Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Question about XCSS scripting attacks

Posted on 2016-10-07
3
Medium Priority
?
94 Views
Last Modified: 2016-10-27
I recently installed a patch at a client site that is supposed to prevent XCSS attacks.  

I was able to embed HTML into a web form and have it saved to my customer profile.  Is HTML in a form field considered a cross-site script attack?  Or is it something more?  What tools should I obtain to test the patch to make sure ?

Thanks,

-Dan
0
Comment
Question by:danpman
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 30

Assisted Solution

by:Randy Downs
Randy Downs earned 1000 total points (awarded by participants)
ID: 41835129
Here's some info on cross-scripting and some test examples.

Here is a scanner to test your page,

Example

If we have a site that permits us to leave a message to the other user (a lesson of WebGoat v3.7), and we inject a script instead of a message in the following way:

cross scriptingNow the server will store this information and when a user clicks on our fake message, his browser will execute our script as follow
0
 
LVL 64

Accepted Solution

by:
btan earned 1000 total points (awarded by participants)
ID: 41835199
Yes it can be a XSS if the methods and attributes that could be used to render HTML content are provided with an untrusted input, that can leads to this high risk of XSS  - specifically what we call an HTML injection. An example of injection can exploit on the vulnerable code that allows an unvalidated input to be used to create dynamic html in the page context.

HTML Injection assuming the embedding of HTML is of malicious or unauthorised intent
This vulnerability occurs when the user input is not correctly sanitized and the output is not encoded. An injection allows the attacker to send a malicious HTML page to a victim. The targeted browser will not be able to distinguish (trust) the legit from the malicious parts and consequently will parse and execute all as legit in the victim context.
Specifically for detection or testing this injection, you can check out DOMinatorPro
This is the only available tool on the market that can identify DOM XSS vulnerabilities with the highest possible precision and will help you solving all exercices on this website.
http://www.domxss.com/domxss/
More in OWASP Phoenix - https://www.owasp.org/index.php/Phoenix/Tools
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py
WSTool - http://wstool.sourceforge.net/
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/
Prevention is better than cure - https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
0
 
LVL 30

Expert Comment

by:Randy Downs
ID: 41861860
Assigned points. Question was answered.
0

Featured Post

Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
Check out what's been happening in the Experts Exchange community.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question