Detecting Cross Site Scripting Vulnerabilities

I have been asked to give a presentation about cross site scripting at a local OWASP chapter meeting. I am making my research and notes available in a series of blog posts. This is the third: detecting cross site scripting vulnerabilities.

XSS Defined
History of XSS
Detecting XSS
OWASP Presentation (Abstract and Slides)

A lot of web application vulnerabilities can be discovered with just a browser and close attention to detail. With cross site scripting, entering JavaScript into a form and viewing the result is often enough to find the simple bugs. With a web proxy capable of intercepting and altering traffic, even the most complex web vulnerabilities can be found. Luckily, we can save time and effort by automating the process with tools such as browser extensions and web application vulnerability scanners. Let’s take a look at how some of these methods work.

For the following examples, I’ll be using known vulnerable web applications that are part of the OWASP Broken Web Applications virtual machine.

Manual Testing

You can easily find some of the low-hanging XSS fruit by entering a bit of JavaScript in web forms and seeing what happens. The following script, entered in the search form of The BodgeIt Store, is reflected back and runs in the browser.

<SCRIPT>alert('XSS')</SCRIPT>

As you do this, keep in mind the different types of XSS. The application could throw the JavaScript right back at you, like a search form showing you what was searched for (reflected XSS), or it could store the input for use somewhere else, like a profile page in a social network (persistent XSS).

There is a cross site scripting cheat sheet that is kept up to date, tested against different browsers, and employs filter evasion techniques. Trying these values in your web applications could be eye-opening.

Browser Plugins

Browser extensions are particularly helpful because of their convenience: the tool is at your fingertips as you browse the web. Being built into the browser lets them manipulate what you’re seeing in a UI that’s already familiar.

XSS Me by Security Compass is a Firefox extension that runs a series of tests against a web form. It opens in a sidebar next to the web page you’re viewing and allows you to assess that page with the click of a button.

Tamper Data is a Firefox extension that acts as a built-in proxy. It allows you to view and modify HTTP headers and POST parameters. If you right-click on a parameter, it gives you options to modify it with an XSS test.


OWASP Mantra is a cross-platform security framework: a browser that ships with more than 50 extensions built in, preconfigured, and ready to use.

Web Application Vulnerability Scanners

Web application vulnerability scanners communicate with an application through the web front-end in order to identify potential security vulnerabilities and architectural weaknesses. First they spider the application to find each page and input. Then they fuzz those inputs and look for responses that indicate security issues. Such a scan can detect issues including cross site scripting. I want to highlight a couple of free, open source scanners you can start using now.
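Here is the check that sits behind both the manual test above and a scanner's fuzzing step, written out as an added Python example (my code, not the post's, BodgeIt's, ZAP's or w3af's). It assumes three constructed request handlers standing in for a real application: one that reflects a search term unencoded, one that HTML-encodes it, and one that strips angle brackets but reflects into an attribute value. The checker sends a unique canary wrapped around the characters `<>"'`, finds where the canary comes back, and reports which characters survived unencoded and whether the reflection sits in page text or inside a tag. The encoded handler is reported clean, while the attribute case, which a plain `<script>` probe would miss, is flagged.

```python
"""Added example: the reflection check a scanner runs against each input.

It sends a unique canary wrapped around the characters that matter for XSS,
then inspects whether the page echoes them back unencoded, and in what context.
The handlers below are constructed stand-ins for a web application, not the
BodgeIt Store's code."""
import html
import re
import secrets
from typing import Callable, Dict, List, Optional

Handler = Callable[[Dict[str, str]], str]

# Characters a scanner cares about: tag breakout (<>) and attribute breakout ("').
XSS_CHARS = "<>\"'"


def search_vulnerable(params: Dict[str, str]) -> str:
    """Reflects the search term into the page body with no encoding."""
    q = params.get("q", "")
    return f"<html><body><h1>Results for {q}</h1></body></html>"


def search_fixed(params: Dict[str, str]) -> str:
    """Same page, with the term HTML-encoded before it is reflected."""
    q = html.escape(params.get("q", ""), quote=True)
    return f"<html><body><h1>Results for {q}</h1></body></html>"


def search_attr_vulnerable(params: Dict[str, str]) -> str:
    """Strips angle brackets but reflects into an attribute without escaping quotes."""
    q = params.get("q", "").replace("<", "&lt;").replace(">", "&gt;")
    return f'<form><input type="text" name="q" value="{q}"></form>'


def make_canary() -> str:
    """Alphanumeric marker that survives any HTML encoding and is unlikely to occur by chance."""
    return "zq" + secrets.token_hex(4) + "zq"


def reflection_context(body: str, pos: int) -> str:
    """'attribute' if pos is inside an unclosed tag, otherwise 'text'."""
    last_open = body.rfind("<", 0, pos)
    if last_open != -1 and body.find(">", last_open, pos) == -1:
        return "attribute"
    return "text"


def assess(handler: Handler, param: str, baseline: Optional[Dict[str, str]] = None) -> dict:
    """Probe one parameter of one handler and report how the probe was reflected."""
    token = make_canary()
    params = dict(baseline or {})
    params[param] = f"{token}{XSS_CHARS}{token}"
    body = handler(params)
    # Only the first echo is assessed; a fuller check would walk every occurrence.
    match = re.search(re.escape(token) + r"(.*?)" + re.escape(token), body, re.S)
    if match is None:
        return {"param": param, "reflected": False, "context": None,
                "unencoded": [], "vulnerable": False}
    echoed = match.group(1)
    unencoded = [c for c in XSS_CHARS if c in echoed]
    context = reflection_context(body, match.start())
    if context == "text":
        vulnerable = "<" in unencoded                        # can open a new tag
    else:
        vulnerable = '"' in unencoded or "'" in unencoded    # can close the attribute
    return {"param": param, "reflected": True, "context": context,
            "unencoded": unencoded, "vulnerable": vulnerable}


# Constructed target list standing in for the spidering step: (name, handler, inputs).
TARGETS = [
    ("search (vulnerable)", search_vulnerable, ["q"]),
    ("search (fixed)", search_fixed, ["q"]),
    ("search (attribute)", search_attr_vulnerable, ["q"]),
]


def scan(targets=TARGETS) -> List[dict]:
    """Fuzz every input of every target and return only the vulnerable reflections."""
    findings = []
    for name, handler, inputs in targets:
        for param in inputs:
            result = assess(handler, param)
            if result["vulnerable"]:
                findings.append({"target": name, **result})
    return findings


if __name__ == "__main__":
    for f in scan():
        print(f"{f['target']}: param {f['param']!r} reflected unencoded "
              f"{f['unencoded']} in {f['context']} context")
```

The canary is alphanumeric on purpose: every encoding scheme leaves it intact, so the checker can always locate the echo and then judge only the characters between the two copies. Real scanners extend the same idea with more contexts (JavaScript strings, URLs, comments) and with the filter-evasion payloads from the cheat sheet once a raw reflection has been confirmed.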

OWASP Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. It acts as a web proxy that you point your browser to, so it can see the traffic going to a site, and it allows you to spider, scan, fuzz, and attack the application. Here is ZAP finding the same XSS we found manually.

The Web Application Attack and Audit Framework (w3af) is an open-source web application security scanner and exploitation tool. w3af uses plugins to detect various security issues. After identification, w3af can be used to exploit them to gain access to the remote system. w3af has XSS plugins that can find the vulnerability in web applications, and plugins that can search external databases such as XSSed.com to find previous issues. Here is w3af finding the same XSS we found manually.

With all of the vulnerability scanners out there, it’s difficult to pick one worthy of your money. Shay Chen compared 60 commercial and open source scanners based on a number of criteria. One of the tests was a head-to-head comparison of cross site scripting results. Here is how those scanners stack up in XSS detection.

Sources

Cross Site Scripting Cheat Sheet
OWASP Zed Attack Proxy (ZAP)
Web Application Attack and Audit Framework (w3af)
Web Application Vulnerability Scanner Comparisons
XSS Attacks (Amazon)
