Solved

Question about XCSS scripting attacks

Posted on 2016-10-07
3
64 Views
Last Modified: 2016-10-27
I recently installed a patch at a client site that is supposed to prevent XCSS attacks.  

I was able to embed HTML into a web form and have it saved to my customer profile.  Is HTML in a form field considered a cross-site script attack?  Or is it something more?  What tools should I obtain to test the patch to make sure ?

Thanks,

-Dan
0
Comment
Question by:danpman
  • 2
3 Comments
 
LVL 29

Assisted Solution

by:Randy Downs
Randy Downs earned 250 total points (awarded by participants)
ID: 41835129
Here's some info on cross-scripting and some test examples.

Here is a scanner to test your page,

Example

If we have a site that permits us to leave a message to the other user (a lesson of WebGoat v3.7), and we inject a script instead of a message in the following way:

cross scriptingNow the server will store this information and when a user clicks on our fake message, his browser will execute our script as follow
0
 
LVL 63

Accepted Solution

by:
btan earned 250 total points (awarded by participants)
ID: 41835199
Yes it can be a XSS if the methods and attributes that could be used to render HTML content are provided with an untrusted input, that can leads to this high risk of XSS  - specifically what we call an HTML injection. An example of injection can exploit on the vulnerable code that allows an unvalidated input to be used to create dynamic html in the page context.

HTML Injection assuming the embedding of HTML is of malicious or unauthorised intent
This vulnerability occurs when the user input is not correctly sanitized and the output is not encoded. An injection allows the attacker to send a malicious HTML page to a victim. The targeted browser will not be able to distinguish (trust) the legit from the malicious parts and consequently will parse and execute all as legit in the victim context.
Specifically for detection or testing this injection, you can check out DOMinatorPro
This is the only available tool on the market that can identify DOM XSS vulnerabilities with the highest possible precision and will help you solving all exercices on this website.
http://www.domxss.com/domxss/
More in OWASP Phoenix - https://www.owasp.org/index.php/Phoenix/Tools
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py
WSTool - http://wstool.sourceforge.net/
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/
Prevention is better than cure - https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
0
 
LVL 29

Expert Comment

by:Randy Downs
ID: 41861860
Assigned points. Question was answered.
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
FSRREMOS 7 53
Windows 10 Errors 11 58
global Variable - 2 functions in powershell 1 19
Table header must be on top 2 21
In threads here at EE, each comment has a unique Identifier (ID). It is easy to get the full path for an ID via the right-click context menu. However, we often want to post a short link within a thread rather than the full link. This article shows a…
Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
The viewer will the learn the benefit of plain text editors and code an HTML5 based template for use in further tutorials.
The viewer will learn the basics of jQuery, including how to invoke it on a web page. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery.: (CODE)

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question