Your e-Business Quality Partner eValid™ -- Automated Web Quality Solution
Browser-Based, Client-Side, Functional Testing & Validation,
Load & Performance Tuning, Page Timing, Website Analysis,
and Rich Internet Application Monitoring.

Security Testing Examples -- Query

Cybersecurity testing often requires running many analyses at regularly scheduled intervals to identify a potential exploit. This example illustrates one specific way eValid can be applied to a web page or web application to search for a pattern that may represent a possible exploit. To apply this method in your own situation you will need to decide which pages to scan, which specific patterns or features to look for, and how to handle the information that is generated. Web application security requires careful planning and test execution analysis. eValid enables such work.

Summary Of Example
This example uses eValid to identify an exploitable query-type HTML passage.

The example web page contains a form with some exploitable query-type HTML elements that reference an OnLoad action.

Example Steps & Explanation
Here are the main steps in this example:

  1. Typical Target Page
    The example target page is a very naive one, consisting of just the HTML shown here. (The web pages you'll be analyzing are, of course, more complex; for this illustration we want to keep it as simple as possible.)

    <html>
    <BODY>
    <p>
    <FORM name="QueryForm" METHOD=Post ACTION="./query_output.html">
    <br>
      <table border="0" cellpadding="2" width="614">
        <tr>
          <td colspan="5" width="500">
    	<b> Please Identify Yourself:</b></td>
        </tr>
           
        <tr>
          <td width="20"> </td>
          <td width="35">Name:</td>
          <td width="200"><INPUT TYPE="text" NAME="name" SIZE="22" 
    	MAXLENGTH="50" style="border:1px solid #171787; 
    	font-family:verdana,arial,courier; 
<">
    	color:#000000;padding:2px;background:#EEEFFF ;">
    	<font color="red"> *</font></td>
    
          <td width="35">E-mail:</td>
          <td width="200"><INPUT TYPE="text" NAME="e-mail" SIZE="18" 
    	MAXLENGTH="40" style="border:1px solid #171787; 
    	font-family:verdana,arial,courier; 
    	color:#000000;padding:2px;background:#EEEFFF ;">
    </td>
        </tr>
      </table>
    
    <p>
    <INPUT TYPE="submit" NAME="submit" VALUE="Submit Query" 
    	style="border:1px solid #171787; 
    	font-family:verdana,arial,courier; 
    	color:#000000;padding:2px;background:#EEEFFF ;">
    </form>
    
    </body>
    </html>
    

  2. Target Web Page
    This picture shows the page when rendered. When this page is displayed and an action is taken (in this case, entering some data and clicking the SUBMIT query button on the page), it is possible to insert extra XSS triggers into the page. This is what an attacker would do.

  3. First Input Field Filled In
    Here is the page with the first input field filled in. This is where an attacker could hijack the page.

  4. Second Input Field Filled In
    Here is the page with the second input field filled in. This is where an attacker could hijack the page.

  5. Page When Rendered After Clicking "Submit Query"
    Here is how the page appears with simulated attacker exploits applied.

  6. Playback Showing Detected (Intended) Error
    The playback finds that the page has been modified, and the ERROR induces a "red screen" to signal that a query exploit has happened.

  7. Playback EventLog
    The eValid EventLog shown below retraces the steps in the playback.

    1. The modal popups suppression option in eValid is activated.
    2. The browser navigates to the target web page (the HTML passage shown above) and displays the page. There are two input fields based on the HTML INPUT tag asking for your name and email address.
    3. An attacker can use this input area to insert code that will cause an XSS error. Rather than replying with intended XSS interactions, you get unexpected (hijacked) XSS versions.
    4. A scan for a text non-match of XSS is supposed to demonstrate that the page has not been hacked. Because it has, the non-match test FAILs and eValid issues ERRORS to alert the user about the suspicious activity.
    5. The date and time of the detection are appended to the file Queryfile.txt to confirm absence of the offending string pattern. In case an ERROR is detected, the script would send an error email (not implemented here).

  8. Queryfile.txt Contents
    Here is the content of the generated Queryfile.txt that confirms the results of the tests.

eValid Test Script
Here is the test script:

# 
# Copyright 2013 by Software Research, Inc. 
# Recording made on: Microsoft Windows XP, HostName "barbados-PC"
# 

ProjectID "ProjExample"
GroupID "Security"
TestID "querytest"
LogID "AUTO"

ScreenSize 1280 768
FontSize 1
DeleteCache
DeleteCookies

# Do not suppress modal pop-ups, need to see these evil requests...
PlayValue _PS 0

InitLink "http://www.e-valid.com/Products/Documentation.9/Security/" \
	"Examples/Query/cyberquerycheck.html"

# Fill in form and submit...

Wait 3774
InputValue 0 16 "TEXT" "" "name" "Joe Smith" "" ""
Wait 3566
InputValue 0 20 "TEXT" "" "e-mail" "joe@abc.com" "" ""
Wait 3936
SubmitClick 0 22 "" "submit" "Submit Query" "" NO_NAV

# Synchronizing on the response page...  
SyncOnText 0 "exploit" "" 

# Seek out any XSS related triggers and record any suspicious findings...

MatchNotString 0 "XSS" 0 ""
SaveRecord Queryfile.txt "Date/Time: \t%T"
SaveRecord Queryfile.txt " on page: \tURL=$_StartURL"

# Notifications/alerts...tell the user about the problem...
#
# OnErrorSendFile "email-address" "subject" "Queryfile"

# End of script.
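
The check this script performs (a non-match on "XSS" in the response page, followed by a date/time and URL record) can also be sketched outside eValid. The following Python is an added example, not eValid code and not part of the original script; it goes beyond the literal string match by also flagging inline event handlers such as onload and script elements in the response. The sample pages, the example.test URL, the timestamp format and all function names are assumptions.

```python
from datetime import datetime, timezone
from html.parser import HTMLParser

MARKER = "XSS"  # the string the script's MatchNotString step looks for


class ResponseScan(HTMLParser):
    """Collects page text plus inline event handlers and script elements."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text, self.findings = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append(f"<script> element at line {self.getpos()[0]}")
        for name, value in attrs:  # attribute names arrive lower-cased
            if name.startswith("on"):  # onload, onerror, onclick, ...
                self.findings.append(f"{name} handler on <{tag}>: {value!r}")

    def handle_data(self, data):
        self.text.append(data)


def check_response(html, url, now=None):
    """Return (passed, record_lines) for one response page."""
    scan = ResponseScan()
    scan.feed(html)
    scan.close()
    if MARKER in "".join(scan.text):
        scan.findings.append(f"marker text {MARKER!r} present in page text")
    now = now or datetime.now(timezone.utc)
    lines = [f"Date/Time: \t{now.isoformat(timespec='seconds')}",
             f" on page: \tURL={url}"]
    lines += [f" finding: \t{item}" for item in scan.findings]
    return not scan.findings, lines


def append_record(path, lines):
    """Append one record to the results file (Queryfile.txt in the script)."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")


# Constructed sample responses (not captured from the eValid example site).
CLEAN = "<html><body><p>Thank you, Joe Smith. No exploit detected.</p></body></html>"
TAMPERED = ('<html><body onload="notify(\'XSS\')">'
            "<p>Thank you, Joe Smith. XSS exploit</p></body></html>")

if __name__ == "__main__":
    for page in (CLEAN, TAMPERED):
        passed, record = check_response(page, "http://example.test/query_output.html")
        print("PASS" if passed else "ERROR", *record, sep="\n")
```

A response that echoes the input with its markup escaped yields no event-handler or script finding, because the parser sees it as text rather than as tags; only the marker check applies to it.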
