Information Technology Dark Side

Struggles of a Self-Taught Coder


Bust out of the asdf testing rut with a little XSS testing fun

September 9th, 2009 · 12 Comments

If you find yourself typing asdf over and over again as you test data entry on
a web-app, do this instead:

    <script>alert("f")</script>

Paste it in every field.

If an alert pops up OR the field gets saved and then gets rendered without the
script tags, you’ve found a cross-site scripting vulnerability.

The minute you find one, your brain will power up and you’ll find more energy for testing that data input.

Please note: I’m not a hacker, nor am I a security tester. The test method I’ve described above is not enough to verify that a web site is fully secure, but it’s a good way to find vulnerabilities in your web site while you do other testing. Please don’t use it on web sites you don’t have any business testing for vulnerabilities on – you could be breaking the law.
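
The check described in the post, run over the HTML a page returns instead of by eye, as an added example that is not part of the original post. `renderUnsafe`, `renderSafe` and `stripTags` are constructed stand-ins for an application's output code, and `classify` is a hypothetical helper.

```javascript
// Added example. The probe is the string from the post; everything else is constructed.
const PROBE = '<script>alert("f")</script>';

// Vulnerable: the saved field value is concatenated into the page as-is.
function renderUnsafe(value) {
  return '<p class="comment">' + value + '</p>';
}

// HTML-encode the five characters that can change the parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[ch]));
}

// Hardened: the value is encoded on output, so the browser shows it as text.
function renderSafe(value) {
  return '<p class="comment">' + escapeHtml(value) + '</p>';
}

// Constructed stand-in for an app that removes the tags instead of encoding them.
function stripTags(value) {
  return '<p class="comment">' + value.replace(/<\/?script>/gi, '') + '</p>';
}

// Classify the HTML that came back for a field after the probe was saved in it.
function classify(html, probe = PROBE) {
  if (html.includes(probe)) return 'vulnerable';       // raw markup reached the page
  if (/&lt;script&gt;/i.test(html)) return 'encoded';  // shown to the user as literal text
  return 'inconclusive';                               // stripped or altered: inspect by hand
}

// Run the probe through each renderer and collect the verdicts.
function checkRenderers(renderers) {
  const report = {};
  for (const [name, render] of Object.entries(renderers)) {
    report[name] = classify(render(PROBE));
  }
  return report;
}

console.log(checkRenderers({ renderUnsafe, renderSafe, stripTags }));
```
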


12 responses so far ↓

  • 1 uhuyu // Sep 9, 2009 at 2:52 pm

    <script>alert("f")</script>

  • 2 davidray // Sep 9, 2009 at 3:10 pm

    Sheesh.

  • 3 davidray // Sep 9, 2009 at 3:10 pm

    Sheesh.

  • 4 Dennis Gorelik // Sep 9, 2009 at 6:38 pm

    What law would I break if I post HTML with an alert script?
    It identifies a vulnerability, but does not exploit it.
    Exploiting vulnerabilities is illegal.
    Are you saying that identifying vulnerabilities is illegal too?

  • 5 Dennis Gorelik // Sep 9, 2009 at 6:39 pm

    BTW, intensedebate plugin doesn't work.

  • 6 Amit // Sep 9, 2009 at 7:47 pm

    I really liked it but would like to know more…as XSS is an interesting thing to discuss. Do let me know if you are writing on this again.

    Best Regards,

    Amit

  • 7 davidray // Sep 10, 2009 at 11:47 am

    Hmm.. What do you mean it doesn't work?

  • 8 davidray // Sep 10, 2009 at 11:58 am

    Honestly, I don't know of any specific law you would be breaking by using harmless XSS on a web site without permission, but I still wouldn't do it.

    It's hard to say what will land you in trouble with the law these days. Take the case of a Michigan guy who used a coffee shop's "free" internet from their parking lot. The shop owner didn't mind, but it bothered a police officer who saw the man in the parking lot. It bothered the cop so much (cuz the guy was "stealing" internet) that he did hours of research to find a law he could use to charge the man.

    That man was convicted of a felony, faced the prospect of going to prison (luckily he didn't), and had to pay a $400 fine. Sadly, he'll be a felon forever.

    So now imagine that you decide to test Amazon.com for vulnerabilities, and they notice that you are trying to post javascript to their web site. And they also notice that you are in the United States. Do you think they will just do nothing? It's true that you haven't done any harm, but do you think they will care? At the very least, I would block your IP address.

    As a general rule, I simply recommend that you only do security testing with the permission/knowledge of the site owners you are testing. Even if it's not "illegal", it still might land you in court. And, even if it doesn't, you still might trigger investigations or other activity on the part of the site owners.

  • 9 Dennis Gorelik // Sep 10, 2009 at 10:16 pm

    David,
    Life by itself is risky. It's not possible to avoid all risks anyway. We should only avoid the most dangerous and likely risks.
    If we try to prevent all risks no matter how minor they are — we are losing efficiency (which means time loss which means life loss).
    It's probably better to avoid running a real XSS exploit on somebody else's web site.
    But putting harmless javascript into a web site text field is very unlikely to cause problems so I think it's ok to do so (assuming there is a reason to test web site vulnerability in the first place).

  • 10 Dennis Gorelik // Sep 10, 2009 at 10:17 pm

    It gave me some timeout error yesterday.
    But today it seems to be working.

  • 11 Alvaro // Oct 7, 2009 at 11:21 pm

    You can try to use PAROS to complement your security testing. It is easy to use and you can identify more vulnerabilities… This tool may break the application, so don't use it before asking for permission.
    http://www.parosproxy.org/download.shtml

  • 12 Matt Heusser's Blog » Oh the Irony! - Testing at the Edge of Chaos // Mar 30, 2010 at 8:30 am

    […] suggest testing for xSS by using an extremely simple, short piece of code I learned from my friend David Christiansen.  Here’s the code: […]
