OWASP Hackademic Challenges Project – Challenge 3

Another day, another challenge… What’s the topic today? Cross-Site Scripting (XSS)!

Scenario below:

XSS permits a malevolent user to inject his own code in vulnerable web pages. According to the OWASP 2010 Top 10 Application Security Risks, XSS attacks rank 2nd in the “most dangerous” list.

Your objective is to make an alert box appear HERE bearing the message: “XSS!”.

Solution:

Entering the challenge we see the following –

[Screenshot: the challenge page (xsschallenge3)]

Looking at the page source, we notice that the input form is submitted with the POST method:

[Screenshot: the page source showing the POST form (xsschallenge3pagesource)]

POST sends the form data in the body of the HTTP request rather than in the URL. What the server then does with it varies: it may store the value in a database, hand it to another file or an API (Application Programming Interface), or, as this challenge does, write it straight back into the page it returns. For XSS the transport does not matter much; what matters is whether the submitted value ends up in the HTML response without being encoded, because then the browser will parse it as markup rather than text.

Going to Google, I found an OWASP page that describes the common ways to test for Cross-Site Scripting (XSS).

Trying one of the payloads listed on that page, `<script>alert("XSS!");</script>`, in the input field gives the following:

[Screenshot: the payload entered in the form (challengethreebeginning)]

[Screenshot: the resulting “XSS!” alert box (challengethreeend)]

The submitted value was reflected into the page unchanged, the browser executed it, and the alert box appeared, which solves the challenge.

Lessons learned:

As the developer of a page with input fields, the first instinct is input validation: reject characters the field has no legitimate use for (here the `<` and `>` of the script tags). That is worth doing, but it is not the primary defence against XSS. A filter that only looks for `<script>` is bypassed by payloads that need no script tag at all, for example an `<img>` element with an `onerror` handler, and a filter that removes the tag in a single pass can be tricked into reconstructing it. The reliable fix is to encode the value for the context it is written into at the point of output (HTML entity encoding for text inside an element, so `<` becomes `&lt;`), so the browser always renders it as text rather than markup. Input validation then serves as a second layer, and a Content-Security-Policy limits the damage if something still slips through.
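To make the testing step and the lesson above concrete, here is an added example in plain Node.js that is not code from the original post or from the Hackademic challenge. It renders a reflected POST field three ways: raw concatenation (the challenge's bug), the "strip `<script>` tags" validation the lesson warns about, and HTML entity encoding at output. It goes beyond the single payload used in the walkthrough by also trying an event-handler payload and a nested payload that survives a single strip pass. All function names are hypothetical, the payload strings are constructed for this demonstration, and the `containsActiveScript` check is a crude regex stand-in for a real browser.

```javascript
// Added example (hypothetical names, constructed payloads): what happens to a
// reflected POST field under three different server-side treatments.

// The page template: the field value lands inside a <p>, an HTML text
// context, so that is the context we must encode for.
const page = (value) => `<html><body><p>Hello, ${value}</p></body></html>`;

// (1) Vulnerable: raw concatenation, the bug the challenge has.
function renderVulnerable(name) {
  return page(name);
}

// (2) Blacklist validation: remove <script ...> and </script> tags.
//     Single-pass removal, as such filters usually are.
function renderStripScript(name) {
  return page(name.replace(/<\/?script[^>]*>/gi, ""));
}

// (3) Contextual output encoding for HTML text: every character that can
//     start or end markup, or break out of an attribute, becomes an entity.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
};
function escapeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => HTML_ENTITIES[c]);
}
function renderEncoded(name) {
  return page(escapeHtml(name));
}

// Crude static check used only by this demo: does the rendered HTML still
// contain a <script> tag or an element with an inline on* event handler?
// A browser is the real oracle; this is just enough to compare the three
// renderers. (For the raw renderer the nested payload is flagged by the
// substring match even though a browser would parse it differently; its
// purpose is to show what the strip filter does to it.)
function containsActiveScript(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed payloads.
const payloadScript  = '<script>alert("XSS!");</script>';                  // the one used in the walkthrough
const payloadHandler = '<img src=x onerror=alert("XSS!")>';                // no <script> tag at all
const payloadNested  = '<scr<script>ipt>alert("XSS!");</scr</script>ipt>'; // one strip pass yields a clean tag

// Run every payload through every renderer and report the outcome.
function demo() {
  const rows = [];
  for (const [label, render] of [
    ["vulnerable", renderVulnerable],
    ["strip-script", renderStripScript],
    ["encoded", renderEncoded],
  ]) {
    for (const payload of [payloadScript, payloadHandler, payloadNested]) {
      const html = render(payload);
      rows.push({ label, payload, active: containsActiveScript(html), html });
    }
  }
  return rows;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of demo()) {
    console.log(`${r.label.padEnd(12)} ${r.active ? "ACTIVE" : "inert "}  ${r.html}`);
  }
}
```

Running it shows the strip filter defeating only the textbook `<script>` payload: the `onerror` payload passes through untouched, and the nested payload comes out of the filter as a perfectly formed `<script>alert("XSS!");</script>`. The encoded renderer produces inert text for all three, which is why output encoding, not tag blacklisting, is the defence to rely on.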
