190
Web Application Penetration Testing
able rr that contains the user-supplied input via the query string and additionally does not apply any form of encoding:

var rr = location.search.substring(1); // the query string without the leading "?"
if(rr)
    window.location=decodeURIComponent(rr); // attacker-controlled value used directly as the redirect target

This implies that an attacker could inject JavaScript code simply by submitting the following query string: www.victim.com/?javascript:alert(1)
Black Box testing
Black box testing for JavaScript Execution is not usually performed, since access to the source code is always available: the code has to be sent to the client in order to be executed.
Gray Box testing
Testing for JavaScript Execution vulnerabilities:
For example, looking at the following URL: http://www.domxss.com/domxss/01_Basics/04_eval.html
The page contains the following scripts:

function loadObj(){
    // aMess is passed to eval(): whatever it contains is executed as JavaScript
    var cc=eval('('+aMess+')');
    document.getElementById('mess').textContent=cc.message;
}
if(window.location.hash.indexOf('message')==-1)
    var aMess="({\"message\":\"Hello User!\"})";
else
    // the text after "message=" is taken verbatim from the URL fragment (attacker-controlled source)
    var aMess=location.hash.substr(window.location.hash.indexOf('message=')+8);

The above code contains a source, 'location.hash', that is controlled by the attacker, who can inject JavaScript code directly into the 'message' value and thereby take control of the user's browser.
References
OWASP Resources
• DOM based XSS Prevention Cheat Sheet
• DOMXSS.com - http://www.domxss.com
Whitepapers
• Browser location/document URI/URL Sources - https://code.google.com/p/domxsswiki/wiki/LocationSources
• i.e., what is returned when the user asks the browser for things like document.URL, document.baseURI, location, location.href, etc.
Testing for HTML Injection (OTG-CLIENT-003)
Summary
HTML injection is a type of injection issue that occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page.
This vulnerability can have many consequences, such as disclosure of a user's session cookies, which could be used to impersonate the victim, or, more generally, it can allow the attacker to modify the page content seen by the victims.
How to Test
This vulnerability occurs when the user input is not correctly sanitized and the output is not encoded. An injection allows the attacker to send a malicious HTML page to a victim. The targeted browser will not be able to distinguish (trust) the legitimate parts from the malicious ones and consequently will parse and execute all of it as legitimate in the victim's context.
There is a wide range of methods and attributes that could be used to render HTML content. If these methods are provided with untrusted input, then there is a high risk of XSS, specifically an HTML injection one. Malicious HTML code could be injected, for example, via innerHTML, which is used to render user-inserted HTML code. If strings are not correctly sanitized, the problem could lead to XSS-based HTML injection. Another such method is document.write().
When trying to exploit this kind of issue, consider that some characters are treated differently by different browsers. For reference see the DOM XSS Wiki.
The innerHTML property sets or returns the inner HTML of an element. An improper usage of this property, that is, lack of sanitization of untrusted input and missing output encoding, could allow an attacker to inject malicious HTML code.
Example of Vulnerable Code: The following example shows a snippet of vulnerable code that allows an unvalidated input to be used to create dynamic HTML in the page context:

var userposition=location.href.indexOf("user=");
var user=location.href.substring(userposition+5); // everything after "user=", taken as-is from the URL
document.getElementById("Welcome").innerHTML=" Hello, "+user; // HTML sink: any markup in user is rendered

In the same way, the following example shows vulnerable code using the document.write() function:

var userposition=location.href.indexOf("user=");
var user=location.href.substring(userposition+5);
document.write("Hello, " + user + ""); // HTML sink: any markup in user is written into the document
In both examples, an input like the following:
http://vulnerable.site/page.html?user=
will add to the page the image tag that will execute arbitrary JavaScript code inserted by the malicious user in the HTML context.
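The "user=" handling from the two snippets above, next to a hardened version, as an added example that is not part of the OWASP guide; the function names and the sample URLs are constructed for illustration, and the functions return the markup that would reach the sink so the code runs under Node without a DOM:

```javascript
// Added example, not from the OWASP guide: the "user=" handling from the two
// snippets above as pure functions that return the markup that would reach
// the sink, so it runs under Node without a DOM. Input hrefs are constructed.

// Vulnerable: same logic as the guide's snippets. Whatever follows "user="
// (markup included) becomes part of the HTML string. If "user=" is absent,
// indexOf() returns -1 and substring(4) leaks most of the URL instead.
function vulnerableWelcomeHtml(href) {
  var userposition = href.indexOf("user=");
  var user = href.substring(userposition + 5);
  return " Hello, " + user;
}

// Minimal entity encoding for text placed in HTML element content.
function escapeHtml(s) {
  var map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Hardened: parse the query properly (URLSearchParams decodes the value and
// copes with a missing parameter) and encode before the value reaches an
// HTML sink. With a real DOM, assigning to textContent instead of innerHTML
// avoids building markup at all; the encoding is for when markup must be built.
function safeWelcomeHtml(href) {
  var user = new URL(href).searchParams.get("user");
  if (user === null || user === "") user = "guest";
  return " Hello, " + escapeHtml(user);
}

// Review aid for logs or request inspection: does a parameter value carry
// characters that would change HTML structure or add an event handler?
function looksLikeMarkup(value) {
  return /[<>]/.test(value) || /\bon\w+\s*=/i.test(value);
}

// Constructed sample URLs (no real site); the last one mirrors the guide's
// image-tag case. How such a value arrives (raw or percent-encoded) depends
// on the browser's URL handling, as the text above notes.
var samples = [
  "http://vulnerable.site/page.html?user=Alice",
  "http://vulnerable.site/page.html",
  "http://vulnerable.site/page.html?user=<img src=x onerror=alert(1)>"
];
samples.forEach(function (href) {
  console.log(vulnerableWelcomeHtml(href), "|", safeWelcomeHtml(href));
});
```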
Black Box testing