Secure Coding mailing list archives
Re: Security Test Cases for Testing
From: "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>
Date: Thu, 18 Dec 2003 02:31:00 +0000
Crispin wrote:
Detecting XSS is a different process, which I am less familiar with. Check out various web application, CGI application, etc. vulnerability scanners. Even nessus (a general vulnerability scanner) has some capability here. But I'm a curmudgeon, who thinks that XSS issues are really client-side issues in the form of browser vulnerabilities (IE's lame willingness to execute code) or a problem between the chair and the keyboard (IE users :-)
Imagine a web application vulnerable to XSS. There's really no way for a
browser to tell whether a script is a legit part of that site, or something
injected by an attacker. I'll agree that IE shouldn't allow scripts to
access session cookies, but the web application ain't innocent here. If your
site is accepting scripts in input and sending them back to users, it's
broken.
The simple test for XSS is to find fields that accept input that is later
sent back to users. You'll find them in registration pages, message boards,
transaction forms, error pages, search results, and almost everywhere you
can imagine. We found one in an HTML comment. We even found one in a cookie!
The site sent back an error message that contained the text of the invalid
cookie. Note that if special characters like <>{}&; are translated to their
HTML entity equivalents (like < & and so on) then it's much harder to
inject a script successfully. But you'd be surprised at the different ways
you can encode a script and get it to execute (unicode, hex encode, in a
style tag, and many more -- and note particularly that <> are NOT required.
You'll want to test for both 'stored' and 'reflected' XSS. Stored XSS flaws
put the input into a database or other storage and send it back to another
user sometime later. Reflected XSS flaws send the malicious content back to
the user who entered it. So who cares about reflected, right? Well, it's
trivial to get users to click on links (on the web or in email), and then
they reflect a bad script back to themselves -- where it can disclose the
user's session cookie.
--Jeff
Jeff Williams
Aspect Security
http://www.aspectsecurity.com
Current thread:
- Security Test Cases for Testing Giri, Sandeep (Dec 17)
- Re: Security Test Cases for Testing ljknews (Dec 17)
- Re: Security Test Cases for Testing Gene Spafford (Dec 17)
- Re: Security Test Cases for Testing ljknews (Dec 18)
- Re: Security Test Cases for Testing Gene Spafford (Dec 19)
- Re: Is Open Source Software "more" secure? Jared W. Robinson (Dec 20)
- Re: Security Test Cases for Testing Gene Spafford (Dec 17)
- Re: Security Test Cases for Testing Kenneth R. van Wyk (Dec 19)
- Re: Security Test Cases for Testing Dana Epp (Dec 19)
- Re: Security Test Cases for Testing Gene Spafford (Dec 20)
- Re: Security Test Cases for Testing ljknews (Dec 17)
- Re: Security Test Cases for Testing Jeff Williams @ Aspect (Dec 17)