
XSS: Pay attention to input validation

October 21, 2011

“Experience shows that test cases that explore boundary conditions have a higher payoff than test cases that do not.”

The Art of Software Testing, Glenford J. Myers

Recently I was asked to look through a website to find undetected bugs with a fresh pair of eyes.

First of all, I decided to pay attention to boundary value analysis, and I was rewarded. Since there were plenty of forms on the pages, the following was detected:

  • in most inputs there was no boundary check (one could submit a value of any length, which caused an SQL error)
  • no input data validation (phone number format, e-mail format, incorrect values and so on)
  • and the most harmful was XSS
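The first two findings are the kind of thing boundary value analysis catches quickly: test the value just inside and just outside each limit. The following is an added example, not code from the original post or the audited site, of server-side checks that would have prevented them; the 64-character name limit and the e-mail and phone shapes are assumptions chosen for the demo.

```javascript
// Added example (not from the original post): boundary-value validation for
// form fields. MAX_NAME_LEN is an assumed column width; on the audited site an
// over-long value reached the database unchecked and caused an SQL error.
const MAX_NAME_LEN = 64;

// Length check counting code points, so a multi-byte character is one character.
function validateName(value) {
  if (typeof value !== 'string') return { ok: false, reason: 'not a string' };
  const len = [...value].length;
  if (len === 0) return { ok: false, reason: 'empty' };
  if (len > MAX_NAME_LEN) return { ok: false, reason: `longer than ${MAX_NAME_LEN}` };
  return { ok: true };
}

// E-mail shape check: one '@', non-empty local part, a dot in the domain,
// and the 254-character overall limit. Full RFC 5322 parsing is out of scope;
// the goal is to reject obvious garbage before it reaches the database.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
function validateEmail(value) {
  return typeof value === 'string' && value.length <= 254 && EMAIL_RE.test(value);
}

// Phone: optional leading '+', then 7 to 15 digits (E.164 length bounds),
// after stripping the spaces and dashes users commonly type.
const PHONE_RE = /^\+?[0-9]{7,15}$/;
function validatePhone(value) {
  return typeof value === 'string' && PHONE_RE.test(value.replace(/[\s-]/g, ''));
}

// Boundary cases: the value at each limit must pass, one past it must fail.
function boundaryCases() {
  return {
    nameAtMax: validateName('a'.repeat(MAX_NAME_LEN)).ok,
    nameOverMax: validateName('a'.repeat(MAX_NAME_LEN + 1)).ok,
    nameEmpty: validateName('').ok,
    phoneMin: validatePhone('1234567'),
    phoneBelowMin: validatePhone('123456'),
    phoneMax: validatePhone('+123456789012345'),
    phoneOverMax: validatePhone('+1234567890123456'),
    emailOk: validateEmail('user@example.com'),
    emailNoAt: validateEmail('user.example.com'),
  };
}

console.log(boundaryCases());
```

Each field is checked on the server before it is used in a query or stored; client-side checks are a convenience for the user, not a control, since an attacker submits the request directly.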

Cross-site scripting (XSS) is a type of web application security vulnerability that enables attackers to inject client-side script into web pages viewed by other users, typically through form fields whose values are echoed back into the page without encoding. Because the injected script runs in the victim's browser with the privileges of the vulnerable site, it can be used to bypass access controls: read the session cookie, perform actions as the logged-in user, or rewrite the page content.

Below are some of the most common test strings for detecting weak validation or filtering.

  • <script>alert()</script>
  • "><script>alert()</script>
  • <sc<script>ript>alert()</sc</script>ript>

Put the values above into the form fields, submit the form and see what happens. The second string closes an attribute value first, so it also catches values reflected inside a tag attribute; the third defeats a filter that deletes the literal string <script> once, because removing the inner tag leaves a complete outer one. If a popup appears, there is a potential security hole: an attacker can read the user's cookie with document.cookie (unless it is flagged HttpOnly) and send it to a server they control.
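To see why the third probe string gets through a blacklist filter while output encoding stops all three, here is an added example (not code from the original post): a naive strip-the-tag filter and an HTML-escaping function are run over the three probe strings inside an assumed vulnerable attribute template, and a simple pattern check reports whether an executable script element survives in the reflected output.

```javascript
// Added example (not from the original post). The three probe strings are
// the ones given above; the templates and the filter are assumptions used to
// demonstrate the bypass.
const PROBES = [
  '<script>alert()</script>',
  '"><script>alert()</script>',
  '<sc<script>ript>alert()</sc</script>ript>',
];

// Naive blacklist filter: delete the literal tags in a single pass.
// Removing the inner <script> from probe 3 reassembles the outer one.
function naiveStripScript(input) {
  return input.replace(/<script>/g, '').replace(/<\/script>/g, '');
}

// Output encoding: turn the HTML metacharacters into entities so the browser
// treats the value as text and never as markup, whatever the input looks like.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Assumed vulnerable template: the submitted value is echoed straight into an
// attribute, exactly the pattern the probes are designed to find.
function reflectUnsafe(value) {
  return `<input type="text" value="${value}">`;
}

// Same template with encoding applied at the point of output.
function reflectEscaped(value) {
  return `<input type="text" value="${escapeHtml(value)}">`;
}

// Detection check: does the page text still contain a complete script element?
const SCRIPT_TAG = /<script\b[^>]*>[\s\S]*?<\/script\s*>/i;

function evaluate() {
  return PROBES.map((p) => ({
    probe: p,
    rawReflected: SCRIPT_TAG.test(reflectUnsafe(p)),
    afterNaiveFilter: SCRIPT_TAG.test(reflectUnsafe(naiveStripScript(p))),
    afterEscaping: SCRIPT_TAG.test(reflectEscaped(p)),
  }));
}

console.table(evaluate());
```

The naive filter removes probes 1 and 2 but turns probe 3 into probe 1, so the blacklist gives a false sense of safety. Encoding at output time leaves nothing to bypass, which is why it, rather than input blacklisting, is the fix for reflected values.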

In conclusion, pay attention to web application security and train test staff to detect common security holes (e.g. XSS, CSRF, RFI/LFI, SQL injection).

More information about XSS can be found on the Open Web Application Security Project (OWASP) site.
