websecurity August 2007 archive

Re: [WEB SECURITY] How to detect XSS in an automated fashion

From: Romain Gaucher <romain.gaucher_at_nospam>
Date: Thu Aug 30 2007 - 12:27:25 GMT
To: Billy Hoffman <Billy.Hoffman@spidynamics.com>

> Of course, that only works if your web scanner has a JavaScript interpreter!

Which is not that hard with software like Rhino (Java) or SpiderMonkey (C).

Romain

>
> Billy
>
> -----Original Message-----
> From: gaz_sec@hushmail.com [mailto:gaz_sec@hushmail.com]
> Sent: Wed 8/29/2007 3:03 PM
> To: websecurity@webappsec.org
> Cc: travisaltman@gmail.com
> Subject: Re: [WEB SECURITY] How to detect XSS in an automated fashion
>
> Hi Travis
>
> I've written an HTML/JS fuzzer in which I encountered the same
> problem. I decided to create a simple JavaScript callback which was
> executed on a successful fuzz. I base encoded the result and sent the
> information via a normal HTML image (really a PHP script) which
> logged the results.
>
> Cheers
>
> Gareth
>
> On Wed, 29 Aug 2007 19:22:22 +0100 Travis Altman
> <travisaltman@gmail.com> wrote:
> >I am trying to run through a dictionary of XSS attacks (aka fuzzing) on a
> >web application. What is the best way to determine, in an automated
> >fashion, if each attack was successful? Would I simply review the source
> >code of the response to see if my attack was encoded or filtered?
> >
> >http://travisaltman.com
>
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>