You're reading from Burp Suite Cookbook - Second Edition

Product type: Book
Published in: Oct 2023
Publisher: Packt
ISBN-13: 9781835081075
Edition: 2nd Edition

Author: Dr. Sunny Wear

Dr. Sunny Wear is a web security architect and penetration tester. She provides secure coding classes, creates software, and performs penetration testing on web/API and mobile applications. Sunny has more than 25 years of hands-on software programming, architecture, and security experience and holds a Doctor of Science in Cybersecurity. She is a content creator on Pluralsight, with three courses on Burp Suite. She is a published author, a developer of mobile apps such as Burp Tool Buddy, and a content creator on courses related to web security and penetration testing. She regularly speaks and holds classes at security conferences such as Defcon, Hackfest, and BSides.

Attacking the Client

Code available on the client that is executed in the browser requires testing to determine any presence of sensitive information or the allowance of user input without server-side validation. We will learn how to perform these tests using Burp Suite.

In this chapter, we will cover the following recipes:

  • Testing for clickjacking
  • Testing for DOM-based cross-site scripting
  • Leveraging DOM Invader to test for DOM XSS
  • Testing for JavaScript execution
  • Testing for HTML injection
  • Testing for client-side resource manipulation

Technical requirements

To complete the recipes in this chapter, you will need the following:

Testing for clickjacking

Clickjacking is also known as a UI redress attack. This attack is a deceptive technique that tricks a user into interacting with a transparent iframe and, potentially, sending unauthorized commands or sensitive information to an attacker-controlled website. Let’s see how to use Burp Clickbandit to test whether a site is vulnerable to clickjacking.

Getting ready

We’ll use the OWASP Mutillidae II application and Burp Clickbandit to determine whether the application protects against clickjacking attacks.

How to do it...

  1. Navigate to the Home page of OWASP Mutillidae II.
  2. Switch to Burp and, from the top-level menu, select Burp Clickbandit:
Figure 9.1 – Clickbandit menu item

  3. A pop-up box explains the tool. Click the Copy Clickbandit to clipboard button:
Figure 9.2 – Copying code to the clipboard

  4. Return to the Firefox browser and the landing...
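Clickbandit shows whether the page can be framed; on the defender's side the question is whether the response carries a framing policy at all. The following is an added example, not code from the book, that classifies a response by its X-Frame-Options and Content-Security-Policy frame-ancestors headers; the header sets at the bottom are constructed.

```javascript
// Added example (not from the book): classify a response's framing policy from
// its headers. A page Clickbandit can frame will typically come back "unprotected".
// The header objects below are constructed for illustration.

function framingProtection(headers) {
  // Case-insensitive header lookup over a plain { name: value } object.
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key ? String(headers[key]).trim() : null;
  };

  // CSP frame-ancestors takes precedence over X-Frame-Options in current browsers.
  const csp = get("content-security-policy");
  if (csp) {
    const directive = csp
      .split(";")
      .map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith("frame-ancestors"));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1).map((s) => s.toLowerCase());
      if (sources.includes("'none'")) return "denied";
      if (sources.length === 1 && sources[0] === "'self'") return "same-origin";
      if (sources.includes("*")) return "unprotected";
      return "allow-list";
    }
  }

  const xfo = get("x-frame-options");
  if (xfo) {
    const value = xfo.toUpperCase();
    if (value === "DENY") return "denied";
    if (value === "SAMEORIGIN") return "same-origin";
    // ALLOW-FROM is obsolete and ignored by current browsers: effectively no protection.
    return "unprotected";
  }
  return "unprotected";
}

// Constructed sample responses: a hardened one and a bare one like the lab application.
const hardenedHeaders = {
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
  "X-Frame-Options": "DENY",
};
const unprotectedHeaders = { "Content-Type": "text/html; charset=utf-8" };

console.log(framingProtection(hardenedHeaders), framingProtection(unprotectedHeaders));
```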

Testing for DOM-based cross-site scripting

The Document Object Model (DOM) is a tree-like structural representation of all HTML web pages captured in a browser. Developers use the DOM to store information inside the browser for convenience. As a web penetration tester, it is important to determine the presence of DOM-based cross-site scripting (XSS) vulnerabilities.

Getting ready

We will use the OWASP Mutillidae II HTML5 web storage exercise to determine whether the application is susceptible to DOM-based XSS attacks.

How to do it...

  1. Navigate to HTML 5 | HTML5 Web Storage | HTML5 Storage:
Figure 9.10 – HTML5 Storage lesson

  2. Note the name/value pairs stored in the DOM using the HTML5 Web Storage locations. Web storage includes Session and Local variables. Developers use these storage locations to conveniently store information inside a user’s browser:
Figure 9.11 – Web storage entries

Leveraging DOM Invader for testing DOM XSS

Let’s use PortSwigger’s integrated browser with an add-on called DOM Invader to cover more of the attack surface on the client, probing for potential DOM XSS and other weaknesses.

Getting ready

We will use the same exercise, HTML5 Storage, and Burp Suite’s DOM Invader to help us determine whether there are any vulnerable sinks or sources on the web page.

How to do it...

  1. Using the Burp Suite browser, click the DOM Invader icon at the top.
Figure 9.16 – DOM Invader icon on the Burp Suite browser

  2. Select the DOM Invader tab and make sure the DOM Invader is on switch is enabled. Also, note the canary value that is assigned. This is randomized and you can customize the value if you like:
Figure 9.17 – DOM Invader menu

  3. Navigate to the HTML 5 Storage page in your Burp Suite browser:
Figure 9.18 – HTML 5 Storage page

Testing for JavaScript execution

JavaScript injection is a subtype of XSS attack specific to the arbitrary injection of JavaScript. Vulnerabilities in this area can affect sensitive information held in the browser, such as user session cookies, or can lead to the modification of page content, allowing script execution from attacker-controlled sites.

Getting ready

We will use the OWASP Mutillidae II Password Generator exercise to determine whether the application is susceptible to JavaScript XSS attacks.

How to do it...

  1. Navigate to OWASP 2013 | A1 - Injection (Other) | JavaScript Injection | Password Generator:
Figure 9.24 – Password Generator lesson

  2. Note that after clicking the Generate Password button, a password is shown. Also, note that the username value provided in the URL is reflected in the browser as is on the web page: http://192.168.56.101/mutillidae/index.php?page=password-generator.php&username=anonymous...

Testing for HTML injection

HTML injection is the insertion of arbitrary HTML code into a vulnerable web page. Vulnerabilities in this area may lead to the disclosure of sensitive information or the modification of page content for the purposes of socially engineering the user.

Getting ready

We will use OWASP Mutillidae II’s Capture Data Page to determine whether the application is susceptible to HTML injection attacks.

How to do it...

  1. Navigate to OWASP 2013 | A1 - Injection (Other) | HTMLi Via Cookie Injection | Capture Data Page:
Figure 9.30 – Capture Data Page lesson

  2. Note how the page looks before the attack:
Figure 9.31 – Data Capture Page

  3. Switch to the Burp Suite Proxy | Intercept tab and turn Intercept on with the Intercept is on button.
  4. While the request is paused, make a note of the last cookie, acgroupswitchpersist=nada:
Figure 9.32 – Turning Intercept on
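The web storage, reflected username, and cookie recipes above all come down to the same defect: an untrusted value enters HTML without being escaped. The following is an added example, not code from the book, that places the vulnerable concatenation beside the escaped form and adds a small check for markup the value introduced; the stored entry is constructed.

```javascript
// Added example (not from the book): the untrusted-to-HTML pattern behind the
// web storage DOM XSS, reflected username, and cookie HTML injection recipes.
// Sample values are constructed; the lab application's real values will differ.

// Escape the five characters that let text alter the HTML structure it lands in.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable pattern: a value read from localStorage, a URL parameter, or a cookie
// is concatenated straight into markup that is later assigned to innerHTML.
function renderUnsafe(label, value) {
  return `<li><b>${label}</b>: ${value}</li>`;
}

// Hardened pattern: every untrusted value is escaped before it enters the markup.
// (In the browser, writing the value via textContent instead of innerHTML is equivalent.)
function renderSafe(label, value) {
  return `<li><b>${escapeHtml(label)}</b>: ${escapeHtml(value)}</li>`;
}

// Detection helper: does the rendered fragment contain tags the template did not have?
function introducesMarkup(template, rendered) {
  const count = (s) => (s.match(/<[a-zA-Z/]/g) || []).length;
  return count(rendered) > count(template);
}

const TEMPLATE = "<li><b></b>: </li>";
// Constructed web storage entry of the kind a tester would save during the exercise.
const storedEntry = { name: "MyName", value: "<i>not plain text</i>" };

console.log(renderUnsafe(storedEntry.name, storedEntry.value));
console.log(renderSafe(storedEntry.name, storedEntry.value));
```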

Testing for client-side resource manipulation

If an application performs actions based on client-side URL information or pathing to a resource (that is, AJAX call, external JavaScript, or iframe source), the result can lead to a client-side resource manipulation vulnerability. This vulnerability relates to attacker-controlled URLs in, for example, the JavaScript location attribute, the location header found in an HTTP response, or a POST body parameter, which controls redirection. The impact of this vulnerability could lead to an XSS attack.

Getting ready

We will use the OWASP Mutillidae II application to determine whether it is possible to manipulate any URL parameters that are exposed on the client side and whether the manipulation of those values causes the application to behave differently.

How to do it...

  1. Navigate to OWASP 2013 | A10 - Unvalidated Redirects and Forwards | Credits:
Figure 9.35 – Credits page

  2. Click the...
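For the redirect and resource-URL parameters this recipe probes, the mitigation is to validate the client-supplied target before it reaches location, a Location header, or a forward parameter. The following is an added example, not code from the book: a redirect target validator whose allow-listed hosts, application origin, and fallback path are assumptions for this example.

```javascript
// Added example (not from the book): validate a client-supplied redirect target
// before it is used. ALLOWED_HOSTS, APP_ORIGIN and FALLBACK are assumed values.

const ALLOWED_HOSTS = new Set(["192.168.56.101", "www.example"]); // assumed trusted hosts
const APP_ORIGIN = "http://192.168.56.101";                        // assumed application origin
const FALLBACK = "/mutillidae/index.php";                         // assumed safe default

// Returns a redirect target that stays within the trusted set, or the fallback path.
function safeRedirectTarget(candidate) {
  if (typeof candidate !== "string" || candidate.length === 0) return FALLBACK;
  let url;
  try {
    // Relative paths resolve against the app origin; absolute and protocol-relative
    // ("//host/...") inputs resolve to their own host, which the allow-list then decides.
    url = new URL(candidate, APP_ORIGIN);
  } catch {
    return FALLBACK;
  }
  // Only web schemes may be followed; javascript:, data:, etc. are never redirect targets.
  if (url.protocol !== "http:" && url.protocol !== "https:") return FALLBACK;
  if (!ALLOWED_HOSTS.has(url.hostname)) return FALLBACK;
  // Same-origin targets are returned as a relative path, trusted foreign hosts as full URLs.
  return url.origin === APP_ORIGIN ? url.pathname + url.search + url.hash : url.href;
}

console.log(safeRedirectTarget("/mutillidae/index.php?page=credits.php"));
console.log(safeRedirectTarget("//other.example/landing")); // falls back
```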