Solved

Question about XCSS scripting attacks

Posted on 2016-10-07
3
45 Views
Last Modified: 2016-10-27
I recently installed a patch at a client site that is supposed to prevent XCSS attacks.  

I was able to embed HTML into a web form and have it saved to my customer profile.  Is HTML in a form field considered a cross-site script attack?  Or is it something more?  What tools should I obtain to test the patch to make sure ?

Thanks,

-Dan
0
Comment
Question by:danpman
  • 2
3 Comments
 
LVL 29

Assisted Solution

by:Randy Downs
Randy Downs earned 250 total points (awarded by participants)
ID: 41835129
Here's some info on cross-scripting and some test examples.

Here is a scanner to test your page,

Example

If we have a site that permits us to leave a message to the other user (a lesson of WebGoat v3.7), and we inject a script instead of a message in the following way:

cross scriptingNow the server will store this information and when a user clicks on our fake message, his browser will execute our script as follow
0
 
LVL 62

Accepted Solution

by:
btan earned 250 total points (awarded by participants)
ID: 41835199
Yes it can be a XSS if the methods and attributes that could be used to render HTML content are provided with an untrusted input, that can leads to this high risk of XSS  - specifically what we call an HTML injection. An example of injection can exploit on the vulnerable code that allows an unvalidated input to be used to create dynamic html in the page context.

HTML Injection assuming the embedding of HTML is of malicious or unauthorised intent
This vulnerability occurs when the user input is not correctly sanitized and the output is not encoded. An injection allows the attacker to send a malicious HTML page to a victim. The targeted browser will not be able to distinguish (trust) the legit from the malicious parts and consequently will parse and execute all as legit in the victim context.
Specifically for detection or testing this injection, you can check out DOMinatorPro
This is the only available tool on the market that can identify DOM XSS vulnerabilities with the highest possible precision and will help you solving all exercices on this website.
http://www.domxss.com/domxss/
More in OWASP Phoenix - https://www.owasp.org/index.php/Phoenix/Tools
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py
WSTool - http://wstool.sourceforge.net/
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/
Prevention is better than cure - https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
0
 
LVL 29

Expert Comment

by:Randy Downs
ID: 41861860
Assigned points. Question was answered.
0

Featured Post

DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
There are many Password Managers (PM) out there to choose from. PM's can help with your password habits and routines, but they should not be a crutch you rely on too heavily. I also have an article for company/enterprise PM's.
HTML5 has deprecated a few of the older ways of showing media as well as offering up a new way to create games and animations. Audio, video, and canvas are just a few of the adjustments made between XHTML and HTML5. As we learned in our last micr…
The viewer will learn the basics of jQuery, including how to invoke it on a web page. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery.: (CODE)

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now