WebApp Sec mailing list archives
XSS testing & general webapp testing on my hosted apps
From: "arian.evans" <arian.evans () anachronic com>
Date: Fri, 10 Mar 2006 17:29:09 -0600
I have been testing many automated scanning tools again, and one of the testbeds I use is my own live portal because it gives *me* the chance to play with encoded XSS using common software that's live, production, and in the wild. I will release the results of this data and the synthetic tests as soon as I get my feet on the ground, but in the meantime I have one important rule to make:

Please email me notification when you are going to perform testing against *any* of my hosted applications. (This will go for any applications hosted by the Paraegis group on any of our servers.)

I have a fairly comprehensive IDS setup and do not appreciate returning from overseas to find hundreds of megs of XSS-testing alerts filling my mail spool. I do not have a problem with testing for now (this could change in the future due to bandwidth costs), but *only* if we have bi-directional dialogue prior to your starting.

Sorry to spam the list, but I was surprised to find several people testing against my personal site without firing off even an email requesting permission, and due to IP netblocks I can only guess at who is doing the testing.

I will release more testing info when I am back on CST, thanks.

-ae