Re: Cross Site Scripting Vulnerabilities - XSS

From: Bill Pennington (billp@boarder.org)
Date: 08/07/02


Date: Tue, 06 Aug 2002 16:37:23 -0700
From: Bill Pennington <billp@boarder.org>
To: Matt Andreko <mandreko@ori.net>, pen-test <pen-test@securityfocus.com>

In order for that to be useful you need to get someone else to click on the
link. This is generally not too difficult depending on your target. Remember
e-mail is easily forged.

On 8/6/02 2:56 PM, "Matt Andreko" <mandreko@ori.net> wrote:

> I am kinda new to XSS, but am intrigued by how it works. I have found
> sometimes you can get javascript messages to pop up and such, but if
> it's not being stored in a database, what good is it?
>
> Take for example Iwillusa.com (a motherboard maker's website). They
> have a product page that I saw had some html in the URL:
> http://www.iwillusa.com/products/spec.asp?ModelName=DVD266>u</i>-RN&SupportID=
> I edited it and it became:
>
> http://www.iwillusa.com/products/spec.asp?ModelName=DVD266u-RN
> language=javascript>alert(document.cookie);</script>&SupportID=
>
> I'm fully able to get a javascript error. However, what good does this
> do, if it's not stored anywhere?
>
>
>
> -----Original Message-----
> From: Bill Pennington [mailto:billp@boarder.org]
> Sent: Tuesday, August 06, 2002 10:29 AM
> To: Jason binger; pen-test; webappsec
> Subject: Re: Cross Site Scripting Vulnerabilities - XSS
>
> Cross posting to webappsec because I know other people will have
> comments and suggestions.
>
> I have done more XSS testing than I care to remember.
>
> There is no tool that I am aware of that can accurately test for XSS
> issues in a web application. Some scanners have pretty good tests for
> web server and application server XSS issues (like requesting
> <SCRIPT>alert("foo")</SCRIPT>.jsp and exploiting the 404 handler);
> Nessus and nikto come to mind.
>
> For XSS testing I use a browser and a cheat sheet, a list of XSS strings
> to inject. My testing goes something like this:
>
> Assuming I am looking at a URL based variable, VAR=
>
> 1. Determine if the variable is displayed on the screen. Change
> VAR=realcontent to VAR=foo. This should generate an error message but it
> might not. On the resulting page, view source and search for foo. Note,
> you might want to pick a less common string to make searching easier.
>
> If foo is not on the resulting page you can not perform a URL based XSS
> attack. The data might be stored and displayed later though. Keep an
> eye out for it :-)
>
> 2. See how the application handles "<" and ">". Now change the variable
> to VAR=<foo>. Again view source on the returned page and look for <foo>.
> If <foo> is present you most likely have an XSS issue. If you see
> something like &lt;foo&gt; then the variable is not vulnerable.
>
> 3. Now you just need to build an actual bit of client code and see if it
> gets executed. Change VAR= to VAR=<SCRIPT>alert("XSS");</SCRIPT>
> When you submit the page you should get a pop-up box that says XSS on
> your screen. If you do not get the pop-up, view source and find your
> string and make sure the proper syntax is in place. Some variables are
> put in strange places and you may need to format your injection string
> differently. If you are getting the full string returned to the browser
> without modification it is vulnerable, you just need to figure out the
> proper format. Most likely you need to close out another tag or a set of
> quotes before your XSS code is inserted.
>
> The above steps are a bit redundant but they are part of testing the
> application for all known issues, not just XSS. You could just do step 3
> but you might miss a bit of important info along the way. Most automated
> tools will only catch the simple XSS attacks, the more difficult ones are
> passed over.
>
> Hope that helps!
>
> On 8/3/02 10:52 PM, "Jason binger" <cisspstudy@yahoo.com> wrote:
>
>> Has anyone on the list done much with testing for XSS
>> vulnerabilities?
>>
>> Has anyone written a simple work program to test for
>> these vulnerabilities that they are happy to
>> distribute so others can do basic testing for these
>> vulnerabilities?
>>
>> There are a few papers out on this topic, but none that I
>> have seen that really focus on the testing side of
>> things.
>>
>> Thanks
>>
>>
>>
>> ----------------------------------------------------------------------------
>> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
>> Service. For more information on SecurityFocus' SIA service which
>> automatically alerts you to the latest security vulnerabilities please see:
>> https://alerts.securityfocus.com/
>>
>
>
>
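Bill's three checks (is the value reflected at all, do "<" and ">" come back unencoded, does the full script string come back verbatim) can be run against a handler you own to confirm that output encoding is actually in place. The following is an added example, not code from the thread or from any site mentioned in it; the three handlers are constructed stand-ins for a server-side page that echoes a URL variable, and the marker string and classification names are assumptions.

```python
import html

# Step 1 of the post: use an uncommon marker so searching the page source
# for it is unambiguous (constructed value, not from the thread).
MARKER = "xsstst"

# Full probe string from step 3 of the post.
SCRIPT_PROBE = '<SCRIPT>alert("XSS");</SCRIPT>'


def reflect_raw(var: str) -> str:
    """Constructed vulnerable handler: places VAR in the page unencoded."""
    return f"<html><body><p>Product: {var}</p></body></html>"


def reflect_encoded(var: str) -> str:
    """Constructed hardened handler: HTML-encodes VAR before output, so
    <foo> is returned as &lt;foo&gt; (the outcome Bill's step 2 treats as
    not vulnerable)."""
    return f"<html><body><p>Product: {html.escape(var)}</p></body></html>"


def lookup_only(var: str) -> str:
    """Constructed handler that never echoes VAR: an unknown value yields a
    fixed error page, so the URL-based check cannot reflect anything."""
    return "<html><body><p>Unknown model</p></body></html>"


def classify(handler, marker: str = MARKER) -> str:
    """Apply the three checks from the post to one handler and return a
    label describing how the URL variable is treated on output."""
    # Step 1: is the plain marker present anywhere in the returned source?
    page = handler(marker)
    if marker not in page:
        return "not-reflected"

    # Step 2: are angle brackets returned as typed, or entity-encoded?
    page = handler(f"<{marker}>")
    if f"<{marker}>" in page:
        # Step 3: does the complete script string come back unmodified?
        page = handler(SCRIPT_PROBE)
        if SCRIPT_PROBE in page:
            return "reflected-unencoded-script"
        return "reflected-unencoded-brackets"
    if f"&lt;{marker}&gt;" in page:
        return "reflected-encoded"
    return "reflected-modified"


if __name__ == "__main__":
    for name, handler in [("raw", reflect_raw),
                          ("encoded", reflect_encoded),
                          ("lookup", lookup_only)]:
        print(f"{name}: {classify(handler)}")
```

The "reflected-modified" label covers the case the post warns about in step 3: the marker is present but the brackets are neither intact nor cleanly encoded, which is where a manual look at the source is still needed. The fix shown in `reflect_encoded` is the one the step 2 result points at: encode on output, rather than trying to filter the input.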
