Re: Cross Site Scripting Vulnerabilities - XSS

From: Jeff Williams (jeff.williams@aspectsecurity.com)
Date: 08/06/02


From: "Jeff Williams" <jeff.williams@aspectsecurity.com>
To: <pen-test@securityfocus.com>
Date: Tue, 6 Aug 2002 11:08:40 -0400

Check out websleuth -- it takes a little work, but it can do what you
want. The technique is pretty simple -- send a few test tags into each
form field and then see if the responses contain the tag. If so, it's
vulnerable. Not a terribly sophisticated test, but it'll do since in
most cases there's no reason not to filter out the tags.

http://www.geocities.com/dzzie/sleuth/

--Jeff

Jeff Williams
Aspect Security, Inc.
Securing the Last Mile of the Internet
www.aspectsecurity.com
Jeff.Williams@aspectsecurity.com

----- Original Message -----
From: "Jason binger" <cisspstudy@yahoo.com>
To: <pen-test@securityfocus.com>
Sent: Sunday, August 04, 2002 1:52 AM
Subject: Cross Site Scripting Vulnerabilities - XSS

> Has anyone on the list done much with testing for XSS
> vulnerabilities?
>
> Has anyone written a simple work program to test for
> these vulnerabilities that they are happy to
> distribute so others can do basic testing for these
> vulnerabilities?
>
> There are a few papers out on this topic, but none that I
> have seen that really focus on the testing side of
> things.
>
> Thanks
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
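
The check described in the reply above (put a test tag in each form field, then see whether the response contains it), as an added example that is not part of the original thread and is not websleuth's code. `sample_app` is a constructed stand-in for an application you own; `make_marker`, `classify` and `probe_fields` are hypothetical names chosen for illustration.

```python
import html
import secrets

def make_marker():
    # Inert tag with a random id: renders nothing, but is unique in a response.
    return f"<xsstest{secrets.token_hex(4)}>"

def classify(body, marker):
    """Report how a response body treated the submitted marker tag."""
    if marker in body:
        return "reflected-raw"        # tag came back unfiltered
    if html.escape(marker) in body:
        return "reflected-encoded"    # echoed, but as text (&lt;...&gt;)
    return "not-reflected"

def probe_fields(handler, fields):
    """Submit a fresh marker in one field at a time; other fields get a benign value."""
    results = {}
    for name in fields:
        marker = make_marker()
        form = {f: "test" for f in fields}
        form[name] = marker
        results[name] = classify(handler(form), marker)
    return results

# Constructed sample application: 'q' is echoed raw, 'name' is HTML-encoded,
# and 'email' is never echoed.
def sample_app(form):
    return (f"<p>Results for {form['q']}</p>"
            f"<p>Hello {html.escape(form['name'])}</p>")

if __name__ == "__main__":
    for field, verdict in probe_fields(sample_app, ["q", "name", "email"]).items():
        print(f"{field}: {verdict}")
```

Only a field reported as `reflected-raw` matches the "responses contain the tag" condition from the reply; an encoded echo means the output was escaped before it reached the page.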


