This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Testing for Cross site scripting"
| Line 1: | Line 1: | ||
| + | [[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]<br> | ||
{{Template:OWASP Testing Guide v2}} | {{Template:OWASP Testing Guide v2}} | ||
| + | == Brief Summary == | ||
| + | Cross site scripting is an attack on a client (yes you) which uses vulnerablities in websites a user may visit. | ||
| + | It is commonly used in Phishing and identity theft attacks. The key to a vulnerable cross-site script is such that (in a nutshell): | ||
| + | The web site or web application redisplays text inputted by the user without any/proper data validation. When script (javascript normally) is entered as a | ||
| + | |||
| + | parameter value it is redisplayed to the user or to anyone that activates a link to redisplay the inputted data. | ||
| + | |||
| + | == Description of the Issue == | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
===How to Test=== | ===How to Test=== | ||
| Line 14: | Line 18: | ||
---- | ---- | ||
| + | |||
| + | '''Testing for Topic X vulnerabilities:''' <br> | ||
| + | ...<br> | ||
| + | '''Result Expected:'''<br> | ||
| + | ...<br><br> | ||
'''Example:''' | '''Example:''' | ||
| + | |||
A search function on a web application: | A search function on a web application: | ||
| − | When the "Search" button is pressed | + | When the "Search" button is pressed an HTTP request is sent: |
| − | + | <nowiki>GET http://www.weaksite.com/page.jsp?id=09586&searchparam=my%20favorite%20colour</nowiki> | |
This request is a typical GET request with a search parameter "searchparam". searchparam contains the search criteria/payload for the search. | This request is a typical GET request with a search parameter "searchparam". searchparam contains the search criteria/payload for the search. | ||
| Line 25: | Line 35: | ||
The HTML returned by the server after performing a search (acting on the http request includes: | The HTML returned by the server after performing a search (acting on the http request includes: | ||
| − | + | <nowiki><h1>Could not find: </h1>my%20favorite%20colour</nowiki> | |
| + | |||
| + | You can see that the user input passed via the ''searchparam'' query string parameter was probably placed in a string variable on the server and inserted by | ||
| − | + | the Web application into a customised <nowiki><h1></nowiki> tag. | |
If the application is not validating input server-side (forget client-side validation, thats not security!!), an attacker could abuse this in many ways: | If the application is not validating input server-side (forget client-side validation, thats not security!!), an attacker could abuse this in many ways: | ||
| + | one can make the ''searchparam'' value to be interpreted as part of the page markup (ie Javascript) rather than it being simply a value inputted by the user. | ||
| − | + | Let's try: | |
| − | + | <nowiki>GET http://www.weaksite.com/page.jsp?id=09568&searchparam=</h1><textarea></textarea></nowiki> | |
| − | '''<nowiki> | + | Here ''searchparam'' terminates the <nowiki><h1></nowiki> tag with <nowiki></h1></nowiki> this effectivley breaks out of a line of HTML. |
| + | Then the addition on the string <nowiki><textarea></textarea></nowiki> is actually interprited as a piece of HTML markup and a text area field shall be | ||
| − | + | displayed. | |
| − | |||
Taking this a step further: | Taking this a step further: | ||
| Line 44: | Line 57: | ||
again, breaking out of the <nowiki><h1></nowiki> tag: | again, breaking out of the <nowiki><h1></nowiki> tag: | ||
| − | + | <nowiki>GET http://www.weaksite.com/page.jsp?id=10&lang=en&searchparam=</h1><script>alert(‘Hello’)</script></nowiki> | |
The HTML output from this last request would look like: | The HTML output from this last request would look like: | ||
| − | + | <nowiki><h1>Could not find: </h1><script>alert(‘Hello’)</script></nowiki> | |
The browser would interpret the java script as part of the page as opposed to user input and execute and alert box with the word 'Hello' in it. | The browser would interpret the java script as part of the page as opposed to user input and execute and alert box with the word 'Hello' in it. | ||
| − | + | <nowiki><h1>Could not find: </h1><script>alert(‘Hello’)</script></nowiki> | |
=== Gray Box testing and example === | === Gray Box testing and example === | ||
Revision as of 08:28, 13 November 2006
[Up]
OWASP Testing Guide v2 Table of Contents
Brief Summary
Cross site scripting is an attack on a client (yes you) which uses vulnerablities in websites a user may visit. It is commonly used in Phishing and identity theft attacks. The key to a vulnerable cross-site script is such that (in a nutshell): The web site or web application redisplays text inputted by the user without any/proper data validation. When script (javascript normally) is entered as a
parameter value it is redisplayed to the user or to anyone that activates a link to redisplay the inputted data.
Description of the Issue
How to Test
Black Box testing and example
Testing for Topic X vulnerabilities:
...
Result Expected:
...
Example:
A search function on a web application: When the "Search" button is pressed an HTTP request is sent:
GET http://www.weaksite.com/page.jsp?id=09586&searchparam=my%20favorite%20colour
This request is a typical GET request with a search parameter "searchparam". searchparam contains the search criteria/payload for the search.
The result of the search is returned to the user, redisplaying the search criteria entered: The HTML returned by the server after performing a search (acting on the http request includes:
<h1>Could not find: </h1>my%20favorite%20colour
You can see that the user input passed via the searchparam query string parameter was probably placed in a string variable on the server and inserted by
the Web application into a customised <h1> tag.
If the application is not validating input server-side (forget client-side validation, thats not security!!), an attacker could abuse this in many ways: one can make the searchparam value to be interpreted as part of the page markup (ie Javascript) rather than it being simply a value inputted by the user.
Let's try:
GET http://www.weaksite.com/page.jsp?id=09568&searchparam=</h1><textarea></textarea>
Here searchparam terminates the <h1> tag with </h1> this effectivley breaks out of a line of HTML. Then the addition on the string <textarea></textarea> is actually interprited as a piece of HTML markup and a text area field shall be
displayed.
Taking this a step further:
again, breaking out of the <h1> tag:
GET http://www.weaksite.com/page.jsp?id=10&lang=en&searchparam=</h1><script>alert(‘Hello’)</script>
The HTML output from this last request would look like:
<h1>Could not find: </h1><script>alert(‘Hello’)</script>
The browser would interpret the java script as part of the page as opposed to user input and execute and alert box with the word 'Hello' in it.
<h1>Could not find: </h1><script>alert(‘Hello’)</script>
Gray Box testing and example
References
Whitepapers
Tools
OWASP Testing Guide v2
Here is the OWASP Testing Guide v2 Table of Contents
