
RE: [WEB SECURITY] How to detect XSS in an automated fashion




Of course, that only works if your web scanner has a JavaScript interpreter!

Billy

-----Original Message-----
From: gaz_sec@hushmail.com [mailto:gaz_sec@hushmail.com]
Sent: Wed 8/29/2007 3:03 PM
To: websecurity@webappsec.org
Cc: travisaltman@gmail.com
Subject: Re: [WEB SECURITY] How to detect XSS in an automated fashion

Hi Travis

I've written an HTML/JS fuzzer in which I encountered the same
problem. I decided to create a simple JavaScript callback which was
executed on successful fuzz. I base encoded the result and sent the
information via a normal HTML image (really a PHP script) which
logged the results.

Cheers

Gareth

On Wed, 29 Aug 2007 19:22:22 +0100 Travis Altman
<travisaltman@gmail.com> wrote:
>I am trying to run through a dictionary of XSS attacks (aka fuzzing) on a
>web application.  What is the best way to determine, in an automated
>fashion, if each attack was successful?  Would I simply review the source
>code of the response to see if my attack was encoded or filtered?
>
>http://travisaltman.com



----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
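
Added example (not part of the original thread, and not Gareth's fuzzer): the response-review approach from Travis's question, which needs no JavaScript interpreter. It brackets the characters `<"'>` with a made-up token and reports whether each one came back raw, entity-encoded or removed; `TOKEN`, the function names and the sample response bodies are assumptions constructed for illustration.

```python
import html
import re

# Constructed, inert probe: a unique token on both sides of the characters
# an HTML encoder has to neutralise. TOKEN and the samples are made up.
TOKEN = "zqx7f3a9c"
META = "<\"'>"
PROBE = TOKEN + META + TOKEN
_REFLECTION = re.compile(re.escape(TOKEN) + r"(.{0,40}?)" + re.escape(TOKEN), re.S)

def classify_reflections(body):
    """Return one {char: 'raw'|'encoded'|'removed'} dict per reflected probe."""
    results = []
    for match in _REFLECTION.finditer(body):
        segment = match.group(1)          # what the application returned for META
        decoded = html.unescape(segment)  # resolves &lt; &quot; &#39; &#x27; ...
        states = {}
        for ch in META:
            if ch in segment:
                states[ch] = "raw"
            elif ch in decoded:
                states[ch] = "encoded"
            else:
                states[ch] = "removed"
        results.append(states)
    return results

def verdict(body):
    """Summarise a response: any raw metacharacter means a human should look."""
    found = classify_reflections(body)
    if not found:
        return "not reflected"
    if any("raw" in states.values() for states in found):
        return "needs review"
    return "neutralised"

# Constructed response bodies, one per outcome.
SAMPLES = {
    "echoed": "<p>Results for " + PROBE + "</p>",
    "encoded": "<p>Results for " + html.escape(PROBE) + "</p>",
    "partial": "<input value='" + TOKEN + "&lt;&quot;'&gt;" + TOKEN + "'>",
    "stripped": "<p>Results for " + TOKEN + TOKEN + "</p>",
    "absent": "<p>No results</p>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:9} {verdict(body):14} {classify_reflections(body)}")
```

A "raw" result shows only that the character survived into the response; whether script would actually run depends on where it lands in the page, which is the part that takes an interpreter.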






Brought to you by http://www.webappsec.org