC="javascript:alert(cross_site_scripting.nasl);">.idc
Based upon the URI's requested, this is not related to that.
The attacker appears to be probing your 404 doc to see if he can execute an XSS attack - if you saw this activity on your "return HTML to visitor" URI then you would want to start there, but in this case it doesn't appear as though a valid URI is the target.
Ensure that your 404 page escapes whatever URI is provided and does not allow unescaped HTML through, then take a look at securing your HTML feature if you have not done so already (i.e. by requiring a one-time-use token be posted whenever the feature is used).