[WEB SECURITY] Blackbox xss reversing

Milton Smith msmith at successfactors.com
Tue Feb 8 14:38:46 EST 2011

Hi Gaz,

We created a vulnerability testing framework using Groovy.  The framework runs nightly across our products.  Just as you describe, we crafted a JavaScript payload for an alert and check the response.  If the response contains the string sequence, XSS was successful, the test fails.  We caught lots of areas where filtering was not being done.

If the fields are numeric then injecting the payload will likely result in errors.  You still want to test them anyway since the user input (e.g., payload) may be displayed on the error page.  You might try both HTTP GET and POST methods.  In Java, it generally does not matter but sometimes it can lead to alternate code paths.  I don't find a lot of false positives or matches on our test payload.  If anyone else has ideas I would be interested as well.


From: gaz Heyes <gazheyes at gmail.com<mailto:gazheyes at gmail.com>>
Date: Thu, 3 Feb 2011 01:50:08 -0800
To: "websecurity at webappsec.org<mailto:websecurity at webappsec.org>" <websecurity at webappsec.org<mailto:websecurity at webappsec.org>>
Subject: [WEB SECURITY] Blackbox xss reversing

Hi all

I'd like your thoughts on blackbox xss reversing. Do you think one canary/identifier is enough? Is it needed? Using the input as a identifier itself, would there be too many false positives? If a variable doesn't allow alphanumeric characters, how would you create a canary/identifier? If a variable is numeric only how would you know? Hmmm maybe doing a diff on the page with different numbers might work, but what about randomized content unrelated to inputs? Other then tags, attributes and characters what other stuff would be useful to know?



PS I like asking questions, did you know that?
The information contained in this message may be legally privileged and confidential.  It is intended to be read only by the individual or entity to whom it is addressed or by their designee. If the reader of this message is not the intended recipient, you are on notice that any distribution of thismessage, in any form, is strictly prohibited.  If you have received this message in error, please immediately notify the sender and/or SuccessFactors, Inc. by telephone at (650) 645-2000 and delete or destroy any copy of this message.

More information about the websecurity mailing list