4.11 Client-side Testing

Client-side Testing

4.11.1 Testing for DOM-Based Cross Site Scripting

• Append the payload #"><script>alert('xss')</script> into the URL on different endpoints of the application.

• Indetify sources:

document.URL|document.documentURI|document.URLUnencoded|document.baseURI|location.search|document.cookie|document.referrer|location.

• Identify DOM sinks.

document.write\(|document.writeln\(|document.domain|\w\.innerHTML|\w\.outerHTML|\w\.insertAdjacentHTML|\w\.onevent

• Use Burp Suite DOM-Invader to identify/exploit id there is DOM-Based XSS

Evidence:

​

4.11.2 Testing for JavaScript Execution

• Because the latter section was focused on JavaScript execution, there is no need to check it again.

Evidence:

​

4.11.3 Testing for HTML Injection

• Most of the reflected, stored , DOM-Based XSS can also be considered HTML injection

• Identify HTML injection points and assess the severity of the injected content.

Evidence:

4.11.4 Testing for Client-side URL Redirect

• Identify injection points that handle URLs or paths.

• Assess the locations that the system could redirect to.

Evidence:

4.11.5 Testing for CSS Injection

• Identify JavaScript injection points that manages CSS Styles.

• Assess the impact of the injection.

Evidence:

4.11.6 Testing for Client-side Resource Manipulation

• Identify sinks with weak input validation that are used to retrieve resources.

• Assess the impact of the resource manipulation.

Evidence:

4.11.7 Testing Cross Origin Resource Sharing

• Check that the value of Access-Control-Allow-Origin is not set to * or null. Except in the case of a public API that is intended to be accessible by everyone.

• Check that the header Access-Control-Allow-Credentials is not in used with Access-Control-Allow-Origin: * on a private API.

• Check for reflection on the Allow-Origin header, based on the input of the Origin header.

Evidence:

4.11.8 Testing for Cross Site Flashing

• Check if the application has Flash source code

Evidence:

4.11.9 Testing for Clickjacking

• Perform a simple clickjacking attack:

• Check the response headers for X-Frame-Options: SAMEORIGIN. If exists, the attacks below most of the won't work.

• Check for "Frame Busting" scripts

• Try to perform a "Double Framing".

• Try disabling Javascript:

• Try using sandbox attributte:

• OnBeforeUnload Event

Evidence:

4.11.10 Testing WebSockets

• Identify that the application is using WebSockets.

  • Inspect the client-side source code for the ws:// or wss:// URI scheme.

  • Use Google Chrome’s Developer Tools to view the Network WebSocket communication.

  • Use ZAP’s WebSocket tab.

• Origin.

  • Using a WebSocket client (one can be found in the Tools section below) attempt to connect to the remote WebSocket server. If a connection is established the server may not be checking the origin header of the WebSocket handshake.

• Confidentiality and Integrity.

  • Check that the WebSocket connection is using SSL to transport sensitive information wss://.

  • Check the SSL Implementation for security issues (Valid Certificate, BEAST, CRIME, RC4, etc). Refer to the Testing for Weak Transport Layer Security section of this guide.

• Authentication.

  • WebSockets do not handle authentication, normal black-box authentication tests should be carried out. Refer to the Authentication Testing sections of this guide.

• Authorization.

  • WebSockets do not handle authorization, normal black-box authorization tests should be carried out. Refer to the Authorization Testing sections of this guide.

• Input Sanitization.

  • Use ZAP’s WebSocket tab to replay and fuzz WebSocket request and responses. Refer to the Testing for Data Validation sections of this guide.

Evidence:

4.11.11 Testing Web Messaging

• Identify addEventListener|postMessage events.

• Try to exploit those events.

Evidence:

4.11.12 Testing Browser Storage

• Check if there is sensitive data stored on the browser's local or session storage.

• Determine whether the website is storing data in client-side storage window.localStorage|window.sessionStorage.

• The code handling of the storage objects should be examined for possibilities of injection attacks, such as utilizing unvalidated input or vulnerable libraries.

Evidence:

4.11.13 Testing for Cross Site Script Inclusion

• Detect if there is sensitive data on JS files. You can use extensions as JS Miner.

Evidence: