Test 5) Cross Site Scripting

Cross Site Scripting Test

Vulnerability Type Dynamic

Test Web Service URI http://[yourhostName]/XSS.asmx?WSDL

Vulnerable Code Block This method displays message on browser and does not validate the input string:

ShowMessageOnBrowser(txt);
return txt;

Attack Payload <script>alert(1)</script>

Vulnerable Method Name ShowMessage Vulnerable Parameter Name txt

Response

<script>alert(1)</script>

Indications of Vulnerability

Web server returned: Http status code is 200 (i.e. OK - The request has succeeded).
Malicious script (payload) is returned without any escaping of the payload.