Thursday, August 7, 2008

Checking security vulnerability - XSS

While testing a web-based application we also need to test its security. There are malicious people, hackers you could say, who can use techniques such as SQL injection to access some of your application's data or information, so we need to check our application for security vulnerabilities. One of the most common vulnerabilities is XSS (Cross-Site Scripting). It occurs when a web page accepts user input without proper validation, which allows a hacker (or any attacker) to embed malicious script or code that gets injected into that page. Sometimes you see strange links appearing in web pages while surfing; those links are one form of this activity, and clicking them injects the embedded code into the page.
Some of the risks associated with XSS are:
1- One can track your activities.
2- One can steal your session ID.
3- One can use your cookies.
4- One can modify/change/delete the content of your web page.
5- It is possible to crash a browser.
6- Harmful software can be installed.
and many more...

So it is our (testers') job to find such vulnerabilities while testing. The question, then, is how to determine whether a web page is vulnerable or not.
This is a very common vulnerability, and it is easy to check whether your page is vulnerable.

To check, supply the string "<></>" to a form field whose value is displayed back on the page.
* If you see "<></>" displayed, the page is most likely not vulnerable.
* If you see "<>" displayed, the page is most likely vulnerable.

One more simple test is to take a parameter that is sent in the HTTP GET request and modify it. Take for example the following request, entered in the browser address bar. This URL takes a name parameter that you entered in a textbox and prints something on the page, like "Hello Vishal, thank you for coming to my site":
http://www.yoursite.com/index.html?name=vishal
Now let us modify this request. For example, try entering something similar to the following in the browser address bar:

http://www.yoursite.com/index.html?name=<script>alert('You just found a XSS vulnerability')</script>
If this pops up an alert message box stating "You just found a XSS vulnerability", then you know this parameter is vulnerable to XSS attacks. The name parameter is not being validated; it allows anything to be processed as a name, including a malicious script injected into the parameter. What is happening is that where the name George would normally be written into the dynamic page, the script is written there instead. The alert message is just an example of how to test for the XSS vulnerability; a malicious hacker would be much more devious with this type of security vulnerability.
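The two checks above (the "<></>" probe and the modified name parameter) can be made repeatable with a small script that inspects the HTML source of the response rather than eyeballing the rendered page. This is an added example, not code from the original post: the response bodies are constructed inline so it runs offline, and build_probe_url only shows how the probe is percent-encoded for the address bar. It also explains why the post's two outcomes look the way they do: an HTML parser keeps "<>" as text but silently drops the empty end tag "</>", so raw "<></>" in the source is displayed as "<>", while the encoded form is displayed as "<></>".

```python
"""Classify how a page echoes the harmless probe string "<></>".

Added example, not code from the original post. Response bodies are
constructed inline; in real use, pass the HTML source of the response
to a request that carried the probe.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlencode

PROBE = "<></>"

# Constructed sample responses for the greeting page described in the post.
VULNERABLE_BODY = "<p>Hello <></>, thank you for coming to my site</p>"
SAFE_BODY = "<p>Hello &lt;&gt;&lt;/&gt;, thank you for coming to my site</p>"
NO_ECHO_BODY = "<p>Hello , thank you for coming to my site</p>"


def build_probe_url(base_url: str, param: str, probe: str = PROBE) -> str:
    """Percent-encode the probe as a browser would when submitting a form."""
    return f"{base_url}?{urlencode({param: probe})}"


def classify_reflection(body: str, probe: str = PROBE) -> str:
    """Look at the HTML source and say how the probe came back.

    'encoded'   : source holds &lt;&gt;&lt;/&gt;; the browser displays
                  "<></>" as text (the post's "most likely not vulnerable").
    'reflected' : source holds the raw "<></>"; the browser displays only
                  "<>" because "</>" is dropped by the parser (the post's
                  "most likely vulnerable": markup reaches the parser intact).
    'altered'   : only fragments such as "<>" survive; a filter rewrote the
                  input instead of encoding it, so inspect by hand.
    'absent'    : the value is not echoed at all.
    """
    if html.escape(probe) in body:
        return "encoded"
    if probe in body:
        return "reflected"
    if "<>" in body:  # heuristic: partial remains of the probe
        return "altered"
    return "absent"


class _TextCollector(HTMLParser):
    """Collect the text a browser would display, dropping tags."""

    def __init__(self) -> None:
        super().__init__()
        self.parts: list[str] = []

    def handle_data(self, data: str) -> None:
        self.parts.append(data)


def displayed_text(body: str) -> str:
    """Approximate what the user sees on screen for a given HTML source."""
    collector = _TextCollector()
    collector.feed(body)
    collector.close()
    return "".join(collector.parts)


if __name__ == "__main__":
    print(build_probe_url("http://www.yoursite.com/index.html", "name"))
    for label, body in [("vulnerable", VULNERABLE_BODY), ("safe", SAFE_BODY)]:
        print(label, classify_reflection(body), repr(displayed_text(body)))
```

Run against a captured response, the verdict comes from the source, while displayed_text shows the same "<>" versus "<></>" difference the post tells you to look for in the browser.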

Cross-site scripting (XSS) attacks are a type of attack in which a variety of techniques are used to attempt to execute malicious script code by injecting it into form input, query strings, or cookies.
XSS vulnerabilities are caused by a failure in the web application to properly validate user input.

What should the developer do?
If you are using the POST method for data submission, client-side checks might be sufficient, but server-side validation is all the more necessary if you are using the GET method to retrieve data.
# Always do input validation.
# If possible, do output validation as well.
# Never rely on client-side scripting.
# Avoid the GET method for sending data.
# Always use validateRequest=True.
# Always replace ' (the single quote), especially if you are storing data in a database, to prevent SQL injection.
# Avoid using cookies.
# Always verify and check the lengths of strings to safeguard against stack-overwriting attacks and SQL errors.
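To show what "output validation" and the length check mean in practice for the greeting page discussed above, here is an added example (not code from the original post) with the page in a vulnerable and a hardened form. render_vulnerable, render_hardened and MAX_NAME_LEN are assumed stand-ins for the index.html?name=... page; the fix is HTML output encoding with html.escape, the generic counterpart of the ASP.NET validateRequest setting the post mentions. It runs offline on constructed inputs.

```python
"""The 'name' greeting page in a vulnerable and a hardened form.

Added example, not code from the original post. The render functions
stand in for the index.html?name=... page; the hardened one applies a
length check and HTML output encoding.
"""
import html
from urllib.parse import parse_qs, urlparse

MAX_NAME_LEN = 64  # assumed limit for the length check


def name_from_url(url: str) -> str:
    """Read the 'name' query parameter, decoding %XX escapes as a server would."""
    params = parse_qs(urlparse(url).query)
    return params.get("name", [""])[0]


def render_vulnerable(name: str) -> str:
    # The raw parameter is dropped straight into the markup, so any tag in
    # the value is handed to the browser's HTML parser.
    return f"<p>Hello {name}, thank you for coming to my site</p>"


def render_hardened(name: str) -> str:
    # Reject over-long values, then HTML-encode on output so that < > & " '
    # are displayed as characters instead of being parsed as markup.
    if len(name) > MAX_NAME_LEN:
        raise ValueError("name parameter too long")
    safe = html.escape(name, quote=True)
    return f"<p>Hello {safe}, thank you for coming to my site</p>"


def echoes_raw_markup(rendered: str, value: str) -> bool:
    """True when a value containing '<' reached the page byte-for-byte."""
    return "<" in value and value in rendered


if __name__ == "__main__":
    for url in [
        "http://www.yoursite.com/index.html?name=vishal",
        "http://www.yoursite.com/index.html?name=%3C%3E%3C%2F%3E",
    ]:
        value = name_from_url(url)
        print("vulnerable:", render_vulnerable(value))
        print("hardened:  ", render_hardened(value))
```

With the probe value "<></>", the vulnerable renderer sends the brackets to the browser unchanged, while the hardened one emits &lt;&gt;&lt;/&gt; and the page displays the literal text; that is the difference the tester's "<></>" check is looking for.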

So, being a tester, we need to test our site for this and let the dev team know about it.
There are many tools available to check these vulnerabilities. I tried one which is paid, but its trial version is available to use. It will facilitate the XSS checking.

http://www.acunetix.com/vulnerability-scanner/
Steps:
-> Open this link.
-> You need to fill in a form with basic info. Make sure you put a valid email id.
-> Later you will receive a mail with a link to download this tool.
-> You will get an exe file. Install the ...... Now what? Play with it and find more.


Happy QA-ing


