[WEB SECURITY] Re: [Webappsec] xss filter to protect from xss attacks
- From: anurag.agarwal@xxxxxxxxx
- Subject: [WEB SECURITY] Re: [Webappsec] xss filter to protect from xss attacks
- Date: Tue, 23 Jan 2007 00:34:34 -0800 (PST)
Amit -

Good point and my apologies for the same. I will make the code available too. It will be there on the site in a few hours.

Cheers,

Anurag Agarwal

SEEC - An application security search engine
Web: www.attacklabs.com , www.myappsecurity.com
Email : anurag.agarwal@yahoo.com
Blog : http://myappsecurity.blogspot.com

----- Original Message ----
From: Amit Klein <aksecurity@gmail.com>
To: Anurag Agarwal <anurag.agarwal@yahoo.com>
Cc: WASC Forum <websecurity@webappsec.org>; "webappsec @OWASP" <webappsec@lists.owasp.org>
Sent: Monday, January 22, 2007 11:50:06 PM
Subject: Re: [Webappsec] xss filter to protect from xss attacks

Anurag Agarwal wrote:
> I have created an XSS filter to protect from XSS attacks. Though I have
> filtered only for 8 characters, I was able to test against all the
> attacks mentioned in RSnake's cheat sheet. Appscan was not able to
> detect any XSS attacks on it. I request the application security
> community to help test this filter. 90% I am sure that you won't be
> able to perform any XSS attack on it; the rest 10% I will find out
> after the feedback from the community. For the curious mind, it is
> written in Java.
If this is an open source project - then where is the source code? If
it's not - then why should we bother testing it?
Brought to you by http://www.webappsec.org