Penetration Testing mailing list archives
Re: XSS frameworks
From: Adriel Desautels <ad_lists () netragard com>
Date: Sat, 11 Oct 2008 23:45:47 -0400
You can test against those sites, but if you do they'll capture any new methods that you're working on. I'd suggest setting up your own website to test against.

Nikhil Wagholikar wrote:

Hi Lister,

Foundstone (a division of McAfee) has built frameworks like Hacme Bank, Hacme Casino, Hacme Travel, Hacme Shipping etc., which are for security professionals, programmers and application developers to understand security issues and flaws in applications and accordingly then design a secured application.

These frameworks include common security issues such as:

1. XSS (which you are looking out for)
2. SQL Injection
3. HTML Injection
4. Funds or cash transfers due to application bugs
5. Weak session management
6. Cookie manipulation
7. Parameter manipulation

and many other security issues.

Link: http://www.foundstone.com/us/resources-free-tools.asp

---
Nikhil Wagholikar
Practice Lead | Security Assessment & Digital Forensics
NII Consulting
Web: http://www.niiconsulting.com/
Security Products: http://www.niiconsulting.com/products.html

On Thu, Oct 9, 2008 at 7:47 PM, <lister () lihim org> wrote:

Not looking to re-invent the wheel, I'm looking for existing availability of XSS code to "gather" and "exploit" XSS tests as part of a pen-test. I'm aware of the following:

* AttackAPI
* W3AF
* XSSDB (the link is not working for some reason), is there a cached version?
* rsnake cheatsheet
* xss me (firefox plugin)

Looking for a framework that I can use/build on. I have my own webservers/cgi available to grab session cookies, etc., but I'd like to see what frameworks already exist. Not so much interested in how to check for XSS, but rather a way to exploit a given XSS vulnerability if I have my own webserver and ability to write scripts to actively take advantage of XSS as part of a pen-test.

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now
www.cenzic.com/landing/trends-report
------------------------------------------------------------------------

--
- - Adriel T. Desautels -
Current thread:
- XSS frameworks lister (Oct 09)
- Re: XSS frameworks natron (Oct 10)
- Re: XSS frameworks Marco Ivaldi (Oct 10)
- Re: XSS frameworks Nikhil Wagholikar (Oct 11)
- Re: XSS frameworks Adriel Desautels (Oct 12)
- Re: XSS frameworks natron (Oct 10)