Fuzz XSS against REST API where attack should be different URL than the assertion


Mark Davison

Jul 21, 2014, 5:04:03 AM7/21/14
to zaprox...@googlegroups.com

I am looking to pen test my application against XSS attacks.

The application is a REST API... As such, when you POST some JSON to /cart/add, to see the result of that attack you would need to GET /cart (HTML).

So far I have figured out how to successfully use Fuzzer to make XSS attacks to my application.

However it expects the response to contain the data it just submitted.

I guess what I need is a two step approach to Fuzzer.

  1. Make attack request to POST /cart/add
  2. Assert if attack was successful by requesting GET /cart

Does anyone know how I can do this?

Simon Bennetts

Jul 21, 2014, 6:07:03 AM7/21/14
to zaprox...@googlegroups.com
I think it all depends on how the GET request is used.
Does this return HTML, or does it return data (JSON/XML/..) that is pulled into an HTML page using the REST API?
I would test these 2 cases in different ways :)

Cheers,

Simon

Mark Davison

Jul 23, 2014, 9:53:32 AM7/23/14
to zaprox...@googlegroups.com
The GET request returns JSON which is then passed to an Underscore.js template.

Thanks for your help

Actually different 

Simon Bennetts

Jul 24, 2014, 5:57:13 AM7/24/14
to zaprox...@googlegroups.com
For this situation I think you really need a browser, unless anyone else can suggest alternative approaches.
But that's ok, we can now launch and control a browser using Zest :)

So I would write a Zest script that posts a test value, then launches the browser and opens the page that uses the GET request.
When you have that working you can surround that with a Loop which goes through one of the XSS attack fuzzing files we provide and use that as the attack.
I would just check the resulting pages manually to see if any of the attacks have broken out of your HTML context.
But we also have a DOM XSS fuzzing file that makes a call back to the ZAP API, so it should be possible to automate the detection if that's what you want.

Want to give that a try?
Just let me know if any of that's unclear or if you hit any problems and I'll help you sort it out.
I've done something similar fuzzing an application protected by an SSO solution which I demoed at AppSec EU: https://www.youtube.com/watch?v=Ofmp-haNI7s from around 28:00

Cheers,

Simon
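The two-step check from the first post (POST a value to /cart/add, then GET /cart and look at what comes back), written out as an added example that is not from the thread, from ZAP or from Zest. It drives a hypothetical in-process stand-in for the API instead of a live server, and uses constructed canary strings rather than attack payloads; the point is to classify whether the API HTML-encodes on output or hands the raw value to the client, which decides where the escaping responsibility lies.

```python
import html
import json

# Constructed canaries: a unique marker plus the HTML metacharacters an
# injected script would need to survive unencoded. Not exploit payloads.
CANARIES = ['canary1<>', 'canary2"\'', 'canary3</x>']


class MockCartApi:
    """Hypothetical in-process stand-in for the REST API in the thread:
    POST /cart/add stores an item, GET /cart returns the cart as JSON.
    A real run would replace these two methods with HTTP calls."""

    def __init__(self, escape_on_output=False):
        self.items = []
        self.escape_on_output = escape_on_output

    def post_cart_add(self, body):  # step 1 target: the reply never echoes the item
        self.items.append(json.loads(body)["item"])
        return json.dumps({"status": "ok"})

    def get_cart(self):  # step 2 target: the only place the value is visible
        items = [html.escape(i) if self.escape_on_output else i for i in self.items]
        return json.dumps({"items": items})


def two_step_check(api, canaries=CANARIES):
    """Post each canary, then fetch the cart and classify how it came back:
    'raw'     -> metacharacters intact; the client-side template must escape
    'escaped' -> the API HTML-encoded the value on output
    'missing' -> the canary was not stored (or was filtered) at all."""
    results = {}
    for canary in canaries:
        api.post_cart_add(json.dumps({"item": canary}))
        stored = json.loads(api.get_cart())["items"]
        if canary in stored:
            results[canary] = "raw"
        elif html.escape(canary) in stored:
            results[canary] = "escaped"
        else:
            results[canary] = "missing"
    return results


if __name__ == "__main__":
    for flag in (False, True):
        print("escape_on_output =", flag, two_step_check(MockCartApi(flag)))
```

A 'raw' result is not by itself a bug, since JSON is the right transport encoding; it means the escaping has to happen in the Underscore template, which is exactly what the browser-driven Zest check in the reply above verifies.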