Usually when testing for XSS vulnerabilities we use attack vectors such as <script>alert(111)</script>, <body onload=alert(111)/> and so on. If the developer has implemented a server-side blacklist validation that rejects <, > and script, these vectors give no useful test results. In some scenarios, however, we can still demonstrate an XSS attack without using the above vectors.
This scenario is mainly observed in the "Search" text box of applications. Ex: a search text box in which the user enters a keyword (here "test") and clicks "Search".
Now the page returns the result and the keyword is also reflected in the text box again. Following is the HTML source of the reflected value.
<input type="text" name="txtSearch" value="test" />
Here the keyword "test" is rendered in the "value" attribute of the text box.
Now an attacker enters the vector " onmouseover=alert(111) into the text box, and it is reflected in the following way.
<input type="text" name="txtSearch" value="" onmouseover=alert(111) />
Because only a blacklist validation was implemented, the attacker was able to close the "value" attribute with a double quote and inject another event attribute, which can be used to execute JavaScript. In this scenario, if the victim had moved the mouse over the "Search" text box, the script would have been executed.
Recommendation: Encoding " to &quot; must be
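The following Python script is an added example (not code from the original post) that reproduces the whole scenario above: a deny-list of the kind the post describes, a search box that reflects the keyword into the value attribute with only that deny-list in front of it, and the recommended fix of encoding the double quote. It then parses both outputs with Python's html.parser to show which attributes the tag actually ends up with. The function names, the filter's behaviour of dropping blocked input, and the two sample inputs are all constructed for the example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed inputs: the classic vector the deny-list stops, and the
# attribute-breakout vector from the post that the deny-list does not see.
SCRIPT_VECTOR = "<script>alert(111)</script>"
BREAKOUT_VECTOR = '" onmouseover=alert(111)'


def blacklist_allows(keyword: str) -> bool:
    """Deny-list check of the kind the post describes: rejects '<', '>' and 'script'."""
    return not ("<" in keyword or ">" in keyword
                or re.search("script", keyword, re.IGNORECASE))


def render_vulnerable(keyword: str) -> str:
    """Reflect the keyword into the value attribute with only the deny-list in front of it."""
    if not blacklist_allows(keyword):
        keyword = ""  # assumed filter behaviour for the example: blocked input is dropped
    return f'<input type="text" name="txtSearch" value="{keyword}" />'


def render_hardened(keyword: str) -> str:
    """Reflect the keyword after attribute encoding; quote=True turns " into &quot;."""
    return f'<input type="text" name="txtSearch" value="{html.escape(keyword, quote=True)}" />'


class _AttrCollector(HTMLParser):
    """Records the attributes of the first tag, as a tolerant HTML parser reads them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}
        self._seen_tag = False

    def handle_starttag(self, tag, attrs):
        if not self._seen_tag:
            self._seen_tag = True
            self.attrs = dict(attrs)  # entity references in values are already decoded

    handle_startendtag = handle_starttag


def parsed_attributes(markup: str) -> dict:
    """Return {attribute name: value} for the first tag in the markup."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def has_injected_handler(markup: str) -> bool:
    """True when the reflected keyword produced an on* event-handler attribute."""
    return any(name.startswith("on") for name in parsed_attributes(markup))


if __name__ == "__main__":
    print("deny-list stops script vector:", not blacklist_allows(SCRIPT_VECTOR))
    print("deny-list passes breakout vector:", blacklist_allows(BREAKOUT_VECTOR))
    for label, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        out = render(BREAKOUT_VECTOR)
        print(f"{label}: {out}")
        print(f"  event handler injected: {has_injected_handler(out)}")
```

In the vulnerable output the parser reports an onmouseover attribute, so the attacker's text has become part of the tag's structure; in the hardened output the same text is reported as the value of the value attribute and nothing else, which is exactly what attribute encoding is meant to guarantee. The deny-list is shown only to make the point that it stops the obvious vector while leaving the attribute breakout untouched.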