Xss Detection

Topics: JavaScript, Text box, Vector Motors Pages: 1 (253 words) Published: April 12, 2013
An XSS scenario without the use of “Script” and <> Usually when testing for XSS vulnerabilities, we normally use the attack vectors <script>alert(111)</script> , <body onload=alert(111)/> etc. If the developer has implemented a blacklist serverside validation for <> and script, we will not get satisfactory test results. But in some scenarios we can successfully demonstrate an XSS attack even without using the above mentioned vectors. This new scenario is mainly observed in the “Search” text box of the applications. test

This is a search text box. Here the user enters some keyword for searching.

Now the page returns the result and the keyword is also reflected in the text box again. Following is the HTML source of the reflected value. <input type=”text” name=”txtSearch” value=”test” /> Here the keyword “test” is rendered in the “value” attribute of the text box. Now an attacker enters the vector ” onmouseover=alert(111) into the textbox and it is reflected in the following way. <input type=”text” name=”txtSearch” value=”” onmouseover=alert(111) /> As there was only a blacklist validation implemented., The attacker was able to close the “name” attribute with a double quote and inject another event attribute which can be used to execute javascript successfully. In this scenario, if the victim had moved the mouse over the “Search” text box, the script would have been executed successfully. Recommendation: Encoding “” to " must be done.
Continue Reading

Please join StudyMode to read the full document

You May Also Find These Documents Helpful

  • Coglab Change Detection Essay
  • Image Enhancement and Edge Detection for Real Time System Applications Essay
  • Intrusion Detection Systems Research Paper
  • Essay about Change Detection
  • Edge Detection in Image Processing Essay
  • Intrusion Detection and Prevention Systems Essay
  • Motion Detection Essay
  • Change detection Essay

Become a StudyMode Member

Sign Up - It's Free