Monday, March 31, 2008

Security Testing - CSS or XSS

Cross-site scripting (also known as XSS or CSS) is one of the most common areas of security testing in web applications. Recently it was implemented in our application. We certified our AUT for CSS.

Generally, hackers try to embed a malicious script into a vulnerable dynamic web application. When this script is executed, the hacker can steal data. XSS can compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on end-user systems.

To avoid cross-site scripting vulnerabilities, the application should HTML-encode the content it outputs, and it should not allow any URL or data that contains <script or %3C%2Fscript.
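The two measures above, shown as an added example that is not code from the original post: HTML-encoding untrusted text on output, and rejecting request data that contains the script markers once percent-encoding and letter case are normalised. All function names are hypothetical and the sample inputs are constructed.

```javascript
// Added example: output encoding plus the request check described above.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Encode untrusted text for an HTML element body or a quoted attribute value.
function encodeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Percent-decode a bounded number of times and lowercase the result, so the
// check sees nested encodings and mixed case in one canonical form.
function normalise(value) {
  let current = String(value);
  for (let i = 0; i < 3; i++) {
    let decoded;
    try {
      decoded = decodeURIComponent(current);
    } catch (e) {
      break; // malformed escape sequence: check the text as it stands
    }
    if (decoded === current) break;
    current = decoded;
  }
  return current.toLowerCase();
}

// True when URL or form data contains <script or </script (%3C%2Fscript).
function containsScriptTag(value) {
  const text = normalise(value);
  return text.includes("<script") || text.includes("</script");
}

// The check rejects obvious attempts; the encoding makes whatever is
// accepted display as plain text instead of being parsed as markup.
function renderComment(untrusted) {
  if (containsScriptTag(untrusted)) {
    return { accepted: false, html: "" };
  }
  return { accepted: true, html: "<p>" + encodeHtml(untrusted) + "</p>" };
}

// Constructed sample inputs (not taken from any real application).
const SAMPLES = ['Tom & "Jerry" <3', "<script>alert(1)</script>", "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"];
for (const s of SAMPLES) console.log(JSON.stringify(s), "->", renderComment(s));
```

The encoding step is the one that matters for every output: it applies to any markup, while the marker check only covers the two strings it looks for.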

Many tools are available on the web to test this. I used a freeware tool called WebScarab. You can also go through the following links to learn more about XSS.

Cross Site Scripting Definition - Wiki
Cross site Scripting FAQ
Sample Videos from Microsoft

5 comments:

Unknown said...

Hi Chitra,

I am not commenting anything on this topic.

I had a few queries that I hope to get clarified. I am getting into a role where I have to get the ISO certification for the company.

Can you please guide me: being a tester, how can we do documentation or get this ISO certification?

Nirmala

Palani Selvam said...

Hi Nirmala,
ISO has different standards for various industries. For software development or service, ISO has 9001 and 90003. A few more standards might be there.

We used to develop documents for various testing stages. To get to know more about the list of documents, you can ask your company's quality coordinators or internal auditors.

You can go through the following links:
ISO 9000
ISO IEC 90003 2004
ISO/IEC 90003:2004 - Software engineering

Hope that it will help you to understand more...

Unknown said...

Thanks Palani,

I am glad for your response. I have one more question, i.e. what is the role of a QA in and as an internal auditor?

Nirmala

Palani Selvam said...

As the internal auditor, QA can verify the documents for each process and can request the appropriate teams for required documents.

For example, the QA team may prepare the following documents in different periods.
1. Test Plan
2. High Level testcases
3. Test cases.
4. Testcase reviews
5. QA status (per week or twice in a week)
6. Test results for each build/release
7. Test Coverage (support for different platforms)
8. Traceability Matrix
9. Automation results
10. Automation help/plan/standards
11. Load test plan
12. Load test report
13. Automation Status
14. Sun Set Review for each release.

This list is endless. You have to ensure this for all teams.

Tee Chess said...

Nice information. I love to read your blog as it gives me so many useful facts about the software process. Thanks for sharing those links as I want to know in depth about XSS. Software Testing Services