Testing for Stored Cross site scripting (OTG-INPVAL-002)
This is a draft of a section of the new Testing Guide v3
This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.
OWASP at the moment is working at the OWASP Testing Guide v4: you can browse the Guide here
Stored Cross Site Scripting (XSS) is the most dangerous type of Cross Site Scripting. Web applications that allow users to store data are potentially exposed to this type of attack. This chapter illustrates examples of stored cross site scripting injection and relative exploitation scenario.
Description of the Issue
Stored XSS occurs when a web application gathers malicious input from a user and then stores that input in a data store for later viewing. The input that is stored is not correctly filtered. As a consequence, the malicious data will appear to be part of the web site and run within the user’s browser under the privileges of the web application.
This vulnerability can be used to conduct a number of browser-based attacks including:
- Hijacking another users browser
- Capturing sensitive information viewed by application users
- Pseudo defacement of the application
- Port scanning of internal hosts
- Directed delivery of browser-based exploits
- Other malicious activities
Stored XSS does not need a malicious link to be exploited. A successful exploitation occurs when a user visits a page with a stored XSS. The following phases relate to a typical stored XSS attack scenario:
- Attacker stores malicious code into the vulnerable page
- User authenticates in the application
- User visits vulnerable page
- Malicious code is executed by the browser’s user
Stored XSS is particularly dangerous in application area where users with high privileges have access. When the administrator visits the vulnerable page, the attack is automatically executed by its browser. This might expose sensitive information such as session authorisation tokens.
Black Box testing and example
The first step is to identify of all points where user input is stored into the back-end and then displayed by the application. Typical examples of stored user input can be found in:
- User/Profiles page: the application allows user to edit/change profile details such as first name, last name, nickname, avatar, picture, address, etc
- Shopping cart: the application allows user to store items into the shopping cart which can then be reviewed later
- File Manager: application that allows upload of files
- Application settings/preferences: application that allows user to set preferences
Analyse page source code
Example: Email stored data in index2.php
The HTML source code of index2.php where the email value is located:
<input class="inputbox" type="text" name="email" size="40" value="email@example.com" />
In this case, the pen-tester needs to find a way to inject code outside the <input> tag as below:
<input class="inputbox" type="text" name="email" size="40" value="firstname.lastname@example.org"> MALICIOUS CODE <!-- />
Testing Stored XSS
This involves testing the input validation/filtering controls of the application. Basic injection examples in our case:
The HTML source code following the injection:
<input class="inputbox" type="text" name="email" size="40" value="email@example.com"><script>alert(document.cookie)</script>
The input is stored and the XSS payload is executed by the browser when reloading the page.
In case the input is escaped by the application, it is suggested to test the application for XSS filters. For instance, if the string "SCRIPT" is replaced by a space or by a NULL character then this could be a potential sign of XSS filter in action. Many techniques exist in order to evade input filters. It is strongly recommended to refer to RSnake and Mario XSS Cheat pages which provide an extensive list of XSS attacks and filtering bypasses. Refer to the whitepapers/tools section for more detailed information.
Leverage Stored XSS with BeEF
- Waiting for the application user to view the vulnerable page where the stored input is displayed
- Control the application user’s browser via the BeEF console
Example: BeEF Injection in index2.php:
When the user loads the page index2.php, the script beefmagic.js.php is executed by the browser. It is then possible to access cookies, user screenshot, user clipboard and launch complex XSS attacks.
This attack is particularly effective in vulnerable pages that are viewed by many users with different privileges.
In case the application allows file upload, it is important to check if it is possible to upload HTML content. For instance, if HTML or TXT files are allowed, XSS payload can be injected in the file uploaded. The pen-tester should also verify if the file upload allows setting arbitrary MIME types.
Consider the following HTTP POST request for file upload:
POST /fileupload.aspx HTTP/1.1 […] Content-Disposition: form-data; name="uploadfile1"; filename="C:\Documents and Settings\test\Desktop\test.txt" Content-Type: text/plain test
This design flaw can be exploited in browser MIME mishandling attacks. For instance, innocuous-looking files like JPG, GIF can contain a XSS payload that is executed when they are loaded by the browser. This is possible due to the MIME type for an image such as image/gif can be set to text/html instead. In this case the file will be treated by the client browser as HTML.
HTTP POST Request forged:
Content-Disposition: form-data; name="uploadfile1"; filename="C:\Documents and Settings\test\Desktop\test.gif" Content-Type: text/html <script>alert(document.cookie)</script>
Also consider that Internet Explorer does not handle MIME types in the same way as Mozilla Firefox or other browsers do. For instance, Internet Explorer handles TXT file with HTML content as HTML content. For further information about MIME handling, refer to the whitepapers section at the bottom of this chapter.
Gray Box testing and example
Testing for Topic X vulnerabilities: