Finding and Exploiting Reflected XSS Vulnerabilities
The most reliable approach to detecting reflected XSS vulnerabilities involves working systematically through all the entry points for user input that were identified during application mapping (see Chapter 4) and following these steps:
- Submit a benign alphabetical string in each entry point.
- Identify all locations where this string is reflected in the application's response.
- For each reflection, identify the syntactic context in which the reflected data appears.
- Submit modified data tailored to the reflection's syntactic context, attempting to introduce arbitrary script into the response.
- If the reflected data is blocked or sanitized, preventing your script from executing, try to understand and circumvent the application's defensive filters.
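As an added illustration of steps 2 and 3 (not code from the book), the following script takes a captured response body and the benign canary string and reports every reflection together with the syntactic context it lands in, which is the triage a tester or a DAST tool performs before deciding whether a reflection is even worth examining. The canary value and the sample response are constructed for this example.

```python
import re

# Constructed sample: the alphabetical canary is reflected in four
# different syntactic contexts of one HTML response.
CANARY = "qwzxtestzxwq"
SAMPLE_RESPONSE = (
    "<html><body>\n"
    "<p>Results for qwzxtestzxwq</p>\n"
    '<input type="text" name="q" value="qwzxtestzxwq">\n'
    "<script>var term = 'qwzxtestzxwq';</script>\n"
    "<!-- debug: qwzxtestzxwq -->\n"
    "</body></html>"
)

def _in_block(before, open_tag, close_tag):
    """True if the most recent open_tag before the reflection is still unclosed."""
    low = before.lower()
    start = low.rfind(open_tag)
    return start != -1 and low.find(close_tag, start + len(open_tag)) == -1

def classify_context(body, idx):
    """Classify the syntactic context of a reflection starting at body[idx]."""
    before = body[:idx]
    if _in_block(before, "<!--", "-->"):
        return "html_comment"
    if _in_block(before, "<script", "</script>"):
        return "script_block"
    tag_start = before.rfind("<")
    if tag_start != -1 and before.rfind(">") < tag_start:
        # Inside an open tag: an odd number of quotes since the tag started
        # means the reflection sits inside a quoted attribute value.
        tag_so_far = before[tag_start:]
        if tag_so_far.count('"') % 2 == 1:
            return "attribute_value_double_quoted"
        if tag_so_far.count("'") % 2 == 1:
            return "attribute_value_single_quoted"
        return "inside_tag_unquoted"
    return "html_text"

def find_reflections(body, canary):
    """Return (offset, context) for every occurrence of the canary in body."""
    return [(m.start(), classify_context(body, m.start()))
            for m in re.finditer(re.escape(canary), body)]

if __name__ == "__main__":
    for offset, ctx in find_reflections(SAMPLE_RESPONSE, CANARY):
        print(f"offset {offset}: reflected in {ctx}")
```

Each context implies a different output-encoding rule on the server side, so the same list doubles as a checklist of where encoding must be applied.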
Identifying Reflections of User Input
The first stage in the testing process is to submit a benign string to each entry point and to identify every location in the response where the string is reflected.
- Choose a unique arbitrary string that does not appear anywhere within the application and that contains only alphabetical characters and therefore is unlikely to be affected by any XSS-specific filters. For example:
Submit this string as every parameter to every page, targeting only one parameter at a time.
- Monitor the application's responses for any appearance of this same string. Make a note of every parameter whose value is being copied into the application's ...