XSS and Fuzzing
Friday, 3 August 2007
I’ve been doing a bit of manual testing on a project that Mario & others are creating, I don’t usually do a lot of XSS cause I find it a bit boring doing the same stuff, so I decided to come up with some new vectors which I found cool. The only problem was creating the event handlers etc because they are obviously protected by the phpids, so I decided to write a little fuzzer to save me time 🙂
Fuzzer
At the moment it’s only very basic but I plan to expand upon it, so stay tuned for updates but until then have a look:-
Basic fuzzer
New vectors
I thought I’d better save it as a text file in case they execute on any rss aggregators:-
Demo
No. 1 — August 4th, 2007 at 4:37 am
Hi,
Following is a GM script that aims at testing false +ve/-ves the IDS produces.
If you create a simple XML instead of a text file and put your vectors inside tag, you should be able to automate your stuff further.
http://php-ids.org/2007/07/17/ids-test-suite-is-avialable/
– Kishor