Projects: Security - Baseline
Home arrow Projects: Security arrow Page 3 - Testing for Web Site Vulnerabilities















Renew Your Subscription

Projects: Security



Testing for Web Site Vulnerabilities



By Regina Kwon
2002-11-01
Article Views: 12855
Article Rating:starstarstarstarstar / 3

  Table of Contents:
  1. Testing for Web Site Vulnerabilities
  2. ' Testing for SQL Injection '
  3. ' Testing for Cross'
  4. ' Testing for Unrestricted Directory '

Will your Web site pass our security tests?

Rate This Article:
Poor Best
Add This Article To:

Testing for Web Site Vulnerabilities - ' Testing for Cross'


( Page 3 of 4 )

-Site Scripting Vulnerability">
Testing for Cross-Site Scripting Vulnerability

Cross-site scripting (also known as XSS or CSS) occurs when a Web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink that contains malicious content within it. Dynamic pages that are vulnerable to this hack include search results, error messages and Web-form results pages that echo data entered by the user.

After collecting data from a user, a Web application may create an output page for the user--such a page may contain the malicious data that was originally sent to it, but in such a way as to appear to be valid content from the Web site.

An attacker who uses cross-site scripting successfully might compromise confidential information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user or execute malicious code on the end user's computer.

Step 1. Open the Web site in a browser.

Step 2. Locate a search box or login page.
You'll specifically want to find an interactive page that accepts the data you input and displays it back to you on a results page. Search functions and registration or login pages are likely spots to check.

Step 3. Begin testing.
Once you have located a search engine or login form, type the word test into the search field or login name.

Step 4. Send request.
Press the Enter or Return key. This will send your request to the Web server.

Step 5. Determine possibility of cross-site scripting vulnerability.
Note whether the results repeat the text that you entered, as in the following examples:
  • "Your search for 'test' did not find any items"
  • "Your search for 'test' returned the following results"
  • "User 'test' is not valid"
  • "Invalid login 'test'"

If the word test appears in the result page, then your site offers an entryway for cross-site scripting.

Step 6. Submit an actual script to the Web site.
To test for cross-site scripting, input the string <script>alert('hello')</script> into a submission field, in much the same way you entered test in Step 3. Press the Enter or Return key to send your request to the Web server.

Step 7. Determine whether vulnerability exists.
If the server responds with a popup box that displays the word "hello," then the Web site is vulnerable to cross-site scripting.

Sometimes a popup window may not launch even though the site is vulnerable. You may have to search the HTML source of the page. Go to View | Source in Microsoft Internet Explorer or View | Page Source in Netscape. In the document that opens, search for the phrase

<script>alert('hello')</script>

and click the Find Next button. If the text is found, then the Web server is vulnerable to cross-site scripting.

Step 8. Learn more.
Read about ways to defend your site in SPI Dynamics' Cross-Site Scripting white paper.




 
 
>>> More Projects: Security Articles          >>> More By Regina Kwon
 



Sponsored Links
  • Get up and running in as quickly as 30 days with BI. Learn how today.

  • FREE Securing Smartphones & Tablets for Dummies Book from Sophos
  • 5 New Technologies That Will Change Enterprise ITAdvertisement
  • Build an IT Infrastructure That Delivers the Future
     
    		•
     
    FEATURED SPONSORED ARTICLES
    FEATURED SPONSORED VIDEOS

     

    Related Content

    Articles Labs/How-To Multimedia


    LATEST STORIES
    - Five Ways to Put Mobile Technology to Work
    - Ten iPhone Apps that Will Save You Money
    - Mobility Transforms the Customer Relationshi...
    - BPM Keeps Pace With Business Changes
    - Speech Recognition Speaks To Businesses


     

     

    Advertisement
    rss graphic
           Baseline Newsletters

    Baseline:  

    Issue Index | Contact Us | About | Magazine Customer Service | Navigation Guide

    Quick Links:  

    Project Planners | Enterprise Resource Planning | Network and Online Security | Data Analysis | Process Management | Storage Devices| Link to Us

    Ziff Davis Enterprise Home | Contact Us | Advertise | Link to Us | Reprints | Magazine Subscriptions | Newsletters
    Tech RSS Feeds | White Papers | Tech Podcasts | Tech Video | VARs | System Builder

    Baseline | Careers | Channel Insider | CIO Insight | DesktopLinux | DeviceForge | DevSource | eSeminars |
    eWEEK | Enterprise Network Security | LinuxDevices | Linux Watch | Microsoft Watch | Mid-market | Networking | PDF Zone |
    Publish | Security IT Hub | Strategic Partner | TechDirect | Technology White Papers | Windows for Devices

    Developer Shed | Dev Shed | ASP Free | Dev Articles | Dev Hardware | SEO Chat | Tutorialized | Scripts |
    Code Walkers | Web Hosters | Dev Mechanic | Dev Archives | igrep

    Use of this site is governed by our Terms of Use and Privacy Policy

    Copyright ©1996-2012 Ziff Davis Enterprise Holdings Inc. All Rights Reserved. eWEEK and Spencer F. Katt are trademarks of Ziff Davis Enterprise Holdings, Inc. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise Inc. is prohibited.