Tuesday, January 7, 2014

Alternatives to the Boring XSS Alert Box

Demonstrating that a web application is vulnerable to reflected cross-site scripting (XSS) is not very exciting.  It's always kind of like, "oh hey, look here, an alert box popped up when you clicked on that link".  Scary.  Dramatic. Not!  I was looking for more interesting ways to show how XSS could be used.  I figure the code is more likely to get fixed if you can make a memorable impression.  I came up with a few options. 

I'll present these techniques using three Internet-facing websites that are purposely built to be susceptible to reflected XSS:

  1. demo.testfire.net (operated by IBM)
  2. www.webscantest.com (NT Objectives)
  3. testasp.vulnweb.com (Acunetix)

All of the URLs here were tested successfully with Firefox 26, IE 11 with the XSS Filter disabled, and Chrome 31 with the "--disable-xss-auditor" command line option.  If you have the NoScript Firefox extension, you'll have to allow scripts on these sites as well as sc0rn.com for everything to work properly.  You'll also have to disable the XSS protection in NoScript.

First, there is the boring alert box that I'm trying to get away from:
Alternative #1 is to fill the victim's screen with unicorns and rainbows. (in Firefox w/NoScript you may have to click refresh for this to work)
Alternative #2 is to Rickroll the victim (i.e., redirect to Rick Astley's famous 1980s music video).
Alternative #3 is to display arbitrary HTML, a funny news story in this case. (in Firefox w/NoScript you may have to click refresh for this to work)
Feel free to use these or create your own.  I think you'll agree these are definitely better than popping an alert box.

Lastly, I have a hilarious, but mildly racy (NSFW?) alternative. (in Firefox w/NoScript you may have to click refresh for this to work)
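As an added, defender-side example (not code from this post or from any of the three demo sites), here is the server-side bug every one of these demos depends on, a request parameter echoed into HTML untouched, next to the hardened version. The URLs, handler names, and header values are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed probe URL: the boring alert-box payload, URL-encoded in the "q" parameter.
PROBE_URL = "http://app.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
# Constructed probe for the attribute context: a quote closes value="" and then a tag follows.
ATTR_PROBE_URL = "http://app.example/search?q=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def search_term(url: str) -> str:
    """Pull the 'q' parameter out of a request URL (empty string if absent)."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def vulnerable_page(url: str) -> str:
    """The bug behind reflected XSS: the term is echoed into two HTML contexts unescaped."""
    q = search_term(url)
    return f'<input name="q" value="{q}"><p>Results for: {q}</p>'


def hardened_page(url: str) -> tuple:
    """Same page with output encoding for both contexts (quote=True also escapes the
    quotes that would break out of the value attribute), plus a CSP that only allows
    same-origin scripts, so a script pulled from a third-party host would not run
    even if encoding were missed somewhere else on the page."""
    q = html.escape(search_term(url), quote=True)
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    }
    return headers, f'<input name="q" value="{q}"><p>Results for: {q}</p>'


def has_live_script_tag(body: str) -> bool:
    """Crude review check: does the response carry an unescaped <script tag?"""
    return "<script" in body.lower()


def attribute_broken(body: str) -> bool:
    """Crude review check: did a quote from user input end the value attribute early?"""
    return 'value=""><' in body
```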
