FullStory examines the patterns of text input on your site to identify values that appear to be a SQL injection or cross-site scripting (XSS) attack instead of expected user text input. We then tag these sessions as containing "suspicious activity". Running a search for these tagged sessions allows you to monitor your site for possible attacks and raise security awareness within your team.
NOTE: FullStory is NOT stopping attacks on your site nor promising 100% identification for all activity. The Suspicious Activity filter is provided as a way for you to find possible attacks within your user sessions and view the user's attack attempt so that you can follow up with your security team to close out vulnerabilities.
FullStory will bubble up a Highlight when Suspicious Activity passes a "normalcy" threshold. This will be determined by a sudden spike in sessions tagged as suspicious or a general increase in activity over time.
Use the FullStory Search UI to find sessions with suspected Suspicious Activity.
Your options are:
Once you've surfaced sessions with suspicious activity, you can jump into the playback to see what is going on.
For URL attacks, you can see the URL anomaly at the top of the screen. For both URL and text input anomalies, click into the event on the events bar to see a full display of the URL or Text in question:
If you're not getting any results in the Suspicious Activity search, congratulations! We haven't found any potential exploits. We recommend you keep an eye on the search weekly or monthly to ensure suspicious activity stays low.
These two cases may also result in false positives:
FullStory identifies patterns within text input or URL parameters that appear to contain SQL commands rather than expected text input or URLs. We then tag those sessions so that you can later search on them later to find sessions with possible SQL injection attacks.
SQL injection attacks are an attempt to find vulnerabilities within your code that allow user input fields or URL parameters to access your backend database. With the assumption that your backend database is SQL (or SQL-like) and that you run queries that contain user input, unsavory characters may try to find input fields where they can subvert the query and feed arbitrary SQL into your database. A successful SQL injection exploit can allow the user to read sensitive data from the database, modify data (Insert/Update/Delete) or execute administration operations on the database. (Read more specifics on SQL injection attacks here)
FullStory identifies patterns within text input or URL parameters that appear to contain scripting commands rather than expected text input or URLs. We then tag those sessions so that you can later search on them later to find sessions with possible cross-scripting attacks.
XSS attacks are attempting to inject malicious <script> tags into your page. These attacks are targeted toward an input from a user that generates a dependent output. For example, when a site asks you to input your name and then uses that input to generate a custom message like, "Hello Jaclyn!". A successful XSS attack can embed a browser side script within the "Hello Jaclyn!" message that can execute on the end user's browser. These malicious scripts may be used to access cookies, tokens, or other sensitive information. (Read more specifics on XSS attacks here)
The FullStory team awaits your every question.Contact Us