Friday, 17 August 2007

Cross Site Scripting and other merriment

I got asked today about security testing and what tests I would recommend as a minimum should always be run. It was interesting to be asked as no one has bothered before!
I'm guessing like me you've heard of Cross Site Scripting (XSS). However, perhaps similarly to me you've never had a good play with it. Sure, all test teams will run a standard battery of UI validation checks, but security focused checks? I bet most companies that should don't insist the test teams do and I know from experience it's a luxury to be running these, especially where there's no automation in place.
I wasn't surprised to find entire sites dedicated just to this area of testing. There's a great site over at http://www.xssed.com/ for the study of this.
Just for fun I then went and had a look over some of the sites I do / have done work for and hey presto, issues.
The most common issues I was able to invoke was through testing with a bit of JavaScript, the Alert box XSS approach. It seemed one form field or another would do something untoward.
The Cheat Sheet I used was over at http://ha.ckers.org/xss.html and just dropping down to using “< pulled some interesting issues too. My second non-surprise, how common it seems, I'm such a cynic aren't I.
I'm not sure how vulnerable being able to pop these alert boxes makes the sites, I need to gen up on my JavaScript more. However, one thing I do know is SQL and just popping ' and 1=1-- in form fields was far too many error for comfort. Playing with a few SELECT statements after seeing table data and malforming URLs using JOINs was even more entertaining.
In the past I've been fairly much using a standard battery of UI validation entries but I'll be adding to the set over the coming weeks for sure!
Mark Crowther, Head of teh haxzor team

2 comments: