
How to reproduce QID 150022

This article explains how to reproduce QID 150022 (Verbose Error Message) from a web application scan using the information in the report details. We focus on two injection points: the query string and form inputs.

The vulnerability report shows the reported URL and may or may not include a "Form Entry Point". When a Form Entry Point is present, it tells us that the scanner was testing a form, and that form can be found at the URL given as the Form Entry Point.

When no Form Entry Point is present, the payload can be replayed directly through the URL, and the reported URL usually already contains one of the payloads that triggered the finding.

URL Injection Example:

http://www.example.com/index.php?id=%3CIMG%20SRC%3Djavascript%3Aqss%3D7%3E

Payload: id=%3CIMG%20SRC%3Djavascript%3Aqss%3D7%3E

Results:...

Payload: id=%22%3E%3Cqss%3E

Results:...

In the example above there is no Form Entry Point, so we know the finding can be replayed through the URL. One of the reported payloads is "id=%3CIMG%20SRC%3Djavascript%3Aqss%3D7%3E", which tells us that the injection point is the query string parameter "id" and the injected value is "%3CIMG%20SRC%3Djavascript%3Aqss%3D7%3E" (URL-decoded, the server receives <IMG SRC=javascript:qss=7>). Unless the link requires authentication, you should be able to reproduce the finding simply by requesting the URL below and comparing the response with the "Results" shown in the report. Use the payload exactly as reported, in its URL-encoded form: if you type the decoded value into the address bar, the browser re-encodes it, and the server may not receive the same bytes the scanner sent. To replay the second reported payload, replace the query string with "id=%22%3E%3Cqss%3E" in the same way.

http://www.example.com/index.php?id=%3CIMG%20SRC%3Djavascript%3Aqss%3D7%3E

Form Injection Example:

http://www.example.com/j_security_check

Form Entry Point: http://www.example.com/

Params: username

Payload: username=%22%3E%3Cqss%3E&password=password&action=Login

Result:...

The presence of the Form Entry Point tells us that this was a form the scanner was testing, and the form can be found at the Form Entry Point URL. The injection point is the "username" field, and the Payload shows that the value injected into "username" was "%22%3E%3Cqss%3E" (URL-decoded: "><qss>). The other fields in the Payload, "password" and "action", were filled with ordinary values so that the form would submit normally.

If you navigate to the Form Entry Point you should find at least one form on the page. Most of the time it is straightforward to determine which form field to inject the payload into, but if you are unsure, review the page source and identify the <input> whose name attribute matches the name reported under "Params" in your report.

At this point, inject the provided payload into that form field and submit the form. If the form contains multiple fields, fill in all the other fields with valid values, as the scanner did in the reported Payload, so that the request is not rejected for an unrelated reason.

In some instances, JavaScript performs client-side validation before the data is actually submitted to the server. If this is the case, disable JavaScript execution in your browser, or replay the request with an intercepting proxy or a command-line HTTP client. The goal is not to test client-side validation, which is easily bypassed, but to observe how the server reacts to the payload.
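The following script is an added example, not code from the original article or from the scanning service. It takes the report fields shown above (reported URL, Form Entry Point, Payload), shows the decoded value that actually reaches the server, and builds the exact request to replay: a GET with the query string swapped for the reported payload when there is no Form Entry Point, or a form submission carrying the reported Payload as its body when there is one. Replaying this way bypasses any client-side JavaScript validation because no browser is involved. The form method is assumed to be POST (take the real method from the <form> tag on the Form Entry Point page), and the sample findings are the two from the article; the replay function needs network access and is optional.

```python
"""Replay a Qualys WAS 'Verbose Error Message' (QID 150022) finding.

Added example, not part of the original article. Uses only the standard
library so it runs anywhere. Nothing is sent unless replay() is called.
"""
import urllib.error
import urllib.request
from urllib.parse import parse_qsl, urlsplit


def decode_payload(payload):
    """Return the reported Payload as a dict of decoded parameter values.

    This is what the server actually sees after URL-decoding, e.g.
    'id=%3CIMG%20SRC%3Djavascript%3Aqss%3D7%3E' -> {'id': '<IMG SRC=javascript:qss=7>'}.
    """
    return dict(parse_qsl(payload, keep_blank_values=True))


def build_replay(url, payload, form_entry_point=None, form_method="POST"):
    """Build the request that reproduces the finding.

    No Form Entry Point: the payload is a query string, so replace the query
    part of the reported URL with it (this also lets you replay the second
    reported payload against the same URL).
    Form Entry Point present: the payload is the form body; submit it to the
    reported action URL. form_method is an assumption, check the <form> tag.
    """
    if form_entry_point is None:
        replay_url = urlsplit(url)._replace(query=payload).geturl()
        return {"method": "GET", "url": replay_url, "body": None}
    return {"method": form_method.upper(), "url": url, "body": payload}


def replay(req, timeout=10):
    """Send the built request and return (status, body). Requires network access.

    Error responses (4xx/5xx) are kept rather than raised, because a verbose
    error message is exactly what this QID reports and it usually lives in
    the body of an error page.
    """
    data = req["body"].encode() if req["body"] is not None else None
    headers = {"User-Agent": "qid150022-replay"}
    if data is not None:
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    request = urllib.request.Request(
        req["url"], data=data, headers=headers, method=req["method"]
    )
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# Constructed from the two findings shown in the article.
URL_FINDING = {
    "url": "http://www.example.com/index.php?id=%3CIMG%20SRC%3Djavascript%3Aqss%3D7%3E",
    "payloads": ["id=%3CIMG%20SRC%3Djavascript%3Aqss%3D7%3E", "id=%22%3E%3Cqss%3E"],
}
FORM_FINDING = {
    "url": "http://www.example.com/j_security_check",
    "form_entry_point": "http://www.example.com/",
    "payloads": ["username=%22%3E%3Cqss%3E&password=password&action=Login"],
}


def plan_replays(finding):
    """Return one replay request per reported payload for a finding."""
    return [
        build_replay(finding["url"], p, finding.get("form_entry_point"))
        for p in finding["payloads"]
    ]


if __name__ == "__main__":
    for finding in (URL_FINDING, FORM_FINDING):
        for p, req in zip(finding["payloads"], plan_replays(finding)):
            print(f"{req['method']} {req['url']}")
            if req["body"]:
                print(f"  body: {req['body']}")
            print(f"  server receives: {decode_payload(p)}")
        # status, body = replay(req)  # uncomment to send against the real target
```

Compare the body returned by replay() with the "Results" section of the report; the reported URL for a query-string finding is reproduced unchanged by the first payload, and the second payload gives the URL to request for the other reported variant.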