Think like a user, but break software like an expert!

Testing From The Trenches...
From Someone Who Has Been There and Done That!

Wednesday, July 7, 2010

Google, YouTube and My Favorite Security Test: XSS

This past weekend it turns out that YouTube was hacked using a XSS attack in the comments section of a YouTube site.

What you may ask is a XSS attack?  It is a method in which Java Script and HTML code is inserted in between script tags resulting in malicious code being executed.  In the case of Google's YouTube, the malicious code redirected fans of Justin Bieber to a pornography site!  While it's not nice to send young kids to a pornography site, it could have been much worse for Google had the hackers wanted to do something more serious, like attacking the server, getting accounts/password, get the idea.

Google is very big on automating regression testing of new builds and probably those tests were executed on this build of YouTube. Probably unit tests were executed as well.   The problem is that the automation tests must not have tested XSS attacks on comment fields or other input fields, or if they did test for scripts, they probably only tested that the first script tag was escaped but then did not check for what came after that.  As it turned out, the hackers inserted their malicious code after the first script tag was escaped but the second script tag was not.

A good manual tester with a desire to 'break things' would have found this security hole before the code went live just by playing around with the input fields.  If this had been found ahead of time, the developers would have fixed the code and the build would never have gone out.  I am sure that Google and YouTube were embarrassed by this incident.

As I said, XSS attack testing is my favorite.  I know that if I can get some code to execute, then a hacker with a malicious intention will be able to exploit the security hole more than I would even know how to do.  My job as an Exploratory tester is to just find the hole.  That's the fun part.

No comments:

Post a Comment