Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Question about XCSS scripting attacks

Posted on 2016-10-07
3
58 Views
Last Modified: 2016-10-27
I recently installed a patch at a client site that is supposed to prevent XCSS attacks.  

I was able to embed HTML into a web form and have it saved to my customer profile.  Is HTML in a form field considered a cross-site script attack?  Or is it something more?  What tools should I obtain to test the patch to make sure ?

Thanks,

-Dan
0
Comment
Question by:danpman
  • 2
3 Comments
 
LVL 29

Assisted Solution

by:Randy Downs
Randy Downs earned 250 total points (awarded by participants)
ID: 41835129
Here's some info on cross-scripting and some test examples.

Here is a scanner to test your page,

Example

If we have a site that permits us to leave a message to the other user (a lesson of WebGoat v3.7), and we inject a script instead of a message in the following way:

cross scriptingNow the server will store this information and when a user clicks on our fake message, his browser will execute our script as follow
0
 
LVL 63

Accepted Solution

by:
btan earned 250 total points (awarded by participants)
ID: 41835199
Yes it can be a XSS if the methods and attributes that could be used to render HTML content are provided with an untrusted input, that can leads to this high risk of XSS  - specifically what we call an HTML injection. An example of injection can exploit on the vulnerable code that allows an unvalidated input to be used to create dynamic html in the page context.

HTML Injection assuming the embedding of HTML is of malicious or unauthorised intent
This vulnerability occurs when the user input is not correctly sanitized and the output is not encoded. An injection allows the attacker to send a malicious HTML page to a victim. The targeted browser will not be able to distinguish (trust) the legit from the malicious parts and consequently will parse and execute all as legit in the victim context.
Specifically for detection or testing this injection, you can check out DOMinatorPro
This is the only available tool on the market that can identify DOM XSS vulnerabilities with the highest possible precision and will help you solving all exercices on this website.
http://www.domxss.com/domxss/
More in OWASP Phoenix - https://www.owasp.org/index.php/Phoenix/Tools
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py
WSTool - http://wstool.sourceforge.net/
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/
Prevention is better than cure - https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
0
 
LVL 29

Expert Comment

by:Randy Downs
ID: 41861860
Assigned points. Question was answered.
0

Featured Post

How our DevOps Teams Maximize Uptime

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us. Read the use case whitepaper.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

It’s the first day of March, the weather is starting to warm up and the excitement of the upcoming St. Patrick’s Day holiday can be felt throughout the world.
There's a lot of hype surrounding blockchain technology. Here's how it works and some of the novel ways it' s now being used - including for data protection.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Video by: Mark
This lesson goes over how to construct ordered and unordered lists and how to create hyperlinks.

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question