Completeness of XSS Attack Testing

February 24 16:24 2011

Most testers who do not specialize in security testing use a standard procedure:

1. Enter the following into every field of the form under test:
   `<script>alert('xss!')</script>`
2. Post the form.
3. Go to the form to view the results.
4. View the record.


Result: if the script is executed, the attack has succeeded.

But as it turned out, an XSS attack may hide not only in script tags, but also in the attributes of ordinary tags.
For example, in our project the example above did not work, while this one worked out nicely:
`<b onmouseover="alert('Hi!')">Hello</b>`

So "live and learn." By the way, does anyone know other ways to deliver an XSS payload, apart from these two? Share your knowledge :)
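The lesson of the post, from the defender's side, is that a filter which only looks for `<script>` tags passes the first probe and fails the second, while encoding the stored value on output neutralises both. The following is an added example, not code from the original post; it uses the two probe strings above as constructed test input and a rough regex check (`still_active`, an assumption of this example) for whether a rendered value would still reach the browser as markup.

```python
import html
import re

# The two probe strings from the post (constructed copies, used as test input).
PAYLOADS = {
    "script_tag": "<script>alert('xss!')</script>",
    "event_attribute": "<b onmouseover=\"alert('Hi!')\">Hello</b>",
}

_SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)
# An element whose attributes include an on* handler, e.g. <b onmouseover=...>.
_EVENT_HANDLER = re.compile(r"<[^>]*\son[a-z]+\s*=", re.IGNORECASE)


def naive_strip_script(value: str) -> str:
    """Blacklist-style filter: removes <script> tags and nothing else.
    Stops the first probe from the post, lets the second one through."""
    return _SCRIPT_TAG.sub("", value)


def encode_for_html(value: str) -> str:
    """Output encoding: every HTML metacharacter becomes an entity, so the
    browser renders the stored value as text rather than as markup."""
    return html.escape(value, quote=True)


def still_active(rendered: str) -> bool:
    """Rough check: does the rendered string still contain a script tag or an
    element with an on* event handler? (Hypothetical helper for this example.)"""
    return bool(_SCRIPT_TAG.search(rendered) or _EVENT_HANDLER.search(rendered))


def check(sanitizer) -> dict:
    """Map each probe name to whether it survives the given sanitizer."""
    return {name: still_active(sanitizer(p)) for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    print("strip <script> only:", check(naive_strip_script))
    print("HTML-encode output: ", check(encode_for_html))
```

Running it shows `event_attribute` surviving the script-only filter but neither probe surviving output encoding, which is why testers should probe with attribute-based payloads as well and why developers should encode on output rather than filter on input.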

Nataliia Vasylyna