Persistent XSS detection issues


Simon Bennetts

Feb 28, 2014, 6:42:59 AM2/28/14
to zaprox...@googlegroups.com
It looks like a couple of users are having problems getting ZAP to detect persistent / stored XSS issues, so I think it's worth a new thread on this list.

This persistent XSS rule injects 'safe' unique tokens into all available parameters. It then spiders to see where these tokens appear on the site. If it finds these tokens on any page, it then attacks these parameters in a similar way to the reflected cross-site scripting rule, targeting wherever they appear.

This seems to work well in simple cases, but clearly some people are having problems getting it to work so it might well need to be enhanced.

If any of you can reproduce such problems with open source vulnerable web apps then please let me know which, as I'll hopefully be able to reproduce those more easily.

Otherwise I suggest:
  1. Starting a new ZAP session
  2. Just perform the attack and check the target page via your browser (proxying through ZAP of course;)
  3. Active scan this site, with _only_ the persistent XSS rules enabled.

This should show ZAP injecting a unique safe value (like zApPX0sS, zApPX1sS, zApPX2sS etc) into every field it knows about.

If this value is _not_ shown on the target page then ZAP isn't going to be able to detect an XSS.

If it is reflected then you should see ZAP performing a series of XSS attacks.

Please let me know how you get on :)

Simon
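To make the three phases described in the post above concrete, here is an added Python sketch (not ZAP's own code) run against a constructed in-memory guestbook; the page name /view.php, the parameter names and the escaping behaviour of the simulated app are assumptions. It also shows why a parameter whose token never surfaces yields no finding, and why a surfaced token alone is not yet a vulnerability.

```python
import html

# Constructed in-memory guestbook standing in for the target site (an assumption, not ZAP code).
class Guestbook:
    def __init__(self):
        self.entries = []

    def post(self, params):  # stands in for POST of the comment form; "email" is never stored
        self.entries.append((params.get("name", ""), params.get("comment", "")))

    def view(self):  # stands in for GET /view.php; "name" is escaped on output, "comment" is not
        return "".join(f"<li><b>{html.escape(n)}</b>: {c}</li>" for n, c in self.entries)

def crawl(app):
    """Stand-in for the spider: returns every known page and its current body."""
    return {"/view.php": app.view()}

def phase1_inject(app, param_names):
    """Inject one unique, inert token (zApPX0sS, zApPX1sS, ...) into every known parameter."""
    tokens = {p: f"zApPX{i}sS" for i, p in enumerate(param_names)}
    app.post(tokens)
    return tokens

def phase2_locate(app, tokens):
    """Spider the site and record on which pages each parameter's token surfaces."""
    pages = crawl(app)
    return {p: [url for url, body in pages.items() if t in body] for p, t in tokens.items()}

def phase3_attack(app, tokens, sinks):
    """Attack only parameters whose token surfaced, re-checking the pages where it did.
    The probe carries the parameter's own token so a hit cannot be confused with another
    parameter's probe. A parameter whose token never appeared is skipped entirely."""
    findings = []
    for param, urls in sinks.items():
        if not urls:
            continue
        probe = f"<script>alert('{tokens[param]}')</script>"
        app.post({param: probe})
        pages = crawl(app)
        findings += [(param, url) for url in urls if probe in pages[url]]
    return findings

def scan(app, param_names):
    """Full run: returns (where each token surfaced, confirmed stored-XSS findings)."""
    tokens = phase1_inject(app, param_names)
    sinks = phase2_locate(app, tokens)
    return sinks, phase3_attack(app, tokens, sinks)
```

Running `scan(Guestbook(), ["name", "comment", "email"])` reports both "name" and "comment" tokens on /view.php but confirms only "comment", since "name" is escaped on output and "email" is never stored anywhere.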


m.pen...@gmail.com

Mar 1, 2014, 6:50:33 AM3/1/14
to zaprox...@googlegroups.com
Hi,
I have problems with this, thanks for mentioning it.
As discussed in "Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners", in the WackoPicko web site there is a vulnerability that is triggered by going through a multi-step process. This vulnerability is the stored XSS on pictures, which requires an attacker to confirm a comment posting for the attack to be successful.
I was trying to test whether OWASP ZAP can do this or not; to achieve this, after view.php there is preview_comment.php before creating the comment.
But ZAP can't detect the preview_comment.php page in the spider phase nor in the active scan phase.
What is your idea about this?
:)

Simon Bennetts

Mar 3, 2014, 4:49:17 AM3/3/14
to zaprox...@googlegroups.com
Hi,

ZAP doesn't currently detect 'multi-step' issues.
However I do have plans on how we're going to solve this :)

Cheers,

Simon

m.pen...@gmail.com

Mar 3, 2014, 9:14:52 AM3/3/14
to zaprox...@googlegroups.com
I got confused thinking about how to solve this problem! I have some ideas, but they are just about how to scan the pages that are not accessible at first (like pages that will be available after login but not before that).
What do you mean by 'multi-step'?
Can you say a little about your plans, or are they secret? ;)
Thanks :)

Simon Bennetts

Mar 4, 2014, 7:03:29 AM3/4/14
to zaprox...@googlegroups.com
I've raised an enhancement request to record my thoughts on this: http://code.google.com/p/zaproxy/issues/detail?id=1062

Feel free to comment on the issue, or you can start a thread on the ZAP dev list :)

Cheers,

Simon