Skip to content

Cross-site scripting (XSS) - What's that and how to identify them?

On my blog are some vulnerabilities called "Cross-site scripting" or "XSS", but what exactly is a Cross-site scripting?

A Cross-site scripting attack is a type of a html injection and the problem is always when a web application accept user input and generates the output without validating or encoding it. This flaw makes it possible for an attacker to inject a malicious script – like javascript – to access cookies, session tokes or some other sensitive information stored in the user’s browser, because it thinks the script came from a trusted source.  

They are some different possibilties to identify XSS vulnerabilities:

- use a web security scanner, like xsser, arachni, Nikto
- test/review the code for places with user input which possibly ends into HTML output
(contact forms, search forms …)
 
Continue reading "Cross-site scripting (XSS) - What's that and how to identify them?"

SSCHADV2011-027 - KaiBB 2.0.1 XSS and SQL Injection vulnerabilities

Advisory:
KaiBB 2.0.1 XSS and SQL Injection vulnerabilities
Advisory ID:
SSCHADV2011-027
Author:
Stefan Schurtz
Affected Software: Successfully tested on KaiBB 2.0.1
Vendor URL:
Vendor Status: informed
CVE-ID: -
 
======================
Vulnerability Description:
======================

KaiBB 2.0.1 is prone to XSS and SQL Injection vulnerabilities
 
Continue reading "SSCHADV2011-027 - KaiBB 2.0.1 XSS and SQL Injection vulnerabilities"

SSCHADV2011-026 - openEngine 2.0 'key' Blind SQL Injection vulnerability

Advisory:
openEngine 2.0 ‘key’ Blind SQL Injection vulnerability
Advisory ID: SSCHADV2011-026
Author:
Stefan Schurtz
Affected Software: Successfully tested on openEngine 2.0 100226
Vendor URL:
Vendor Status: informed
CVE-ID: -
 
======================
Vulnerability Description
======================

The ‘key’ parameter in openEngine 2.0 is prone to a Blind SQL Injection
 
Continue reading "SSCHADV2011-026 - openEngine 2.0 'key' Blind SQL Injection vulnerability"

SSCHADV2011-025 - Contao 2.10.1 Cross-site scripting vulnerability

Advisory:
Contao 2.10.1 Cross-site scripting vulnerability
Advisory ID:
SSCHADV2011-025
Author:
Stefan Schurtz
Affected Software:
Successfully tested on Contao 2.10.1
Vendor URL:
Vendor Status:
fixed
CVE-ID:
CVE-2011-4335
 
======================
Vulnerability Description:
======================
 
Contao 2.10 is prone to a Cross-site scripting vulnerability
 
Continue reading "SSCHADV2011-025 - Contao 2.10.1 Cross-site scripting vulnerability"

SSCHADV2011-022 - phpFK 7.2.5 Multiple Cross-site Scripting vulnerabilities

Advisory:
phpFK 7.2.5 Multiple Cross-site Scripting vulnerabilities
Advisory ID:
SSCHADV2011-022
Author:
Stefan Schurtz
Affected Software:
Successfully tested on phpFK 7.2.5
Vendor URL:
Vendor Status:
informed
CVE-ID:
-
 
======================
Vulnerability Description:
======================
 
phpFK 7.2.5 is prone to multiple Cross-site scripting vulnerabilities
 
Continue reading "SSCHADV2011-022 - phpFK 7.2.5 Multiple Cross-site Scripting vulnerabilities"

SSCHADV2011-023 - Phorum 5.2.18 Cross-site Scripting vulnerability

Advisory:
Phorum 5.2.18 Cross-site Scripting vulnerability
Advisory ID:
SSCHADV2011-023
Author:
Stefan Schurtz
Affected Software:
Successfully tested on Phorum 5.2.18
Vendor URL:
Vendor Status:
informed
CVE-ID:
-
 
======================
Vulnerability Description:
======================
 
Phorum 5.2.18 is prone to a Cross-site scripting vulnerability
 
Continue reading "SSCHADV2011-023 - Phorum 5.2.18 Cross-site Scripting vulnerability"
Imprint | Contact | Privacy Statement