
How do I test for Reflected XSS in webpage titles, url parameters and javascript variables?

Çağlar Arlı


I have a Java web app. I'm using OWASP Java Encoder to encode HTML, JavaScript and URL components to mitigate reflected XSS. I'm new to this, so I'm not sure how to test my web app for the following scenarios where there's no direct user input. So I have the following questions with examples. The Java variable, testVarFromJava, is retrieved from backend code that does not rely on user input directly.

Questions:

  1. How do I test the encoded title of the webpage?

    <title><%= Encode.forHtml(testVarFromJava) %></title>

  2. How do I test the encoded JavaScript variable?

       var testVar = '<%= Encode.forJavaScript(testVarFromJava) %>';
       if (testVar == "Y") { 
          alert("testVar is Y"); 
       }

  3. How do I test the encoded component in the URL path?

    <frame src="testApp/main.jsp?param=<%=Encode.forUriComponent(testVarFromJava)%>">
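
One way to exercise all three contexts is to stop thinking of testVarFromJava as "not user input" and instead arrange for the backend to hand the page a breakout payload for each context (a test fixture, a seeded database row, or a mocked service), then check that the encoded fragment still keeps the payload inside its context. The class below is an added example, not code from the question or from the OWASP Java Encoder project; the class name, the payload lists and the `*Safe` helper methods are hypothetical. It only relies on `Encode.forHtml`, `Encode.forJavaScript` and `Encode.forUriComponent`, which are the real encoder calls used in the question.

```java
import org.owasp.encoder.Encode;

import java.util.Arrays;
import java.util.List;

/**
 * Context breakout checks for the three JSP fragments in the question.
 * Each payload is chosen to close its surrounding context if it ever reaches
 * the page unencoded; the encoded fragment must contain none of the characters
 * that would let it do so. (Hypothetical class written for this example.)
 */
public class XssContextBreakoutCheck {

    // 1. <title> text content: a payload that closes the element.
    static final List<String> TITLE_PAYLOADS = Arrays.asList(
            "</title><script>alert(1)</script>",
            "<img src=x onerror=alert(1)>");

    // 2. single-quoted JavaScript string literal inside a <script> block:
    //    payloads that close the string, or close the whole <script> element.
    static final List<String> SCRIPT_PAYLOADS = Arrays.asList(
            "';alert(1);//",
            "\";alert(1);//",
            "</script><script>alert(1)</script>",
            "\n;alert(1);//");

    // 3. query-parameter value inside a frame src attribute: payloads that add a
    //    second parameter, add a fragment, or close the attribute and the tag.
    static final List<String> URI_PAYLOADS = Arrays.asList(
            "x&admin=true",
            "x#fragment",
            "\"><script>alert(1)</script>");

    // The three fragments from the question, rendered as the JSP expressions would.
    static String title(String v)     { return "<title>" + Encode.forHtml(v) + "</title>"; }
    static String scriptVar(String v) { return "var testVar = '" + Encode.forJavaScript(v) + "';"; }
    static String frameSrc(String v)  {
        return "<frame src=\"testApp/main.jsp?param=" + Encode.forUriComponent(v) + "\">";
    }

    // Title text is safe when no raw tag delimiter survives encoding.
    static boolean titleSafe(String v) {
        String enc = Encode.forHtml(v);
        return !enc.contains("<") && !enc.contains(">");
    }

    // The JS string is safe when no raw quote, line break or '<' survives,
    // so neither the literal nor the enclosing <script> element can be closed.
    static boolean scriptVarSafe(String v) {
        String enc = Encode.forJavaScript(v);
        return !enc.contains("'") && !enc.contains("\"") && !enc.contains("<")
                && !enc.contains("\n") && !enc.contains("\r");
    }

    // The parameter value is safe when nothing survives that separates parameters,
    // starts a fragment, or closes the attribute or the tag.
    static boolean frameSrcSafe(String v) {
        String enc = Encode.forUriComponent(v);
        return !enc.contains("&") && !enc.contains("=") && !enc.contains("#")
                && !enc.contains("\"") && !enc.contains("<") && !enc.contains(">");
    }

    public static void main(String[] args) {
        boolean allSafe = true;
        for (String p : TITLE_PAYLOADS) {
            boolean ok = titleSafe(p);
            allSafe &= ok;
            System.out.printf("title     %s %s%n", ok ? "OK  " : "FAIL", title(p));
        }
        for (String p : SCRIPT_PAYLOADS) {
            boolean ok = scriptVarSafe(p);
            allSafe &= ok;
            System.out.printf("script    %s %s%n", ok ? "OK  " : "FAIL", scriptVar(p));
        }
        for (String p : URI_PAYLOADS) {
            boolean ok = frameSrcSafe(p);
            allSafe &= ok;
            System.out.printf("frame src %s %s%n", ok ? "OK  " : "FAIL", frameSrc(p));
        }
        if (!allSafe) {
            throw new IllegalStateException("an encoder let a payload out of its context");
        }
    }
}
```

Run it with the OWASP Java Encoder jar on the classpath; the printed fragments are what you should expect to see in the page source when the same payloads come from the backend. To test the real application, point the backend at these payloads, load the JSP in a browser, and compare the page source (view-source or the browser's DevTools) against the printed fragments: the check passes when the page source shows the encoded form and no alert fires. Also check the other direction once: if removing an `Encode.*` call does not make the corresponding payload pop an alert, the test is not actually reaching that fragment.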