Testing For Reflected XSS

Uploaded by

Vigneshwar DK

Testing for reflected XSS
By Uncle Rat
Agenda

- What is it
- Test objectives
- How to test
- Black box testing
- Bypass XSS filters
- Gray box testing
- Tools
- References
What is it
What is it - Requirements

- Attacker injects browser-executable code within a single HTTP response
- Not stored within the application
- Not persistent
- Only affects the user who clicks on the malicious link
- Attack vector belongs to the URI or HTTP parameters
- Not processed properly and returned to the victim
What is it

- Most common type of XSS
- Referred to as first-order or type 1 XSS by OWASP
- Application will pass unsanitized input to the victim
What is it – Modus operandi

- Design step
  - Attacker creates and tests an offending URI
- Social engineering step
  - Attacker convinces the victim to load this URI
- Execution step
  - Eventual execution of the payload in the victim's browser
What is it – Challenges

- Proper character encoding
  - Sometimes <script> might be filtered
  - But %3cscript%3e might not be
  - %3c = <
  - %3e = >
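The encoding problem on this slide, as an added Python example that is not part of the original deck: a blacklist for the literal string `<script>` applied to the raw query string misses the percent-encoded form, the same blacklist applied after URL decoding catches that case but still passes a double-encoded one, and HTML-context output encoding (`html.escape`) leaves no tag in the response whatever the input looked like. The parameter name `q`, the three query strings and the helper names are constructed for this example.

```python
import html
from urllib.parse import parse_qs


def blacklist_on_raw_query(query_string: str) -> bool:
    """Naive filter: looks for the literal tag in the raw, still URL-encoded query string."""
    return "<script>" in query_string.lower()


def param(query_string: str, name: str) -> str:
    """URL-decode the query string once (as a web framework does) and return one parameter."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]


def blacklist_on_decoded_param(query_string: str) -> bool:
    """Same blacklist, applied after URL decoding, so %3cscript%3e is now caught."""
    return "<script>" in param(query_string, "q").lower()


def reflect_unsafe(query_string: str) -> str:
    """Reflects the parameter into the HTML body with no output encoding (the vulnerable pattern)."""
    return f"<p>You searched for: {param(query_string, 'q')}</p>"


def reflect_safe(query_string: str) -> str:
    """HTML-context output encoding: <, >, &, ' and " become entities, so no tag can form."""
    return f"<p>You searched for: {html.escape(param(query_string, 'q'), quote=True)}</p>"


def verdicts(query_string: str) -> dict:
    """Compare what each defence does with the same request."""
    return {
        "raw_blacklist_blocks": blacklist_on_raw_query(query_string),
        "decoded_blacklist_blocks": blacklist_on_decoded_param(query_string),
        "unsafe_output_has_tag": "<script>" in reflect_unsafe(query_string).lower(),
        "safe_output_has_tag": "<script>" in reflect_safe(query_string).lower(),
    }


if __name__ == "__main__":
    # Constructed sample requests: literal, percent-encoded (the slide's case), double-encoded.
    for qs in ("q=<script>", "q=%3Cscript%3E", "q=%253Cscript%253E"):
        print(qs, verdicts(qs))
```

The double-encoded request is the instructive one: both blacklists pass it and the unsafe reflection contains no tag either, because the browser does not percent-decode HTML text; it only becomes a problem if the application decodes a second time somewhere. The encoded output stays free of tags in every case, which is why output encoding rather than blacklisting is the fix the rest of the deck points toward.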
Test objectives
Test objectives

- Identify where a value is reflected into the response
- Assess the input they accept and see whether any filters can be bypassed
- See filter evasion techniques
How to test – black box
How to test – black box

- Detect input vectors
  - Tester must define all user-controlled variables and parameters
  - Includes non-obvious ones such as
    - HTTP parameters
    - POST parameters
    - POST data
    - Hidden fields
    - Predefined radio or selection values
How to test – black box

- Analysing input vectors
  - Tester will try specially crafted input vectors for every parameter
  - Example HTML tag attribute context
    - "> <script> alert()</script>
  - HTML context
    - <img src=x onerror=submit()>
  - https://owasp.org/www-community/xss-filter-evasion-cheatsheet
How to test – black box

- Check Impact
  - If an attack vector from the previous attempts succeeds, the tester will analyse the impact realistically
  - Look for where the value is reflected
  - Tester defines special characters that are not properly encoded, replaced or filtered
  - Often filters work on blacklist principles
  - The set of characters you should test for depends on the context
How to test – black box

- Check Impact
  - HTML context
    - Test for key HTML entities
      - > (greater than)
      - < (less than)
      - & (ampersand)
      - ' (apostrophe or single quote)
      - " (double quote)
    - Full list: https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references
How to test – black box

- Check Impact
  - JavaScript context
    - \n (new line)
    - \r (carriage return)
    - ' (apostrophe or single quote)
    - " (double quote)
    - \ (backslash)
    - \uXXXX (unicode values)
    - Full list: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Values,_variables,_and_literals#Using_special_characters_in_strings
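The "Check Impact" step on the two context slides above, as an added Python example that is not part of the original deck: a probe wraps a marker around each listed special character, renders it, and reports which characters come back unencoded, run against a deliberately unsafe and a hardened renderer for both the HTML body context and the JavaScript string context. The renderer functions, the marker value and the `js_string_literal` helper are assumptions made for this example, not code from the slides.

```python
import html
import json
from typing import Callable, Iterable, Set

# Characters from the slides that must not survive unencoded in each context.
HTML_SPECIALS = ["<", ">", "&", "'", '"']
JS_SPECIALS = ["\n", "\r", "'", '"', "\\", "<", "/"]

# Assumed marker: unlikely to appear naturally, so the probe can locate the reflection point.
MARKER = "zxq7"


def render_html_unsafe(value: str) -> str:
    """Reflects into the HTML body with no encoding (vulnerable pattern)."""
    return f"<p>Results for {value}</p>"


def render_html_safe(value: str) -> str:
    """HTML-context output encoding: every listed entity character becomes an entity."""
    return f"<p>Results for {html.escape(value, quote=True)}</p>"


def js_string_literal(value: str) -> str:
    """Build a JavaScript string literal safe to embed inside a <script> block.

    JSON encoding handles quotes, backslashes and control characters (\\n, \\r, \\uXXXX);
    the extra replacements cover characters that could close the surrounding tag or
    matter inside single-quoted JS, which JSON leaves untouched.
    """
    out = json.dumps(value)
    return (out.replace("<", "\\u003c").replace(">", "\\u003e")
               .replace("&", "\\u0026").replace("'", "\\u0027").replace("/", "\\/"))


def render_js_unsafe(value: str) -> str:
    """Reflects into a single-quoted JS string with no encoding (vulnerable pattern)."""
    return f"<script>var q = '{value}';</script>"


def render_js_safe(value: str) -> str:
    """Reflects as a properly encoded JS string literal."""
    return f"<script>var q = {js_string_literal(value)};</script>"


def unencoded_reflections(render: Callable[[str], str], specials: Iterable[str]) -> Set[str]:
    """Return the subset of `specials` that the renderer reflects verbatim.

    Each probe is MARKER + char + MARKER; if that exact sequence appears in the output,
    the character was neither encoded, replaced nor filtered, which is what the
    'Check Impact' step is looking for.
    """
    leaked = set()
    for ch in specials:
        if MARKER + ch + MARKER in render(MARKER + ch + MARKER):
            leaked.add(ch)
    return leaked


if __name__ == "__main__":
    for name, render, specials in (
        ("html unsafe", render_html_unsafe, HTML_SPECIALS),
        ("html safe", render_html_safe, HTML_SPECIALS),
        ("js unsafe", render_js_unsafe, JS_SPECIALS),
        ("js safe", render_js_safe, JS_SPECIALS),
    ):
        print(name, sorted(unencoded_reflections(render, specials)))
```

The probe deliberately checks for the character coming back verbatim rather than for a working payload: at the impact-analysis stage the question is which characters survive, and the context then tells you what those survivors allow. Against a real target the `render` callable would be replaced by a function that sends the request and returns the response body; everything else stays the same.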
How to test – Bypass XSS filtering
How to test – Bypass XSS filtering

- Separate chapter in the course
- Try variations according to the OWASP testing guide
  - https://owasp.org/www-community/xss-filter-evasion-cheatsheet
How to test – Gray box testing
How to test – Gray box testing

- Similar to black box testing
- Pen tester has partial knowledge of the application
- Tester can better craft a payload in this case
- If the JavaScript source file is available, the tester should test it fully and analyse it statically
Tools
Tools

- PHP Charset Encoder (PCE) - helps you encode arbitrary texts to and from 65 kinds of character sets that you can use in your customized payloads.
- Hackvertor is an online tool which allows many types of encoding and obfuscation of JavaScript (or any string input).
Tools

- XSS-Proxy - is an advanced Cross-Site-Scripting (XSS) attack tool.
- ratproxy is a semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.
Tools

- Burp Proxy is an interactive HTTP/S proxy server for attacking and testing web applications.
- OWASP Zed Attack Proxy (ZAP) is an interactive HTTP/S proxy server for attacking and testing web applications with a built-in scanner
References
References

- https://owasp.org/www-community/xss-filter-evasion-cheatsheet
- https://github.com/OWASP/wstg/releases/download/v4.2/wstg-v4.2.pdf
- https://resources.sei.cmu.edu/asset_files/WhitePaper/2000_019_001_496188.pdf
- https://www.cgisecurity.com/xss-faq.html
- http://www.technicalinfo.net/papers/CSS.html
- https://www.techzoom.net/Publications/Insecurity-Iceberg
