views:

77

answers:

3

Does anyone know of any script injection scanners that are able to detect if your website has been compromised (i.e. javascript that has been injected that should just not be there)?

+1  A: 

You can't, because a bad script will always be able to rewrite/neutralize your scanner function when it arrives in the browser.
And your server doesn't have any control over what happens in your page anymore.

There is a simple way to protect your page from injection: place all the untrusted content in an iframe pointing to a different subdomain or port on your server.
You get the Same Origin Policy, which sandboxes the iframe and prevents access to the resources of the parent page.

Then you may want to communicate safely between the iframes and the main page.
If you target modern browsers or mobiles, you can use window.postMessage to send string messages.
For older browsers there are some tricks; here is a blog post with a solution

This does not protect you against cross-site scripting, but that is another issue, which you can solve with a secret token in the parent page.

Mic
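The postMessage exchange described in the answer above, as an added example (not code from the original answer): the parent page listens for messages from the untrusted iframe but checks event.origin against the one origin it expects, accepts only a fixed set of message types, and pins the target origin when it sends. The two origins https://www.example.com and https://untrusted.example.com, the "render" and "resize" message types, and the fake window object that lets it run under Node instead of a browser are all assumptions for illustration.

```javascript
'use strict';

// Added example: both sides of a window.postMessage exchange between a
// trusted parent page and an iframe holding untrusted content on its own
// origin. The two origins below are assumptions for illustration.
const PARENT_ORIGIN = 'https://www.example.com';
const FRAME_ORIGIN = 'https://untrusted.example.com';

// Build a "message" event handler that accepts messages only from one
// expected origin and only for a fixed set of message types. Anything
// else is dropped and counted; it is never executed or put into the DOM.
function makeMessageHandler(expectedOrigin, handlers) {
  const stats = { accepted: 0, rejected: 0 };
  function onMessage(event) {
    // event.origin is filled in by the browser; the sender cannot forge it.
    if (event.origin !== expectedOrigin) { stats.rejected++; return null; }
    let msg;
    try { msg = JSON.parse(String(event.data)); } catch (e) { stats.rejected++; return null; }
    // hasOwnProperty.call keeps "__proto__" / "constructor" from matching a handler.
    if (!msg || typeof msg.type !== 'string' ||
        !Object.prototype.hasOwnProperty.call(handlers, msg.type)) {
      stats.rejected++; return null;
    }
    stats.accepted++;
    return handlers[msg.type](msg.payload);
  }
  return { onMessage, stats };
}

// Send to another window with the target origin pinned: if the frame has
// been navigated somewhere else, the browser discards the message instead
// of delivering it to whatever now lives there. Never pass '*' here.
function sendMessage(targetWindow, targetOrigin, type, payload) {
  targetWindow.postMessage(JSON.stringify({ type, payload }), targetOrigin);
}

// Parent side: the only request the untrusted frame may make is a resize,
// and even that is clamped so the frame cannot grow over the whole page.
function makeParent() {
  const state = { frameHeight: 0 };
  const handlers = {
    resize: (payload) => {
      const h = Number(payload && payload.height);
      if (Number.isFinite(h)) state.frameHeight = Math.min(Math.max(0, Math.floor(h)), 2000);
      return state.frameHeight;
    },
  };
  return { state, ...makeMessageHandler(FRAME_ORIGIN, handlers) };
}

// Frame side: accepts only a "render" message from the parent and records
// the text it was told to show (a real frame would set textContent here).
function makeFrame() {
  const state = { shown: '' };
  const handlers = {
    render: (payload) => { state.shown = String(payload && payload.text); return state.shown; },
  };
  return { state, ...makeMessageHandler(PARENT_ORIGIN, handlers) };
}

// Run the exchange with constructed events instead of real windows so it
// works under Node. In a page you would wire it up as:
//   window.addEventListener('message', parent.onMessage);
//   sendMessage(frameEl.contentWindow, FRAME_ORIGIN, 'render', { text: ... });
function simulateExchange() {
  const parent = makeParent();
  const frame = makeFrame();
  const sent = [];
  const fakeFrameWindow = { postMessage: (data, origin) => sent.push({ data, origin }) };

  sendMessage(fakeFrameWindow, FRAME_ORIGIN, 'render', { text: 'hello' });
  // Deliver what was "sent" to the frame, with the origin the browser would attach.
  frame.onMessage({ origin: PARENT_ORIGIN, data: sent[0].data });

  const ev = (origin, type, payload) => ({ origin, data: JSON.stringify({ type, payload }) });
  parent.onMessage(ev(FRAME_ORIGIN, 'resize', { height: 400 }));          // accepted
  parent.onMessage(ev(FRAME_ORIGIN, 'eval', 'alert(1)'));                 // unknown type: dropped
  parent.onMessage(ev('https://evil.example', 'resize', { height: 10 }));  // wrong origin: dropped
  parent.onMessage(ev(FRAME_ORIGIN, 'resize', { height: 99999 }));        // accepted, clamped to 2000
  parent.onMessage({ origin: FRAME_ORIGIN, data: 'not json' });           // unparsable: dropped

  return { sent, frameHeight: parent.state.frameHeight, shown: frame.state.shown,
           parentStats: parent.stats, frameStats: frame.stats };
}

console.log(simulateExchange());
```

The two checks that matter are the `event.origin` comparison on receipt and the explicit target origin on send; the fixed handler table and the clamp are there because the content of the message is still attacker-controlled even when the origin is right.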
+1  A: 

It is difficult: you need to test every URL of your application and check if specific patterns are present in the reply (and it is very difficult to have a good algorithm which can understand which JavaScript is good and which is bad, or you need to configure this scanner, which can be long and tricky).

There is a realtime open source solution called mod_security on the server side. It is a web application firewall: it can detect specific patterns in requests and/or responses. It works on Apache as a module. This is mainly a production solution and does not detect injection during development. Furthermore, you need some experience to tune it (what is good and wrong in the data exchanges with your clients), which can be tricky, and it does not protect against new attacks or more intelligent attacks (re-encoding characters, for instance).

By the way, another solution is to use Content Security Policy, but it is not available in all browsers (well, in none at the present time; wait for Firefox 4 ;-).

Kartoch
A: 

The StopBadware group offers a free scanning service. Google and Mozilla rely on this service for their "this site may harm your computer" warnings.

The scanning service is available here: http://www.stopbadware.org/home/reportsearch

Details on protecting your website are here: http://www.stopbadware.org/home/security

Ben Walther