Examplebodgeitregxss
This is a walkthrough of the example Zest script which demonstrated the XSS in the BodgeIt Store Registration page.
In order to try the script out you will need to have the BodgeIt Store running locally. See http://code.google.com/p/bodgeit/ for more details.
The full script is here: https://github.com/mozilla/zest/blob/master/examples/BodgeIt_Register_XSS.zst
In the ZAP Add-on the script is shown like this:
You can run the script using the ZAP Add-on: http://code.google.com/p/zap-extensions/wiki/AddOn_Zest
You can also run it from the command line just using the Zest java library.
Assuming you have downloaded the full Zest project and are in the 'dist' directory then you can run the script like:
./zest.sh -script ../examples/BodgeIt_Register_XSS.zst
This should result in output like:
Using Java version: 1.7.0_09 GET : http://localhost:8080/bodgeit/home.jsp Assertion PASSED: org.mozilla.zest.core.v1.ZestAssertStatusCode Assertion PASSED: org.mozilla.zest.core.v1.ZestAssertLength GET : http://localhost:8080/bodgeit/login.jsp Assertion PASSED: org.mozilla.zest.core.v1.ZestAssertStatusCode Assertion PASSED: org.mozilla.zest.core.v1.ZestAssertLength GET : http://localhost:8080/bodgeit/register.jsp Assertion PASSED: org.mozilla.zest.core.v1.ZestAssertStatusCode Assertion PASSED: org.mozilla.zest.core.v1.ZestAssertLength POST : http://localhost:8080/bodgeit/register.jsp Assertion PASSED: org.mozilla.zest.core.v1.ZestAssertStatusCode Assertion PASSED: org.mozilla.zest.core.v1.ZestAssertLength Conditional TRUE: org.mozilla.zest.core.v1.ZestConditionRegex Action invoke: org.mozilla.zest.core.v1.ZestActionFail Error running script: org.mozilla.zest.core.v1.ZestActionFailException: There is an XSS in the username field org.mozilla.zest.core.v1.ZestActionFailException: There is an XSS in the username field at org.mozilla.zest.core.v1.ZestActionFail.invoke(ZestActionFail.java:30) at org.mozilla.zest.impl.ZestBasicRunner.handleAction(ZestBasicRunner.java:129) at org.mozilla.zest.impl.ZestBasicRunner.runStatement(ZestBasicRunner.java:117) at org.mozilla.zest.impl.ZestBasicRunner.runStatement(ZestBasicRunner.java:108) at org.mozilla.zest.impl.ZestBasicRunner.run(ZestBasicRunner.java:87) at org.mozilla.zest.impl.CmdLine.run(CmdLine.java:199) at org.mozilla.zest.impl.CmdLine.main(CmdLine.java:183)
The first 3 Requests (with the Green right arrow icon) are not strictly necessary, but do show how the security tester arrived at the 'Register' page.
All of the requests have Status Code and Length assertions (with the balance icon) associated with them - these are sanity checks which indicate if the script is performing as required.
The Length assertion on the Home page is more lenient as this page returns random content - it allows +/- 2% variation rather than the +/- 1% the other length assertions allow.
The POST request is the one that performs the actual attack. This request has a 'Replace Random Integer' transformation applied to it before it is submitted. This is so that a new username is used every time the script is run. If this is not performed the BodgeIt app would return an error saying that the user already exists and the attack would fail.
The POST request is followed by a conditional which checks the response for a regex expression, in this case it is looking for the escaped string <script>alert(1);</script>.
If the string is found then the script fails with an appropriate message.
If the string is not found then the script performs a scan on the last request made. This scan action will not work if run just using the Zest Java library as this does not support the Scan action. It will however work if run via the ZAP Add-on.
This action is not strictly necessary but is included both as an example and a sanity check that the developer has not introduced another XSS vulnerability when they fix the one demonstrated.