How to Identify XSS Vulnerability
XSS is at bottom an input-handling problem: user-controlled data is written into a page without being encoded for the context it lands in. To find it, we probe every input the application accepts, such as URL parameters, form fields, cookies, and file uploads, and try to figure out which ones are returned to the user without being sanitized or encoded.
The basic test for finding out whether a website is prone to XSS is to inject the following string, a minor variation of the XSS locator found on the OWASP “XSS Filter Evasion Cheat Sheet”:
'"<>();[]{}XSS
Once you have injected this payload into every possible input, view the source of the page that was rendered back and search for the word “XSS”: how is it reflected, and in what context (HTML body, attribute value, or script block)? If any of the characters in front of it come back unencoded, the website is probably vulnerable to XSS; which characters matter depends on the context the reflection lands in.
Types of Cross-Site Scripting
Primarily, there are three types of cross-site scripting vulnerabilities:
1. Reflected/nonpersistent XSS
2. Stored/persistent XSS
3. DOM-based XSS
You might come across others too, but they are just variations of these three vulnerabilities.
Ethical Hacking and Penetration Testing Guide, p. 372
Reflected/Nonpersistent XSS
This is the most common form of cross-site scripting vulnerability you will find. The input is reflected back to the user in the response; it is not stored on the server or in the database. These attacks are a bit harder to exploit, since we need the victim to open our specially crafted link carrying the payload.
Let’s walk through an example of a simple cross-site scripting vulnerability. I will use DVWA (Damn Vulnerable Web Application) to demonstrate the attack at the low, medium, and high security levels. Let’s start by looking at the underlying vulnerable code for the low security level.
Vulnerable Code
As you can clearly see, the input taken from the user via the GET variable “name” is reflected back to the user without any sanitization.
Most of the time, you will be performing black box penetration tests in your career as a penetration tester, so you won’t have access to the underlying code for a source code review. In that case we test the application from the outside, and our first test would be to inject the payload '"<>();[]{}XSS and see how the page returns it.
Looking at the source of the response after injecting the payload, we can see that no escaping is being performed on the input: every character of the locator comes back exactly as it was sent.
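The black-box procedure above (inject the locator into every input, search the response for “XSS”, and see which characters in front of it came back unencoded) is easy to automate. The following is an added example, not code from the book or from DVWA; the render_low and render_fixed handlers are assumptions that imitate the behaviour described for the low-level page (the “name” parameter echoed into the page untouched) and its corrected form, and the sample responses are constructed:

```python
"""Black-box check for the XSS locator string: which metacharacters come back unencoded?

Added example; not code from the book. The render_* handlers are assumptions that
mimic the behaviour the text describes for DVWA's low level (raw echo of `name`)
and its corrected form. Sample responses below are constructed.
"""
import html

# The locator from the text: eleven metacharacters followed by a searchable marker.
LOCATOR = "'\"<>();[]{}XSS"
MARKER = "XSS"
SPECIALS = LOCATOR[: -len(MARKER)]


def render_low(params):
    """Assumed vulnerable handler: echoes the GET variable `name` into the page untouched."""
    return "<pre>Hello " + params.get("name", "") + "</pre>"


def render_fixed(params):
    """Same handler with output encoding for an HTML text context."""
    return "<pre>Hello " + html.escape(params.get("name", ""), quote=True) + "</pre>"


def _forms(ch):
    """Spellings of `ch` we recognise in a response: entity forms longest first, raw last."""
    encoded = {html.escape(ch, quote=True), "&#%d;" % ord(ch),
               "&#x%x;" % ord(ch), "&#x%X;" % ord(ch)}
    encoded.discard(ch)  # html.escape() returns most characters unchanged
    return sorted(encoded, key=len, reverse=True) + [ch]


def _context(prefix):
    """Rough HTML context of a reflection, judged from the page text before it."""
    low = prefix.lower()
    if low.rfind("<script") > low.rfind("</script"):
        return "script"
    if prefix.rfind("<") > prefix.rfind(">"):
        return "attribute"
    return "html"


def analyze_reflection(response):
    """For every occurrence of MARKER, walk backwards through the locator's special
    characters and record whether each came back raw, entity-encoded, or stripped."""
    reports = []
    pos = response.find(MARKER)
    while pos != -1:
        raw, encoded, missing = [], [], []
        cursor = pos  # response[cursor:pos] is the part of the locator matched so far
        for ch in reversed(SPECIALS):
            head = response[:cursor]
            for form in _forms(ch):
                if head.endswith(form):
                    (raw if form == ch else encoded).append(ch)
                    cursor -= len(form)
                    break
            else:  # neither raw nor encoded: the filter removed it
                missing.append(ch)
        reports.append({"context": _context(response[:cursor]), "raw": raw[::-1],
                        "encoded": encoded[::-1], "missing": missing[::-1]})
        pos = response.find(MARKER, pos + len(MARKER))
    return reports


def likely_exploitable(report):
    """Heuristic: the characters that break out of the reflection's context came back raw."""
    raw = set(report["raw"])
    if report["context"] == "html":
        return "<" in raw  # need to open a tag
    return bool(raw & {"'", '"', "<"})  # a quote escapes an attribute or JS string


def probe(handler, params):
    """Inject LOCATOR into each parameter in turn and report the exploitable reflections."""
    findings = {}
    for key in params:
        trial = dict(params, **{key: LOCATOR})
        for report in analyze_reflection(handler(trial)):
            if likely_exploitable(report):
                findings.setdefault(key, []).append(report["context"])
    return findings


# Constructed response: a filter that entity-encodes < and > but leaves quotes alone,
# with the reflection landing inside an attribute value.
ATTR_RESPONSE = '<input value="' + "'\"&lt;&gt;();[]{}XSS" + '">'

if __name__ == "__main__":
    for name, handler in (("low", render_low), ("fixed", render_fixed)):
        print(name, analyze_reflection(handler({"name": LOCATOR})))
    print("attribute case:", analyze_reflection(ATTR_RESPONSE))
    print("probe low:", probe(render_low, {"name": "bob", "lang": "en"}))
```

analyze_reflection walks backwards from the marker because the marker is what you search for in the source; entity expansion shifts the reflected span, so matching from the marker is more reliable than looking for the whole locator. likely_exploitable is deliberately a heuristic: a raw “<” in HTML text, or a raw quote inside an attribute value or script string, is what breaks out of the context, while raw parentheses or brackets in body text are harmless on their own.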
Let’s try injecting the following piece of code:
Web Hacking