Web Security Test---Cross-site scripting test

Source: Internet
Author: User

1.1 Cross-site scripting test 1.1.1 Get mode cross-site scripting test

Number

Sec_web_xss_01

Test Case Name

Get mode cross-site scripting test

Test purpose

Because cross-site scripting can lead to session hijacking, sensitive information disclosure, account theft, or even data modification, deletion, resulting in business disruption, it is necessary to detect the presence of cross-site scripts

Use case level

1

Test condition

1,   web business uptime

2,   Known target URL to be tested, assuming http://www.exmaple.com/page.xxx

3,   parameter input for the target to be measured, assuming name=value

4,   in some cases , the user input is re-displayed on the page, including the name, account number, search results, and so on (indicating that the target site server did not submit data detection to the user)

Perform step

1,   Add the following statement one by one after the input parameters, Take the first example, enter Http://www.exmaple.com/page.xxx?name=<script>alert (123456) </script> as long as one of the pop-up display 123456 alarm box, This means that there is a cross-site vulnerability, logging the vulnerability, and stopping the test.

2,   If no alarm box appears with 123456, right-click on the Returned page, select View Source file

3,   Find the full string in the page source file <script>alert (123456) </script>, a cross-site scripting vulnerability exists regardless of whether there is a pop-up display of 123456 warning box.

4,   because some HTML elements (such as <textarea> or ") will affect the execution of the script, so does not necessarily be able to correctly pop up the 123456 alarm box, you need to return to the page source file content, the value of the construction value, such as

</textarea><script>alert (123456) </script>

' ><script>alert (123456) </script>
"><script>alert (123456) </script>
</ Title><script>alert (123456) </script>
--><script>alert (123456) </script>
[ Img]javascript:alert (123456) [/img]
<scrip<script>t>alert (123456) </scrip</script>t>
</div><script>alert (123456) </script>

Expected results

There is no cross-site scripting vulnerability

Note

You need to test all the places on the page where you can submit parameters. The test statements for a specific cross-site script vary depending on the actual situation, and some of the most common construction statements are listed here.

AppScan can find out the vast majority of cross-site scripting vulnerabilities on scanned pages, but there is nothing to do with pages that are not scanned.

Test results

1.1.2 Post mode cross-site scripting test

Number

Sec_web_ xss_02

Test Case Name

Post mode cross-site scripting test

Test purpose

Because cross-site scripting can lead to session hijacking, sensitive information disclosure, account theft, or even data modification, deletion, resulting in business disruption, it is necessary to detect the presence of cross-site scripts

Use case level

1

Test conditions

1, the web business operation is normal

2. The target URL is known to be measured, assuming http://www.exmaple.com/page.xxx

3, the target to be measured by post to submit parameters, displayed as a form mode

4, in some cases, the user input is re-displayed on the page, including the name, account number, search results and so on (indicating that the target site server is not submitted to the user data detection)

Perform step

1,   Enter the following statement in the Post form, As soon as one of the 123456 dialogs pops up, a cross-site vulnerability exists, a vulnerability is logged, and the test is stopped.
<script>alert (123456) </script>

2   If no alarm box appears with 123456, right-click on the returned page and select "View Source file"

3,   Find whether the page source file contains the full string <script>alert (123456) </script>, or whether there is a pop-up display 123456 of the alarm box, indicating that there is a cross-site scripting vulnerability.

4,   because some HTML elements (such as <textarea> or ") will affect the execution of the script, so does not necessarily be able to correctly pop up the 123456 alarm box, you need to return to the page source file content, the value of the construction value, such as

</textarea><script>alert (123456) </script>

' ><script>alert (123456) </script>
"><script>alert (123456) </script>
</ Title><script>alert (123456) </script>
--><script>alert (123456) </script>
[ Img]javascript:alert (123456) [/img]
<scrip<script>t>alert (123456) </scrip</script>t>
</div><script>alert (123456) </script>

Expected results

There is no cross-site scripting vulnerability

Note

You need to test all the places on the page where you can submit parameters.

Test results

1.1.3 URL Cross-site scripting test

Number

Sec_web_ xss_03

Test Case Name

URL Cross-site scripting test

Test purpose

Because cross-site scripting can lead to session hijacking, sensitive information disclosure, account theft, or even data modification, deletion, resulting in business disruption, it is necessary to detect the presence of cross-site scripts

Use case level

1

Test conditions

1, the web business operation is normal

2. The target URL is known to be measured, assuming http://www.exmaple.com/page.xxx

Perform steps

1, enter Http://www.exmaple.com/<script>alert (123456) </script>. XXX in the browser address bar, as long as one of the pop-up display 123456 of the dialog box, This means that there is a cross-site vulnerability, logging the vulnerability, and stopping the test.

2. If no 123456 alarm box is displayed, right-click on the returned page and select "View Source file"

3. Find out if the page source file contains the full string <script>alert (123456) </script>, or whether there is a pop-up display 123456 alarm box, indicating a cross-site scripting vulnerability.

Expected results

There is no cross-site scripting vulnerability

Note

You need to test all the places on the page where you can submit parameters.

Test results

 

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.