Security Xss Testing

// Security - Cross Site Scripting - Testing:

Security testers often look for XSS in two ways:

1. Black Box Testing: The art of looking for security flaws at the application 
   layer, with no knowledge of the code.

2. White Box Testing: Looking for security flaws with access to the application 
   layer AND the source code. When you own the code you will most often be white 
   box testing, because it is much easier.

Blackbox Testing for XSS:

1. Find places on your webpage where user input is being displayed back.

2. Assign unique values to the input parameters that are easy to search for and 
   wouldn't otherwise occur on the page. 

3. Right click -> "View Page Source" and search for the unique values and 
   determine the context in which they are reflected.

4. Identify the reflection context and try adding the special characters that 
   matter for that context to the user input (e.g. < and > for HTML context).

5. Right click -> "Inspect Element" to see if the output is encoded for the 
   correct context.

6. If it is not encoded correctly, try breaking out of the context and 
   executing your payload. For example, given the page markup:

   <div> {!CurrentPage.parameters.name}</div>

   the attack payload name = blah</div><img src=x onerror=alert(0)> would 
   close the div tag, insert the attack string and execute it.
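Steps 2 to 5 above in code, as an added example that is not part of the original page: it scans a page's source for a unique probe value, classifies the context of each reflection and flags the ones where that context's special characters came back unencoded. The probe prefix "zqx1", the constructed sample page source and the simple context heuristic are assumptions.

```javascript
// Added example (not from the original page). Assumes the probe submitted in
// each input parameter was PREFIX followed by the special characters, e.g.
// zqx1<">'  so that the text right after PREFIX shows what survived encoding.
const PREFIX = "zqx1"; // unique marker that would not otherwise occur on the page

// Characters that break out of each reflection context if left unencoded.
const SPECIALS = { html: "<>", attribute: "\"'", script: "'\"" };

// Heuristic: judge the context of position `pos` from the source before it.
function contextAt(src, pos) {
  const before = src.slice(0, pos);
  if (before.lastIndexOf("<script") > before.lastIndexOf("</script")) return "script";
  if (before.lastIndexOf("<!--") > before.lastIndexOf("-->")) return "comment";
  // An unclosed '<' means we are still inside a tag, i.e. in an attribute value.
  if (before.lastIndexOf("<") > before.lastIndexOf(">")) return "attribute";
  return "html";
}

// For every reflection of the probe, report its context and whether the
// context-breaking characters survived unencoded (the step 5 check).
function auditReflections(src) {
  const results = [];
  let pos = src.indexOf(PREFIX);
  while (pos !== -1) {
    const context = contextAt(src, pos);
    const tail = src.slice(pos + PREFIX.length, pos + PREFIX.length + 8);
    const unencoded = [...(SPECIALS[context] || "")].filter((c) => tail.includes(c));
    results.push({ pos, context, unencoded, vulnerable: unencoded.length > 0 });
    pos = src.indexOf(PREFIX, pos + 1);
  }
  return results;
}

// Constructed sample page source: one correctly HTML-encoded reflection, one
// raw reflection inside an attribute value and one raw reflection in a script.
const SAMPLE = [
  "<div> zqx1&lt;&quot;&gt;&#39;</div>",
  "<input value=\"zqx1<\">'\">",
  "<script>var n = 'zqx1<\">'';</script>",
].join("\n");

for (const r of auditReflections(SAMPLE)) {
  console.log(`offset ${r.pos}: ${r.context} context, ` +
    (r.vulnerable ? `unencoded ${r.unencoded.join(" ")}` : "encoded"));
}
```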

Whitebox Testing for XSS:

1. Look for anti-patterns like escape="false". If a VF page disables escaping, 
   make sure the user input is being encoded in the controller.

2. Look for innerHTML assignments. User input should not be assigned to an 
   HTML element directly.

3. Look for merge fields in VF pages and make sure the correct encoding function 
   for the context is being called, e.g. for JS function parameters on event 
   handlers.

4. Make sure coding patterns like document.write and eval are not being used.