Javier Fernandez-Sanguino jfernandez at germinus.com
Thu Nov 27 04:47:13 EST 2003

Mark Curphey wrote:

> Hi Javier,
> Great start. I have a few suggestions / comments that may be considered?
> 1. In the first paragraph I think it should be "in the web application" 
> not the web server.

There have been cases of XSS through the default error pages of the web 
server. Sample (now that I'm looking at Domino stuff):

I will rephrase it though.

> 2. I think it might be worth highlighting that the problem can occur 
> anywhere where input is converted into output without being filtered. That 
> covers TRACE etc as well.

I've added some more examples there.

> 3. I think it is worth listing an HTTP TRACE request as a source


> 4. It maybe worth listing potential sources / payloads i.e. any http header


> 6. Might be worth a list of potential targets such as users browsers, 
> html aware log files, html aware email clients, error messages (which 
> maybe a source not a target)

> 7. How about XSS in XML payloads ? Webservices have the same issues I think.

Yes, I've added that.

> 8. The biggest thing I would add would be a section on how to look for 
> XSS in code. As code review is by far the most effective way to find any 
> security issue I think it needs to be as prominent as possible. That may 
> look something like this


> 9. You focus on XSS with cookie stealing but as the WebGoat lesson 
> points out database data theft etc is equally probable. It may be worth 
> pointing that out at some point.

I've skipped that lesson :-)
However, I've tried to separate XSS attacks, which attempt to retrieve 
information from the user's _browser_ (as added in the description) from 
attacks such as remote code execution (having the user's browser 
download Java applets or run ActiveX content) which might use the same 
vector of attack (unfiltered input/output) but which is a different 
attack altogether.

The way I understand XSS, it's limited to trying to retrieve information 
that the user's browser would only give to the server it contacts and 
not to other servers. AFAIK sensitive information exchanged between 
client/server solely involves cookies.

I might be wrong here, so feel free to point me in the right direction.

I will submit Penny and Mark (not to the list due to the size 
limitation) a new revised version today.
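As an added illustration of the points raised above (it is not part of this thread or of the draft under discussion): a minimal error-page renderer that copies request fields into HTML unfiltered, the same page with output escaping, and a review-time check that reports which untrusted fields reach the output with their markup intact. The request values are constructed and carry harmless markers; the template is hypothetical.

```python
import html
from urllib.parse import unquote

# Constructed request: a path and a Referer header, both request-controlled
# in practice, here carrying harmless markup as a marker.
SAMPLE_REQUEST = {
    "path": "/missing/<b>marker</b>",
    "referer": "http://example.test/<i>marker</i>",
}

# Hypothetical default error page: the requested URL and a header are echoed.
TEMPLATE = (
    "<html><body><h1>404 Not Found</h1>"
    "<p>The requested URL {path} was not found.</p>"
    "<p>Referer: {referer}</p></body></html>"
)


def error_page_unfiltered(req):
    """Vulnerable form: untrusted request fields go straight into the HTML."""
    return TEMPLATE.format(path=unquote(req["path"]), referer=req["referer"])


def error_page_escaped(req):
    """Hardened form: every untrusted field is HTML-escaped at the output point."""
    return TEMPLATE.format(
        path=html.escape(unquote(req["path"]), quote=True),
        referer=html.escape(req["referer"], quote=True),
    )


def reflected_unescaped(page, req):
    """Review/testing check: names of fields whose markup appears verbatim
    in the rendered page (an empty list means every field was escaped)."""
    bad = []
    for name, value in req.items():
        value = unquote(value)
        if "<" in value and value in page:
            bad.append(name)
    return bad


if __name__ == "__main__":
    for label, render in (("unfiltered", error_page_unfiltered),
                          ("escaped", error_page_escaped)):
        page = render(SAMPLE_REQUEST)
        print(label, "->", reflected_unescaped(page, SAMPLE_REQUEST))
```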


More information about the Owasp-testing mailing list