sachiko-kame
Things I thought I should be careful about when writing my own XSS penetration tests.

Introduction

This article is a Google translation of my own article, lightly reviewed.🙇‍♀️

Sorry for my bad English.🙇‍♀️

Some parts have been omitted.🙇‍♀️

The original article is below. (Japanese)🙇‍♀️
https://qiita.com/sachiko-kame/items/d6128c0674a75f5ec809

Out in the world there are penetration testing tools such as OWASP ZAP, and there are handy XSS check strings such as the XSS Locator (Polyglot).

But how much can they actually detect? How should I test in the first place? Are there precautions to take when inspecting? How can I write an XSS penetration test that catches more XSS? There is a lot to think about!

I thought about these questions, actually tried it out, and want to write about what I think you should be careful about when writing your own XSS penetration test. Thank you!

Here's a GitHub link so you can try it yourself!

『OWASP ZAP』 vs 『XSS Locator (Polyglot)』

First, on pages containing various vulnerabilities, I checked how much "OWASP ZAP" and the "XSS Locator (Polyglot)" can each detect.

The vulnerable pages are a mix of things I picked up from various sites and things I made by looking at the Polyglot string.

You can see a lot from the table below:
・Both detect simple XSS to some extent.
・There are cases where "OWASP ZAP" does not check the URL scheme (sample-a9).
・Neither can detect vulnerabilities caused by regular expressions built from user input (sample-b5 to b8).
・Neither can detect vulnerabilities in error output (sample-c1).
・"OWASP ZAP" detects less than the "XSS Locator (Polyglot)".
・The "XSS Locator (Polyglot)" may miss things if the way you check or the input you give is wrong (details later).

| Inspected pattern | Example of a value entered in normal use | OWASP ZAP | XSS Locator (Polyglot) |
| --- | --- | --- | --- |
| Escape omission in `<title>` (sample-a1) | 1 | Detected | Detected |
| Escape omission in `<style>` (sample-a2) | red | Detected | Detected |
| Escape omission in `<textarea>` (sample-a3) | This is my first post! | Detected | Detected |
| Escape omission in `<script>` (sample-a4) | sss | Detected | Detected |
| Escape omission in `<xmp>` (sample-a5) | sample | Detected | Detected |
| Escape omission in `<pre>` (sample-a6) | sample | Detected | Detected |
| Insufficient escaping: ' and " not escaped (sample-a7) | red | Detected | Detected |
| Insufficient escaping: ' and " not escaped (sample-a8) | "color: red" | Not detected | Detected (input must be enclosed in "") |
| URL scheme check omission (sample-a9) | https://sachiko-kame.github.io/ | Not detected | Detected |
| Escape omission where PHP string output is enclosed in an HTML comment (sample-b1) | sample | Detected | Detected |
| Inappropriate escaping: PHP output wrapped in a JS escape function (sample-b2) | sample | Detected | Detected |
| Escape omission in a for loop (sample-b3); the attack string must be entered after # | Nice weather#Event#Weather#aaa | Detected | Detected |
| Escape omission in a for loop, with added processing that rejects only the string "script" (sample-b4); the attack string must be entered after # | It's a nice weather#Event#Weather#aaa | Detected | Detected |
| Insufficient check: regular expression built from user input, PHP code (sample-b5); the base regular expression itself is built from user input | https://sachiko-kame.github.io#abc | Not detected | Not detected |
| Insufficient check: regular expression built from user input, JS code (sample-b6); the base regular expression itself is built from user input | https://sachiko-kame.github.io#abc | Not detected | Not detected |
| Insufficient check: regular expression partly built from user input, PHP code (sample-b7); the base regular expression is not built from user input, only part of it is | http://192.168.99.100:86/sample-b7/?name=sachiko | Not detected | Not detected |
| Insufficient check: regular expression partly built from user input, JS code (sample-b8); the base regular expression is not built from user input, only part of it is | http://192.168.99.100:86/sample-b8/?name=sachiko | Not detected | Not detected |
| Escape omission after a prefix is added to a style class name (sample-b9) | php | Not detected | Detected |
| Escape omission in the error message of a try/catch (sample-c1) | sample | Not detected | Not detected |
| iframe URL scheme check omission (sample-c2) | https://sachiko-kame.github.io/ | Detected | Detected |

The "XSS Locator (Polyglot)" may be missed if the way you check or the input you give is wrong.

It may sound obvious, but:

  • You should put the "XSS Locator (Polyglot)" value where the user can enter text freely.
  • If the system requires a particular character or format at the place where the user enters text freely, insert the system-required part + "XSS Locator (Polyglot)".

If anything can be entered after "#"……

```
○
https://sachiko-kame.github.io#<<Polyglot value>>

×
<<Polyglot value>>

× (tempting, but not detected)
https://sachiko-kame.github.io/<<Polyglot value>>
```

If the instructions say to enclose the input value in ""……

```
○
"<<Polyglot value>>"

× (tempting, but not detected)
<<Polyglot value>>
```
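The ○/× rules above, run against two small apps, as an added example that is not part of the original post or its GitHub samples. `renderPost()` and `renderStyled()` are hypothetical stand-ins for the sample-b3 ("enter after #") and sample-a8 ("enclose in \"\"") patterns; the `POLYGLOT` string is the OWASP XSS Locator (Polyglot) as I remember it from the XSS Filter Evasion Cheat Sheet, so verify it against the current sheet before relying on it.

```javascript
// Added example (not from the original post): why the XSS Locator (Polyglot)
// has to be put exactly where the application renders free user input, and
// in the format the application asks for. renderPost() and renderStyled()
// are hypothetical stand-ins for sample-b3 and sample-a8; the real samples
// on GitHub may be implemented differently.

// "XSS Locator (Polyglot)" as listed in the OWASP XSS Filter Evasion Cheat
// Sheet (assumption: quoted from memory, verify against the current sheet).
const POLYGLOT =
  "javascript:/*--></title></style></textarea></script></xmp>" +
  "<svg/onload='+/\"/+/onmouseover=1/+/[*/[]/+alert(1)//'>";

const escapeHtml = (s) =>
  s.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));

// sample-b3 analog: "body#tag#tag". The body is escaped, but each #tag is
// written out raw inside the loop, so only input after "#" is exploitable.
function renderPost(input) {
  const [body, ...tags] = input.split("#");
  let html = `<p>${escapeHtml(body)}</p><ul>`;
  for (const tag of tags) html += `<li>#${tag}</li>`; // BUG: no escaping here
  return html + "</ul>";
}

// sample-a8 analog: the form asks for a CSS declaration enclosed in double
// quotes. Unquoted input is ignored; quoted input has its quotes stripped
// and is dropped into a style attribute raw.
function renderStyled(input) {
  const m = /^"(.*)"$/.exec(input);
  if (!m) return '<p style="color: black">sample</p>';
  return `<p style="${m[1]}">sample</p>`; // BUG: a " in the value closes the attribute
}

// For every input variant, report whether the polyglot reaches the HTML unescaped.
function probe(render, variants) {
  const result = {};
  for (const [name, input] of Object.entries(variants)) {
    result[name] = render(input).includes(POLYGLOT);
  }
  return result;
}

const postVariants = {
  bare: POLYGLOT,                                            // × in the post
  afterHash: `https://sachiko-kame.github.io#${POLYGLOT}`,   // ○
  afterSlash: `https://sachiko-kame.github.io/${POLYGLOT}`,  // ×
};
const styleVariants = {
  bare: POLYGLOT,          // ×
  quoted: `"${POLYGLOT}"`, // ○
};

console.log(probe(renderPost, postVariants));    // { bare: false, afterHash: true, afterSlash: false }
console.log(probe(renderStyled, styleVariants)); // { bare: false, quoted: true }
```

The check is deliberately crude: it only asks whether the polyglot string survives into the HTML byte-for-byte, which is exactly what a scanner would also fail to see if the payload lands in the escaped body instead of the raw tag loop. Against a real target, replace the two renderers with HTTP requests to the form and the same `includes()` check on the response.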

Summary of things I thought I should be careful about when creating my own XSS penetration test

  • Run the inspection without a WAF.
    With a WAF in place, there seem to be cases where an attack is not detected simply because the WAF blocked it.

  • Basically, use the XSS Locator (Polyglot) and |.| as the attack code.
    As the table above shows, this detects a fair amount, so I feel it is the appropriate attack code. |.| is explained a little later.

  • First, write down the normal behaviour of the system. e.g. "If you do 〇〇, it behaves like 〇〇."
    Then look for suspicious places that do not behave this way. Without doing something like this I think it would be hard to find vulnerabilities in regular expressions.

```
example
・If you type 〇〇 in the form, 〇〇 is displayed in this place.
・If you type red in the form, this place turns red.
・If you type "sample" in the form, it becomes URL#sample here and the corresponding part is displayed when you click it.
```

  • Identify the places where users can enter data freely. Reference: sample-b3
    Put the attack code there and inspect.

  • Where the user can enter data freely, also identify anything the system asks for (e.g. "enclose in ''"). Reference: sample-a8
    Put the attack code there, in the requested format, and inspect.

  • When diagnosing (on your own), try clicking and focusing to see whether anything differs from normal behaviour. Reference: sample-a7
    This assumes JS has been injected into an event handler or a src attribute.

```
example
・Check that JS does not fire without doing anything.
・Check that JS does not fire when you interact with the form.
・Check that JS does not fire when you click.
・Check that the behaviour is the normal, expected behaviour.
```

  • Check whether it fires even when an error occurs. Reference: sample-c1
    That is, insert the attack code and check what happens when an error occurs.
    Basically, I think it comes down to entering "<<string that causes an error>><<Polyglot>>" and checking.

  • Considering the possibility of regular expressions, characters that always behave differently and do not behave as intended are suspicious.

  • My feeling is: put in a character string that looks like it would cause a bug, and see what happens!

For example:

```
|.|
```

The table below shows what I tried (① stands for the string |.|).

| Inspected pattern | What you entered | Normal behaviour | Buggy behaviour |
| --- | --- | --- | --- |
| sample-b5 | https://sachiko-kame.github.io#① | Clickable URL => https://sachiko-kame.github.io | Clickable URL => http://192.168.99.100:86/sample-b5/?name=https%3A%2F%2Fsachiko-kame.github.io%23%7C.%7C |
| sample-b6 | https://sachiko-kame.github.io#① | Clickable URL => https://sachiko-kame.github.io | Clickable URL => http://192.168.99.100:86/sample-b6/ |
| sample-b7 | http://192.168.99.100:86/sample-b7/?①=① | Image URL => https://sachiko-kame.github.io/images/sachiko.png | A lot of ① are displayed |
| sample-b8 | http://192.168.99.100:86/sample-b8/?①=① | Image URL => https://sachiko-kame.github.io/images/sachiko.png | A lot of ① are displayed |

  • Confirm that the tag you intended to inject is not included in the output. If you don't go this far, you won't find everything. Reference: sample-c1

  • As a bonus: if some tags are allowed where you enter long text, it might be better to also enter an event handler there and check that it never fires. I'm thinking about this; I wrote it as a bonus.
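Two of the checks in the list above, the error-output check (sample-c1) and the |.| regex probe (sample-b7/b8), as an added example that is not part of the original post or its GitHub samples. `renderQuantity()` and `highlightName*()` are hypothetical apps constructed for this example, the page text is constructed, and `MARKER` is a short stand-in for the full Polyglot so the output stays readable; the real samples may be implemented differently.

```javascript
// Added example (not from the original post): two checks from the summary
// list, run against hypothetical stand-ins for the post's samples.
//  1. sample-c1 style: the error message of a try/catch echoes raw input.
//  2. sample-b7/b8 style: a regex built from user input; "|.|" as the probe.
// Both apps are constructed for this example; the real samples may differ.

const escapeHtml = (s) =>
  s.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));

// Short marker standing in for the full XSS Locator (Polyglot); the check
// only asks whether it reaches the HTML unescaped.
const MARKER = "<svg/onload=alert(1)>";

// --- 1. Error path (sample-c1 analog) ---------------------------------
// The success path is escaped; the catch block is not.
function renderQuantity(input) {
  try {
    if (!/^\d{1,3}$/.test(input)) throw new Error(`"${input}" is not a quantity`);
    return `<p>Quantity: ${escapeHtml(input)}</p>`;
  } catch (e) {
    return `<p class="error">${e.message}</p>`; // BUG: raw input inside e.message
  }
}

// True when the marker survives into the HTML unescaped.
function leaksRaw(render, input) {
  return render(input).includes(MARKER);
}

// --- 2. Regex built from user input (sample-b7/b8 analog) --------------
const PAGE_TEXT = "Hello sachiko, welcome back sachiko!"; // constructed page text

// Vulnerable: the user-controlled name is used as regex syntax as-is.
function highlightNameVulnerable(name) {
  return PAGE_TEXT.replace(new RegExp(name, "g"), (m) => `<b>${m}</b>`);
}

// Hardened: escape regex metacharacters so the name is matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}
function highlightNameFixed(name) {
  return PAGE_TEXT.replace(new RegExp(escapeRegExp(name), "g"), (m) => `<b>${m}</b>`);
}

// Record the baseline first ("sachiko" is highlighted twice), then probe.
// "|.|" is the regex "empty | any char | empty": the empty alternative wins
// at every position, so the vulnerable version wraps every character
// (PAGE_TEXT.length + 1 = 37 times), the "lot of |.|" symptom from the post.
function countHighlights(html) {
  return (html.match(/<b>/g) || []).length;
}
function probeRegex(render) {
  return {
    baseline: countHighlights(render("sachiko")),
    pipeDot: countHighlights(render("|.|")),
  };
}

console.log(leaksRaw(renderQuantity, "42"));           // false
console.log(leaksRaw(renderQuantity, "abc" + MARKER)); // true: reaches the catch block
console.log(probeRegex(highlightNameVulnerable));      // { baseline: 2, pipeDot: 37 }
console.log(probeRegex(highlightNameFixed));           // { baseline: 2, pipeDot: 0 }
```

The regex probe works the way the list describes: the normal input gives you the expected count, and any deviation for |.| (dozens of matches, zero matches where there should be some, or an exception) marks the spot as a regex built from user input. In PHP the same idea applies to `preg_replace()` with user input in the pattern, and `preg_quote()` plays the role of `escapeRegExp()` here.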

Lastly

Thank you for reading to the end!!🙇‍♀️
