Check for persistent Cross-Site Scripting bugs through the input form fields

Steps:

o    Identify entry points that collect user input, such as form inputs [e.g. text boxes], query string parameters, etc.

o    Check whether the user input is saved to the database and whether the same data is fetched back and rendered to the screen.

    • Enter these: <Script>alert('XSS')</script> , "><script>alert('XSS')</script> , ;alert('XSS') , ');alert('XSS') , javascript:alert('XSS')
    • On the page that renders the data, if an alert box saying “XSS” pops up, the attack was successful.
    • Depending on the context of the output, this payload might need more tweaking. Do a View Source to find where and how the input was echoed back.
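
The View Source step can be scripted. The following is an added example, not part of the original post: it searches a rendered page for a stored marker and reports the markup context of each echo and whether the special characters after the marker were encoded. The marker value, the function names and the sample page are constructed for illustration.

```python
import html
import re

MARKER = "zq7probe"        # constructed unique token, easy to search for
SPECIALS = "<\"'>"         # characters whose handling shows the output encoding
PROBE = MARKER + SPECIALS  # value stored through the form field under test

def context_at(page, pos):
    """Classify where the echo at offset pos sits (text heuristic, not a full parser)."""
    before = page[:pos].lower()
    s = before.rfind("<script")
    if s > before.rfind("</script") and ">" in before[s:]:
        return "script block"
    if before.rfind("<") > before.rfind(">"):
        return "attribute value"
    return "html text"

def encoding_at(page, end):
    """Report how the special characters that follow the marker were rendered."""
    tail = page[end:end + 40]
    if tail.startswith(SPECIALS):
        return "unencoded"      # output encoding is missing at this location
    if html.unescape(tail).startswith(SPECIALS):
        return "html-encoded"
    return "altered"            # stripped, truncated or encoded some other way

def find_echoes(page):
    """Return (context, encoding) for every place the marker is echoed back."""
    return [(context_at(page, m.start()), encoding_at(page, m.end()))
            for m in re.finditer(re.escape(MARKER), page)]

# Constructed sample of a page that renders the stored value in three places.
SAMPLE = '''<html><body>
<h1>Comments</h1>
<p>zq7probe&lt;&quot;&#x27;&gt;</p>
<input name="last" value="zq7probe<"'>">
<script>var last = 'zq7probe<"'>';</script>
</body></html>'''

if __name__ == "__main__":
    for context, encoding in find_echoes(SAMPLE):
        print(f"{context:16} {encoding}")
```

Each "unencoded" result marks an output location that needs encoding appropriate to its context (HTML text, attribute value or script).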

Cheers,

Anmol Malhotra

Security Consultant
ACE Services