Testing Cross site scripting

A lot of time the QA's or the testers have to came across testing cross site scripting or XSS scenarios. Fixes for XSS defects will ultimately require code based fixes. So here i will be discussing some manual operations which can be performed by a QA / tester to verify the site integrity and security against xss.


Step 1. Open any Web site in a browser, and look for places on the site that accept user input such as a search form or some kind of login page. Enter the word test in the search box and send this to the Web server.


Step 2. Look for the Web server to respond back with a page similar to something like "Your search for 'test' did not find any items" or "Invalid login test." If the word "test" appears in the results page, you are in luck.


Step 3. To test for Cross-Site Scripting, input the string "" without the quotes in the same search or login box you used before and send this to your Web server.


Step 4. If the server responds back with a popup box that says "hello", then the site is vulnerable to Cross-Site Scripting.


Step 5. If Step 4 fails and the Web site does not return this information, you still might be at risk. Click the 'View Source' option in your browser so you can see the actual HTML code of the Web page. Now find the " text in this source code, then the Web server is vulnerable to Cross-Site Scripting


Note - The discussed article is extracted from xss manuals and other documents.

Comments

  1. AnonymousMarch 22, 2013 at 3:50 AM

    Thanks for the post. This was helpful for me

    ReplyDelete

Post a Comment

Popular posts from this blog

All about Dates using QTP

Majority of applications have Calendars controls. Automating a calendar can be painful at times if the textbox is disabled, and it only works if you select the date from the calendar widget provided on your website/application. I have been working on date controls for couple of months so thought about sharing all the findings with you people. So here i am summarizing some of the checks which can be handy working on date/Calendar controls. '''''' '''''' Compare start and End date For comparing end date validation, set today's date using Date function in start date textbox and set previous date in end date, and check if the validation is fired.   '''''startdate - set as todays date using 'date' Browser("").Page("").WebEdit("").Set Date '''''End date, set prev 5 days date Browser("").Page("").WebEdit("").Set DateAdd(...
Read more

LoadRunner Controller

Image
This is my second post from the HP LoadRunner series. As I discussed earlier, here I will be discussing an overview of LoadRunner Controller . So before going into detail, let me recap the prerequisites. Create script – Checked Replay Script – Checked Updating script if required (Add transaction, Parameterization and Content Check) – Checked  Runtime settings and Iterations – Checked Assuming the script is absolutely fine i.e. error free and ready to be passed on Controller, let us get familiar with the UI first. I will be using LoadRunner 9.5, the screens may vary at your end depending on the version you are using.   The UI The Controller has a Title bar, Menu bar, tool bar and a Status bar. After these we have multiple sections or panes.   The first is Scenario Groups pane. We can add multiple scripts or a single script and name them as a Group.  Next is Scenario schedule, here we define how the load will be passed and executed. We have two types o...
Read more

Working with WebRadioGroup

QTP WebRadioGroup means a radio button on the web page. Identifying and working with them can be easy or difficult. Sometimes they works out fine and at times executing the same code gives you error. If you have two radio buttons on the screen for example Gender selection options the code below might give problem. Browser("").Page("").WebRadioGroup("").Select "M" Where "M" can be the id or the value of the radio button (Spy the object). So what is the problem in the code above? As there are two radio buttons QTP identifies them as same, so we need to differentiate between them. Index is a property by which you can differentiate, it tells the position of the object. So if we write the same code below with an additional index property it will work fine. Browser("").Page("").WebRadioGroup("html id:=" ,"index:= 1").Select "M". This code is intended to select a radio button among two, what ...
Read more