O2 Script UnitTest Twitter XSS Vuln in ManageDomains.cs
By Recent changes en, on [2010-10-06] at 08:35:29
Presentation: This script shows a Unit Test that checks for a patched XSS vulnerability in Twitter (an example of a regression test). The script is not 100% automated because of the captcha requirement when adding new applications.

The vulnerability that this UnitTest covers is documented here: http://bug-zone.org/2010/09/07/twitter-xss-vulnerability-by-sangteamtham

Video: YouTube video DpDiGpzaVw0

How it works

This script, executed as a UnitTest, will:
- Open a new instance of IE in a separate window
- Check if there is a logged-in user and, if so, log out
- Log in with a test account
- Go to dev.twitter.com
- Add a random application
- Ask the user to resolve the Captcha
- Go to the Manage Domains page
- Assert that the encoded payload does NOT exist on the current page
- Submit a couple of payloads
- Assert that the encoded payload DOES exist on the page
- Close IE after 2 seconds

Source Code

```csharp
using O2.Kernel.ExtensionMethods;
using O2.DotNetWrappers.ExtensionMethods;
using O2.XRules.Database.APIs;
using O2.XRules.Database.Utils;
using O2.XRules.Database.Utils.O2;
using mshtml;
using NUnit.Framework;

//O2File:WatiN_IE_ExtensionMethods.cs
//O2Ref:WatiN.Core.1x.dll
//O2Ref:O2_External_IE.dll
//O2Ref:Microsoft.mshtml.dll
//O2Ref:nunit.framework.dll

namespace O2.XRules.Database.UnitTests
{
    [TestFixture]
    public class BlackBox_PoCs_UnitTests
    {
        // test account (values as captured on the page; the separators inside the ID were lost)
        string twitterID = "o2 Test_gpuCS o--2.com";
        string password  = "Super Password";

        // checks for the vulnerability described here:
        // http://bug-zone.org/2010/09/07/twitter-xss-vulnerability-by-sangteamtham
        [Test]
        public string XSS_Vuln_in_ManageDomains()
        {
            var ie = "about:blank".ie(0, 0, 800, 600);

            // logout if required
            ie.open("http://www.twitter.com");
            if (ie.hasLink("Sign out"))
                ie.link("Sign out").click();

            // sign in with test account
            ie.field("username").value(twitterID);
            ie.field("password").value(password);
            ie.button("Sign in").click();

            // register a random application on dev.twitter.com
            ie.open("http://dev.twitter.com");
            ie.link("Your apps").click();
            ie.link("Register a new application").click();
            ie.link("Register a new app").click();

            var appName      = "appName_" + 5.randomLetters();
            var description  = "description";
            var website      = "http://www.google.com";
            var organization = "organization";
            var callbackUrl  = "http://a.com";

            ie.field("client_application[name]",         appName);
            ie.field("client_application[description]",  description);
            ie.field("client_application[url]",          website);
            ie.field("client_application[organization]", organization);
            ie.field("client_application[callback_url]", callbackUrl);

            // the captcha is the manual step: the user is shown the image and types the answer
            var captchaUrl    = ie.images()[3].url();
            var captchaAnswer = ascx_CaptchaQuestion.askQuestion(captchaUrl);
            ie.field("recaptcha_response_field", captchaAnswer);
            ie.button("Register application").click();
            ie.forms()[1].Submit();

            if (ie.hasLink("Manage Domains").isFalse())
            {
                "Application registration didn't work".error();
                return "error";
            }
            ie.link("Manage Domains").click();

            // first check that the payload is not there
            var xssPayload = "alert('aaa')";
            Assert.That(ie.html().contains(xssPayload.htmlEncode()).isFalse(),
                        "Encoded payload was in html page");

            // then submit the payloads and check again for the encoded payload
            ie.field("host").value(xssPayload);
            ie.button("Authorize").click();
            ie.field("host").value(xssPayload);
            ie.button("Authorize").click();
            // the patched page must now render the submitted value HTML-encoded
            Assert.That(ie.html().contains(xssPayload.htmlEncode()),
                        "Encoded payload was NOT in html page");

            ie.closeInNSeconds(2);
            return "ok - XSS_Vuln_in_ManageDomains";
        }
    }
}
```
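The two assertions above anchor on one encoder's exact output (`htmlEncode()` turns `'` into `&#39;`), so a page that encodes the same character as `&#x27;` would fail the regression test even though it is safe. The check below, an added example and not part of the O2 script, classifies a response body as raw, encoded or absent by comparing the raw markup against its HTML-decoded form, which is encoder-independent; the sample responses are constructed stand-ins for the Manage Domains page, not captured from Twitter.

```python
import html

# Payload from the page's test (as captured; any wrapping tags were lost in the copy).
XSS_PAYLOAD = "alert('aaa')"

# Constructed sample responses for the "host" field after submitting the payload.
SAMPLE_PAGES = {
    # patched: encoded the way .NET HttpUtility.HtmlEncode does it
    "patched_dotnet": "<input name='host' value='alert(&#39;aaa&#39;)'>",
    # patched: hex entities (what Python's html.escape emits); same security outcome
    "patched_hex":    "<input name='host' value='alert(&#x27;aaa&#x27;)'>",
    # vulnerable: value reflected verbatim, so the quote closes the attribute
    "vulnerable":     "<input name='host' value='alert('aaa')'>",
    # submission did not persist; a "raw not present" check alone would pass here
    "absent":         "<input name='host' value=''>",
}


def reflection_status(page_html: str, payload: str) -> str:
    """Return 'raw' if the payload appears verbatim in the markup,
    'encoded' if it only appears after HTML-decoding the markup,
    and 'absent' if it does not appear at all."""
    if payload in page_html:
        return "raw"
    if payload in html.unescape(page_html):
        return "encoded"
    return "absent"


def regression_passes(page_html: str, payload: str) -> bool:
    """The regression test's success condition: the value is reflected, and only encoded."""
    return reflection_status(page_html, payload) == "encoded"


def dotnet_encoded_present(page_html: str, payload: str) -> bool:
    """The page's original check: look for the .NET-style encoding of the payload."""
    return payload.replace("'", "&#39;") in page_html


if __name__ == "__main__":
    for name, body in SAMPLE_PAGES.items():
        print(f"{name:15} -> {reflection_status(body, XSS_PAYLOAD)}")
```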