WebApp Sec mailing list archives

XSS testing & general webapp testing on my hosted apps


From: "arian.evans" <arian.evans () anachronic com>
Date: Fri, 10 Mar 2006 17:29:09 -0600

I have been testing many automated scanning tools again,
and one of the testbeds I use is my own live portal
because it gives *me* the chance to play with encoded XSS
using common software that's live, production, and in the wild.

I will release the results of this data and the synthetic
tests as soon as I get my feet on the ground, but in
the meantime I have one important rule to make:

Please email me notification when you are going to perform
testing against *any* of my hosted applications. (This
will go for any applications hosted by the Paraegis group
on any of our servers). I have a fairly comprehensive IDS
set up and do not appreciate returning from overseas to find
hundreds of megs of XSS-testing alerts filling my mail spool.

I do not have a problem with testing for now (this could
change, in the future, due to bandwidth costs), but *only*
if we have bi-directional dialogue prior to your starting.

Sorry to spam the list, but I was surprised to find several
people testing against my personal site without firing
off even an email requesting permission, and due to IP
netblocks I can only guess at who is doing the testing.

I will release more testing info when I am back on CST,
thanks.

-ae