Thread: question about web app testing...

  1. #1
    Member
    Join Date
    Oct 2006
    Posts
    63

    question about web app testing...

    I've started to get my feet wet with web apps, and I'm trying to make sense of the output that the xss-me add-on in Firefox gives you when you run a test on a given page. I've been testing the demo.testfire.net (Altoro Mutual) login page, which test for numerous xss vulnerabilities, but the ones in red are showing what appears to be the script tested; it doesn't seem to work when you insert it in the login form... I don't think that's the actual xss script, but the form in which the script would be inserted... could someone give me a hand interpreting this output?

    check the attached png file


    thanks in advance

  2. #2
    Junior Member
    Join Date
    Jul 2008
    Posts
    15
    Actually, it is very likely that, as you see it in the image, the script was tested. I mean, if you see <script>document.something=true</script>, that's what was tested; however, this is not necessarily tested in the login form. The thing with XSS is that you can test it using several routes.

    On one hand you could try writing the script in the input text of a login form, but you could also send it during a GET. For instance, what would happen if I send a malformed user agent and your site doesn't check that?

    Also, the login form could work like login.php?id=1234 and if the login is successful, then you'll end up with something like login.php?id=1234&access=true

    All that means that you can manipulate the GET values of the URI with something like login.php?id=<script>alert('xss')</script>. Also, you could manipulate a hidden field (if the login form has one) by modifying the HTML code in your browser, or you could use something like livehttp headers, check the payload of the login form and then manipulate any of those values.

    What I'm saying is that the alerts you see when using things like xss-me don't always mean that it was tested just using the input text of the form, and yes, the script as you see it in the alerts was the script tested :)
    Last edited by LKP; July 22nd, 2008 at 04:09 PM.
    Simplicity is power!

  3. #3
    Member
    Join Date
    Oct 2006
    Posts
    63
    ok... then how come when I insert that xss script in the form nothing happens?... also xss-me comes with lots of xss scripts built in already, and if the test came back with xss vulnerabilities, why is it that it won't tell you which ones tested ok against that specific form... maybe I'm just missing something or it's just not the way the app is supposed to work

    anyway thanks for the explanation

  4. #4
    Junior Member
    Join Date
    Jul 2008
    Posts
    15
    Quote Originally Posted by k_tech
    ok... then how come that when I insert that xss script on the form nothing happens?
    Because it's possible that xss-me isn't placing the xss in the input text of the form but is instead placing it somewhere else, like a cookie, POST payload, GET and so on... in which case the problem won't lie in the form itself but in the way the form is handled, thus putting script code in the form won't give you anything.

    Maybe you could try another tool like acunetix to get more verbose information, or things like w3af, ratproxy or even webscarab
    Simplicity is power!
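
The point made in replies #2 and #4, as an added example that is not part of the original thread: a page can echo request inputs other than the visible form fields, so a probe typed into the username box shows nothing while a GET parameter, hidden field or header is reflected. The handler, its field names and the sample request are constructed assumptions; the encoded variant shows the fix (HTML-encode every reflected value).

```python
import html

PROBE = "<script>alert('xss')</script>"  # probe string quoted in the thread

# Constructed request for a hypothetical login handler; all field names are assumptions.
BASE_REQUEST = {
    "query": {"id": "1234"},
    "form": {"username": "alice", "password": "secret", "token": "abc"},  # token is a hidden field
    "headers": {"User-Agent": "Mozilla/5.0"},
}


def render(req, encode):
    """Build the response page; the visible username/password fields are never echoed."""
    sid = encode(req["query"]["id"])
    tok = encode(req["form"]["token"])
    agent = encode(req["headers"]["User-Agent"])
    return (
        f"<p>Login failed for id {sid}</p>"
        f'<input type="hidden" name="token" value="{tok}">'
        f"<p>Client: {agent}</p>"
    )


def render_unencoded(req):
    return render(req, lambda value: value)


def render_encoded(req):
    return render(req, lambda value: html.escape(value, quote=True))


def reflecting_inputs(renderer):
    """Place the probe in one input at a time; list inputs that come back unencoded."""
    found = []
    for section, values in BASE_REQUEST.items():
        for key in values:
            req = {name: dict(fields) for name, fields in BASE_REQUEST.items()}
            req[section][key] = PROBE
            if PROBE in renderer(req):
                found.append(f"{section}:{key}")
    return found


if __name__ == "__main__":
    print("unencoded:", reflecting_inputs(render_unencoded))
    print("encoded:  ", reflecting_inputs(render_encoded))
```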

  5. #5
    Member
    Join Date
    Oct 2006
    Posts
    63
    well I thought that xss-me only tested forms for xss... anyway, of all those tools you mentioned I'm familiar with webscarab, which I found very useful for analyzing cookies and trapping requests and responses from the server... but I didn't know you could insert xss in the http header using a POST or GET request... I'll try that next

    thanks
    Last edited by k_tech; July 22nd, 2008 at 07:57 PM.
