Bots probing for XSS vulnerabilities

I’ve just noticed a large bunch of interesting requests in our logs. Basically they’re looking like this:

• http://somedomain.com/
• http://somedomain.com/mail/?MLS=LN-*;Uid=ea6e667f56e49c5fc52c!1200448126;UDm=1942;MSignal=VerifyAccount-*
• http://somedomain.com/mail/?MLS=http%3A%2F%2Fwww.otherdomain1.com%2path1%2F;Uid=ea6e667f56e49c5fc52c!1200448126;UDm=1942;MSignal=VerifyAccount-*
• http://somedomain.com/mail/?MLS=LN-*;Uid=http%3A%2F%2Fwww.otherdomain2.com%2Fpath1%2Fpath2%2Fpath3%2F;UDm=1942;MSignal=VerifyAccount-*
• http://somedomain.com/mail/?MLS=LN-*;Uid=ea6e667f56e49c5fc52c!1200448126;UDm=1942;MSignal=http%3A%2F%2Fwww.otherdomain3.com%2Fpath1%2Fpath2%2F

Our URL structure is a bit weird, and I’ve sanitized all the URLs to remove the malicious domains, but what’s happening is pretty clear. A bot is going to our home page, and then finding all the URLs on that page. Then it picks a URL and goes to that URL. Then for each parameter in the URL query string, it replaces the value with some a URI encoded domain & path part, and retries the URL again. Obviously it then looks in the generated HTML to see if that domain appears in the output.

Clearly this is some bot scraping through websites looking for any possible XSS attacks on that site.

These requests are coming from many different IPs, so it looks like it’s one of the botnets out there doing this.