Testing for Cross site scripting - Revision history

Dan Wallis at 22:07, 6 August 2017

2017-08-06T22:07:42Z

Jmanico: removed old, dead link

2017-06-23T22:10:32Z

removed old, dead link

Jmanico: old, dead link removed

2017-06-23T22:07:59Z

old, dead link removed

Jason Haddix: /* Related Security Activities */

2015-06-24T21:39:35Z

‎Related Security Activities

Christina Schelin at 16:36, 10 March 2015

2015-03-10T16:36:15Z

Eduprey at 19:26, 27 July 2011

2011-07-27T19:26:05Z

D0ubl3 h3lix: /* References */

2010-09-16T06:31:58Z

‎References

D0ubl3 h3lix: /* References */

2010-08-15T17:26:32Z

‎References

Wichers: /* Description of the Issue */

2009-01-30T14:38:09Z

‎Description of the Issue

Wichers at 14:35, 30 January 2009

2009-01-30T14:35:00Z

← Older revision		Revision as of 22:07, 6 August 2017
Line 1:		Line 1:
−	[[~~http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC~~ Up]]<br>	+	[[Web Application Penetration Testing AoC\|Up]]<br>
	{{Template:OWASP Testing Guide v2}}		{{Template:OWASP Testing Guide v2}}

← Older revision		Revision as of 22:10, 23 June 2017
Line 106:		Line 106:

	'''Whitepapers'''<br>		'''Whitepapers'''<br>
−
−	* RSnake: "XSS (Cross Site Scripting) Cheat Sheet" - http://ha.ckers.org/xss.html

	* Jeremiah Grossman: "Hacking Intranet Websites from the Outside "JavaScript malware just got a lot more dangerous"" - http://www.blackhat.com/presentations/bh-jp-06/BH-JP-06-Grossman.pdf		* Jeremiah Grossman: "Hacking Intranet Websites from the Outside "JavaScript malware just got a lot more dangerous"" - http://www.blackhat.com/presentations/bh-jp-06/BH-JP-06-Grossman.pdf

@@ Line 22: / Line 22: @@
 The [[XSS Filter Evasion Cheat Sheet]] is focused on providing application security testing professionals with a guide to assist in Cross Site Scripting testing.
 [[Category:Security Focus Area]]
@@ Line 123: / Line 121: @@
 '''Tools'''
 * '''PHP Charset Encoder(PCE)''' - http://yehg.net/encoding

@@ Line 18: / Line 18: @@
 See the [[:Category:OWASP Code Review Project|OWASP Code Review Guide]] article on how to [[Reviewing Code for Cross-site scripting|Reviewing code for Cross-site scripting]] Vulnerabilities.
 [[Category:Security Focus Area]]
 __NOTOC__
 == Description of the Issue ==
 [[Category:FIXME|I think this whole section needs to be deleted]]

@@ Line 118: / Line 118: @@
 * '''OWASP CAL9000''' - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
-CAL9000 includes a sortable implementation of RSnake's XSS Attacks, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more. It's hosted at http://yehg.net/lab/pr0js/pentest/CAL9000/ .
+CAL9000 includes a sortable implementation of RSnake's XSS Attacks, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more. It's hosted at: http://sec101.sourceforge.net/CAL9000/
 * '''PHP Charset Encoder(PCE)''' - http://yehg.net/encoding

@@ Line 73: / Line 73: @@
 '''Example 1:'''
-Since JavaScript is case sensitive, some people attempt to filter XSS by converting all characters to upper case rendering Cross Site Scripting useless. If this is the case, you may want to use VBScript since it is not a case sensative language.
+Since JavaScript is case sensitive, some people attempt to filter XSS by converting all characters to upper case, rendering Cross Site Scripting utilizing inline JavaScript useless.  If this is the case, you may want to use VBScript since it is not a case sensitive language.
 JavaScript:
@@ Line 82: / Line 82: @@
   <script type="text/vbscript">alert(DOCUMENT.COOKIE)</script>
 '''Example 2:'''

@@ Line 118: / Line 118: @@
 CAL9000 includes a sortable implementation of RSnake's XSS Attacks, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more. It's hosted at http://yehg.net/lab/pr0js/pentest/CAL9000/ .
-* '''PHP Charset Encoder(PCE)''' - http://h4k.in/encoding
+* '''PHP Charset Encoder(PCE)''' - http://yehg.net/encoding
-PCE helps you encode arbitrary texts to and from 65 kinds of charsets that you can use in your customized payloads.  It's mirrored at http://yehg.net/e .
+PCE helps you encode arbitrary texts to and from 65 kinds of charsets that you can use in your customized payloads.
 {{Category:OWASP Testing Project AoC}}

@@ Line 30: / Line 30: @@
 Online message boards, web logs, guestbooks, and user forums where messages can be permanently stored also facilitate Cross Site Scripting attacks. In these cases, an attacker can post a message to the board with a link to a seemingly harmless site, which subtly encodes a script that attacks the user once they click the link. Attackers can use a wide range of encoding techniques to hide or obfuscate the malicious script and, in some cases, can avoid explicit use of the <Script> tag. Typically, XSS attacks involve malicious JavaScript, but they can also involve any type of executable active content. Although the types of attacks vary in sophistication, there is a generally reliable method to detect XSS vulnerabilities. Cross Site Scripting is used in many Phishing attacks.
-'''Now we explain the three types of Cross Site Scripting: DOM-Based, Stored and Reflected.'''
+'''Now we explain the three types of Cross Site Scripting: Stored, Reflected, and DOM-Based.'''
-The '''DOM-based Cross-Site Scripting''' problem exists within a page's client-side script itself. If the JavaScript accesses a URL request parameter (an example would be an RSS feed) and uses this information to write some HTML to its own page, and this information is not encoded using HTML entities, an XSS vulnerability will likely be present, since this written data will be re-interpreted by browsers as HTML which could include additional client-side script.
+The '''Stored Cross Site Scripting''' vulnerability is the most powerful kind of XSS attack. A Stored XSS vulnerability exists when data provided to a web application by a user is first stored persistently on the server (in a database, filesystem, or other location), and later displayed to users in a web page without being encoded using HTML entity encoding. A real life example of this would be the Samy MySpace Worm, which exploited an XSS vulnerability found on MySpace in October of 2005.
-Exploiting such a hole would be very similar to the exploitation of Reflected XSS vulnerabilities, except in one very important situation.
-For example, if an attacker hosts a malicious website which contains a link to a vulnerable page on a client's local system, a script could be injected and would run with privileges of that user's browser on their system. This bypasses the entire client-side sandbox, not just the cross-domain restrictions that are normally bypassed with XSS exploits.
+<center>[[Image:XSSStored2.PNG]]</center>
 The '''Reflected Cross-Site Scripting''' vulnerability is by far the most common and well-known type. These holes show up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user. If unvalidated user-supplied data is included in the resulting page without HTML encoding, this will allow client-side code to be injected into the dynamic page. A classic example of this is in site search engines: if one searches for a string which includes some HTML special characters, often the search string will be redisplayed on the result page to indicate what was searched for, or will at least include the search terms in the text box for easier editing. If all occurrences of the search terms are not HTML entity encoded, an XSS hole will result.
@@ Line 46: / Line 55: @@
 This makes a refresh request roughly about every .3 seconds to particular page. It then acts like an infinite loop of refresh requests, potentially bringing down the web and database server by flooding it with requests. The more browser sessions that are open, the more intense the attack becomes.
-The '''Stored Cross Site Scripting''' vulnerability is the most powerful kind of  XSS attack. A Stored XSS vulnerability exists when data provided to a web application by a user is first stored persistently on the server (in a database, filesystem, or other location), and later displayed to users in a web page without being encoded using HTML entities. A real life example of this would be SAMY, the XSS vulnerability found on MySpace in October of 2005.
+The '''DOM-based Cross-Site Scripting''' problem exists within a page's client-side script itself. If the JavaScript accesses a URL request parameter (an example would be an RSS feed) and uses this information to write some HTML to its own page, and this information is not encoded using HTML entities, an XSS vulnerability will likely be present, since this written data will be re-interpreted by browsers as HTML which could include additional client-side script.
-These vulnerabilities are more significant than other types because an attacker can inject the script just once. This could potentially hit a large number of other users with little need for social engineering, or the web application could even be infected by a cross-site scripting virus.
+Exploiting such a hole would be very similar to the exploitation of Reflected XSS vulnerabilities, except in one very important situation.
-'''Example'''
+For example, if an attacker hosts a malicious website which contains a link to a vulnerable page on a client's local system, a script could be injected and would run with privileges of that user's browser on their system. This bypasses the entire client-side sandbox, not just the cross-domain restrictions that are normally bypassed with XSS exploits.
 The methods of injection can vary a great deal. A perfect example of how this type of an attack could impact an organization, instead of an individual, was demonstrated by Jeremiah Grossman @ BlackHat USA 2006. The demonstration gave an example of how posting a stored XSS script to a popular blog, newspaper, or page comments section of a website can cause all the visitors of that page to have their internal networks scanned and logged for a particular type of vulnerability.

@@ Line 9: / Line 9: @@
 ===Description of Cross-site scripting Vulnerabilities===
-See the OWASP article on [[Cross-site Scripting (XSS)]] Vulnerabilities.
+See the OWASP articles on [[Cross-site Scripting (XSS)]] Vulnerabilities and [[DOM Based XSS]].
 ===How to Avoid Cross-site scripting Vulnerabilities===
@@ Line 21: / Line 21: @@
 [[Category:Security Focus Area]]
 __NOTOC__
 == Description of the Issue ==
 [[Category:FIXME|I think this whole section needs to be deleted]]
-XSS attacks are essentially code injection attacks into the various interpreters in the browser. These attacks can be carried out using HTML, JavaScript, VBScript, ActiveX, Flash, and other client-side languages. These attacks also have the ability to gather data from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible. In some cases, Cross Site Scripting vulnerabilities can perform other functions such as scanning for other vulnerabilities and performing a Denial of Service on your web server.
+[[XSS]] attacks are essentially code injection attacks into the various interpreters in the browser. These attacks can be carried out using HTML, JavaScript, VBScript, ActiveX, Flash, and other client-side languages. These attacks also have the ability to gather data from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible. In some cases, Cross Site Scripting vulnerabilities can perform other functions such as scanning for other vulnerabilities and performing a Denial of Service on your web server.
 Cross Site Scripting is an attack on the privacy of clients of a particular web site which can lead to a total breach of security when customer details are stolen or manipulated. Unlike most attacks, which involve two parties (the attacker and the web site, or the attacker and the victim client) the XSS attack involves three parties -- the attacker, a client and the web site. The goal of the XSS attack is to steal the client cookies or any other sensitive information which can authenticate the client to the web site. With the token of the legitimate user at hand, the attacker can proceed to act as the user in his/her interaction with the site, impersonating the user - Identity theft!
-Online message boards, web logs, guestbooks, and user forums where messages can be permanently stored also facilitate Cross Site Scripting attacks. In these cases, an attacker can post a message to the board with a link to a seemingly harmless site, which subtly encodes a script that attacks the user once they click the link. Attackers can use a wide range of encoding techniques to hide or obfuscate the malicious script and, in some cases, can avoid explicit use of the <Script> tag. Typically, XSS attacks involve malicious JavaScript, but they can also involve any type of executable active content. Although the types of attacks vary in sophistication, there is a generally reliable method to detect XSS vulnerabilities.
+Online message boards, web logs, guestbooks, and user forums where messages can be permanently stored also facilitate Cross Site Scripting attacks. In these cases, an attacker can post a message to the board with a link to a seemingly harmless site, which subtly encodes a script that attacks the user once they click the link. Attackers can use a wide range of encoding techniques to hide or obfuscate the malicious script and, in some cases, can avoid explicit use of the <Script> tag. Typically, XSS attacks involve malicious JavaScript, but they can also involve any type of executable active content. Although the types of attacks vary in sophistication, there is a generally reliable method to detect XSS vulnerabilities. Cross Site Scripting is used in many Phishing attacks.
 Cross Site Scripting is used in many Phishing attacks.
-Furthermore, we will provide more detailed information about the three types of Cross Site Scripting vulnerabilities: DOM-Based, Stored and Reflected.
+If we have a site that permits us to leave a message to the other user (a lesson of WebGoat v3.7), and we inject a script insted of a message in the following way:
 ==Black Box testing and example==
@@ Line 66: / Line 93: @@
 You can find more examples of XSS Injection here: http://www.owasp.org/index.php/OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors
 == References ==