Testing for Cross Site Scripting Vulnerability
By Regina Kwon | Posted 2002-11-01
Will your Web site pass our security tests?
Cross-site scripting (also known as XSS or CSS) occurs when a Web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink that contains malicious content within it. Dynamic pages that are vulnerable to this hack include search results, error messages and Web-form results pages that echo data entered by the user.
After collecting data from a user, a Web application may build an output page for that user. Such a page may contain the malicious data that was originally sent to it, presented in a way that makes it appear to be valid content from the Web site.
An attacker who uses cross-site scripting successfully might compromise confidential information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user or execute malicious code on the end user's computer.
You'll specifically want to find an interactive page that accepts the data you input and displays it back to you on a results page. Search functions and registration or login pages are likely spots to check.
Once you have located a search engine or login form, type the word test into the search field or login name.
Press the Enter or Return key. This will send your request to the Web server.
Note whether the results repeat the text that you entered, as in the following examples:
- "Your search for 'test' did not find any items"
- "Your search for 'test' returned the following results"
- "User 'test' is not valid"
- "Invalid login 'test'"
If the word test appears in the result page, then your site offers an entryway for cross-site scripting.
To test for cross-site scripting, input the string <script>alert('hello')</script> into a submission field, just as you entered the word test earlier. Press the Enter or Return key to send your request to the Web server.
If the server responds with a popup box that displays the word "hello," then the Web site is vulnerable to cross-site scripting.
Sometimes a popup window may not launch even though the site is vulnerable. You may have to search the HTML source of the page. Go to View | Source in Microsoft Internet Explorer or View | Page Source in Netscape. In the document that opens, search for the phrase <script>alert('hello')</script> and click the Find Next button. If the text is found unchanged in the source, then the Web server is vulnerable to cross-site scripting.
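The check the article walks through by hand (submit a marker, look for it unchanged in the returned HTML) can be scripted. The following is an added example, not code from the article or from SPI Dynamics; the two render functions simulate a results page that echoes the search term, first verbatim (the flaw) and then HTML-encoded (the fix), and the page contents are constructed here so it runs offline.

```python
import html
from urllib.parse import urlencode

# The probe string the article uses; it is harmless (a local alert box)
# and serves only as a marker that is easy to find in page source.
PROBE = "<script>alert('hello')</script>"


def build_probe_url(base_url: str, param: str, value: str) -> str:
    """Build the hyperlink form of the test: the marker carried in a query parameter."""
    return f"{base_url}?{urlencode({param: value})}"


def render_results_vulnerable(query: str) -> str:
    """Results page that echoes the submitted term verbatim (the weakness described above)."""
    return f"<p>Your search for '{query}' did not find any items</p>"


def render_results_fixed(query: str) -> str:
    """Same page, but the user-supplied term is HTML-encoded before it is echoed."""
    return f"<p>Your search for '{html.escape(query, quote=True)}' did not find any items</p>"


def reflection_check(page_html: str, submitted: str) -> str:
    """Classify how the submitted string comes back in the page source.

    'verbatim' - present exactly as sent (what the View | Source step looks for)
    'encoded'  - present only in HTML-escaped form (echoed, but neutralised)
    'absent'   - not echoed at all
    """
    if submitted in page_html:
        return "verbatim"
    escaped_forms = (html.escape(submitted, quote=True), html.escape(submitted, quote=False))
    if any(form in page_html for form in escaped_forms):
        return "encoded"
    return "absent"


if __name__ == "__main__":
    # Placeholder host; substitute the site you are authorised to test.
    print(build_probe_url("https://example.test/search", "q", PROBE))
    for name, renderer in (("vulnerable", render_results_vulnerable), ("fixed", render_results_fixed)):
        page = renderer(PROBE)
        print(f"{name}: {reflection_check(page, PROBE)}")
```

A plain word such as test comes back "verbatim" from both renderers, which is the article's first check (the page echoes input); only the script marker distinguishes the vulnerable page from the fixed one.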
Read about ways to defend your site in SPI Dynamics' Cross-Site Scripting white paper.