script injection

srikant patro asked on November 19, 2018 - 12:50am | Replies (1).

how to test script injection

1 Answer


The folks over at www.owasp.org have a great description of what JavaScript Injection is and the mechanics of how it works.

For JavaScript injection, the basic idea is: if we can put JavaScript into an input on a website, then at another point on the website, perhaps even the back-end, do we see the JavaScript as it was entered, or is it executed?

There are all sorts of penetration tools that will automatically find all the doors, windows and mouseholes in your application and enter executable data there to see what happens. The simplest manual test is to enter this line:

<script>alert("BOO!")</script>

and look for a popup box containing the word "BOO!" as you traverse your application. If your application shows that popup, you found a potential security hole. Someone who is much craftier than you may be able to exploit that hole to do something much worse.

There are other types of injection attacks, including XPATH and SQL injection. I highly recommend visiting www.owasp.org and reading up on these fascinating topics.
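The "as entered, or executed?" question in the answer above can be checked mechanically against captured page bodies. The following is an added example, not code from the answer or from StickyMinds: it classifies how a page reflects the probe string (verbatim, entity-encoded, or not at all) and shows the output encoding that turns the "raw" case into the "escaped" one. The page bodies are constructed stand-ins for real responses, and the function names are this example's own.

```python
import html

# Probe string of the kind the answer describes (constructed for this example).
PROBE = '<script>alert("BOO!")</script>'


def classify_reflection(body: str, probe: str = PROBE) -> str:
    """Classify how a page body reflects the probe.

    Returns:
      "raw"     - probe appears verbatim, so a browser would execute it
      "escaped" - probe is present only as HTML entities (&lt;, &quot;, &#34;, ...)
      "absent"  - probe is not reflected at all
    """
    if probe in body:
        return "raw"
    # Unescaping the body recovers the probe if it was entity-encoded in any
    # form; a verbatim copy was already caught above, so this branch means
    # the server encoded the output and the script will not run.
    if probe in html.unescape(body):
        return "escaped"
    return "absent"


def render_unsafe(user_input: str) -> str:
    """Template that interpolates user input directly (the hole the answer warns about)."""
    return f"<p>Hello, {user_input}</p>"


def render_safe(user_input: str) -> str:
    """Same template with HTML output encoding applied to the user input."""
    return f"<p>Hello, {html.escape(user_input, quote=True)}</p>"


def check_pages(pages: dict) -> dict:
    """Run the classification over several captured page bodies."""
    return {name: classify_reflection(body) for name, body in pages.items()}


if __name__ == "__main__":
    # Constructed sample bodies standing in for responses captured while
    # traversing the application after entering the probe in a form.
    pages = {
        "profile": render_unsafe(PROBE),
        "search": render_safe(PROBE),
        "about": "<p>Static page with no user content</p>",
    }
    for name, verdict in check_pages(pages).items():
        print(f"{name}: {verdict}")
```

Only a "raw" verdict corresponds to the popup the answer tells you to look for; "escaped" means the input is shown as entered, which is the behaviour you want.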
