XSS and Fuzzing

I’ve been doing a bit of manual testing on a project that Mario & others are creating. I don’t usually do a lot of XSS because I find it a bit boring doing the same stuff, so I decided to come up with some new vectors which I found cool. The only problem was creating the event handlers etc., because they are obviously protected by PHPIDS, so I decided to write a little fuzzer to save me time 🙂

Fuzzer

At the moment it’s only very basic, but I plan to expand upon it, so stay tuned for updates. Until then, have a look:
Basic fuzzer

New vectors

I thought I’d better save it as a text file in case they execute on any RSS aggregators:
Demo

One Response to “XSS and Fuzzing”

  1. Kishor writes:

    Hi,

    Following is a GM script that aims at testing false +ve/-ves the IDS produces.

    If you create a simple XML instead of a text file and put your vectors inside tag, you should be able to automate your stuff further.

    http://php-ids.org/2007/07/17/ids-test-suite-is-avialable/

    – Kishor