Testing for Cross site scripting

Short Description of the Issue
Cross site scripting is an attack on a client (yes you) which uses vulnerablities in websites a user may visit. It is commonly used in Phishing and identity theft attacks. The key to a vulnerable cross-site script is such that: (in a nutshell): The web site or web application redisplays text inputted by the user without any/proper data validation. When script (javascript normally) is entered as a parameter value it is redisplayed to the user or to anyone that activates a link to redisplay the inputted data.

Black Box testing and example
Example: A search function on a web application: When the "Search" button is pressed a HTTP request is sent:

 GET http://www.weaksite.com/page.jsp?id=09586&searchparam=my%20favorite%20colour 

This request is a typical GET request with a search parameter "searchparam". searchparam contains the search criteria/payload for the search.

The result of the search is returned to the user, redisplaying the search criteria entered: The HTML returned by the server after performing a search (acting on the http request includes:

 Could not find: my%20favorite%20colour 

You can see that the user input passed via the searchparam query string parameter was probably placed in a string variable on the server and inserted by the Web application into a customised tag.

If the application is not validating input server-side (forget client-side validation, thats not security!!), an attacker could abuse this in many ways:

One can make the searchparam value to be interprited at part of the page markup (ie Javascript) rather than it being simply a value inputted by the user.

Lets try:

 GET http://www.weaksite.com/page.jsp?id=09568&searchparam= 

Here searchparam terminates the tag with this effectivley breaks out of a line of HTML. Then the addition on the string is actually interprited as a piece of HTML markup and a text area field shall be displayed.

Taking this a step further:

again, breaking out of the tag:

 GET http://www.weaksite.com/page.jsp?id=10&lang=en&searchparam= alert(‘Hello’) 

The HTML output from this last request would look like:

 Could not find: alert(‘Hello’) 

The browser would interpret the java script as part of the page as opposed to user input and execute and alert box with the word 'Hello' in it.

 Could not find: alert(‘Hello’)