Billy
-----Original Message-----
From: gaz_sec@xxxxxxxxxxxx [mailto:gaz_sec@xxxxxxxxxxxx]
Sent: Wed 8/29/2007 3:03 PM
To: websecurity@xxxxxxxxxxxxx
Cc: travisaltman@xxxxxxxxx
Subject: Re: [WEB SECURITY] How to detect XSS in an automated fashion
Hi Travis
I've wrote a HTML/JS Fuzzer in which I encountered the same
problem. I decided to create a simple javascript callback which was
executed on successful fuzz. I base encoded the result and sent the
information via a normal HTML image (really a PHP script) which
logged the results.
Cheers
Gareth
On Wed, 29 Aug 2007 19:22:22 +0100 Travis Altman
<travisaltman@xxxxxxxxx> wrote:
>I am trying to run through a dictionary of XSS attacks (aka
>fuzzing) on a
>web application. What is the best way to determine, in an
>automated
>fashion, if each attack was successful? Would I simply review the
>source
>code of the response to see if my attack was encoded or filtered?
>
>http://travisaltman.com
--
Click to reduce wrinkles, increase energy and drive - anti-aging.
http://tagline.hushmail.com/fc/Ioyw6h4dWDHmHiSvMyDeVPgVWtCgUCy5Ky07XGWad22ySq1P1RSIOW/
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]