Solved

Question about XCSS scripting attacks

Posted on 2016-10-07
3
35 Views
Last Modified: 2016-10-27
I recently installed a patch at a client site that is supposed to prevent XCSS attacks.  

I was able to embed HTML into a web form and have it saved to my customer profile.  Is HTML in a form field considered a cross-site script attack?  Or is it something more?  What tools should I obtain to test the patch to make sure ?

Thanks,

-Dan
0
Comment
Question by:danpman
  • 2
3 Comments
 
LVL 29

Assisted Solution

by:Randy Downs
Randy Downs earned 250 total points (awarded by participants)
Comment Utility
Here's some info on cross-scripting and some test examples.

Here is a scanner to test your page,

Example

If we have a site that permits us to leave a message to the other user (a lesson of WebGoat v3.7), and we inject a script instead of a message in the following way:

cross scriptingNow the server will store this information and when a user clicks on our fake message, his browser will execute our script as follow
0
 
LVL 61

Accepted Solution

by:
btan earned 250 total points (awarded by participants)
Comment Utility
Yes it can be a XSS if the methods and attributes that could be used to render HTML content are provided with an untrusted input, that can leads to this high risk of XSS  - specifically what we call an HTML injection. An example of injection can exploit on the vulnerable code that allows an unvalidated input to be used to create dynamic html in the page context.

HTML Injection assuming the embedding of HTML is of malicious or unauthorised intent
This vulnerability occurs when the user input is not correctly sanitized and the output is not encoded. An injection allows the attacker to send a malicious HTML page to a victim. The targeted browser will not be able to distinguish (trust) the legit from the malicious parts and consequently will parse and execute all as legit in the victim context.
Specifically for detection or testing this injection, you can check out DOMinatorPro
This is the only available tool on the market that can identify DOM XSS vulnerabilities with the highest possible precision and will help you solving all exercices on this website.
http://www.domxss.com/domxss/
More in OWASP Phoenix - https://www.owasp.org/index.php/Phoenix/Tools
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py
WSTool - http://wstool.sourceforge.net/
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/
Prevention is better than cure - https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
0
 
LVL 29

Expert Comment

by:Randy Downs
Comment Utility
Assigned points. Question was answered.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
Big data transfers via information superhighways require special attention and protection. Learn more about the IT-regulations of the country where your server is located. Analyze cloud providers and their encryption systems for safe data transit. S…
In this tutorial viewers will learn how to embed videos in a webpage using HTML5. Ensure your DOCTYPE declaration is set to HTML5: "<!DOCTYPE html>": Use the <video> tag to insert a video. Define the src as the URL of your video; this is similar to …
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now