Re: Cross Site Scripting Vulnerabilities - XSS [was: Fw: OWASP Update]

["Alex Lambert" <alambert () webmaster com>]

Jason,

Hope this helps. You might want to consider signing up for webappsec if
you're into web security. Also, http://www.owasp.org/testing/ has a little
more information.



apl
----- Original Message -----
From: "Mark Curphey" <mark () curphey com>
To: <webappsec () securityfocus com>
Sent: Monday, August 05, 2002 10:52 PM
Subject: OWASP Update


> Seems like ages since I sent out an OWASP update and
> as the list seems pretty quiet these days (with
> people nursing hangovers from last weeks festivities
> in Vegas no doubt) so here goes.
>
> Firstly we are proud to say we have a few initial
> sponsors. We have an anonymous donor of unlimited
> bandwidth and some rack space (Steve you are a hero)
> where we will be housing the portal. Secondly Altova
> have given all OWASP contributors a copy of their
> XML tool which supports DocBook so we can move all
> documentation to an open format. Lastly
> Butterflysecurity.com have donated some hardware for
> the portal and development resources for the VulnXML
> application. Very very much appreciated and will be
> put to some very good use.
>
> WebScarab - For those that don't know WebScarab is
> aiming to be the Nessus of the webappsec world and
> continues to be the No 1 priority and the most
> challenging and rewarding project to date. There is
> now a GUI, the spiders working and XSS, SQL
> injection and session hijacking will be working very
> soon. Why is it taking so long ? Well apart from the
> fact its volunteers, things are being done WELL
> rather than fast. No cutting corners ! WebScarab
> will be able to be back-ended by an array of
> databases for instance like MySQL, PostGress or
> Oracle ! You get to choose. This baby will scale
> outside of a lab! The spider will deal with various
> MIME types so can potentially spider pdf and flash
> etc as well as work with JavaScript. You can always
> take a look at the code in the CVS. Theres even a
> module sandbox being developed so people can run
> untrusted checks in the tool without worry of
> compromise. A big kudos has to go to Ingo Struck,
> Steve Taylor, Tim Panton, Zed Shaw and Apurv Singh
> for the work so far. As always serious Java
> developers are always welcome and needed. Oh and did
> we mentioned it is open source, Java, free and
> extensible !
>
> OWASP Portal (replacement for the current
> www.owasp.org) is underway and will be built on
> UPortal (www.ja-sig.org) with a Jive channel for a
> forum. As well as the current content (in a much
> more efficient and pleasant layout) there will be a
> customizable news channel where you can select news
> for technologies you are interested in and
> vulnerability alerts where you can again select
> technologies you care about and see the history of
> those alerts in your alerts tab. The portal will
> also host the VulnXML application below.
>
> OWASP Guide to Building Secure Web Applications -
> was downloaded more 60,000 times in the first month
> and continues to see copnstant downloads. Its now
> being ported to DocBook format where various typos
> etc will be changed. A complete re-write is then on
> the cards for version 2 thanks to many new
> volunteers and great freedback. WebServices will be
> a good sized portion. That project now has its own
> Sourceforge site btw.
>
> OWASP WebMaven will be released in the first week of
> September. WebMaven is an intentionally broken web
> application written in Perl you can run on your own
> Apache web server and investigate web appsec
> security holes and issues in the safetly of your own
> machines. The first release has a SQL injection bug,
> a XSS and some other problems, and the future
> releases are likely to support skins, dynamic
> vulnerabilities, more holes and other cool features.
> We also hope to integrate it into the HoneyD
> application at the HoneyNet Project. There is a
> project page at Sourceforge and the page at
> owasp.org will go up in a few weeks.
>
> Filters had several false starts but I recently saw
> a cool design document and know code is very hot on
> its heels. The OWASP filters project will create a
> set of "stackable" rule sets that address various
> boundary conditions that exist in programs. Each
> rule set will address a boundary or target
> environment, specifically allowing certain types of
> data that should be allowed for each environment.
> Probably available in Java, PHP and C initially but
> to be decided.
>
> VulnXML is moving along nicely but needs to wait til
> the portal is done before it can really come into
> its own. We will be building a web based application
> to allow people to both report vulnerabilites in the
> format and to author / QA current checks in the
> queue with work flow.  Anyone will be able to
> consume the checks and WebScarab will be certainly
> right up there in the queue. If you havent read the
> vision doc on the site its well worth it.
>
> A last but not least is the OWASP Testing Project.
> David "securitypimp" Endler (don't belive me check
> out www.securitypimps.com) is doing a great job of
> getting people to author all sorts of things for
> this project. There will be flowcharts of how to
> logically test things, templates for planning and a
> whole bunch more cool stuff.  I won't steal his
> thunder but its going to be very cool and drafts due
> in August 19th if I recall.
>
> As always we always need serious Java developers, a
> profesional graphics person and anyone else with a
> skill and some spare time as well as sposnsorship
> etc. The web site www.owasp.org has more details and
> vision documents for most projects, the
> corresponding Sourceforge page has the code trees etc
>
> And on that note I owe the pimpadaddy some text !


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/