Testing Techniques to Find the Sin

The simplest way to test for XSS issues is to make a request against your web application with every input parameter set to a known malicious value, then examine the HTML response. Don't look at the visual representation of the response; look at the raw HTML byte stream and see whether the data you entered comes back. If the value comes back verbatim, metacharacters intact, you may have XSS issues in your code. If it comes back HTML-encoded (for example, `&lt;script&gt;` instead of `<script>`), the page is doing what it should for that input, though a different context (an attribute value, a script block) may still need its own test string. This simple Perl code shows the basis of such a test:

    #!/usr/bin/perl
    use strict;
    use warnings;
    use HTTP::Request::Common qw(POST GET);
    use LWP::UserAgent;

    # Set the user agent string.
    my $ua = LWP::UserAgent->new();
    $ua->agent("XSSInject/v1.40");

    # Injection strings. The last one, xyzzy, is a harmless canary: if it
    # comes back, the field is echoed at all; the earlier strings show
    # whether the metacharacters survive the round trip.
    my @xss = ('><script>alert(window.location);</script>',
               '"; alert(document.cookie);',
               '\' onmouseover=\'alert(document.cookie);\' \'',
               '"><script>alert(document.cookie);</script>',
               '"></a><script>alert(document.cookie);</script>',
               'xyzzy');

    # Build the request, setting every field to the same injection string.
    my $url = "http://127.0.0.1/form.asp";
    foreach my $inject (@xss) {
        my $req = POST $url, [Name    => $inject,
                              Address => $inject,
                              Zip     => $inject];
        my $res = $ua->request($req);

        # Get the response as raw text (status line, headers and body),
        # not a rendered view. If we see the injected string come back
        # unchanged, we may have a problem.
        $_ = $res->as_string;
        print "Possible XSS issue [$url]: $inject\n"
            if (index(lc $_, lc $inject) != -1);
    }
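The Perl script reports any verbatim reflection, so it flags the harmless canary as loudly as a live injection and says nothing about a page that encodes `<` and `>` but forgets the quotes. The Python below is an added example, not code from the book: it keeps the same idea (POST every field set to one test string, inspect the raw body) but parses the raw response with the standard library's `html.parser` and reports whether the reflected text actually created a `<script>` element or an `on*` handler that the canary response did not have. The target URL `http://127.0.0.1/form.asp` is the one the book's script uses; the three `render_*` stand-ins for `form.asp`, the field names and the verdict labels are constructed for the example so it runs offline.

```python
import html
import urllib.parse
import urllib.request
from html.parser import HTMLParser

FIELDS = ("Name", "Address", "Zip")   # the form fields the book's script fills
CANARY = "xyzzy"                       # harmless marker for the baseline request

# Two of the book's injection strings, plus one aimed at double-quoted attributes.
PAYLOADS = [
    '"><script>alert(document.cookie);</script>',
    "' onmouseover='alert(document.cookie);' '",
    '" onmouseover="alert(document.cookie);',
]


class _ScriptNodes(HTMLParser):
    """Record every <script> element and every on* event-handler attribute."""

    def __init__(self):
        super().__init__()
        self.nodes = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.nodes.append(("script", None))
        for name, _value in attrs:
            if name.startswith("on"):
                self.nodes.append((tag, name))


def script_nodes(body):
    parser = _ScriptNodes()
    parser.feed(body)
    parser.close()
    return parser.nodes


def classify_reflection(body, payload, baseline_body):
    """Say how the payload came back in the raw response body.

    executes          a <script> element or on* handler appeared that the
                      canary response did not have: a live XSS
    raw               reflected byte for byte but parsed as text here; try a
                      payload shaped for this context
    encoded           < > & " ' all encoded: what a fixed page should do
    quotes-unencoded  < > & encoded but quotes intact: still exploitable
                      inside attribute values
    absent            not reflected, or changed beyond recognition
    """
    baseline = script_nodes(baseline_body)
    if any(node not in baseline for node in script_nodes(body)):
        return "executes"
    if payload in body:
        return "raw"
    if html.escape(payload, quote=True) in body:
        return "encoded"
    if html.escape(payload, quote=False) in body:
        return "quotes-unencoded"
    return "absent"


def probe(render, payloads=PAYLOADS, fields=FIELDS):
    """Send the canary, then each payload, with every field set to that value.
    `render` maps a dict of form fields to the raw HTML the server returned."""
    baseline = render({f: CANARY for f in fields})
    return {p: classify_reflection(render({f: p for f in fields}), p, baseline)
            for p in payloads}


def http_render(url, agent="XSSInject/py"):
    """Build a render() that POSTs to a live form such as the book's
    http://127.0.0.1/form.asp (assumed target; not exercised below)."""
    def render(fields):
        data = urllib.parse.urlencode(fields).encode()
        req = urllib.request.Request(url, data=data, headers={"User-Agent": agent})
        with urllib.request.urlopen(req) as resp:
            return resp.read().decode("utf-8", errors="replace")
    return render


# Constructed stand-ins for form.asp so the probe runs offline. Each echoes
# every field into element text and into a double-quoted attribute value.
def _page(fields, esc):
    parts = ["<html><body>"]
    for name, value in fields.items():
        parts.append(f"<p>{name}: {esc(value)}</p>")
        parts.append(f'<input name="{name}" value="{esc(value)}">')
    parts.append("</body></html>")
    return "".join(parts)


def render_vulnerable(fields):
    return _page(fields, lambda v: v)                            # no encoding at all


def render_half_fixed(fields):
    return _page(fields, lambda v: html.escape(v, quote=False))  # forgot the quotes


def render_fixed(fields):
    return _page(fields, lambda v: html.escape(v, quote=True))


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable),
                          ("half-fixed", render_half_fixed),
                          ("fixed", render_fixed)):
        for payload, verdict in probe(render).items():
            print(f"{label:10} {verdict:16} {payload}")
```

Run as a script it prints one verdict per page variant and payload: the vulnerable page executes the two double-quote payloads and merely reflects the single-quote one (its attributes are double-quoted, so that string never leaves the value), the half-fixed page still executes the attribute payload even though it encodes `<` and `>`, and the fixed page encodes all three. To test a real form, swap `render_vulnerable` for `http_render("http://127.0.0.1/form.asp")`.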

There are a number of tools available to test for these defects including, but not limited to, the following:

  • AppScan from Sanctum (now part of Watchfire): www.watchfire.com/

  • libwhisker: http://sourceforge.net/projects/whisker/

  • DevPartner SecurityChecker from Compuware: www.compuware.com/products/devpartner/securitychecker.htm

  • WebScarab: www.owasp.org/software/webscarab.html



19 Deadly Sins of Software Security. Programming Flaws and How to Fix Them
Writing Secure Code
ISBN: 71626751
Year: 2003
Pages: 239
