# 4.11 Client-side Testing

## [Client-side Testing](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client-side_Testing/README)

## 4.11.1 [Testing for DOM-Based Cross Site Scripting](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client-side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting)

* [ ] Append the payload `#"><script>alert('xss')</script>` to the URL of different endpoints of the application.
* [ ] Identify DOM sources:

```regex
document.URL|document.documentURI|document.URLUnencoded|document.baseURI|location.search|document.cookie|document.referrer|location.
```

* [ ] Identify DOM sinks.

```regex
document.write\(|document.writeln\(|document.domain|\w\.innerHTML|\w\.outerHTML|\w\.insertAdjacentHTML|\w\.onevent
```

* [ ] Use Burp Suite DOM Invader to identify and exploit DOM-based XSS, if present.
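As an added example (not part of the OWASP guide or this checklist), the script below applies the source and sink patterns above to a constructed JavaScript sample and reports which line each hit sits on. It is a triage aid for code review rather than a proof of exploitability; the one assumption is that the checklist's literal `\w\.onevent` placeholder stands for any `on*` handler assignment, which the script spells out as `\w\.on\w+\s*=`.

```javascript
// Added example (not part of the OWASP guide or this checklist): a small
// Node.js triage script that applies the checklist's source and sink patterns
// to JavaScript text and reports which line each hit is on. A hit means
// "review this line"; whether data really flows from a source into a sink
// is for DOM Invader or manual review to decide.

// Source pattern taken from the checklist above.
const SOURCE_RE = /document\.URL|document\.documentURI|document\.URLUnencoded|document\.baseURI|location\.search|document\.cookie|document\.referrer|location\./g;

// Sink pattern from the checklist; the literal "\w\.onevent" placeholder is
// replaced here (assumption) by "\w\.on\w+\s*=", i.e. any on* handler assignment.
const SINK_RE = /document\.write\(|document\.writeln\(|document\.domain|\w\.innerHTML|\w\.outerHTML|\w\.insertAdjacentHTML|\w\.on\w+\s*=/g;

// Constructed sample: two source-to-sink flows and one safe assignment.
const SAMPLE_JS = `
const q = new URLSearchParams(location.search).get('q');
const out = document.getElementById('out');
out.innerHTML = 'Results for ' + q;
out.textContent = q;
const ref = document.referrer;
document.write('<a href="' + ref + '">back</a>');
`;

// Returns one entry per line that mentions at least one source or sink.
function scanDomXss(jsText) {
  const findings = [];
  jsText.split('\n').forEach((line, idx) => {
    const sources = line.match(SOURCE_RE) || [];
    const sinks = line.match(SINK_RE) || [];
    if (sources.length || sinks.length) findings.push({ line: idx + 1, sources, sinks });
  });
  return findings;
}

// Lines that hit a sink deserve the closest look.
function sinkLines(jsText) {
  return scanDomXss(jsText).filter(f => f.sinks.length).map(f => f.line);
}

for (const f of scanDomXss(SAMPLE_JS)) {
  console.log(`line ${f.line}: sources=[${f.sources}] sinks=[${f.sinks}]`);
}
```

Note that `out.textContent = q` on line 5 of the sample is not reported: `textContent` is not an HTML sink, which is exactly the fix you would recommend for the `innerHTML` line above it.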

**Evidence**:

```
​
```

## 4.11.2 [Testing for JavaScript Execution](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client-side_Testing/02-Testing_for_JavaScript_Execution)

* [ ] Because the previous section already covered JavaScript execution, there is no need to check it again.

**Evidence**:

```
​
```

## 4.11.3 [Testing for HTML Injection](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client-side_Testing/03-Testing_for_HTML_Injection)

* [ ] Most reflected, stored and DOM-based XSS findings can also be considered HTML injection.
* [ ] Identify HTML injection points and assess the severity of the injected content.

**Evidence**:

```
​
```

## 4.11.4 [Testing for Client-side URL Redirect](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client-side_Testing/04-Testing_for_Client-side_URL_Redirect)

* [ ] Identify injection points that handle URLs or paths.

```regex
[?&](url|link|redirect|target|site|page|navigate|ref|callback|host|return|next|returnurl|redirectUrl)=
```

* [ ] Assess the locations that the system could redirect to.
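As an added example (not from the OWASP guide or this checklist), here is a `?next=` redirect handler in its vulnerable form beside a hardened one, with a naive prefix check in between to show why string matching is not enough. `SITE_ORIGIN` is a constructed value; in a browser it would be `window.location.origin`.

```javascript
// Added example (not from the OWASP guide or this checklist): vulnerable,
// naive and hardened handling of a ?next= redirect parameter. Runs under
// Node; SITE_ORIGIN is constructed and would be window.location.origin in a page.

const SITE_ORIGIN = 'https://app.example.test'; // constructed

// Vulnerable: whatever is in ?next= becomes the navigation target.
function vulnerableRedirectTarget(queryString) {
  return new URLSearchParams(queryString).get('next');
}

// Naive check: "starts with a single slash" looks local but is not, because
// the URL parser treats "\" like "/" for http(s), so "/\evil.example" is an
// authority, not a path.
function naiveIsLocal(next) {
  return next.startsWith('/') && !next.startsWith('//');
}

// Hardened: resolve the value against our own origin with the real URL
// parser and require that the result still lives there. Anything else
// (other hosts, protocol-relative, javascript:, unparsable) falls back.
function safeRedirectTarget(queryString, fallback = '/') {
  const next = new URLSearchParams(queryString).get('next');
  if (!next) return fallback;
  let resolved;
  try {
    resolved = new URL(next, SITE_ORIGIN);
  } catch {
    return fallback;
  }
  if (resolved.origin !== SITE_ORIGIN) return fallback;
  // Hand back only path, query and fragment so the browser cannot re-interpret it.
  return resolved.pathname + resolved.search + resolved.hash;
}

for (const q of ['?next=/account', '?next=//evil.example/x', '?next=/\\evil.example']) {
  console.log(q, '->', safeRedirectTarget(q));
}
```

The second and third inputs both end up at a different origin once parsed, which is why the hardened version compares `resolved.origin` instead of inspecting the raw string.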

**Evidence**:

```
​
```

## 4.11.5 [Testing for CSS Injection](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client-side_Testing/05-Testing_for_CSS_Injection)

* [ ] Identify JavaScript injection points that manage CSS styles.
* [ ] Assess the impact of the injection.

**Evidence**:

```
​
```

## 4.11.6 [Testing for Client-side Resource Manipulation](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client-side_Testing/06-Testing_for_Client-side_Resource_Manipulation)

* [ ] Identify sinks with weak input validation that are used to retrieve resources.
* [ ] Assess the impact of the resource manipulation.

```regex
[?&](file|path|document|folder|dir|download|resource|view|load|template|img|image)=|\.src=
```

**Evidence**:

```
​
```

## 4.11.7 [Testing Cross Origin Resource Sharing](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client-side_Testing/07-Testing_Cross_Origin_Resource_Sharing)

* [ ] Check that `Access-Control-Allow-Origin` is not set to `*` or `null`, except for a public API that is intended to be accessible by everyone.
* [ ] Check that `Access-Control-Allow-Credentials: true` is not used together with `Access-Control-Allow-Origin: *` on a private API.
* [ ] Check whether the `Access-Control-Allow-Origin` response header reflects the value of the request's `Origin` header.
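As an added example (not from the OWASP guide or this checklist), the code below turns the three checks above into a function over response headers, and puts a reflecting responder beside the allow-list responder that fixes it. Header names are lowercase keys of a plain object, the origins are constructed, and `probeOrigin` is an `Origin` value the tester sent that the application should not trust.

```javascript
// Added example (not from the OWASP guide or this checklist): a checker for
// the three CORS points above plus vulnerable and hardened responders.
// Header names are lowercase keys (constructed samples); probeOrigin is an
// Origin the tester sent that should NOT be trusted by the application.

function evaluateCors({ probeOrigin, responseHeaders, isPublicApi = false }) {
  const findings = [];
  const acao = responseHeaders['access-control-allow-origin'];
  const creds = String(responseHeaders['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  if (acao === undefined) return findings; // no cross-origin read granted at all
  if (acao === '*' && !isPublicApi) findings.push('wildcard-origin');
  if (acao === 'null') findings.push('null-origin'); // sandboxed frames and file: pages also have a "null" origin
  // Browsers refuse credentialed responses with "*", so this is a misconfiguration rather than an exposure.
  if (acao === '*' && creds) findings.push('wildcard-with-credentials');
  // The probe origin came back verbatim: the server echoes Origin instead of matching an allow-list.
  if (probeOrigin && acao === probeOrigin) {
    findings.push(creds ? 'reflected-origin-with-credentials' : 'reflected-origin');
  }
  return findings;
}

// Vulnerable responder: echoes whatever Origin arrived, with credentials.
function reflectingCorsHeaders(requestOrigin) {
  return {
    'access-control-allow-origin': requestOrigin,
    'access-control-allow-credentials': 'true',
  };
}

const ALLOWED_ORIGINS = new Set(['https://app.example.test']); // constructed

// Hardened responder: exact allow-list match, never reflection, and
// Vary: Origin so shared caches do not serve one origin's answer to another.
function corsHeadersFor(requestOrigin) {
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) return { vary: 'Origin' };
  return {
    'access-control-allow-origin': requestOrigin,
    'access-control-allow-credentials': 'true',
    vary: 'Origin',
  };
}

const probe = 'https://attacker.example'; // constructed probe origin
console.log('reflecting:', evaluateCors({ probeOrigin: probe, responseHeaders: reflectingCorsHeaders(probe) }));
console.log('allow-list:', evaluateCors({ probeOrigin: probe, responseHeaders: corsHeadersFor(probe) }));
```

The dangerous combination is `reflected-origin-with-credentials`: the browser will send cookies and let the foreign page read the response. `wildcard-with-credentials` is still worth reporting, but only as a configuration error, since browsers reject it.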

**Evidence**:

```
​
```

## 4.11.8 [Testing for Cross Site Flashing](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client-side_Testing/08-Testing_for_Cross_Site_Flashing)

* [ ] Check whether the application includes Flash content or source code.

**Evidence**:

```
​
```

## 4.11.9 [Testing for Clickjacking](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client-side_Testing/09-Testing_for_Clickjacking)

* [ ] Perform a simple clickjacking attack:

```html
<!-- clickjacking.html: -->
<html>
   <head>
     <title>Clickjack test page</title>
   </head>
   <body>
     <h1>Website is vulnerable to clickjacking attacks!</h1>
     <p>Embedded in an iframe for clickjacking attacks</p>
     <p>Authenticated page with privileged actions</p>
     <!-- Decoy button positioned over the framed page's control; adjust top/left to line it up -->
     <input type="button" value="Vulnerable" style="position:absolute;top:280px;left:450px;background-color:red;color:white;padding: 10px 15px;">
     <!-- Target rendered semi-transparent so the overlay can be aligned (filter:alpha is legacy IE syntax) -->
     <iframe src="https://example.com/" style="opacity:0.5; filter:alpha(opacity=30)" width="1500" height="1000"></iframe>
   </body>
</html>
```

* [ ] Check the response headers for `X-Frame-Options: SAMEORIGIN`. If it is present, most of the attacks below won't work.
* [ ] Check for "frame busting" scripts.
* [ ] Try to perform "double framing":

```html
<!-- Attacker’s top frame (pre-clickjacking.html): -->
<h1>Double Framing Attack (First Frame)</h1>
<iframe src="clickjacking.html" width="3000" height="2000"></iframe>
```

* [ ] Try disabling JavaScript in the frame so that frame-busting scripts cannot run (the `security="restricted"` attribute is honoured only by legacy Internet Explorer):

```html
<iframe src="http://example.org" security="restricted"></iframe>
```

* [ ] Try using the `sandbox` attribute, which also blocks scripts inside the frame:

```html
<iframe src="http://example.org" sandbox></iframe>
```

* [ ] Try the `onbeforeunload` event, so that a frame-busting navigation away from the attacker's page triggers a prompt the user may cancel:

```html
<h1>www.fictitious.site</h1>
<script>
    // Prompt the user when the framed page's frame-busting code tries to navigate the top window
    window.onbeforeunload = function () {
        return "Do you want to leave fictitious.site?";
    };
</script>
<iframe src="http://example.org"></iframe>
```
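As an added example (not from the OWASP guide or this checklist), the function below reads a response's headers and reports which framing protection a current browser would enforce. It goes beyond the `X-Frame-Options` check above by also evaluating the CSP `frame-ancestors` directive, which browsers that support it apply in preference to `X-Frame-Options`. Header names are lowercase keys of a plain object and the sample values are constructed.

```javascript
// Added example (not from the OWASP guide or this checklist): given a
// response's headers (lowercase keys, constructed samples), report what
// framing protection a modern browser would enforce. CSP frame-ancestors
// takes precedence over X-Frame-Options when both are present.

function framingProtection(headers) {
  const csp = headers['content-security-policy'] || '';
  const directive = csp.split(';').map(d => d.trim()).find(d => /^frame-ancestors\b/i.test(d));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1).map(s => s.toLowerCase());
    // An empty source list is equivalent to 'none'.
    if (sources.length === 0 || sources.includes("'none'")) return { level: 'deny', via: 'csp' };
    // "*" or a bare scheme such as "https:" lets any site frame the page; treated here as unprotected.
    if (sources.includes('*') || sources.some(s => /^https?:$/.test(s))) return { level: 'none', via: 'csp' };
    if (sources.length === 1 && sources[0] === "'self'") return { level: 'sameorigin', via: 'csp' };
    return { level: 'allowlist', via: 'csp', sources };
  }
  const xfo = String(headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { level: 'deny', via: 'x-frame-options' };
  if (xfo === 'SAMEORIGIN') return { level: 'sameorigin', via: 'x-frame-options' };
  // ALLOW-FROM is not supported by current browsers and any other value is
  // ignored, so in both cases the page can still be framed.
  return { level: 'none', via: xfo ? 'x-frame-options' : 'absent' };
}

// Constructed sample responses, as a tester might record them.
const SAMPLES = {
  unprotected: {},
  legacy: { 'x-frame-options': 'ALLOW-FROM https://partner.example.test' },
  xfo: { 'x-frame-options': 'SAMEORIGIN' },
  csp: { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  both: { 'content-security-policy': "frame-ancestors 'self' https://partner.example.test", 'x-frame-options': 'DENY' },
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  console.log(name, '->', JSON.stringify(framingProtection(headers)));
}
```

The `both` sample is the case to remember when reading evidence: the `DENY` is not what the browser applies, because the CSP allow-list wins, so the partner origin can still frame the page.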

**Evidence**:

```
​
```

## 4.11.10 [Testing WebSockets](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client-side_Testing/10-Testing_WebSockets)

* [ ] Identify that the application is using WebSockets.
  * Inspect the client-side source code for the `ws://` or `wss://` URI scheme.
  * Use Google Chrome’s Developer Tools to view the Network WebSocket communication.
  * Use [ZAP’s](https://www.zaproxy.org/) WebSocket tab.
* [ ] Origin.
  * Using a WebSocket client (one can be found in the OWASP guide's [Tools](https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client-side_Testing/10-Testing_WebSockets#Tools) section), attempt to connect to the remote WebSocket server. If a connection is established, the server may not be checking the `Origin` header of the WebSocket handshake.
* [ ] Confidentiality and Integrity.
  * Check that the WebSocket connection uses TLS (`wss://`) to transport sensitive information.
  * Check the TLS implementation for security issues (valid certificate, BEAST, CRIME, RC4, etc.). Refer to the [Testing for Weak Transport Layer Security](https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_Transport_Layer_Security) section of this guide.
* [ ] Authentication.
  * WebSockets do not handle authentication; normal black-box authentication tests should be carried out. Refer to the [Authentication Testing](https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/README) sections of this guide.
* [ ] Authorization.
  * WebSockets do not handle authorization; normal black-box authorization tests should be carried out. Refer to the [Authorization Testing](https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/05-Authorization_Testing/README) sections of this guide.
* [ ] Input Sanitization.
  * Use [ZAP's](https://www.zaproxy.org/) WebSocket tab to replay and fuzz WebSocket requests and responses. Refer to the [Testing for Data Validation](https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/README) sections of this guide.

**Evidence**:

```
​
```

## 4.11.11 [Testing Web Messaging](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client-side_Testing/11-Testing_Web_Messaging)

* [ ] Identify `addEventListener('message', ...)` listeners and `postMessage` calls.
* [ ] Try to exploit those handlers.
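As an added example (not from the OWASP guide or this checklist), here is a `message` listener with the two defects this test looks for (no origin check, and data fed to an HTML sink) beside a hardened version, plus a sender that names its target origin instead of `*`. The handlers take an event-like object and a container so they can be exercised outside a browser; the trusted origin and the stand-in DOM objects are constructed.

```javascript
// Added example (not from the OWASP guide or this checklist): vulnerable and
// hardened postMessage receivers plus a sender that pins the target origin.
// In a page: window.addEventListener('message', e => hardenedHandler(e, el));

const TRUSTED_ORIGINS = new Set(['https://app.example.test']); // constructed

// Vulnerable: any window that holds a reference to this one can inject markup,
// because neither the origin nor the shape of the message is checked.
function vulnerableHandler(event, container) {
  container.innerHTML = event.data;
  return true;
}

// Hardened: exact origin match, strict message shape, text-only sink.
function hardenedHandler(event, container) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return false;
  const msg = event.data;
  if (typeof msg !== 'object' || msg === null) return false;
  if (msg.type !== 'status' || typeof msg.text !== 'string') return false;
  container.textContent = msg.text; // rendered as text, never parsed as HTML
  return true;
}

// Sender side: name the intended origin rather than '*' so the message is
// dropped if the target window has meanwhile navigated somewhere else.
function sendStatus(targetWindow, text) {
  targetWindow.postMessage({ type: 'status', text }, 'https://app.example.test');
}

// Minimal stand-ins for DOM objects so the functions can be exercised here.
function fakeContainer() {
  return { innerHTML: '', textContent: '' };
}
function fakeWindow() {
  return { posted: [], postMessage(message, targetOrigin) { this.posted.push({ message, targetOrigin }); } };
}

const demo = fakeContainer();
console.log('foreign origin accepted by hardened handler:',
  hardenedHandler({ origin: 'https://evil.example', data: { type: 'status', text: 'hi' } }, demo));
console.log('trusted origin, structured message:',
  hardenedHandler({ origin: 'https://app.example.test', data: { type: 'status', text: '<b>hi</b>' } }, demo),
  JSON.stringify(demo.textContent));
```

When reviewing a real listener, the three things to look for are exactly the three lines the hardened version adds: a comparison of `event.origin` against an explicit list (not `indexOf` or `endsWith`), validation of the message shape, and a sink that does not parse HTML.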

**Evidence**:

```
​
```

## 4.11.12 [Testing Browser Storage](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client-side_Testing/12-Testing_Browser_Storage)

* [ ] Check if there is sensitive data stored on the browser's local or session storage.
* [ ] Determine whether the site stores data in client-side storage (`window.localStorage`, `window.sessionStorage`).
* [ ] Examine the code that handles the storage objects for injection possibilities, such as use of unvalidated input or vulnerable libraries.

**Evidence**:

```
​
```

## 4.11.13 [Testing for Cross Site Script Inclusion](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client-side_Testing/13-Testing_for_Cross_Site_Script_Inclusion)

* [ ] Detect whether there is sensitive data in JS files. You can use extensions such as JS Miner.

**Evidence**:

```
​
```


