
Re: [WEB SECURITY] How to detect XSS in an automated fashion



Hi Deepan

The script was intentionally quite restrictive because it was being 
hosted on my site and it is an example of an HTML/JS fuzzer, not an 
XSS fuzzer. However, the code is available to download if anyone 
wishes to modify it and improve it. I created the fuzzer to find 
new and interesting ways of JavaScript execution and although it 
did find a few things I'm sure it can be greatly improved.

Download available here:-
http://code.google.com/p/jsfuzzer/downloads/list

The code is open source but if you want to use it or improve it let 
me know as I'm interested in how it's being used.

Cheers

Gareth 

On Fri, 31 Aug 2007 04:37:29 +0100 Deepan Chakravarthy 
<codeshepherd@xxxxxxxxx> wrote:
>gaz_sec@xxxxxxxxxxxx wrote:
>> True my Fuzzer works in the browser, so it doesn't need an 
>> interpreter:-
>> <http://www.businessinfo.co.uk/labs/jsfuzz/fuzz.php>
>>
>>
>>   
>Hi Gaz_sec,
>I just tried the above URL. Pardon my ignorance. How do I specify 
>the URL of target site? Should I have to call this URL from JS in 
>target site? Have I got the whole thing wrong?
>
>-- 
>Deepan 
>http://codeshepherd.com/
>http://codeshepherd.blogspot.com/
>http://sudoku-solver.net/

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/