Testing for Cross site scripting

[Up]

Brief Summary
Cross Site Scripting (CSS for short, but sometimes abbreviated as XSS) is one of the most common application level attacks that hackers use to sneak into web applications today.

Description of the Issue
Cross site scripting is an attack on the privacy of clients of a particular web site which can lead to a total breach of security when customer details are stolen or manipulated. Unlike most attacks, which involve two parties – theattacker, and the web site, or the attacker and the victim client, the CSS attack involves three parties – the attacker, a client and the web site. The goal of the CSS attack is to steal the client cookies, or anyother sensitive information, which can identify the client with the web site. With the token of thelegitimate user at hand, the attacker can proceed to act as the user in his/her interaction with the site –specifically, impersonate the user.

Black Box testing and example
A search function on a web application: When the "Search" button is pressed an HTTP request is sent:

GET http://www.weaksite.com/page.jsp?id=09586&searchparam=my%20favorite%20colour

This request is a typical GET request with a search parameter "searchparam". searchparam contains the search criteria/payload for the search.

The result of the search is returned to the user, redisplaying the search criteria entered: The HTML returned by the server after performing a search (acting on the http request includes:

Could not find: my%20favorite%20colour

You can see that the user input passed via the searchparam query string parameter was probably placed in a string variable on the server and inserted by

the Web application into a customised tag.

If the application is not validating input server-side (forget client-side validation, thats not security!!), an attacker could abuse this in many ways: one can make the searchparam value to be interpreted as part of the page markup (ie Javascript) rather than it being simply a value inputted by the user.

Let's try:

GET http://www.weaksite.com/page.jsp?id=09568&searchparam=

Here searchparam terminates the tag with this effectivley breaks out of a line of HTML. Then the addition on the string is actually interprited as a piece of HTML markup and a text area field shall be

displayed.

Taking this a step further:

again, breaking out of the tag:

GET http://www.weaksite.com/page.jsp?id=10&lang=en&searchparam= alert(‘Hello’)

The HTML output from this last request would look like:

Could not find: alert(‘Hello’)

The browser would interpret the java script as part of the page as opposed to user input and execute and alert box with the word 'Hello' in it.

Could not find: alert(‘Hello’)