Penetration Testing mailing list archives
Re: Cross Site Scripting Vulnerabilities - XSS [was: Fw: OWASP Update]
From: "Alex Lambert" <alambert () webmaster com>
Date: Tue, 6 Aug 2002 10:13:08 -0500
Jason,

Hope this helps. You might want to consider signing up for webappsec if you're into web security. Also, http://www.owasp.org/testing/ has a little more information.

apl

----- Original Message -----
From: "Mark Curphey" <mark () curphey com>
To: <webappsec () securityfocus com>
Sent: Monday, August 05, 2002 10:52 PM
Subject: OWASP Update
Seems like ages since I sent out an OWASP update, and as the list seems pretty quiet these days (with people nursing hangovers from last week's festivities in Vegas no doubt), here goes.

Firstly, we are proud to say we have a few initial sponsors. We have an anonymous donor of unlimited bandwidth and some rack space (Steve, you are a hero) where we will be housing the portal. Secondly, Altova have given all OWASP contributors a copy of their XML tool which supports DocBook, so we can move all documentation to an open format. Lastly, Butterflysecurity.com have donated some hardware for the portal and development resources for the VulnXML application. Very, very much appreciated and will be put to some very good use.

WebScarab - For those that don't know, WebScarab is aiming to be the Nessus of the webappsec world and continues to be the No. 1 priority and the most challenging and rewarding project to date. There is now a GUI, the spider's working, and XSS, SQL injection and session hijacking will be working very soon. Why is it taking so long? Well, apart from the fact it's volunteers, things are being done WELL rather than fast. No cutting corners! WebScarab will be able to be back-ended by an array of databases, for instance MySQL, PostgreSQL or Oracle! You get to choose. This baby will scale outside of a lab! The spider will deal with various MIME types, so it can potentially spider PDF and Flash etc. as well as work with JavaScript. You can always take a look at the code in the CVS. There's even a module sandbox being developed so people can run untrusted checks in the tool without worry of compromise. A big kudos has to go to Ingo Struck, Steve Taylor, Tim Panton, Zed Shaw and Apurv Singh for the work so far. As always, serious Java developers are always welcome and needed. Oh, and did we mention it is open source, Java, free and extensible!

OWASP Portal (replacement for the current www.owasp.org) is underway and will be built on uPortal (www.ja-sig.org) with a Jive channel for a forum. As well as the current content (in a much more efficient and pleasant layout), there will be a customizable news channel where you can select news for technologies you are interested in, and vulnerability alerts where you can again select technologies you care about and see the history of those alerts in your alerts tab. The portal will also host the VulnXML application below.

OWASP Guide to Building Secure Web Applications - was downloaded more than 60,000 times in the first month and continues to see constant downloads. It's now being ported to DocBook format, where various typos etc. will be changed. A complete re-write is then on the cards for version 2 thanks to many new volunteers and great feedback. Web services will be a good-sized portion. That project now has its own SourceForge site, btw.

OWASP WebMaven will be released in the first week of September. WebMaven is an intentionally broken web application written in Perl that you can run on your own Apache web server and investigate web appsec security holes and issues in the safety of your own machines. The first release has a SQL injection bug, an XSS and some other problems, and future releases are likely to support skins, dynamic vulnerabilities, more holes and other cool features. We also hope to integrate it into the HoneyD application at the Honeynet Project. There is a project page at SourceForge, and the page at owasp.org will go up in a few weeks.

Filters had several false starts, but I recently saw a cool design document and know code is very hot on its heels. The OWASP Filters project will create a set of "stackable" rule sets that address various boundary conditions that exist in programs. Each rule set will address a boundary or target environment, specifically allowing certain types of data that should be allowed for each environment. Probably available in Java, PHP and C initially, but to be decided.

VulnXML is moving along nicely but needs to wait till the portal is done before it can really come into its own. We will be building a web-based application to allow people both to report vulnerabilities in the format and to author / QA current checks in the queue with workflow. Anyone will be able to consume the checks, and WebScarab will certainly be right up there in the queue. If you haven't read the vision doc on the site, it's well worth it.

Last but not least is the OWASP Testing Project. David "securitypimp" Endler (don't believe me? check out www.securitypimps.com) is doing a great job of getting people to author all sorts of things for this project. There will be flowcharts of how to logically test things, templates for planning and a whole bunch more cool stuff. I won't steal his thunder, but it's going to be very cool, and drafts are due August 19th if I recall.

As always, we need serious Java developers, a professional graphics person and anyone else with a skill and some spare time, as well as sponsorship etc. The web site www.owasp.org has more details and vision documents for most projects; the corresponding SourceForge page has the code trees etc. And on that note, I owe the pimpadaddy some text!
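As an added illustration of the "stackable rule sets" idea described for the OWASP Filters project (this is example code written for this page, not the Filters project's own code, which the update says is still at the design stage): each rule set guards one boundary with an allow-list of what that environment accepts, and a value is pushed through a stack of them, so output bound for an HTML text context is rejected if it carries markup characters. The rule sets, patterns and sample values are constructed assumptions.

```python
import re
from typing import Callable, List, Tuple

# A rule inspects one value and returns (passed, reason_if_failed).
Rule = Callable[[str], Tuple[bool, str]]


def max_length(limit: int) -> Rule:
    return lambda s: (len(s) <= limit, f"longer than {limit} characters")


def allowed_chars(pattern: str, label: str) -> Rule:
    # Allow-list: the whole value must match the pattern; anything else is rejected.
    rx = re.compile(pattern)
    return lambda s: (rx.fullmatch(s) is not None, f"contains characters outside {label}")


class RuleSet:
    """One boundary: a named set of rules that all have to pass."""

    def __init__(self, name: str, *rules: Rule) -> None:
        self.name = name
        self.rules = rules

    def check(self, value: str) -> List[str]:
        return [f"{self.name}: {reason}" for rule in self.rules
                for passed, reason in [rule(value)] if not passed]


def validate(value: str, *stack: RuleSet) -> List[str]:
    """Run a value through a stack of rule sets; an empty list means every boundary passed."""
    return [violation for rs in stack for violation in rs.check(value)]


# Constructed rule sets (assumptions): a generic base layer plus one layer per target environment.
BASE = RuleSet("base", max_length(64), allowed_chars(r"[\x20-\x7e]*", "printable ASCII"))
HTML_TEXT = RuleSet("html-text", allowed_chars(r"[A-Za-z0-9 .,'!?-]*", "plain text (no markup)"))
USERNAME = RuleSet("username", max_length(16), allowed_chars(r"[a-z][a-z0-9_]*", "lowercase identifier"))


if __name__ == "__main__":
    # Constructed sample values: one clean, one carrying markup, one valid username.
    for sample in ["Alice", "<b>hi</b>", "bob_99"]:
        print(repr(sample), validate(sample, BASE, HTML_TEXT) or "ok")
```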
---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/