websecurity@lists.webappsec.org

The Web Security Mailing List


Blackbox xss reversing

gaz Heyes
Thu, Feb 3, 2011 9:50 AM

Hi all

I'd like your thoughts on blackbox xss reversing. Do you think one
canary/identifier is enough? Is it needed? Using the input as an identifier
itself, would there be too many false positives? If a variable doesn't allow
alphanumeric characters, how would you create a canary/identifier? If a
variable is numeric only, how would you know? Hmmm maybe doing a diff on the
page with different numbers might work, but what about randomized content
unrelated to inputs? Other than tags, attributes and characters, what other
stuff would be useful to know?

Cheers

Gareth

PS I like asking questions, did you know that?

Milton Smith
Tue, Feb 8, 2011 7:38 PM

Hi Gaz,

We created a vulnerability testing framework using Groovy. The framework runs nightly across our products. Just as you describe, we crafted a JavaScript payload for an alert and check the response. If the response contains the string sequence, XSS was successful and the test fails. We caught lots of areas where filtering was not being done.

If the fields are numeric, then injecting the payload will likely result in errors. You still want to test them anyway since the user input (e.g., payload) may be displayed on the error page. You might try both HTTP GET and POST methods. In Java, it generally does not matter but sometimes it can lead to alternate code paths. I don't find a lot of false positives or matches on our test payload. If anyone else has ideas I would be interested as well.

Regards,
Milton

From: gaz Heyes <gazheyes@gmail.com>
Date: Thu, 3 Feb 2011 01:50:08 -0800
To: "websecurity@webappsec.org" <websecurity@webappsec.org>
Subject: [WEB SECURITY] Blackbox xss reversing

The information contained in this message may be legally privileged and confidential. It is intended to be read only by the individual or entity to whom it is addressed or by their designee. If the reader of this message is not the intended recipient, you are on notice that any distribution of this message, in any form, is strictly prohibited. If you have received this message in error, please immediately notify the sender and/or SuccessFactors, Inc. by telephone at (650) 645-2000 and delete or destroy any copy of this message.
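The approach the two posts above discuss, worked through as an added example. This is not code from either poster and not Milton's Groovy framework; it is a Python sketch of a blackbox reflection check written for this page. It uses one fresh lowercase canary per parameter instead of the raw input (so a match is only ever the canary, which keeps false positives down), guesses the context each reflection lands in from the text before it, probes one metacharacter at a time between two copies of the canary to learn which characters come back unencoded, and, for a numeric-only field where an alphabetic canary just produces an error page, diffs against two same-input renders so that content that changes on its own (a random nonce here) is not mistaken for a reflection. The render_page function is a constructed stand-in for the application under test; against a real target it would be replaced by HTTP requests, sent as both GET and POST.

```python
import html
import re
import secrets
import string

# Constructed stand-in for the application under test (not a real site, and not
# the Groovy framework from the thread). It reflects "q" raw inside a JS string,
# "name" HTML-encoded in body text, "color" raw inside a double-quoted attribute,
# and the numeric-only "id" into the title. The nonce is random content that is
# unrelated to any input, like a CSRF token or an ad slot.
def render_page(params):
    nonce = secrets.token_hex(8)
    name = html.escape(params.get("name", ""))
    color = params.get("color", "")
    q = params.get("q", "")
    try:
        title = "Item %d" % int(params.get("id", "0"))
    except ValueError:
        title = "Error: id must be numeric"   # the bad value is not echoed
    return ("<html><head><title>%s</title></head>\n" % title
            + '<body data-nonce="%s">\n' % nonce
            + "<p>Hello %s</p>\n" % name
            + '<div style="color:%s">x</div>\n' % color
            + "<script>var q = '%s';</script>\n" % q
            + "</body></html>")

PROBE_CHARS = ["<", ">", '"', "'", "/", "\\", "&"]

def make_canary(length=8):
    # Lowercase letters only: they survive case folding, never parse as a number
    # and are very unlikely to collide with page content or with each other.
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))

def classify_context(before):
    """Guess the syntactic context at the point where the canary appeared, from
    the response text preceding it. A heuristic, not an HTML/JS parser."""
    if before.rfind("<") > before.rfind(">"):          # inside an open tag
        tag = before[before.rfind("<"):]
        if re.search(r'=\s*"[^"]*$', tag):
            return "attribute(dq)"
        if re.search(r"=\s*'[^']*$", tag):
            return "attribute(sq)"
        return "tag"
    low = before.lower()
    if low.rfind("<script") > low.rfind("</script"):   # inside a script block
        js = before[low.rfind("<script"):]
        js = js[js.find(">") + 1:]
        if js.count("'") % 2:                          # odd quote count: open string
            return "js-string(sq)"
        if js.count('"') % 2:
            return "js-string(dq)"
        return "js"
    return "html-text"

def find_reflections(render, param, baseline):
    """Inject a fresh canary into one parameter; return (canary, contexts)."""
    canary = make_canary()
    body = render({**baseline, param: canary})
    contexts = [classify_context(body[:m.start()])
                for m in re.finditer(re.escape(canary), body)]
    return canary, contexts

def probe_chars(render, param, baseline, canary):
    """For each metacharacter, send canary+ch+canary and report whether the
    character came back literally between the two canaries (unencoded)."""
    out = {}
    for ch in PROBE_CHARS:
        probe = canary + ch + canary
        out[ch] = probe in render({**baseline, param: probe})
    return out

def numeric_reflection(render, param, baseline, values=("1", "2")):
    """Numeric-only field: render twice with the same value to learn which lines
    vary on their own (nonces, timestamps), then change the value and return the
    (old, new) line pairs that differ apart from that noise. Assumes the page
    keeps the same line layout between requests."""
    same = [render({**baseline, param: values[0]}).splitlines() for _ in range(2)]
    noisy = {i for i, (x, y) in enumerate(zip(*same)) if x != y}
    changed = render({**baseline, param: values[1]}).splitlines()
    return [(x, y) for i, (x, y) in enumerate(zip(same[0], changed))
            if i not in noisy and x != y]

def assess(render, params, baseline):
    """Regression-style sweep: one canary per parameter, then a character probe
    wherever it reflected. An empty context list means 'not reflected'."""
    report = {}
    for p in params:
        canary, contexts = find_reflections(render, p, baseline)
        report[p] = {"contexts": contexts,
                     "survives": probe_chars(render, p, baseline, canary) if contexts else {}}
    return report

if __name__ == "__main__":
    base = {"q": "x", "name": "x", "color": "red", "id": "1"}
    for p, r in assess(render_page, ["q", "name", "color", "id"], base).items():
        print(p, r)
    print("id:", numeric_reflection(render_page, "id", base))
```

On the toy page the sweep reports q as a single-quoted JS string with every probe character surviving, name as body text where only "/" and "\" survive the encoding, color as a double-quoted attribute with nothing filtered, and id as not reflected at all; the line diff is what shows that id does reach the page, while the nonce line is ignored because it changed between two identical requests. The context classifier and the line-aligned diff are deliberately simple assumptions; a production scanner would parse the response and diff on a token or DOM level.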
