On the value of blackbox XSS scanning
Posted by: metal_hurlant
Date: October 03, 2006 03:29PM

the latest entry on http://ha.ckers.org/blog/20061003/hackersafe-site-hacked-safely/ reminded me of something:

It is impossible to do a blackbox scan for XSS and claim that there are no XSS on a site based on that scan alone.

Let's take an extremely simplified example:
http://any.site/page.php?a=1&b=2&c=3&d=4&e=5&f=6&g=7&h=8

Let's assume that you were told from a reliable source that one of those parameters can be used for a script injection by inserting a simple <script>alert('yo')</script> in it.

If you're thinking it's going to take you only 1 try, or at most 8 tries, that may not quite cut it.

The problem here is that each input parameter can be used by the server script to potentially change the meaning of every other input parameter.
So maybe the injection happens when a=<script>alert('yo')</script>, but only when e=test. Maybe "e" here is the parameter for a template that gets included in the final page. Or something else. Who knows.

It could be worse. Maybe adding a &debug=1 is the key. Developers love to add those kinds of warts to help them figure out what's really going on, then they forget to clean them up before pushing the code live.


In short, if someone is selling a service that guarantees anything about the security of your site by doing blackbox testing only, they're selling you snake oil.

Re: On the value of blackbox XSS scanning
Posted by: rsnake
Date: October 03, 2006 03:42PM

That's exactly right. I've thought about that a lot too... Even (automated) open-sourced scanning has similar issues. If you are dependent on some state of something to act on something else to have a bug in it to cause the security issue, chances are very slim that the code would catch it.

But to answer your question, you're exactly right. And oftentimes I've run into that exact issue, where it will only fail if I have a fake address in place (on contact forms) or not in some cases (if I have it it won't fail out and show the XSS). It's extremely complex to automate, and especially so when you add on things like the infinite depth issues (calendars) and understanding state management (are you logged in or not)?

- RSnake
Gotta love it. http://ha.ckers.org

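The scenario from both posts, as an added example that is not code from the thread or from either poster: a Python stand-in for the hypothetical page.php above, where parameter a is reflected unescaped only when e=test selects a sloppy template, when a leftover debug=1 switch is present, or when the visitor is logged in (RSnake's state point), plus two black-box scanners run against it. The endpoint logic, the parameter names a..h, the values test and 1, the hidden name debug and the session cookie are all assumptions chosen to match the thread, not anything observed on a real site.

```python
# Added example: a simulated state-dependent XSS and two black-box scanners.
# Everything here (page.php behaviour, parameter names, e=test, debug=1, the
# session cookie) is a constructed assumption, not a real target.
from html import escape
from itertools import product

PAYLOAD = "<script>alert('yo')</script>"
BASELINE = {"a": "1", "b": "2", "c": "3", "d": "4",
            "e": "5", "f": "6", "g": "7", "h": "8"}


def page(params, cookies=None):
    """Simulated server-side script for http://any.site/page.php (hypothetical).

    'a' is HTML-escaped on the default code path. It is reflected raw only when
      (1) e=test selects a template that forgets to escape,
      (2) a leftover debug=1 switch dumps the raw value, or
      (3) a logged-in session cookie routes to an unescaped greeting.
    """
    cookies = cookies or {}
    a = params.get("a", "")
    if params.get("e") == "test":
        return f"<div class='tpl-test'>{a}</div>"
    if params.get("debug") == "1":
        return f"<pre>raw a={a}</pre>"
    if cookies.get("session") == "user":
        return f"<p>Welcome back, {a}</p>"
    return f"<p>{escape(a)}</p>"


def reflects_payload(html):
    """True if the payload came back verbatim (i.e. unescaped)."""
    return PAYLOAD in html


def scan_one_at_a_time(base, cookies=None):
    """Naive scanner: inject into one parameter at a time, others at baseline.

    Returns the names of parameters that reflected the payload raw.
    """
    hits = []
    for name in base:
        params = dict(base, **{name: PAYLOAD})
        if reflects_payload(page(params, cookies)):
            hits.append(name)
    return hits


def scan_pairwise(base, values, hidden_names, cookies=None):
    """Scanner that, for each target, also varies one *other* parameter.

    The 'other' parameter is drawn from the known ones plus a wordlist of
    guessed hidden names (e.g. debug), and is cycled through candidate values.
    Returns sorted (target, other, value) triples that reflected the payload.
    """
    hits = set()
    candidates = list(base) + list(hidden_names)
    for target in base:
        for other, value in product(candidates, values):
            if other == target:
                continue
            params = dict(base, **{target: PAYLOAD, other: value})
            if reflects_payload(page(params, cookies)):
                hits.add((target, other, value))
    return sorted(hits)


if __name__ == "__main__":
    print("naive, anonymous:  ", scan_one_at_a_time(BASELINE))
    print("naive, logged in:  ", scan_one_at_a_time(BASELINE, {"session": "user"}))
    print("pairwise, anonymous:", scan_pairwise(BASELINE, ["test", "1"], ["debug"]))
```

The naive scan sends 8 requests and finds nothing while anonymous; it only finds a once the scanner holds a logged-in session. The pairwise scan needs 8 targets x 8 other parameters x 2 values = 128 requests to surface the e=test and debug=1 paths, and that is with a two-word value list and a one-word hidden-parameter guess. Real templates, hidden switches and session states push that well beyond what a scanner can afford, which is the point of the thread.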