Your e-Business Quality Partner eValid™ -- Automated Web Quality Solution
Browser-Based, Client-Side, Functional Testing & Validation,
Load & Performance Tuning, Page Timing, Website Analysis,
and Rich Internet Application Monitoring.

Security Testing Examples -- XSS
eValid Home

Cybersecurity testing often requires making many analyses, at regularly scheduled intervals, to identify a potential exploit. This example illustrates how eValid is applied in one specific way to a web page or web application to search for a pattern that may represent a possible exploit. To apply this method in your specific situation you will need to make decisions about what pages to scan, what specific patterns or features to look for, and how to handle the information that is generated. Web application security requires careful planning and test execution analysis. eValid enables such work.

Overview
This example illustrates how eValid is used to search a a web page for a possible XSS vulnerability. Additional technical details about this kind of vulnerability are given in the References section, below.

The method used is to apply eValid's site analysis functionality to the job of scanning a website for instances of a particular character string. That requires setting up the site analysis run parameters, making the run, and then analyzing the results.

Example Steps & Explanation
Here are the main steps in this example:

  1. Typical Target Page
    The example target page is a very naive one, consisting of just the HTML shown here. (The web pages you'll be analyzing are, of course, more complex; for this illustration we want to keep it as simple as possible.)

    <HTML>
    <BODY>
    <a href="[http://<XSS-host]/xssfile?evil request">Hi! visit my website</a>
    </BODY>
    </HTML>

  2. Defining the "Search For" String
    The scan is for the string that is defined in the site analysis string filter page. In this example the string to be searched for is XSS, which is known to be in the target web page (see HTML text above).

    In this case the "searched for" string is XSS, the search by eValid is to be done on the complete HTML of the page. Note that we didn't check "Regular Expression" but if we did then the content of the Text parameter could be any regular expression.

    Sample of String Filter Setting Page

  3. Running the Search
    Before starting the script playback these settings need to be saved into an eValid parameter profile. In this case we use the name PROFILE.

    Playback begins by running the eValid script (shown below), which launches the site analysis run within the browser.

    The real action begins with the &SiteAnalysis command, shown in bold in the eValid script given below.

    The additional parameters on the &SiteAnalysis command affect how the scan is done and where the resulting files are to be stored.

    At the end of the playback (which includes the site analysis run) you see a "green screen" indicating normal termination.

  4. Test Completion Report
    This page shows the status of the run, indicating the number of commands completed and total run time.

  5. Scan Status Page
    This page shows the status of the site analysis run, indicating the number of pages scanned and the status/results of the scan.

  6. Filter Results Page
    The site analysis process creates this page to show all of the instances of match to the specified search string. Note that the URL for the page that has the vulnerability is shown, along with the specific string match in context with the HTML surrounding it.

eValid Test Script
Here is the test script used in this example:

# Copyright  2013 by Software Research, Inc. 
# Recording made on: Microsoft Windows XP 

ProjectID "ProjExample"
GroupID "Security"
TestID "xsstest"
LogID "AUTO"

DeleteCache
DeleteCookies

InitLink "http://www.e-valid.com/Products/Documentation.9/" \
	"Security/Examples/XSS/cybersecuritycheck.html"

# Search through my webpage(s) for possible XSS related triggers...
# Note: please make sure your current SA profile settings include
#       unchecked startup dialog box and starting on current page,
#       along with string filter=XSS.

&SiteAnalysis PROFILE 15 xssfind

# Upon completion of run the site analysis output file named 
# "xssfind-matchString" will contain reports of all string matches made.

# (optional:) If eValid is unable to process the site analysis engine, 
# send an alert to the user...
#
# OnErrorEmail "email-address" "subject" "message" "attachment-path"

# End of script.

Technical References
Here are key references that describe the XSS vulnerability.