Commonly used XSS tags.; The basic and the best.
Topic Started: May 22 2009, 08:50 AM (96 Views)
xdemo
The 14 most commonly used injections
Once you have added the final touch to your new homepage or company's look, it is recommended to check all entry forms for script leakage. In other words, check for holes where inserted scripts can leak out and store themselves within the page.

As a guideline: any HTML tags you can come up with may possibly work.

1. HTML + TEXT
If you're in a rush and you need to quickly check a page, injecting the "<PLAINTEXT>" tag will be more than enough to check if something is vulnerable to XSS by messing up the output. The forms to be checked are usually search bars and guest books. Here is a list of the most primitive HTML tags...

  • <PLAINTEXT>
  • <u>
  • <b>
  • <font color="red">XSS</font>
  • <title>XSS</title>
As long as the output of the page changes according to the tag you injected into your page, then your site may be vulnerable to an XSS attack.

2. HTML + IMAGES
Images, borders, backgrounds, stylesheets and icons.
The following tags and strings may possibly affect your site in unwanted ways:

  • <IMG SRC=http://sector4.secure.la/image.jpg>
  • <BODY BACKGROUND="http://sector4.secure.la/image.jpg">
  • <IMG DYNSRC="http://sector4.secure.la/image.jpg">
  • <IMG LOWSRC="http://sector4.secure.la/image.jpg">
  • <LINK REL="stylesheet" HREF="http://sector4.secure.la/style.css">
  • <STYLE>@import'http://sector4.secure.la/style.css';</STYLE>
  • <TABLE BACKGROUND="http://sector4.secure.la/image.jpg">
If you can inject any of the above strings into your site, you may have an issue. Not only could somebody alter your site's theme, they could deface it with pornographic imagery or extreme content. Your site's customers will most likely stray from your company if this is left unchecked.

3. Manipulation
Re-directing a page to another co-existing "off site" page. The use of an embedded i-frame can also affect the way a page functions by using foreign scripts.

  • <META HTTP-EQUIV="refresh" CONTENT="0;url=http://sector4.secure.la">
  • <IFRAME SRC="http://sector4.secure.la"></IFRAME>
Please note, all of the HTML tags above can be used safely on any web page, but you must bear in mind they can also be used "maliciously".

How to avoid XSS attacks: simply require moderation on all guestbook/feedback submission pages. This way you can look for any well known attack vectors.
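An added example, not part of the original post: a regression check for your own form-rendering code, built on the post's criterion that the page output changes according to the injected tag. The probe strings come from the post's lists; `render_raw` and `render_escaped` are hypothetical stand-ins for a guestbook template, the second one applying output encoding for comparison.

```python
from collections import Counter
from html import escape
from html.parser import HTMLParser

# Probe strings taken from the post's lists (sections 1 to 3).
PROBES = [
    '<PLAINTEXT>',
    '<font color="red">XSS</font>',
    '<IMG SRC=http://sector4.secure.la/image.jpg>',
    '<META HTTP-EQUIV="refresh" CONTENT="0;url=http://sector4.secure.la">',
    '<IFRAME SRC="http://sector4.secure.la"></IFRAME>',
]

PAGE = '<html><body><div class="entry">{}</div></body></html>'

def render_raw(entry):
    """Hypothetical guestbook template that echoes the entry unchanged."""
    return PAGE.format(entry)

def render_escaped(entry):
    """Same hypothetical template with the entry HTML-encoded on output."""
    return PAGE.format(escape(entry, quote=True))

class TagCounter(HTMLParser):
    """Counts every start tag the parser actually recognises as markup."""
    def __init__(self):
        super().__init__()
        self.tags = Counter()

    def handle_starttag(self, tag, attrs):
        self.tags[tag] += 1  # tag names arrive lower-cased

def tags_in(page):
    parser = TagCounter()
    parser.feed(page)
    parser.close()
    return parser.tags

def injected_tags(render, probe, baseline="hello"):
    """Tags that appear for the probe but not for a benign entry."""
    return sorted(tags_in(render(probe)) - tags_in(render(baseline)))

def audit(render):
    """Map each probe to the extra tags it caused in the rendered page."""
    return {probe: injected_tags(render, probe) for probe in PROBES}

if __name__ == "__main__":
    for name, render in (("raw", render_raw), ("escaped", render_escaped)):
        for probe, extra in audit(render).items():
            print(f"{name:8} {'LEAK' if extra else 'ok':5} {extra} <- {probe}")
```

Any probe that yields a non-empty tag list means the form's output is being parsed as markup rather than shown as text.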