Wednesday 6 October 2010

UnitTest for Twitter "XSS Vuln in ManageDomains"

This script is focused on a recently disclosed and patched XSS vulnerability in Twitter :

Actions executed by this UnitTest:
  • Open a new Instance of IE in a separate window
  • Check if there is a logged in user (and if so, logout)
  • Login with a test account
  • Go to
  • Add an random application
  • Asks the user to resolve the Captcha
  • Go to the "Manage Domains" page
  • Asserts that that the encoded payload does NOT exist on the current page
  • Submits a couple paylods
  • Asserts that the endoded DOES exist on the page
  • Close IE after 2 seconds
This is a good example of how the O2 Platform allows the easy creation of UnitTests that can be distributed/published to developers so that they can replicate the problem in a language/enviroment that they are confortable with (vs a PDF document with some screenshots).

The developers can also use these UnitTests to make sure their fix is working and add them as regression tests to be executed before any major code push  (for regression tests one should run also the entire FuzzDB XSS list on the affected field). Note the Green result of the UnitTest (if the Asserts had failed, we would have a Red result)

The objective for the O2 Power User is to be be able to create these complex web workflows during a security engament (using the powerful O2's Browser Automation APIs and the dynamic and semi-real-time  'O2 Script Development Environment')