Comments on: Bust out of the asdf testing rut with a little XSS testing fun

By: Matt Heusser's Blog » Oh the Irony! - Testing at the Edge of Chaos

Matt Heusser's Blog » Oh the Irony! - Testing at the Edge of Chaos — Tue, 30 Mar 2010 13:30:45 +0000

[...] suggest testing for xSS by using an extremely simple, short piece of code I learned from my friend David Christiansen. Here’s the code: [...]

By: Alvaro

Alvaro — Wed, 07 Oct 2009 23:21:16 +0000

you can try to use PAROS to complement your security testing, it is easy to use and you can identify more vulnerabilities... this tool may break the application so don't use it before asking for permission. http://www.parosproxy.org/download.shtml

By: Dennis Gorelik

Dennis Gorelik — Thu, 10 Sep 2009 22:17:36 +0000

It gave me some timeout error yesterday.
But today it seems to be working.

By: Dennis Gorelik

Dennis Gorelik — Thu, 10 Sep 2009 22:16:34 +0000

David,
Life by itself is risky. It's not possible to avoid all risks anyway. We should only avoid the most dangerous and likely risks.
If we try to prevent all risks no matter how minor they are — we are losing efficiency (which means time loss which means life loss).
It's probably better to avoid running real XSS exploit on somebody else's web site.
But putting harmless javascript into web site text field is very unlikely to cause problems so I think it's ok to do so (assuming there is a reason to test web site vulnerability in the first place).

By: davidray

davidray — Thu, 10 Sep 2009 11:58:24 +0000

Honestly, I don't know of any specific law you would be breaking by using harmless XSS on a web site without permission, but I still wouldn't do it.

It's hard to say what will land you in trouble with the law these days. Take the case of a Michigan guy who used a coffee shops "free" internet from their parking lot. The shop owner didn't mind, but it bothered a police officer who saw the man in the parking lot. It bothered the cop so much (cuz the guy was "stealing" internet) that he did hours of research to find a law he could use to charge the man.

That man was convicted of a felony, faced the prospect of going to prison (luckily he didn't), and had to pay a $400 fine. Sadly, he'll be a felon forever.

So now imagine that you decide to test Amazon.com for vulnerabilities, and they notice that you are trying to post javascript to their web site. And they also notice that you are in the United States. Do you think they will just do nothing? It's true that you haven't done any harm, but do you think they will care? At the very least, I would block your IP address.

As a general rule, I simply recommend that you only do security testing with the permission/knowledge of the site owners you are testing. Even if it's not "illegal", it still might land you in court. And, even if it doesn't, you still might trigger investigations or other activity on the part of the site owners.

By: davidray

davidray — Thu, 10 Sep 2009 11:47:05 +0000

Hmm.. What do you mean it doesn't work?

By: Amit

Amit — Wed, 09 Sep 2009 19:47:59 +0000

I really liked it but would like to know more…as XSS is an interesting thing to discuss. Do let me know if you are writing on this again.

Best Regards,

Amit

By: Dennis Gorelik

Dennis Gorelik — Wed, 09 Sep 2009 18:39:20 +0000

BTW, intensedebate plugin doesn't work.

By: Dennis Gorelik

Dennis Gorelik — Wed, 09 Sep 2009 18:38:05 +0000

What law would I break if I post HTML with alert script?
It identifies vulnerability, but does not exploit it.
Exploiting vulnerabilities is illegal.
Are you saying that identifying vulnerabilities is illegal too?

By: davidray

davidray — Wed, 09 Sep 2009 15:10:39 +0000

Sheesh.