Penetration Testing mailing list archives

Re: XSS frameworks

From: Adriel Desautels <ad_lists () netragard com>
Date: Sat, 11 Oct 2008 23:45:47 -0400

You can test against those sites, but if you do they'll capture any new
methods that you're working on. I'd suggest setting up your own website
to test against.

Nikhil Wagholikar wrote:

Hi Lister,

Foundstone (a division of McAfee) has build frameworks like Hacme
Bank, Hacme Casino, Hacme Travel, Hacme Shipping etc, which are for
security professionals, programmers and application developers to
understand security issues and flaws in applications and accordingly
then design a secured application. These frameworks include common
security issues such as:

1. XSS (which you are looking out for)
2. SQL Injection
3. HTML Injection
4. Funds or cash transfers due to application bugs
5. Weak session management
6. Cookie manipulation
7. Parameter manipulation

and many other security issues.

Link: http://www.foundstone.com/us/resources-free-tools.asp

---
Nikhil Wagholikar
Practice Lead | Security Assessment & Digital Forensics
NII Consulting
Web: http://www.niiconsulting.com/
Security Products: http://www.niiconsulting.com/products.html

On Thu, Oct 9, 2008 at 7:47 PM, <lister () lihim org> wrote:

Not looking to re-invent the wheel, I'm looking for existing  availability
of XSS code to "gather" and "exploit" XSS tests as part of a pen-test.

I'm aware of the following
* AttackAPI
* W3AF
* XSSDB (the link is not working for some reason), is there a cached version?
* rsnake cheatsheet
* xss me (firefox plugin)

Looking for a framework that I can use/build on, I have my own webservers/cgi available
to grab session cookies, etc, but I'd like to see what frameworks already exist.

Not so much interested in how to check for XSS, but rather a way to exploit a given
XSS vulnerability if I have my own webserver and ability to write scripts to
actively take advantage of XSS as part of a pen-test.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------



-- 

-
- Adriel T. Desautels
-


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------

Current thread:

XSS frameworks lister (Oct 09)
- Re: XSS frameworks natron (Oct 10)
  - Re: XSS frameworks Marco Ivaldi (Oct 10)
- Re: XSS frameworks Nikhil Wagholikar (Oct 11)
  - Re: XSS frameworks Adriel Desautels (Oct 12)