Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Cross Site Scripting Vulnerabilities - XSS [was: Fw: OWASP Update]
From: "Alex Lambert" <alambert () webmaster com>
Date: Tue, 6 Aug 2002 10:13:08 -0500


Hope this helps. You might want to consider signing up for webappsec if
you're into web security. Also, http://www.owasp.org/testing/ has a little
more information.

----- Original Message -----
From: "Mark Curphey" <mark () curphey com>
To: <webappsec () securityfocus com>
Sent: Monday, August 05, 2002 10:52 PM
Subject: OWASP Update

Seems like ages since I sent out an OWASP update and
as the list seems pretty quiet these days (with
people nursing hangovers from last weeks festivities
in Vegas no doubt) so here goes.

Firstly we are proud to say we have a few initial
sponsors. We have an anonymous donor of unlimited
bandwidth and some rack space (Steve you are a hero)
where we will be housing the portal. Secondly Altova
have given all OWASP contributors a copy of their
XML tool which supports DocBook so we can move all
documentation to an open format. Lastly
Butterflysecurity.com have donated some hardware for
the portal and development resources for the VulnXML
application. Very very much appreciated and will be
put to some very good use.

WebScarab - For those that don't know WebScarab is
aiming to be the Nessus of the webappsec world and
continues to be the No 1 priority and the most
challenging and rewarding project to date. There is
now a GUI, the spiders working and XSS, SQL
injection and session hijacking will be working very
soon. Why is it taking so long ? Well apart from the
fact its volunteers, things are being done WELL
rather than fast. No cutting corners ! WebScarab
will be able to be back-ended by an array of
databases for instance like MySQL, PostGress or
Oracle ! You get to choose. This baby will scale
outside of a lab! The spider will deal with various
MIME types so can potentially spider pdf and flash
etc as well as work with JavaScript. You can always
take a look at the code in the CVS. Theres even a
module sandbox being developed so people can run
untrusted checks in the tool without worry of
compromise. A big kudos has to go to Ingo Struck,
Steve Taylor, Tim Panton, Zed Shaw and Apurv Singh
for the work so far. As always serious Java
developers are always welcome and needed. Oh and did
we mentioned it is open source, Java, free and
extensible !

OWASP Portal (replacement for the current
www.owasp.org) is underway and will be built on
UPortal (www.ja-sig.org) with a Jive channel for a
forum. As well as the current content (in a much
more efficient and pleasant layout) there will be a
customizable news channel where you can select news
for technologies you are interested in and
vulnerability alerts where you can again select
technologies you care about and see the history of
those alerts in your alerts tab. The portal will
also host the VulnXML application below.

OWASP Guide to Building Secure Web Applications -
was downloaded more 60,000 times in the first month
and continues to see copnstant downloads. Its now
being ported to DocBook format where various typos
etc will be changed. A complete re-write is then on
the cards for version 2 thanks to many new
volunteers and great freedback. WebServices will be
a good sized portion. That project now has its own
Sourceforge site btw.

OWASP WebMaven will be released in the first week of
September. WebMaven is an intentionally broken web
application written in Perl you can run on your own
Apache web server and investigate web appsec
security holes and issues in the safetly of your own
machines. The first release has a SQL injection bug,
a XSS and some other problems, and the future
releases are likely to support skins, dynamic
vulnerabilities, more holes and other cool features.
We also hope to integrate it into the HoneyD
application at the HoneyNet Project. There is a
project page at Sourceforge and the page at
owasp.org will go up in a few weeks.

Filters had several false starts but I recently saw
a cool design document and know code is very hot on
its heels. The OWASP filters project will create a
set of "stackable" rule sets that address various
boundary conditions that exist in programs. Each
rule set will address a boundary or target
environment, specifically allowing certain types of
data that should be allowed for each environment.
Probably available in Java, PHP and C initially but
to be decided.

VulnXML is moving along nicely but needs to wait til
the portal is done before it can really come into
its own. We will be building a web based application
to allow people to both report vulnerabilites in the
format and to author / QA current checks in the
queue with work flow.  Anyone will be able to
consume the checks and WebScarab will be certainly
right up there in the queue. If you havent read the
vision doc on the site its well worth it.

A last but not least is the OWASP Testing Project.
David "securitypimp" Endler (don't belive me check
out www.securitypimps.com) is doing a great job of
getting people to author all sorts of things for
this project. There will be flowcharts of how to
logically test things, templates for planning and a
whole bunch more cool stuff.  I won't steal his
thunder but its going to be very cool and drafts due
in August 19th if I recall.

As always we always need serious Java developers, a
profesional graphics person and anyone else with a
skill and some spare time as well as sposnsorship
etc. The web site www.owasp.org has more details and
vision documents for most projects, the
corresponding Sourceforge page has the code trees etc

And on that note I owe the pimpadaddy some text !

This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:

  By Date           By Thread  

Current thread:
  • Re: Cross Site Scripting Vulnerabilities - XSS [was: Fw: OWASP Update] Alex Lambert (Aug 06)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]