Re: Cross Site Scripting Vulnerabilities - XSS

From: Jeff Williams (jeff.williams@aspectsecurity.com)
Date: Tue Aug 06 2002 - 11:08:40 EDT

• Next message: Dave Aitel: "SPIKE 2.5 and associated vulnerabilities in Microsoft SQL Server and Exchange 2000"
• Previous message: Bill Pennington: "Re: Cross Site Scripting Vulnerabilities - XSS"
• In reply to: Jason binger: "Cross Site Scripting Vulnerabilities - XSS"
• Next in thread: Jeremiah Grossman: "Re: Cross Site Scripting Vulnerabilities - XSS"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Check out websleuth -- it takes a little work, but it can do what you
want. The technique is pretty simple -- send a few test tags into each
form field and then see if the responses contain the tag. If so, it's
vulnerable. Not a terribly sophisticated test, but it'll do since in
most cases there's no reason not to filter out the tags.

http://www.geocities.com/dzzie/sleuth/

--Jeff

Jeff Williams
Aspect Security, Inc.
Securing the Last Mile of the Internet
www.aspectsecurity.com
Jeff.Williams@aspectsecurity.com

----- Original Message -----
From: "Jason binger" <cisspstudy@yahoo.com>
To: <pen-test@securityfocus.com>
Sent: Sunday, August 04, 2002 1:52 AM
Subject: Cross Site Scripting Vulnerabilities - XSS

> Has anyone on the list done much with testing for XSS
> vulnerabilities?
>
> Has anyone written a simple work program to test for
> these vulnerabilities that they are happy to
> distribute so others can do basic testing for these
> vulnerabilities?
>
> There a few papers out on this topic, but none that I
> hve seen that really focus on the testing side of
> things.
>
> Thanks
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Health - Feel better, live better
> http://health.yahoo.com
>
> ----------------------------------------------------------------------
------
> This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please
see:
> https://alerts.securityfocus.com/
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

• Next message: Dave Aitel: "SPIKE 2.5 and associated vulnerabilities in Microsoft SQL Server and Exchange 2000"
• Previous message: Bill Pennington: "Re: Cross Site Scripting Vulnerabilities - XSS"
• In reply to: Jason binger: "Cross Site Scripting Vulnerabilities - XSS"
• Next in thread: Jeremiah Grossman: "Re: Cross Site Scripting Vulnerabilities - XSS"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:24 EDT