Re: [WEB SECURITY] How to detect XSS in an automated fashion
- From: <gaz_sec@xxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] How to detect XSS in an automated fashion
- Date: Wed, 29 Aug 2007 20:03:15 +0100
Hi Travis
I've written an HTML/JS fuzzer in which I encountered the same
problem. I decided to create a simple JavaScript callback which was
executed on a successful fuzz. I base encoded the result and sent the
information via a normal HTML image (really a PHP script) which
logged the results.
Cheers
Gareth
On Wed, 29 Aug 2007 19:22:22 +0100 Travis Altman
<travisaltman@xxxxxxxxx> wrote:
>I am trying to run through a dictionary of XSS attacks (aka fuzzing) on a
>web application. What is the best way to determine, in an automated
>fashion, if each attack was successful? Would I simply review the source
>code of the response to see if my attack was encoded or filtered?
>
>http://travisaltman.com
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org
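
The callback-and-image-beacon approach described in the reply above, as an added example that is not part of the original post or of Gareth's fuzzer. The names `fuzzHit`, `LOG_URL` and the record fields are hypothetical, "base encoded" is assumed to mean Base64, and the logger side is shown in JavaScript rather than PHP.

```javascript
// Added illustration; fuzzHit, LOG_URL and the record fields are hypothetical names.
// Assumes "base encoded" means Base64 and that the logger runs on the tester's own host.
const LOG_URL = "https://fuzzlog.example/log.php"; // placeholder logging endpoint

function toBase64(text) {
  const bytes = new TextEncoder().encode(text);
  return btoa(String.fromCharCode(...bytes));
}
function fromBase64(b64) {
  const bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Build the URL that the callback requests as an image.
function buildBeaconUrl(caseId, pageUrl) {
  const record = JSON.stringify({ id: caseId, page: pageUrl });
  // encodeURIComponent protects the '+', '/' and '=' that Base64 can produce.
  return LOG_URL + "?r=" + encodeURIComponent(toBase64(record));
}

// The function each fuzz case tries to call; it runs only if the injected markup executed.
function fuzzHit(caseId) {
  const page = typeof location !== "undefined" ? location.href : "";
  const url = buildBeaconUrl(caseId, page);
  if (typeof Image !== "undefined") new Image().src = url; // plain image request
  return url;
}

// Logger side: decode one request, rejecting anything malformed.
function parseBeacon(requestUrl) {
  const r = new URL(requestUrl).searchParams.get("r");
  if (!r) return null;
  try {
    const rec = JSON.parse(fromBase64(r));
    return Number.isInteger(rec.id) ? { id: rec.id, page: String(rec.page) } : null;
  } catch (e) {
    return null; // not valid Base64 or JSON: ignore rather than log
  }
}

// Correlate logged beacons with the fuzz cases that were sent.
function executedCases(sentIds, loggedUrls) {
  const hits = new Set(loggedUrls.map(parseBeacon).filter(Boolean).map(h => h.id));
  return sentIds.filter(id => hits.has(id));
}
```

Giving each dictionary entry its own numeric ID means a logged request identifies exactly which case executed, with no need to inspect the response source.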