Scratch

billyedward · 2009-07-21 23:35:50

I have lately been testing the scratch website for XSS vulnerabilities, and am happy to announce that as of yet none have arisen. If I think of anything else, I will test it and tell you how it went. Below are the posts which I used to test it.
What I did:
> Tested for parsing of HTML tags. Did so by replacing the < and > symbols with their entity codes.
> Tested for multiple embedded tag parsing.
> Tested Image tag with valid URL
> Tried to exploit IE vulnerability for scripts in src attribute
> Continued above using charactercodes and breaks
> More testing revealed that img tags are just displayed as code if not enclosing a valid url.
> Tried hiding code into 'valid' urls. None worked.
> Deduced that connection protocol must be present to be classed as a valid url.
> Deduced that ampersands proceeded by a hash are parsed as entity code prefixes
> So far, The scratch website is safe!

Last edited by billyedward (2009-07-22 04:27:05)

billyedward · 2009-07-21 23:38:29

billyedward · 2009-07-21 23:43:17

<str<str<str<str<str<str<str<str<str<strike>ike>ike>ike>ike>ike>ike>ike>ike>ike>XSS test</str</str</str</str</str</str</str</str</str</strike>ike>ike>ike>ike>ike>ike>ike>ike>ike>

billyedward · 2009-07-21 23:45:03

billyedward · 2009-07-21 23:48:12

[img]javascript:alert('XSS attack')[/img]
^ Malicious image src code

billyedward · 2009-07-21 23:51:38

[img]java script:alert('XSS attack')[/img]

billyedward · 2009-07-21 23:52:43

[img]java script:alert('XSS attack')[/img]

billyedward · 2009-07-21 23:54:11

[img]javAscript:alert('XSS attack')[/img]

billyedward · 2009-07-21 23:55:48

[img]alert('XSS attack')[/img]

billyedward · 2009-07-21 23:57:32

[img]javascript[/img]

billyedward · 2009-07-21 23:59:01

[img]java script[/img]

billyedward · 2009-07-22 00:00:28

[img]aRandomWord[/img]

billyedward · 2009-07-22 00:02:09

billyedward · 2009-07-22 00:03:36

billyedward · 2009-07-22 00:04:46

billyedward · 2009-07-22 00:05:56

[img][/img]

billyedward · 2009-07-22 00:07:00

billyedward · 2009-07-22 00:08:34

[img]http://ttt.com/sss.bmp[/img]

billyedward · 2009-07-22 00:10:13

billyedward · 2009-07-22 00:16:58

billyedward · 2009-07-22 00:18:04

billyedward · 2009-07-22 00:20:48

[img]javascript://pi.com[/img]

billyedward · 2009-07-22 00:24:24

[img]javascript.com[/img]

billyedward · 2009-07-22 00:27:02

[img]streak.t35.com/Pictures/big%20logo.gif[/img]

billyedward · 2009-07-22 00:31:12

[img]streak.t35.com:80/Pictures/big%20logo.gif[/img]

Scratch

archived forums

#1 2009-07-21 23:35:50

XSS Text

#2 2009-07-21 23:38:29

Re: XSS Text

#3 2009-07-21 23:43:17

Re: XSS Text

#4 2009-07-21 23:45:03

Re: XSS Text

#5 2009-07-21 23:48:12

Re: XSS Text

#6 2009-07-21 23:51:38

Re: XSS Text

#7 2009-07-21 23:52:43

Re: XSS Text

#8 2009-07-21 23:54:11

Re: XSS Text

#9 2009-07-21 23:55:48

Re: XSS Text

#10 2009-07-21 23:57:32

Re: XSS Text

#11 2009-07-21 23:59:01

Re: XSS Text

#12 2009-07-22 00:00:28

Re: XSS Text

#13 2009-07-22 00:02:09

Re: XSS Text

#14 2009-07-22 00:03:36

Re: XSS Text

#15 2009-07-22 00:04:46

Re: XSS Text

#16 2009-07-22 00:05:56

Re: XSS Text

#17 2009-07-22 00:07:00

Re: XSS Text

#18 2009-07-22 00:08:34

Re: XSS Text

#19 2009-07-22 00:10:13

Re: XSS Text

#20 2009-07-22 00:16:58

Re: XSS Text

#21 2009-07-22 00:18:04

Re: XSS Text

#22 2009-07-22 00:20:48

Re: XSS Text

#23 2009-07-22 00:24:24

Re: XSS Text

#24 2009-07-22 00:27:02

Re: XSS Text

#25 2009-07-22 00:31:12

Re: XSS Text

Board footer