Quality Testing

Quality is delighting customers

Hello everybody,

I have a question regarding xss injection which i couldn't find it with Google. So after reading about xss injection and done some test on my web app project i identified some vulnerable spots. The behavior is the following: 
-if i input a code similar to this one <script>alert(document.cookie)</script>"> on a form, the customized page error appears.

My question is: this means that the app is vulnerable and an advanced security user can pass customized page error and see the error code which can use it to sql injection for example.

Thanks in advanced,
Dan Claudiu Pop

Views: 116

Reply to This

Replies to This Discussion

Cross Site Scripting (XSS) is a code injection vulnerability found in web applications and is generally used by malicious hackers to hijack a legitimate user's session with the website. XSS vulnerabilities are caused because of improper validation of user input by the Server and then sending this invalidated input back to the user in some exploitable form. Go through following page for more information
Hey Dan,

You can use Microsoft AntiXSS library to prevent XSS attacks

Some details are as follows
Anti-Cross Site Scripting Library

AntiXSS helps you to protect your current applications from cross-site scripting attacks, at the same time helping you to protect your legacy application with its Security Runtime Engine. Working with customer and partner feedback, AntiXSS incorporates radically and innovatively rethought features, offering you a newer, more powerful weapon against the often employed cross-site scripting (XSS) attack. AntiXSS gives you:

Improved Performance. AntiXSS has been completely rewritten with performance in mind, and yet retains the fundamental protection from XSS attacks that you have come to rely on for your applications.
Secure Globalization. The web is a global market place, and cross-site scripting is a global issue. An attack can be coded anywhere, and Anti-XSS now protects against XSS attacks coded in dozens of languages.
Standards Compliance. AntiXSS is written to comply with modern web standards. You can protect your web application without adversely affecting its UI.

For more details please visit http://msdn.microsoft.com/en-us/security/aa973814.aspx
There is plenty of ways to get around XSS protection. I usually use onmouseover- or onerror-eventhandler to avoid script-tag. It's also good idea to use alert(1); instead of alert(document.cookie) while testing. It is shorter. My smoketests usually contains following patterns:
"'><div onmouseover=alert(1)>iiiik</div>

After I've started with those, I can start to look from sources, what kind of mis-handling exists.

I have worked around many XSS filters different ways. So don't trust to them. Applications must be solid.


TTWT Magazine





© 2021   Created by Quality Testing.   Powered by

Badges  |  Report an Issue  |  Terms of Service