Identifying HTML Scripting Vulnerabilities

Use the following steps to help you identify HTML scripting bugs :

  1. Identify all places where user -supplied data can be sent to the application. This can be a big job. To accomplish this task use the steps listed in Chapter 4 to identify valid network requests . Dont forget to talk with the developer, if possible, and use Web proxies to obtain the query string parameters, POST data, cookie values, and custom HTTP headers. It is useful to keep a list of all valid input and test each one carefully .

  2. Send valid-looking data to the application.

  3. Verify whether any of the data is returned to the Web browser.

  4. If the data is stored on the server or in the local file system, send data that allows script to be returned to the browser ( persisted XSS).

  5. If the data is echoed for the request but is not stored, find ways to force the victim to send data and have it run as script on the clients machine (reflected XSS).

  6. Look for XSS bugs in client-side script by auditing the script to identify ways that data might be run as script.



Hunting Security Bugs
Hunting Security Bugs
ISBN: 073562187X
EAN: 2147483647
Year: 2004
Pages: 156

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net