Posts Tagged ‘XSS’

There is a great article available about advanced web security testing, especially for the case where a certain web form can only be reached after other forms have been filled out correctly in advance (workflow issues), and how to test such applications, where traditional web scanners fail because they can't follow the flow of an application.

== Leveraging User Interactions for In-Depth Testing of Web Applications ==

Authors: Sean McAllister, Engin Kirda, and Christopher Kruegel

Over the last years, the complexity of web applications has grown significantly, challenging desktop programs in terms of functionality and design. Along with the rising popularity of web applications, the number of exploitable bugs has also increased significantly. Web application flaws, such as cross-site scripting or SQL injection bugs, now account for more than two thirds of the reported security vulnerabilities. Black-box testing techniques are a common approach to improve software quality and detect bugs before deployment. There exist a number of vulnerability scanners, or fuzzers, that expose web applications to a barrage of malformed inputs in the hope to identify input validation errors. Unfortunately, these scanners often fail to test a substantial fraction of a web application's logic, especially when this logic is invoked from pages that can only be reached after filling out complex forms that aggressively check the correctness of the provided values. In this paper, we present an automated testing tool that can find reflected and stored cross-site scripting (XSS) vulnerabilities in web applications. The core of our system is a black-box vulnerability scanner. This scanner is enhanced by techniques that allow one to generate more comprehensive test cases and explore a larger fraction of the application. Our experiments demonstrate that our approach is able to test these programs more thoroughly and identify more bugs than a number of open-source and commercial web vulnerability scanners.

Original URL

Have a safe day.


Netsparker is a Web Application Security Scanner that claims to be False-Positive Free. The developers thought that if you need to investigate every single identified issue manually, what's the point of having an automated scanner? So they developed a new technology which can confirm vulnerabilities on demand, which allowed us to develop the first false positive free web application security scanner.

When Netsparker identifies an SQL Injection, it can identify how to exploit it automatically and extract the version information from the application. When the version is successfully extracted Netsparker will report the issue as confirmed so that you can make sure that the issue is not a false-positive.

The same applies to other vulnerabilities such as XSS (Cross-site Scripting), where Netsparker loads the injection in an actual browser and observes the execution of JavaScript to confirm that the injection will actually get executed in the browser.

Thanks to its comprehensive and powerful JavaScript engine it’s possible to simulate a real attacker successfully. This means it can successfully analyse websites that rely on AJAX and JavaScript.

You don’t need to be a security expert, get training or read a long manual to start. Since the user interface is easy to use and can confirm and show you the impact, you can just fire it up and start using it.
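Both the paper abstract above and Netsparker's "confirm it, don't just flag it" approach come down to the same two questions a black-box XSS scanner has to answer: does my probe come back at all, and does it come back intact? The following is an added example written for this post (it is not code from the paper, from Netsparker, or from any other project) that shows the marker-based first pass in miniature. The target application is a constructed in-memory stand-in with three handlers: a search page that HTML-encodes user input, one that does not, and a guestbook that stores a comment and displays it on a different page (the stored-XSS case). The probe is a random token wrapped in `<`, `"` and `>`, so an encoded reflection and a raw one can be told apart; a raw reflection is the candidate a tool like Netsparker would then confirm by executing in a real browser. All names (`FakeApp`, `classify_reflection`, `scan`) are mine.

```python
"""
Marker-based reflected/stored XSS probing (added example, not the paper's or
Netsparker's code). FakeApp is a constructed stand-in for a real web site so
the scanner logic runs offline.
"""
import html
import secrets
from dataclasses import dataclass, field


# --- constructed target application (stand-in for a real web app) -----------
@dataclass
class FakeApp:
    """An escaped page, an unescaped page and a guestbook that stores input."""
    guestbook: list = field(default_factory=list)

    def search_escaped(self, q: str) -> str:
        # Correct behaviour: user input is HTML-encoded before output.
        return f"<p>Results for {html.escape(q)}</p>"

    def search_raw(self, q: str) -> str:
        # The defect a scanner should find: input copied into the page as-is.
        return f"<p>Results for {q}</p>"

    def post_comment(self, text: str) -> str:
        # Stored without encoding; the submit response does NOT echo the probe,
        # which is why a stored check has to look at a different page.
        self.guestbook.append(text)
        return "<p>Thanks for your comment.</p>"

    def view_guestbook(self) -> str:
        return "<ul>" + "".join(f"<li>{c}</li>" for c in self.guestbook) + "</ul>"


# --- scanner side -------------------------------------------------------------
def make_marker() -> str:
    """Random token wrapped in characters that HTML encoding must transform.

    A scanner that only searches for the bare token would report encoded
    reflections as findings; checking that the brackets and the quote survived
    is what separates a likely bug from a false positive.
    """
    return f'<"{secrets.token_hex(4)}">'


def classify_reflection(body: str, marker: str) -> str:
    """Return 'none', 'encoded' or 'raw' for a response body and the marker sent."""
    if marker in body:
        return "raw"        # < " > survived: a tag or attribute could be injected
    token = marker[2:-2]    # strip the leading <" and trailing ">
    if token in body:
        return "encoded"    # token present but the metacharacters were transformed
    return "none"


def probe_reflected(handler, marker: str) -> str:
    """Reflected check: send the marker and inspect the same response."""
    return classify_reflection(handler(marker), marker)


def probe_stored(submit, observe, marker: str) -> str:
    """Stored check: submit the marker in one request, look for it on another page."""
    submit(marker)
    return classify_reflection(observe(), marker)


def scan(app: FakeApp) -> dict:
    """Run every probe against the constructed app and return the verdicts."""
    m = make_marker()
    return {
        "search_escaped": probe_reflected(app.search_escaped, m),
        "search_raw": probe_reflected(app.search_raw, m),
        "guestbook": probe_stored(app.post_comment, app.view_guestbook, m),
    }


if __name__ == "__main__":
    for page, verdict in scan(FakeApp()).items():
        print(f"{page:15s} {verdict}")
```

A `raw` verdict is still only evidence of missing output encoding in that one spot; whether a browser would actually execute anything depends on the surrounding context (text node, attribute, script block), which is exactly why the paper's tool and Netsparker go on to generate real test cases and observe execution rather than stopping at the marker check.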

Netsparker - Community Edition

You can download Netsparker – Community Edition here:


Or read more here.


On July 6th, 2009, a zero-day vulnerability in a component of the Windows operating system that handles MPEG2 video became public. The attack code is currently present on several malware servers in Asia and is being used to infect unwitting clients who have been redirected to these servers. This vulnerability allows the remote control of clients who are pushed to malicious web servers via XSS or phishing techniques. Microsoft has not issued a patch for this vulnerability, but they have recommended a common workaround for dealing with ActiveX vulnerabilities, which we have included below under 'Recommended Preventive Actions'. Only older versions of Windows (2000, XP, 2003) are vulnerable to this, as Vista and later operating systems have an architecture which prevents the vulnerable code from being exposed to the malicious control object. Major IDS/IPS/AV vendors have released signatures to detect exploits against this vulnerability.

Severity: MEDIUM

We consider this to be a 'medium' severity event. We have not, to this date, seen high infection rates amongst our monitored networks, but vendors are just now releasing signatures to detect the exploit coming back from a malicious web server to a vulnerable client. This exploit is not related to any worms, but is being used to install Trojan software which may then perform additional attacks on vulnerable hosts via other exploit vectors. While normally we would give ActiveX exploits a low severity, over the past 18 months there has been such a proliferation of SQL Injection attacks resulting in legitimate ASP.NET sites unwittingly serving up malicious JavaScript that 'trusting' the intention of a site is no longer prudent surfing behavior. We feel that the multitude of hacked web environments hosting active pages with malicious JavaScript inclusions, coupled with newer methods of attack obfuscation, added to the knowledge that MPEG2 is an EXTREMELY popular media format, justifies this severity.

How to Determine Whether You Are Vulnerable:

All 2003 and XP systems will be vulnerable to this unless specific actions have been taken to:
[1] Disable ActiveX altogether (not recommended in many environments)
[2] Stop using Internet Explorer entirely
[3] Disable the Windows Media software via some third-party application
[4] Run updated A/V software which detects the attack and mitigates it
[5] Set the kill-bit for the ActiveX control object (CLSID 0955AC62-BF2E-4CBA-A2B9-
[6] Perform an automated scan on hosts that are in the Windows 2003/XP tranche of operating systems.

Recommended Preventive Actions:

Oddly, Microsoft has discovered that no ActiveX control objects which interface with MSvidctl.dll are needed by Internet Explorer. On Windows XP and 2003 systems they may all be safely disabled by using the tool Microsoft provides at URL: Later systems such as Windows Vista, 2008 and 7 do not appear to be vulnerable.
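Whether you use Microsoft's tool or do it by hand, the kill-bit comes down to one registry value, and on a fleet of XP/2003 machines the question you actually have to answer is "which hosts already have it set?". The following is an added example for this post (not Microsoft's tool, and not code from the advisory) that audits and prepares that value. The mechanism it relies on is the documented one from Microsoft KB 240797: under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}`, a REG_DWORD named `Compatibility Flags` with bit 0x400 set tells Internet Explorer never to instantiate that control. Because the advisory above only quotes a truncated CLSID, the one used in the usage line is a placeholder and must be replaced with the full class ID of the affected control; the function names are mine.

```python
"""
ActiveX kill-bit audit helper (added example, not the advisory's or
Microsoft's code). Registry location and flag value are from Microsoft
KB 240797; the CLSID used below is a PLACEHOLDER.
"""
import re
import sys
from typing import Optional

KILL_BIT = 0x400  # bit in "Compatibility Flags" that blocks the control in IE
COMPAT_KEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
CLSID_RE = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$"
)

# Placeholder: replace with the full CLSID of the affected control.
PLACEHOLDER_CLSID = "{00000000-0000-0000-0000-000000000000}"


def normalize_clsid(clsid: str) -> str:
    """Accept a CLSID with or without braces, in any case; return {UPPER} form.

    Raises ValueError for anything that is not a well-formed CLSID, so a
    truncated value (like the one quoted in the advisory) cannot silently
    produce a registry key for the wrong control.
    """
    c = clsid.strip()
    if not c.startswith("{"):
        c = "{" + c + "}"
    c = c.upper()
    if not CLSID_RE.match(c):
        raise ValueError(f"not a well-formed CLSID: {clsid!r}")
    return c


def kill_bit_set(compat_flags: Optional[int]) -> bool:
    """True when the kill-bit is present in an existing Compatibility Flags value.

    None means the key or value does not exist, which is the same as "not set".
    """
    return compat_flags is not None and (compat_flags & KILL_BIT) != 0


def reg_file_for_kill_bit(clsid: str, existing_flags: Optional[int] = None) -> str:
    """Text of a .reg file that sets the kill-bit while preserving other flag bits."""
    c = normalize_clsid(clsid)
    flags = (existing_flags or 0) | KILL_BIT
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[HKEY_LOCAL_MACHINE\\{COMPAT_KEY}\\{c}]\r\n"
        f"\"Compatibility Flags\"=dword:{flags:08x}\r\n"
    )


def read_compat_flags(clsid: str) -> Optional[int]:
    """Read the live Compatibility Flags value for a control; Windows only."""
    if sys.platform != "win32":
        raise OSError("kill-bit audit reads the registry and only runs on Windows")
    import winreg  # imported here so the rest of the module works elsewhere

    c = normalize_clsid(clsid)
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, f"{COMPAT_KEY}\\{c}") as key:
            value, kind = winreg.QueryValueEx(key, "Compatibility Flags")
            return value if kind == winreg.REG_DWORD else None
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else PLACEHOLDER_CLSID
    if sys.platform == "win32":
        current = read_compat_flags(target)
        print(f"{normalize_clsid(target)}: kill-bit set = {kill_bit_set(current)}")
    else:
        current = None
    # Print the .reg content an administrator could review and import.
    print(reg_file_for_kill_bit(target, current))
```

The audit path reads the value rather than writing it, so it is safe to run from a login script or an inventory job; the `.reg` text is generated for review and imported separately, and it ORs the kill-bit into whatever flags are already present instead of overwriting them.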

How to Detect Potential Attacks:

Intrusion Detection System vendors have recently come out with signatures to detect some facet of this attempted exploit. We are currently investigating the efficacy of these signatures and will be updating managed and monitored devices accordingly.
Tipping Point
Popular antivirus software is detecting attacks as 'JS/Exploit.CVE-2008-0015.A.Gen trojan'.

What to do if You Have Been Attacked:

Typically workstations, laptops and desktops running XP or 2003 are the ones likely to fall victim to this type of attack. We recommend consulting your security policy for the Incident Response procedure as it pertains to the asset which is compromised. Infection should be considered serious, and Windows MSRT may or may not be enough to remove the Trojan software that the attacker has installed.

Detailed Analysis:

From Microsoft:
Customers who are using Windows Vista or Windows Server 2008 are not affected because the ability to pass data to this control within Internet Explorer has been restricted.

By default, Internet Explorer on Windows Server 2003 and 2008 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted Web content on a server. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing Internet Explorer Enhanced Security Configuration.

By default, all supported versions of Microsoft Outlook and Microsoft Outlook Express open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.

In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Suggested Reading:

Microsoft has developed a new security offering called HELLOSECUREWORLD.COM. It is a program to engage developers in a fun and exciting way to build knowledge around security in application development. In addition, developers can share information about secure coding for today’s internet-based computing environment. The program features an array of online and offline customer activities ranging from MSDN events, to security virtual labs, to video presentations on a new website.


* XSS (Cross Site Scripting)
* SQLi (SQL Injection)
* Canonicalization Attack
* CSRF (Cross Site Request Forgery)
* Integer Overflow/Underflow
* Etc…

To access the labs go to: HelloSecureWorld