Check out websleuth -- it takes a little work, but it can do what you want.
The technique is pretty simple -- send a few test tags into each form field
and then see if the responses contain the tag. If so, it's vulnerable. Not a
terribly sophisticated test, but it'll do since in most cases there's no
reason not to filter out the tags.

http://www.geocities.com/dzzie/sleuth/

--Jeff

Jeff Williams
Aspect Security, Inc.
Securing the Last Mile of the Internet
www.aspectsecurity.com
Jeff.Williamsat_private

----- Original Message -----
From: "Jason binger" <cisspstudyat_private>
To: <pen-testat_private>
Sent: Sunday, August 04, 2002 1:52 AM
Subject: Cross Site Scripting Vulnerabilities - XSS

> Has anyone on the list done much with testing for XSS
> vulnerabilities?
>
> Has anyone written a simple work program to test for
> these vulnerabilities that they are happy to
> distribute so others can do basic testing for these
> vulnerabilities?
>
> There are a few papers out on this topic, but none that I
> have seen that really focus on the testing side of
> things.
>
> Thanks
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
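
The check described in the reply above (send a test tag into each form field, then see whether the response contains it), as an added example that is not part of the original message and is not websleuth's code. The handlers, field names and marker are constructed stand-ins for a real form; the example goes one step past a substring match by parsing the response, so a field that HTML-encodes the tag is told apart from one that echoes it back as markup.

```python
from html import escape
from html.parser import HTMLParser

MARKER = "xsstest7f3a"   # constructed, inert tag name used as the test tag
PROBE = f"<{MARKER}>"

class MarkerFinder(HTMLParser):
    """Records how the test tag appears once the response is parsed as HTML."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.as_element = False  # tag survived as real markup: nothing filtered it
        self.as_text = False     # tag shows up only as inert text: it was encoded

    def handle_starttag(self, tag, attrs):
        if tag == MARKER:
            self.as_element = True

    def handle_data(self, data):
        # Entities are already decoded here, so "&lt;...&gt;" matches PROBE.
        if PROBE in data:
            self.as_text = True

def classify(body):
    """Return 'unfiltered', 'encoded' or 'absent' for one response body."""
    finder = MarkerFinder()
    finder.feed(body)
    finder.close()
    if finder.as_element:
        return "unfiltered"
    return "encoded" if finder.as_text else "absent"

# Constructed handlers standing in for three form fields of an application.
def render_search(q):       # echoes the value with no filtering
    return f"<html><body><p>Results for {q}</p></body></html>"

def render_comment(text):   # HTML-encodes the value before echoing it
    return f"<html><body><p>{escape(text)}</p></body></html>"

def render_login(user):     # never echoes the value
    return "<html><body><p>Login failed</p></body></html>"

FIELDS = {"q": render_search, "comment": render_comment, "user": render_login}

def scan(fields):
    """Submit the test tag to every field and classify each response."""
    return {name: classify(handler(PROBE)) for name, handler in fields.items()}

if __name__ == "__main__":
    for name, verdict in scan(FIELDS).items():
        print(f"{name:8} {verdict}")
```

Only reflection into element content is covered; a value echoed inside an attribute or a script block needs its own context-specific check.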
This archive was generated by hypermail 2b30 : Tue Aug 06 2002 - 10:58:46 PDT