How to manually reproduce the cross site scripting error from the zap results

585 views

winx...@gmail.com

Jul 21, 2015, 4:40:00 AM
to zaprox...@googlegroups.com


Hi Team, 

I have a reflected cross site scripting alert reported by zaproxy, but being new to this, I am not sure how I reproduce the error manually?

The results I have got are: URL, parameter and attack info.

winxlinx

Simon Bennetts

Jul 23, 2015, 7:32:42 AM
to OWASP ZAP User Group, winx...@gmail.com, winx...@gmail.com
Hi winxlinx,

That depends on various things:
  • Is this a reflected XSS or a stored one?
  • If it's reflected, is it via a GET request or a POST?
  • Are you using the ZAP UI or the API?
If it's a reflected XSS that uses a GET request and you're using the UI then you can just right click the relevant alert in the Alerts tree and "Open URL in browser".
You can also select the full URL from the alert and paste that into a browser if you wish.

In the other cases you'll need to paste the URL into your browser, identify the field that the 'parameter' refers to and supply the 'attack' as the field value.
If it's a stored XSS attack then the page attacked may be different to the one where the evidence was discovered.

Note that ZAP identifies XSSs by analysing the context in the HTML that the user input appears in and escaping out of it. It doesn't check that the specific attack used actually worked.
So don't be surprised if you don't get an alert popup, you may need to tweak the attack to get it to run.
If you have problems with any specific attack then please post sanitized details here and we'll try to help :)

Note that you can also right click an alert and "Generate Zest script for alert" - this generates a Zest script which can automate the process, but again you may need to tweak the attack.

Does that help?

Cheers,

Simon
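A small checker in the spirit of Simon's advice, added here as an example and not code from this thread or from ZAP: it rebuilds the GET request from the alert's URL, parameter and attack fields and reports whether the response echoes the attack verbatim, HTML-escaped, or not at all, which is the reflection check ZAP's verdict rests on rather than proof of script execution. The host example.test, the parameter q, the sample attack string and the sample responses are constructed.

```python
"""Re-check a ZAP reflected-XSS alert from its URL / parameter / attack fields.
Added example, not ZAP code. Reports how the response reflects the attack;
it does not test whether a script actually runs in a browser."""
import html
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def build_repro_url(alert_url: str, param: str, attack: str) -> str:
    """Put the alert's attack value into the named query parameter (added if
    missing) so the result can be pasted straight into a browser."""
    parts = urlsplit(alert_url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[param] = attack
    return urlunsplit(parts._replace(query=urlencode(query)))


def classify_reflection(body: str, attack: str) -> str:
    """'verbatim' = attack echoed unchanged (worth triaging by hand),
    'escaped'  = echoed only as HTML entities (output encoding in place),
    'absent'   = not echoed (filtered, or evidence came from another page)."""
    if attack in body:
        return "verbatim"
    # Heuristic: servers differ in which entity form they emit for quotes.
    if html.escape(attack, True) in body or html.escape(attack, False) in body:
        return "escaped"
    return "absent"


def verify_alert(alert_url: str, param: str, attack: str, fetch=None):
    """Rebuild the request, fetch it (or use an injected fetcher for offline
    checks) and return (url, reflection_class)."""
    url = build_repro_url(alert_url, param, attack)
    body = (fetch or _fetch)(url)
    return url, classify_reflection(body, attack)


def _fetch(url: str) -> str:
    with urllib.request.urlopen(url, timeout=10) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


# Constructed stand-ins for the target's responses so the example runs offline.
ATTACK = '"><script>alert(1)</script>'
SAMPLE_RESPONSES = {
    "vuln": '<input name="q" value="' + ATTACK + '">',               # raw echo
    "safe": '<input name="q" value="' + html.escape(ATTACK) + '">',  # encoded echo
}

if __name__ == "__main__":
    for label, body in SAMPLE_RESPONSES.items():
        url, verdict = verify_alert("http://example.test/search?q=hello", "q",
                                    ATTACK, fetch=lambda _u, b=body: b)
        print(label, url, verdict)
```

Pass `fetch=None` to send the rebuilt request for real; route it through ZAP's proxy if you want the traffic to show up in the history as well.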

timo....@owasp.org

Jul 29, 2015, 3:35:54 AM
to OWASP ZAP User Group, winx...@gmail.com
Have you turned off xss filtering in firefox?

winx...@gmail.com

Jul 31, 2015, 4:58:59 AM
to OWASP ZAP User Group, winx...@gmail.com, timo....@owasp.org

I am not using XSS filtering in Firefox! Is there a tool like that?

kingthorin+owaspzap

Jul 31, 2015, 7:12:24 AM
to OWASP ZAP User Group, winx...@gmail.com, timo....@owasp.org

kingthorin+owaspzap

Jul 31, 2015, 1:33:14 PM
to OWASP ZAP User Group, kingt...@gmail.com
For some unfortunate reason it seems this discussion has moved to email (which seems to be happening with google groups a lot lately :( ), I'm going to attempt to bring it back here:

---------- Forwarded message ----------
From: Winx Linx
Date: Fri, Jul 31, 2015 at 8:41 AM
Subject: Re: How to manually reproduce the cross site scripting error from the zap results
To: kingthorin+owaspzap


OK, we need to disable it in order to get the popup manually?

Assuming it's a reflected XSS then yes, you may need to disable that in order to get it to pop manually. Try it, you have nothing to lose, you can always switch the setting back.