Cross-Site Scripting (XSS)

Cross-Site Scripting

Detected by Syhunt: Yes (Dynamic, Code)
Type: Injection Flaw
Also Known As: XSS, CSS
CWE: 79

Many web sites contain flaws that allow remote cross-site scripting attacks (also known as XSS or CSS). XSS flaws exist because applications fail to validate input upon submission. An XSS flaw can allow attackers to create specially crafted URLs that execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to loss of integrity.

Resources

Examples of vulnerable code

Below you can find very basic examples of XSS vulnerabilities.

PHP

 
<?php
echo($_GET['name']); // XSS 1: query-string parameter written to the page unencoded
echo($_POST['name']); // XSS 2: form field written to the page unencoded
echo($_REQUEST['name']); // XSS 3: any request source (GET, POST, cookie) written unencoded
?>
 

Syhunt scan results for this example code:

Found: 3 vulnerabilities
In /xss_basic.php (source code, locally), on line 2:
  Possible XSS Vulnerability
In /xss_basic.php (source code, locally), on line 3:
  Possible XSS Vulnerability
In /xss_basic.php (source code, locally), on line 4:
  Possible XSS Vulnerability

See: Vulnerable PHP Code for more examples
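The three echoes above write the request parameter into the page as-is. The following hardened version is an added example, not code from the Syhunt page: it reads the same parameter but encodes it for each output context (HTML body, quoted attribute, JavaScript string) and adds a nonce-based CSP as defence in depth. The helper names html_encode and js_encode are assumptions made for this example.

```php
<?php
// Added example (not from the Syhunt page): hardened counterpart of echo($_GET['name']).
// html_encode and js_encode are helper names chosen for this example.
declare(strict_types=1);

// Encode a value for the HTML body or a quoted attribute. ENT_QUOTES also
// encodes the single quote, so the result is safe in single-quoted attributes.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Encode a value as a JavaScript string literal for use inside a <script> block.
// The JSON_HEX_* flags turn < > & ' " into \uXXXX escapes, so a value such as
// "</script>" cannot terminate the block.
function js_encode(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Untrusted input, read the same way as the vulnerable snippet but never echoed raw.
$name = (string) ($_GET['name'] ?? '');

// Defence in depth: a per-response nonce lets only our own inline script run,
// so a missed encoding elsewhere on the page does not execute attacker script.
$nonce = base64_encode(random_bytes(16));
header('Content-Type: text/html; charset=UTF-8');
header("Content-Security-Policy: default-src 'self'; script-src 'nonce-$nonce'");
?>
<!DOCTYPE html>
<html>
<body>
<!-- HTML body context -->
<p>Hello, <?= html_encode($name) ?></p>

<!-- Quoted attribute context -->
<input type="text" name="name" value="<?= html_encode($name) ?>">

<!-- JavaScript string context; the nonce matches the CSP header above -->
<script nonce="<?= $nonce ?>">
var visitor = <?= js_encode($name) ?>;
</script>
</body>
</html>
```

Requesting the page with a name parameter such as `<script>alert(1)</script>` renders the text literally in all three places instead of executing it.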

ASP

ASP.NET/Classic ASP

 
<%
Response.Write(Request.Form["name"]);
Response.Write(Request.QueryString["name"]);
%>
 

Syhunt scan results for this example code:

Found: 3 vulnerabilities
In /xss.aspx (source code, locally), on line 2:
  Possible XSS Vulnerability
In /xss.aspx (source code, locally), on line 3:
  Possible XSS Vulnerability

ASP.NET

 
<%@ Page Language="C#"%>
<script runat="server">
void SubmitBtn_Click(object sender, EventArgs e) { 
Response.Write(InputText.Text); // XSS: textbox contents written to the response unencoded
}
</script>
<html>
<body>
<form id="form1" runat="server">
<asp:TextBox ID="InputText" Runat="server" TextMode="MultiLine" Width="300px" Height="150px">
</asp:TextBox>
<asp:Button ID="SubmitBtn" Runat="server" Text="Submit" OnClick="SubmitBtn_Click"/>
</form>
</body>
</html>
 

Syhunt scan results for this example code:

Found: 1 vulnerability
In /xss_runatsrv.aspx (source code, locally), on line 4:
  Possible XSS Vulnerability

JSP

 
<%@ page import="java.util.*,java.io.*"%>
<% out.println(request.getParameter("name")); %>
 

LP (Lua Pages)

 
<?lua
cgilua.put(cgilua.QUERY.name)
cgilua.put(cgilua.POST.name)
?>
 

Lua

 
cgilua.htmlheader()
cgilua.put(cgilua.QUERY.name)
cgilua.put(cgilua.POST.name)
 


Page last modified on December 31, 2018, at 02:51 PM