Penetration Testing: Re: Cross Site Scripting Vulnerabilities - XSS

["Jeff Williams" <jeff.williams () aspectsecurity com>]

Check out websleuth -- it takes a little work, but it can do what you
want. The technique is pretty simple -- send a few test tags into each
form field and then see if the responses contain the tag. If so, it's
vulnerable.  Not a terribly sophisticated test, but it'll do since in
most cases there's no reason not to filter out the tags.

http://www.geocities.com/dzzie/sleuth/

--Jeff

Jeff Williams
Aspect Security, Inc.
Securing the Last Mile of the Internet
www.aspectsecurity.com
Jeff.Williams () aspectsecurity com

----- Original Message -----
From: "Jason binger" <cisspstudy () yahoo com>
To: <pen-test () securityfocus com>
Sent: Sunday, August 04, 2002 1:52 AM
Subject: Cross Site Scripting Vulnerabilities - XSS


> Has anyone on the list done much with testing for XSS
> vulnerabilities?
>
> Has anyone written a simple work program to test for
> these vulnerabilities that they are happy to
> distribute so others can do basic testing for these
> vulnerabilities?
>
> There a few papers out on this topic, but none that I
> hve seen that really focus on the testing side of
> things.
>
> Thanks
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Health - Feel better, live better
> http://health.yahoo.com
>
> ----------------------------------------------------------------------
------
> This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please
see:
> https://alerts.securityfocus.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/