[WEB SECURITY] Detecting Persistent XSS With Automated Scanners - Technically Feasible??

B Snake bsnak3 at gmail.com
Thu Sep 13 07:43:26 EDT 2007


The idea of inserting a GUID into each XSS injection string and using this
GUID to determine the vulnerable parameter in the case of persistent XSS is
nothing new.  It's a good idea, but it's only one piece of the solution for
automatically detecting persistent XSS.

There are numerous other problems.  The big one that's been bugging me is
the problem of thoroughly testing for persistent XSS without causing a huge
increase in the number of requests that need to be made during the scan.
From some of your replies, it sounds like there actually is a solution to
this problem.

When manually testing for persistent XSS, a security tester would start by
exploring the website and getting a feel for what is being done with the
various inputs and where in the website they are being echoed back.  After
injecting an XSS payload into a particular field, the manual tester will
have a pretty good idea where that script might be echoed back, and will go
straight to those places where the script is most likely to be found.  The
manual tester isn't going to inject an XSS payload into a field and then
blindly check every single page in the website looking for where the script
might be echoed back - that wouldn't be efficient at all.

Maybe an automated scanner can do something similar.  Start off by exploring
the entire web application, filling in all forms with valid input values and
observing where each input is being echoed back, whether on the same page or
on other parts of the site.  Then do more of a "smart" persistent XSS test
of each input parameter.  Inject an XSS variant into an input parameter,
then check only those pages that are known to echo back that particular
parameter value, then move on to the next XSS variant, and so on.  This
would allow for a thorough test and wouldn't cause an unreasonable increase
in the number of requests required.

This all sounds easy enough to build into a scanner, but I have a feeling
that this is one of those things that's easier said than done.  The devil is
in the details.

Some products claim to be able to detect persistent XSS already.  And a
number of people claim that they are on the verge of being able to do this.
I'll believe it when I see it!

-BSnake
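The two-phase approach sketched in the post (a crawl that records where each input is echoed, then a GUID-tagged injection checked only on those pages) can be illustrated in a few dozen lines. The following is an added example, not code from the original post or from any scanner product it mentions. `ToyApp`, its pages and parameters, the `XSS_VARIANTS` list and the function names are all constructed for this illustration; the "web application" is an in-memory stand-in that stores submitted values and renders them, with one parameter rendered unescaped and one escaped, so the scanner's request budget and its findings can be checked offline.

```python
import html
import uuid


class ToyApp:
    """Constructed stand-in for a web application (not a real site).
    'comment' is stored and rendered unescaped on /guestbook (the flaw);
    'nickname' is stored and rendered HTML-escaped on /profile (safe)."""

    def __init__(self):
        self.store = {"comment": [], "nickname": []}

    def submit(self, param, value):
        self.store[param].append(value)

    def get(self, page):
        if page == "/guestbook":
            return "".join("<div>%s</div>" % c for c in self.store["comment"])
        if page == "/profile":
            names = self.store["nickname"]
            return "<h1>%s</h1>" % html.escape(names[-1] if names else "")
        if page in ("/about", "/faq"):
            return "<p>static content</p>"
        raise KeyError(page)


PAGES = ["/guestbook", "/profile", "/about", "/faq"]
PARAMS = ["comment", "nickname"]

# Each variant carries a GUID ({g}) so a stored reflection can be attributed
# to the exact parameter and variant that produced it.
XSS_VARIANTS = [
    "<script>/*{g}*/</script>",
    "\"><img src=x onerror=\"/*{g}*/\">",
]


def build_echo_map(app, pages, params):
    """Phase 1: submit one harmless unique canary per parameter, crawl every
    page once, and record which pages echo which parameter.
    Returns (echo_map, number_of_requests)."""
    canaries = {}
    for p in params:
        c = "canary" + uuid.uuid4().hex  # alphanumeric: survives any encoding
        app.submit(p, c)
        canaries[c] = p
    echo_map = {p: [] for p in params}
    for pg in pages:
        body = app.get(pg)
        for c, p in canaries.items():
            if c in body:
                echo_map[p].append(pg)
    return echo_map, len(params) + len(pages)


def scan_persistent_xss(app, pages, params, variants=XSS_VARIANTS):
    """Phase 2: inject every GUID-tagged variant into every echoed parameter,
    then fetch only the union of pages known to echo something, attributing
    each verbatim reflection by its GUID. Returns (findings, requests, echo_map)."""
    echo_map, requests = build_echo_map(app, pages, params)
    injected = {}  # guid -> (param, variant, full payload)
    for p in params:
        if not echo_map[p]:
            continue  # never echoed on any crawled page: nothing to check
        for v in variants:
            g = uuid.uuid4().hex
            payload = v.format(g=g)
            app.submit(p, payload)
            requests += 1
            injected[g] = (p, v, payload)
    pages_to_check = sorted({pg for p in params for pg in echo_map[p]})
    findings = []
    for pg in pages_to_check:
        body = app.get(pg)
        requests += 1
        for g, (p, v, payload) in injected.items():
            # Verbatim, unencoded reflection of a stored payload. A real scanner
            # would also parse the HTML context instead of a substring test.
            if payload in body:
                findings.append({"param": p, "page": pg, "variant": v, "guid": g})
    return findings, requests, echo_map


def naive_request_count(pages, params, variants):
    """Requests a blind scanner would make: after each injection, re-fetch
    every page of the site looking for the reflection."""
    return len(params) * len(variants) * (1 + len(pages))


if __name__ == "__main__":
    app = ToyApp()
    found, used, emap = scan_persistent_xss(app, PAGES, PARAMS)
    print("echo map:", emap)
    print("smart scan requests:", used,
          "vs blind:", naive_request_count(PAGES, PARAMS, XSS_VARIANTS))
    for f in found:
        print("persistent XSS: param=%(param)s page=%(page)s variant=%(variant)s" % f)
```

With the toy's two parameters, two variants and four pages, the smart scan spends 12 requests (6 for the crawl, 4 injections, 2 page checks) against 20 for the blind approach, and the gap widens as pages and variants grow because phase 2 fetches each echo page once regardless of how many payloads were stored. The GUID is what makes the single fetch sufficient: every reflection on a page is traced back to its parameter and variant without re-injecting.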