Penetration Testing mailing list archives
Re: Cross Site Scripting Vulnerabilities - XSS
From: Bill Pennington <billp () boarder org>
Date: Tue, 06 Aug 2002 08:29:08 -0700
Cross posting to webappsec because I know other people will have comments and suggestions.

I have done more XSS testing than I care to remember. There is no tool that I am aware of that can accurately test for XSS issues in a web application. Some scanners have pretty good tests for web server and application server XSS issues (like request <SCRIPT>alert("foo")</SCRIPT>.jsp and exploit the 404 handler), Nessus and nikto come to mind.

For XSS testing I use a browser and a cheat sheet, a list of XSS strings to inject. My testing goes something like this:

Assuming I am looking at a URL based variable, VAR=

1. Determine if the variable is displayed on the screen. Change VAR=realcontent to VAR=foo. This should generate an error message but it might not. On the resulting page, view source and search for foo. Note, you might want to pick a less common string to make searching easier. If foo is not on the resulting page you can not perform a URL based XSS attack. The data might be stored and displayed later though. Keep an eye out for it :-)

2. See how the application handles "<" and ">". Now change the variable to VAR=<foo>. Again view source on the returned page and look for <foo>. If <foo> is present you most likely have an XSS issue. If you see something like &lt;foo> then the variable is not vulnerable.

3. Now you just need to build an actual bit of client code and see if it gets executed. Change VAR= to VAR=<SCRIPT>alert("XSS");</SCRIPT> When you submit the page you should get a pop-up box that says XSS on your screen. If you do not get the pop-up, view source and find your string and make sure the proper syntax is in place. Some variables get put in strange places and you may need to format your injection string differently. If you are getting the full string returned to the browser without modification it is vulnerable, you just need to figure out the proper format. Most likely you need to close out another tag or a set of quotes before your XSS code is inserted.

The above steps are a bit redundant but they are part of testing the application for all known issues, not just XSS. You could just do step 3 but you might miss a bit of important info along the way. Most automated tools will only catch the simple XSS attacks, the more difficult ones are passed over.

Hope that helps!

On 8/3/02 10:52 PM, "Jason binger" <cisspstudy () yahoo com> wrote:
Has anyone on the list done much with testing for XSS vulnerabilities? Has anyone written a simple work program to test for these vulnerabilities that they are happy to distribute so others can do basic testing for these vulnerabilities? There are a few papers out on this topic, but none that I have seen that really focus on the testing side of things.

Thanks

__________________________________________________
Do You Yahoo!?
Yahoo! Health - Feel better, live better
http://health.yahoo.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
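The three "view source" checks from Bill's reply (is the marker reflected at all, did the application encode `<` and `>`, and did the raw probe land in a text node or inside a quoted attribute) turned into a small classifier, as an added example that is not part of the original thread. It reads a saved response body rather than driving a browser; the marker name, the function and the sample pages are constructed for illustration.

```python
import html
import re

# Constructed sample response bodies, standing in for what "view source" shows
# after submitting VAR=<marker> (steps 1 and 2 of the procedure in the reply).
MARKER = "xq7test"          # an uncommon string is easier to search for than "foo"
PROBE = f"<{MARKER}>"       # i.e. VAR=<xq7test>

SAMPLE_RESPONSES = {
    "not_reflected": "<html><body><p>Item not found.</p></body></html>",
    "encoded":       "<html><body><p>No results for &lt;xq7test&gt;</p></body></html>",
    "raw_text":      "<html><body><p>No results for <xq7test></p></body></html>",
    "raw_attribute": '<html><body><input name="q" value="<xq7test>"></body></html>',
}


def classify_reflection(body: str, marker: str = MARKER) -> dict:
    """Apply the three checks from the post to one response body.

    reflected - step 1: the marker appears somewhere in the page source
    encoded   - step 2: the angle brackets came back as HTML entities
    raw       - the probe came back unmodified, so step 3 is worth doing
    context   - for a raw probe, "text" or "attribute" (quoted attribute value)
    """
    probe = f"<{marker}>"
    result = {"reflected": marker in body, "encoded": False, "raw": False, "context": None}
    if not result["reflected"]:
        return result
    # Step 2: accept the named entity and the common numeric forms as "encoded".
    encoded_forms = (html.escape(probe), f"&#60;{marker}&#62;", f"&#x3c;{marker}&#x3e;")
    if any(form in body for form in encoded_forms) and probe not in body:
        result["encoded"] = True
        return result
    if probe in body:
        result["raw"] = True
        # A raw probe inside a quoted attribute value means, as the reply says,
        # that a set of quotes would have to be closed first: the finding is real
        # but needs different formatting before step 3 will show anything.
        in_attr = re.search(r'=\s*(["\'])[^"\']*' + re.escape(probe), body)
        result["context"] = "attribute" if in_attr else "text"
    return result


if __name__ == "__main__":
    for name, page in SAMPLE_RESPONSES.items():
        print(name, classify_reflection(page))
```

The same function run against the response after a fix gives a quick regression check that output encoding is still in place.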
Current thread:
- Cross Site Scripting Vulnerabilities - XSS Jason binger (Aug 06)
- Re: Cross Site Scripting Vulnerabilities - XSS Chad Loder (Aug 06)
- Re: Cross Site Scripting Vulnerabilities - XSS Bill Pennington (Aug 06)
- Message not available
- Re: Cross Site Scripting Vulnerabilities - XSS Jeremiah Grossman (Aug 07)
- Message not available
- RE: Cross Site Scripting Vulnerabilities - XSS Matt Andreko (Aug 07)
- Re: Cross Site Scripting Vulnerabilities - XSS Bill Pennington (Aug 07)
- Re: Cross Site Scripting Vulnerabilities - XSS Kevin Spett (Aug 09)
- RE: Cross Site Scripting Vulnerabilities - XSS Matt Andreko (Aug 12)
- Re: Cross Site Scripting Vulnerabilities - XSS Kevin Spett (Aug 12)
- <Possible follow-ups>
- RE: Cross Site Scripting Vulnerabilities - XSS Jeremy Junginger (Aug 12)