I have been asked to give a presentation about cross site scripting at a local OWASP chapter meeting, and I am making my research and notes available as a series of blog posts. This is the third: detecting cross site scripting vulnerabilities.
For the following examples, I’ll be using known vulnerable web applications that are part of the OWASP Broken Web Applications virtual machine.
There is a cross site scripting cheat sheet that is kept up to date, tested against different browsers, and collects filter evasion techniques. Trying these values against your own web applications (or ones you have permission to test) could be eye opening.
Browser extensions are particularly helpful because of their convenience – the tool is at your fingertips as you are browsing the web. Being built in to the browser gives them the ability to manipulate what you’re seeing in a UI that’s already familiar.
XSS Me by Security Compass is a Firefox extension that will run a series of tests against a web form. It opens in a side bar next to the web page you’re viewing and allows you to assess that page with the click of a button.
Tamper Data is a Firefox extension that works like an intercepting proxy built into the browser: it lets you view and modify HTTP headers and POST parameters before a request is sent. Right-clicking a parameter gives you options to replace its value with an XSS test string.
OWASP Mantra is an OWASP project that packages a browser with more than 50 security extensions built in and preconfigured, giving you a cross platform security framework that is ready to use as soon as it is installed.
Web Application Vulnerability Scanners
Web application vulnerability scanners talk to an application through its web front-end, just as a browser would, in order to identify potential security vulnerabilities and architectural weaknesses. First they spider the application to find every page and input. Then they fuzz those inputs and inspect the responses for signs of trouble; for cross site scripting that means submitting a marker string through each input and checking whether it comes back in the page unencoded. I want to highlight a couple of free, open source scanners you can start using now.
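To make the spider-then-fuzz loop concrete, here is a toy reflected-XSS scanner. It is an added example, not code from ZAP or w3af: it collects the forms on a seed page, submits a unique probe through each input, and classifies how the probe is echoed back. The `fake_app_fetch` stand-in and the host `target.test` are constructed for the example so it runs offline; swapping in `http_fetch` points the same logic at a real target you are authorized to test.

```python
"""Toy reflected-XSS scanner: spider a page for forms, fuzz each input with a
unique probe, and classify how the probe is reflected. Added example, not
ZAP or w3af code."""
import html
import secrets
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urljoin, urlsplit
from urllib.request import urlopen


class FormParser(HTMLParser):
    """Spider step: record every <form> with its action, method and input names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "",
                             "method": (attrs.get("method") or "get").lower(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            if attrs.get("name"):
                self._current["inputs"].append(attrs["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def http_fetch(url, data=None):
    """Real transport: GET, or POST when a urlencoded body is supplied."""
    with urlopen(url, data=data) as resp:
        return resp.read().decode("utf-8", "replace")


def classify(body, probe, token):
    """Decide whether a reflection is a finding.
    raw:     the whole probe, quote and angle brackets, came back untouched
    partial: the quote was stripped or encoded but <token> survived, which is
             still exploitable in an HTML text context
    encoded: the token is present but the markup around it was escaped
    absent:  the input is not reflected in this response at all"""
    if probe in body:
        return "raw"
    if f"<{token}>" in body:
        return "partial"
    if token in body:
        return "encoded"
    return "absent"


def scan(seed_url, fetch=http_fetch):
    """Spider the seed page, then fuzz every form input one at a time."""
    parser = FormParser()
    parser.feed(fetch(seed_url))
    findings = []
    for form in parser.forms:
        target = urljoin(seed_url, form["action"])
        for name in form["inputs"]:
            # A fresh random token per input ties each reflection back to the
            # input that produced it and avoids matching text already on the page.
            token = "xss" + secrets.token_hex(4)
            probe = f'"<{token}>'
            fields = {n: (probe if n == name else "a") for n in form["inputs"]}
            if form["method"] == "post":
                body = fetch(target, urlencode(fields).encode())
            else:
                body = fetch(target + "?" + urlencode(fields))
            findings.append((target, form["method"], name, classify(body, probe, token)))
    return findings


def fake_app_fetch(url, data=None):
    """Constructed in-memory stand-in for a target (assumption: target.test is
    not a real host; this replaces the network). /greet echoes input raw,
    /strip removes only double quotes, /safe HTML-encodes."""
    parts = urlsplit(url)
    params = parse_qs(data.decode() if data else parts.query)
    name = params.get("name", [""])[0]
    if parts.path == "/":
        return ('<form action="/greet" method="get"><input name="name"></form>'
                '<form action="/strip" method="get"><input name="name"></form>'
                '<form action="/safe" method="post"><input name="name">'
                '<input type="hidden" name="csrf" value="t"></form>')
    if parts.path == "/greet":
        return f"<p>Hello {name}</p>"
    if parts.path == "/strip":
        return f"<p>Hello {name.replace(chr(34), '')}</p>"
    if parts.path == "/safe":
        return f"<p>Hello {html.escape(name, quote=True)}</p>"
    return "<p>not found</p>"


if __name__ == "__main__":
    for target, method, name, verdict in scan("http://target.test/", fetch=fake_app_fetch):
        print(f"{verdict:8} {method.upper():4} {target} param={name}")
```

The "partial" verdict is the one a simple grep for the full payload would miss: a filter that strips quotes still leaves `<token>` intact, so the text-context injection works even though an attribute-breakout probe appears to have failed. Real scanners run many probes per input for exactly this reason.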
OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. It acts as a web proxy that you point your browser to so it can see the traffic going to a site and allows you to spider, scan, fuzz, and attack the application. Here is ZAP finding the same XSS we found manually.
The Web Application Attack and Audit Framework (w3af) is an open-source web application security scanner and exploitation tool. w3af uses plugins to detect various security issues. After identification, w3af can be used to exploit them to gain access to the remote system. w3af has XSS plugins that can find the vulnerability in web applications, and plugins that can search external databases such as XSSed.com to find previous issues. Here is w3af finding the same XSS we found manually.
With all of the vulnerability scanners out there, it’s difficult to pick one worth your money. Shay Chen compared 60 commercial and open source scanners on a number of criteria, including a head to head comparison of cross site scripting detection. Here is how those scanners stack up in XSS detection.