Home > Developer > Web Develop
Number |
Sec_web_xss_01 |
Test Case Name |
Get mode cross-site scripting test |
Test purpose |
Because cross-site scripting can lead to session hijacking, sensitive information disclosure, account theft, or even data modification, deletion, resulting in business disruption, it is necessary to detect the presence of cross-site scripts |
Use case level |
1 |
| Test condition | 1, web business uptime 2, Known target URL to be tested, assuming http://www.exmaple.com/page.xxx 3, parameter input for the target to be measured, assuming name=value 4, in some cases , the user input is re-displayed on the page, including the name, account number, search results, and so on (indicating that the target site server did not submit data detection to the user) |
| Perform step |
1, Add the following statement one by one after the input parameters, Take the first example, enter Http://www.exmaple.com/page.xxx?name=<script>alert (123456) </script> as long as one of the pop-up display 123456 alarm box, This means that there is a cross-site vulnerability, logging the vulnerability, and stopping the test. 2, If no alarm box appears with 123456, right-click on the Returned page, select View Source file 3, Find the full string in the page source file <script>alert (123456) </script>, a cross-site scripting vulnerability exists regardless of whether there is a pop-up display of 123456 warning box. 4, because some HTML elements (such as <textarea> or ") will affect the execution of the script, so does not necessarily be able to correctly pop up the 123456 alarm box, you need to return to the page source file content, the value of the construction value, such as </textarea><script>alert (123456) </script> ' ><script>alert (123456) </script> |
Expected results |
There is no cross-site scripting vulnerability |
Note |
You need to test all the places on the page where you can submit parameters. The test statements for a specific cross-site script vary depending on the actual situation, and some of the most common construction statements are listed here. AppScan can find out the vast majority of cross-site scripting vulnerabilities on scanned pages, but there is nothing to do with pages that are not scanned. |
Test results |
Number |
Sec_web_ xss_02 |
Test Case Name |
Post mode cross-site scripting test |
Test purpose |
Because cross-site scripting can lead to session hijacking, sensitive information disclosure, account theft, or even data modification, deletion, resulting in business disruption, it is necessary to detect the presence of cross-site scripts |
Use case level |
1 |
Test conditions |
1, the web business operation is normal 2. The target URL is known to be measured, assuming http://www.exmaple.com/page.xxx 3, the target to be measured by post to submit parameters, displayed as a form mode 4, in some cases, the user input is re-displayed on the page, including the name, account number, search results and so on (indicating that the target site server is not submitted to the user data detection) |
| Perform step |
1, Enter the following statement in the Post form, As soon as one of the 123456 dialogs pops up, a cross-site vulnerability exists, a vulnerability is logged, and the test is stopped. 2 If no alarm box appears with 123456, right-click on the returned page and select "View Source file" 3, Find whether the page source file contains the full string <script>alert (123456) </script>, or whether there is a pop-up display 123456 of the alarm box, indicating that there is a cross-site scripting vulnerability. 4, because some HTML elements (such as <textarea> or ") will affect the execution of the script, so does not necessarily be able to correctly pop up the 123456 alarm box, you need to return to the page source file content, the value of the construction value, such as </textarea><script>alert (123456) </script> ' ><script>alert (123456) </script> |
Expected results |
There is no cross-site scripting vulnerability |
Note |
You need to test all the places on the page where you can submit parameters. |
Test results |
Number |
Sec_web_ xss_03 |
Test Case Name |
URL Cross-site scripting test |
Test purpose |
Because cross-site scripting can lead to session hijacking, sensitive information disclosure, account theft, or even data modification, deletion, resulting in business disruption, it is necessary to detect the presence of cross-site scripts |
Use case level |
1 |
Test conditions |
1, the web business operation is normal 2. The target URL is known to be measured, assuming http://www.exmaple.com/page.xxx |
Perform steps |
1, enter Http://www.exmaple.com/<script>alert (123456) </script>. XXX in the browser address bar, as long as one of the pop-up display 123456 of the dialog box, This means that there is a cross-site vulnerability, logging the vulnerability, and stopping the test. 2. If no 123456 alarm box is displayed, right-click on the returned page and select "View Source file" 3. Find out if the page source file contains the full string <script>alert (123456) </script>, or whether there is a pop-up display 123456 alarm box, indicating a cross-site scripting vulnerability. |
Expected results |
There is no cross-site scripting vulnerability |
Note |
You need to test all the places on the page where you can submit parameters. |
| Test results |
|
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
