[OWASP-Security101] XSS with tag parsing

psiinon psiinon at gmail.com
Mon Jun 4 12:32:49 UTC 2012


Hi Patrick,

It all depends on where the string is reflected :)
Could you send us an example snippet of the HTML with the string in?

Have you tried using the Zed Attack Proxy?
http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Its XSS detection is pretty good and it will give you a good indication of
the type of attack that is likely to succeed.
So install ZAP and then proxy via ZAP, visit that page and pass something
innocuous into the page and then use the Active Scanner.
You can also use the fuzzer to help you to test it manually.
Find the request with your test string, highlight the string, right click
and select 'Fuzz...'.
Then select some of the XSS attacks - ZAP will try them all and will flag
which ones were passed through without any change.

Cheers,

Simon


On Thu, May 31, 2012 at 3:24 PM, Patrick Laverty
<patrick_laverty at brown.edu> wrote:

> We're testing out a web app here in the office and we're seeing that
> we can pass anything we want in from the URL into the page's source.
> However the tag brackets (< and >) are being parsed into their %3C
> equivalents. So the <script> tag is turned into %3Cscript%3E
>
> I'm pretty sure there's a way around this. Any help on things to test
> to get the ubiquitous alert box to pop up and prove a positive test?
>
> Thank you!
>
> Patrick



-- 
OWASP ZAP: Toolsmith Tool of the Year 2011
<http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html>
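
The reply's point that the result depends on where the string is reflected, as an added example that is not part of the original thread: a short Python script that reports the HTML context of each reflection of an innocuous marker, and how a `<` sent right after it came back. The marker `zqx7probe`, the sample response and all function names are constructed for illustration.

```python
from html.parser import HTMLParser

MARKER = "zqx7probe"  # constructed, innocuous test string (assumption)
FORMS = (("%3c", "url-encoded"), ("&lt;", "html-entity"), ("<", "raw"))

class ReflectionFinder(HTMLParser):
    """Record the HTML context of every place the marker is reflected."""
    def __init__(self, marker):
        super().__init__(convert_charrefs=True)
        self.marker, self.raw_text, self.found = marker, None, []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.raw_text = tag  # data that follows is code, not markup
        for name, value in attrs:
            if value and self.marker in value:
                kind = ("event-handler" if name.startswith("on") else
                        "url-attribute" if name in ("href", "src", "action") else
                        "attribute")
                self.found.append(f"{kind}:{tag}[{name}]")

    def handle_endtag(self, tag):
        if tag == self.raw_text:
            self.raw_text = None

    def handle_data(self, data):
        if self.marker in data:
            self.found.append(f"{self.raw_text}-block" if self.raw_text else "html-text")

    def handle_comment(self, data):
        if self.marker in data:
            self.found.append("html-comment")

def reflection_contexts(html, marker=MARKER):
    finder = ReflectionFinder(marker)
    finder.feed(html)
    finder.close()
    return finder.found

def bracket_forms(html, marker=MARKER):
    """How a '<' sent right after the marker came back at each reflection."""
    return [next((label for prefix, label in FORMS if chunk[:4].lower().startswith(prefix)), "other")
            for chunk in html.split(marker)[1:]]

# Constructed response to a request carrying "zqx7probe<" in the URL.
SAMPLE = ('<html><body><!-- q=zqx7probe%3C --><p>Results for zqx7probe%3C</p>'
          '<a href="/search?q=zqx7probe%3C">again</a>'
          '<script>var q = "zqx7probe%3C";</script>'
          '</body></html>')
```

Each context it reports needs its own output encoding on the server side, which is why a single check on `<` and `>` does not settle whether the page is safe.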

