Posts Tagged ‘Cross Site Scripting’

There is a great article available on advanced web security testing. It deals with web forms that can only be reached after other forms have been filled out correctly (workflow issues), and with how to test such applications, where traditional web scanners fail because they cannot follow the flow of the application.

== Leveraging User Interactions for In-Depth Testing of Web Applications ==

Authors: Sean McAllister, Engin Kirda, and Christopher Kruegel

Over the last years, the complexity of web applications has grown significantly, challenging desktop programs in terms of functionality and design. Along with the rising popularity of web applications, the number of exploitable bugs has also increased significantly. Web application flaws, such as cross-site scripting or SQL injection bugs, now account for more than two thirds of the reported security vulnerabilities. Black-box testing techniques are a common approach to improve software quality and detect bugs before deployment. There exist a number of vulnerability scanners, or fuzzers, that expose web applications to a barrage of malformed inputs in the hope of identifying input validation errors. Unfortunately, these scanners often fail to test a substantial fraction of a web application's logic, especially when this logic is invoked from pages that can only be reached after filling out complex forms that aggressively check the correctness of the provided values. In this paper, we present an automated testing tool that can find reflected and stored cross-site scripting (XSS) vulnerabilities in web applications. The core of our system is a black-box vulnerability scanner. This scanner is enhanced by techniques that allow one to generate more comprehensive test cases and explore a larger fraction of the application. Our experiments demonstrate that our approach is able to test these programs more thoroughly and identify more bugs than a number of open-source and commercial web vulnerability scanners.

Original URL
http://www.cs.ucsb.edu/~chris/research/doc/raid08_xss.pdf
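The abstract's point about pages that sit behind forms which "aggressively check the correctness of the provided values" is easier to see in code. The Python below is an example added here; it is not the paper's tool, nor its test applications. It builds a toy two-step site (a strictly validated registration form gating a profile page that has one reflected and one stored XSS sink; application, route names, parameter names and the recorded trace are all constructed for this example) and runs two scanners against it. A stateless fuzzer that knows parameter names but no valid values never gets past registration and reports nothing. A scanner that replays a recorded valid interaction and mutates one parameter at a time, in the spirit of the paper's idea of leveraging user interactions, reaches the gated page and reports both sinks, telling reflected from stored by whether the marker comes back in the same response or a later one.

```python
"""Stateless fuzzing vs. trace-replaying (workflow-aware) XSS scanning.

The target is an in-process stand-in for a multi-step web form, constructed
for this example. It is NOT the paper's scanner or any of its test targets.
"""
import re
from html import escape

PROBE = '<xss0>"'   # injected marker; any raw (unescaped) echo of it is a finding


class ToyApp:
    """Two-step site: validated /register POST gates the /profile page."""

    def __init__(self):
        self.bios = {}  # server-side store -> the stored-XSS sink

    def handle(self, method, path, params, session):
        """Return (status, body). `session` is a per-client dict, like a cookie jar."""
        if path == "/register" and method == "POST":
            user = params.get("user", "")
            email = params.get("email", "")
            age = params.get("age", "")
            # Aggressive validation: probes never pass, so a fuzzer without
            # valid values never reaches anything behind this form.
            if not re.fullmatch(r"[A-Za-z0-9]{3,16}", user):
                return 400, "<p>bad username</p>"
            if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", email):
                return 400, "<p>bad email</p>"
            if not (age.isdigit() and 18 <= int(age) <= 120):
                return 400, "<p>bad age</p>"
            session["user"] = user
            return 302, "/profile"
        if "user" not in session:
            return 403, "<p>register first</p>"
        if path == "/profile" and method == "POST":
            self.bios[session["user"]] = params.get("bio", "")  # stored as-is
            return 302, "/profile"
        if path == "/profile" and method == "GET":
            msg = params.get("msg", "")                         # reflected as-is
            bio = self.bios.get(session["user"], "")
            return 200, (f"<h1>Hi {escape(session['user'])}</h1>"
                         f"<i>{msg}</i><div>{bio}</div>")
        return 404, "<p>not found</p>"


# A valid interaction as a human tester would record it (constructed).
RECORDED_TRACE = [
    ("POST", "/register", {"user": "alice", "email": "alice@example.com", "age": "34"}),
    ("POST", "/profile", {"bio": "I like security."}),
    ("GET", "/profile", {"msg": "saved"}),
]


def stateless_fuzz(app_factory, trace=RECORDED_TRACE):
    """Naive scanner: knows URLs and parameter names (as a crawler would) but
    no valid values, and starts every request from a fresh session."""
    findings = set()
    for method, path, params in trace:
        for name in params:
            app, session = app_factory(), {}
            mutated = {k: (PROBE if k == name else "") for k in params}
            _, body = app.handle(method, path, mutated, session)
            if PROBE in body:
                findings.add((path, name))
    return findings


def workflow_fuzz(app_factory, trace=RECORDED_TRACE):
    """Workflow-aware scanner: replays the recorded trace, swapping one
    parameter for the probe, and keeps replaying the remaining steps so that
    a payload stored at step i can surface on a page rendered at step j > i."""
    findings = set()
    for i, (_, path, params) in enumerate(trace):
        for name in params:
            app, session = app_factory(), {}
            for j, (m, p, prm) in enumerate(trace):
                prm = dict(prm)
                if j == i:
                    prm[name] = PROBE
                _, body = app.handle(m, p, prm, session)
                if PROBE in body:
                    kind = "reflected" if j == i else "stored"
                    findings.add((path, name, kind))
    return findings


if __name__ == "__main__":
    print("stateless:", stateless_fuzz(ToyApp))
    print("workflow :", sorted(workflow_fuzz(ToyApp)))
```

The stateless run reports an empty set because every request either fails validation or hits the "register first" gate. The replaying run reports `("/profile", "bio", "stored")` and `("/profile", "msg", "reflected")`. Two caveats a practitioner would add: a plain substring match on the marker is only a first filter (a real scanner checks the HTML context the marker landed in, since `<i>` text and an attribute value need different payloads), and a trace recorded against a live system must be replayed against a disposable instance, because each replay writes to the application's state.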

Have a safe day.


Microsoft has developed a new security offering called HELLOSECUREWORLD.COM. It is a program to engage developers in a fun and exciting way to build knowledge around security in application development. In addition, developers can share information about secure coding for today’s internet-based computing environment. The program features an array of online and offline customer activities ranging from MSDN events, to security virtual labs, to video presentations on a new website.

Includes:

* XSS (Cross Site Scripting)
* SQLi (SQL Injection)
* Canonicalization Attack
* CSRF (Cross Site Request Forgery)
* Integer Overflow/Underflow
* Etc…

To access the labs go to: HelloSecureWorld