I've started to get my feet wet with web apps, and I'm trying to make sense of the output that the XSS-Me add-on in Firefox gives you when you run a test on a given page. I've been testing the demo.testfire.net (Altoro Mutual) login page, which tests for numerous XSS vulnerabilities, but the ones in red are showing what appears to be the script tested; it doesn't seem to work when you insert it in the login form... I don't think that's the actual XSS script, but the form in which the script would be inserted... could someone give me a hand interpreting this output?
Actually, it is very likely that, as you see it in the image, the script was tested. I mean, if you see <script>document.something=true</script>, that's what was tested; however, this is not necessarily tested in the login form. The thing with XSS is that you can test it using several routes.
On one hand, you could try writing the script in the input text of a login form, but you could also send it during a GET. For instance, what would happen if I sent a malformed user agent and your site doesn't check that?
Also, the login form could work like login.php?id=1234, and if the login is successful, then you'll end up with something like login.php?id=1234&access=true.
All that means that you can manipulate the GET values of the URI with something like login.php?id=<script>alert('xss')</script>. Also, you could manipulate a hidden field (if the login form has one) by modifying the HTML code in your browser, or you could use something like LiveHTTPHeaders, check the payload of the login form and then manipulate any of those values.
What I'm saying is that the alerts you see when using things like XSS-Me don't always mean that it was tested just using the input text of the form, and yes, the script as you see it in the alerts was the script tested :)
OK... then how come that when I insert that XSS script on the form nothing happens? Also, XSS-Me comes with lots of XSS scripts built-in already, and if the test came back with XSS vulnerabilities, why is it that it won't tell you which ones tested OK against that specific form? Maybe I'm just missing something, or it's just not the way the app is supposed to work.
> OK... then how come that when I insert that XSS script on the form nothing happens?
Because it is possible that XSS-Me isn't placing the XSS in the input text of the form but instead placing it somewhere else, like a cookie, the POST payload, GET and so on... in which case the problem won't lie in the form itself but in the way the form is handled, so putting script code in the form won't give you anything.
Maybe you could try another tool like Acunetix to get more verbose information, or things like w3af, ratproxy or even WebScarab.
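To make the point of the reply above concrete, here is an added example that is not part of this thread: a constructed, deliberately simplified login-page handler in Python that reflects the id query parameter and the User-Agent header into its HTML but never reflects the username field. The same payload is then sent through each channel, once without and once with output encoding, to show why a payload typed into the form field can do nothing while a scanner still reports the page as vulnerable (render_login, probe_all_channels and the sample data are all assumptions for the demonstration).

```python
import html
from urllib.parse import parse_qs

# Constructed sample payload, the same one used in the reply above.
PAYLOAD = "<script>alert('xss')</script>"


def render_login(query, headers, form, escape=False):
    """Stand-in for a login page handler (not a real application).

    It echoes the ?id= query value and the User-Agent header into the
    page, but only reads the posted username without echoing it. With
    escape=True every reflected value is HTML-encoded before output.
    """
    enc = html.escape if escape else (lambda s: s)
    uid = parse_qs(query).get("id", [""])[0]
    ua = headers.get("User-Agent", "")
    _username = form.get("uname", "")  # read, but never written to the page
    return (
        f"<p>Session id: {enc(uid)}</p>"
        f"<p>Browser: {enc(ua)}</p>"
        "<form method='post'><input name='uname'></form>"
    )


def reflects_verbatim(page, payload=PAYLOAD):
    """True when the raw payload lands in the response unchanged."""
    return payload in page


def probe_all_channels(escape=False):
    """Send the payload through the form field, the query string and a
    request header, and report which channel reflected it verbatim."""
    benign = {"User-Agent": "Mozilla/5.0"}
    channels = {
        "form": dict(query="id=1234", headers=benign, form={"uname": PAYLOAD}),
        "query": dict(query="id=" + PAYLOAD, headers=benign, form={}),
        "header": dict(query="id=1234", headers={"User-Agent": PAYLOAD}, form={}),
    }
    return {
        name: reflects_verbatim(render_login(escape=escape, **kw))
        for name, kw in channels.items()
    }


if __name__ == "__main__":
    print("unescaped:", probe_all_channels())             # form False, query/header True
    print("escaped:  ", probe_all_channels(escape=True))  # everything False
```

Without encoding, only the query string and header channels reflect the payload, which matches a scanner flagging the page while the form field itself stays inert; with html.escape applied at output, no channel reflects it.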
Well, I thought that XSS-Me only tested forms for XSS... anyway, of all those tools you mentioned, I'm familiar with WebScarab, which I found very useful for analyzing cookies and trapping requests and responses from the server... but I didn't know you could insert XSS in the HTTP header using POST or GET requests... I'll try that next.
thanks
Last edited by k_tech; July 22nd, 2008 at 07:57 PM.