Wednesday, March 2, 2011

Finding XSS holes in websites

The easiest way to find XSS holes in websites is manually. I'm sure you can write a script to do it for you, but that takes the fun out of it. When searching for holes, you might want to check these fields:
a) Search Field
b) Comment Fields
c) Feedback Forms
d) Login Forms
e) Error Pages

Those are just some of the common places where XSS flaws turn up in websites. Granted, some of them might be sanitized (although that is rare).
To see if a field is vulnerable, I use one simple probe for each of HTML and JavaScript: "<h1>a</h1>" and "<script>alert(1)</script>". If the resulting page shows either a large heading that reads "a" or an alert box that says "1", I know the field is vulnerable.

If you're reading PHP (or any other) source code and you see GET or POST variables echoed back un-sanitized, you also know they are vulnerable. Some examples of both stripped and un-stripped PHP:

Un-Stripped

<?php
/* Un-Stripped PHP: user-controlled values are echoed straight into the page */
$var = $_GET['var'];
echo $var;                          // Vulnerable
$var1 = $_POST['var1'];
echo $var1;                         // Vulnerable
echo $_SERVER['HTTP_USER_AGENT'];   // Vulnerable (request headers are attacker-controlled too)
?>

Stripped

<?php
/* Stripped PHP: the same values are neutralised before they are echoed */
$var = strip_tags($_GET['var']);
echo $var;                          // Not Vulnerable in a text context; note strip_tags() does not encode quotes, so it is not enough inside an attribute value
$var1 = htmlentities($_POST['var1']);
echo $var1;                         // Not Vulnerable
echo htmlspecialchars($_SERVER['HTTP_USER_AGENT']);   // Not Vulnerable
?>
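
As an added example (my code, not part of the original post), the script below runs the post's two probe strings, plus one constructed string that merely contains quotes, through strip_tags() and htmlspecialchars() in the two places a page typically echoes input: a text node and a double-quoted attribute. It assumes PHP 7 or later and uses no request data; every input is built inline.

```php
<?php
// Added example, not code from the original post. It feeds the post's probe
// strings (plus one constructed quote-bearing string) through strip_tags()
// and htmlspecialchars() in the two output contexts a page usually echoes
// into, so the difference between "strips tags" and "encodes metacharacters"
// is visible. No network or request data is used; all inputs are inline.
declare(strict_types=1);

// Encoder for HTML text nodes and double-quoted attribute values.
// ENT_QUOTES encodes both quote styles (older PHP defaults only encode ");
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function encode_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: the post's two probes and a harmless string with quotes.
$inputs = [
    'heading' => '<h1>a</h1>',
    'script'  => '<script>alert(1)</script>',
    'quotes'  => 'plain "quoted" text',
];

foreach ($inputs as $label => $raw) {
    $stripped = strip_tags($raw);      // removes <...> sequences, keeps the inner text
    $encoded  = encode_html($raw);     // turns < > & " ' into entities

    echo "== $label ==\n";
    // Text-node context, as in the post's "echo $var;" examples.
    echo "text  strip_tags      : <p>$stripped</p>\n";
    echo "text  htmlspecialchars: <p>$encoded</p>\n";
    // Attribute context: strip_tags() leaves " untouched, so a value containing
    // a quote ends the attribute early; the encoder emits &quot; instead.
    echo "attr  strip_tags      : <input value=\"$stripped\">"
       . "  (raw quotes left: " . substr_count($stripped, '"') . ")\n";
    echo "attr  htmlspecialchars: <input value=\"$encoded\">"
       . "  (raw quotes left: " . substr_count($encoded, '"') . ")\n\n";
}
```

For the "quotes" input, strip_tags() leaves both quote characters in place and the attribute line is malformed, while the encoded line keeps the attribute intact; this is why the post's strip_tags() line is only safe in a text context.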

