FullStory examines the patterns of text input on your site to identify values that appear to be a SQL injection or cross-site scripting (XSS) attack instead of expected user text input. We then tag these sessions as containing "suspicious activity". Running a search for these tagged sessions allows you to monitor your site for possible attacks and raise security awareness within your team.
NOTE: FullStory is NOT stopping attacks on your site nor promising 100% identification for all activity. The Suspicious Activity filter is provided as a way for you to find possible attacks within your user sessions and view the user's attack attempt so that you can follow up with your security team to close out vulnerabilities.
Finding Suspicious Activity Using FullStory
FullStory will bubble up a Helpbot Note when Suspicious Activity passes a "normalcy" threshold. This will be determined by a sudden spike in sessions tagged as suspicious or a general increase in activity over time.
Use the FullStory Search UI to find sessions with suspected Suspicious Activity.
Your options are:
- Suspicious Activity on Anything - Search will return all sessions within the time frame specified that have been tagged as suspicious, including possible attacks using URL parameters or URL hash fragments
- Suspicious Activity Text is exactly [insert text here]: Specify a particular string of text that you believe may have been entered on your site to search for suspicious activities using a changed DOM element with that specific text string
- Suspicious Activity on CSS Selector [insert selector here]: Specify a particular input field by CSS selector to search for suspicious activities using a changed DOM element matching that selector
Once you've surfaced sessions with suspicious activity, you can jump into the playback to see what is going on.
For URL attacks, you can see the URL anomaly at the top of the screen. For both URL and text input anomalies, click into the event on the events bar to see a full display of the URL or Text in question:
Why might Suspicious Activity not work for my site?
If you're not getting any results in the Suspicious Activity search, congratulations! We haven't found any potential exploits. We recommend you keep an eye on the search weekly or monthly to ensure suspicious activity stays low.
These two cases may also result in false positives:
- If you use any of several fuzzing tools to deliberately "attack" your site to test it, FullStory will see that as suspicious activity. But if you do so regularly, it will become part of our "normal" baseline and shouldn't generate Notes.
Types of Activity Detected
FullStory identifies patterns within text input or URL parameters that appear to contain SQL commands rather than expected text input or URLs. We then tag those sessions so that you can later search on them later to find sessions with possible SQL injection attacks.
SQL injection attacks are an attempt to find vulnerabilities within your code that allow user input fields or URL parameters to access your backend database. With the assumption that your backend database is SQL (or SQL-like) and that you run queries that contain user input, unsavory characters may try to find input fields where they can subvert the query and feed arbitrary SQL into your database. A successful SQL injection exploit can allow the user to read sensitive data from the database, modify data (Insert/Update/Delete) or execute administration operations on the database. (Read more specifics on SQL injection attacks here)
Cross-Site Scripting (XSS)
FullStory identifies patterns within text input or URL parameters that appear to contain scripting commands rather than expected text input or URLs. We then tag those sessions so that you can later search on them later to find sessions with possible cross-scripting attacks.
XSS attacks are attempting to inject malicious <script> tags into your page. These attacks are targeted toward an input from a user that generates a dependent output. For example, when a site asks you to input your name and then uses that input to generate a custom message like, "Hello Jaclyn!". A successful XSS attack can embed a browser side script within the "Hello Jaclyn!" message that can execute on the end user's browser. These malicious scripts may be used to access cookies, tokens, or other sensitive information. (Read more specifics on XSS attacks here)