Comments on: Tag inspector http://www.thespanner.co.uk/2007/11/22/tag-inspector/ A tool for designers dealing with programmers dealing with designers... Thu, 20 Nov 2008 22:23:37 +0000 http://wordpress.org/?v=2.6.2 By: Gareth Heyes http://www.thespanner.co.uk/2007/11/22/tag-inspector/#comment-900 Gareth Heyes Thu, 22 Nov 2007 20:33:56 +0000 http://www.thespanner.co.uk/2007/11/22/tag-inspector/#comment-900 Sorry I should have explained the code a bit more, I was going to use standard DOM functions to insert the code but I thought using a hidden div this way would be faster. I'm currently struggling with inserting external files with src and href and logging the results. Hopefully it will work but Opera's high security model is proving tough work to get around, good work Opera :) Sorry I should have explained the code a bit more, I was going to use standard DOM functions to insert the code but I thought using a hidden div this way would be faster.

I’m currently struggling with inserting external files with src and href and logging the results. Hopefully it will work but Opera’s high security model is proving tough work to get around, good work Opera :)

]]> By: thorin http://www.thespanner.co.uk/2007/11/22/tag-inspector/#comment-899 thorin Thu, 22 Nov 2007 20:26:54 +0000 http://www.thespanner.co.uk/2007/11/22/tag-inspector/#comment-899 Ok perfect, now I'm on the same page. I did have a quick look at the source but I didn't catch the div you're talking about. Ok perfect, now I’m on the same page. I did have a quick look at the source but I didn’t catch the div you’re talking about.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/11/22/tag-inspector/#comment-898 Gareth Heyes Thu, 22 Nov 2007 20:02:09 +0000 http://www.thespanner.co.uk/2007/11/22/tag-inspector/#comment-898 It inspects the tags in a hidden div layer and finds if they have javascript properties for things like src, href etc so the script creates these tags in the browser itself. The goal of the script is not to scan any web site but to simply scan the browser's HTML tags. The script will automatically be able to answer questions like "Does iframe onload work on Safari?" etc It inspects the tags in a hidden div layer and finds if they have javascript properties for things like src, href etc so the script creates these tags in the browser itself.

The goal of the script is not to scan any web site but to simply scan the browser’s HTML tags.

The script will automatically be able to answer questions like “Does iframe onload work on Safari?” etc

]]> By: thorin http://www.thespanner.co.uk/2007/11/22/tag-inspector/#comment-897 thorin Thu, 22 Nov 2007 19:52:36 +0000 http://www.thespanner.co.uk/2007/11/22/tag-inspector/#comment-897 I still don't understand the "target" of the scan (or inspection). Is it just searching the tag namespace (er whatever you wanna call it) of my browser? Or is it just "inspecting" itself, ie: the tagInspector URL. I still don’t understand the “target” of the scan (or inspection). Is it just searching the tag namespace (er whatever you wanna call it) of my browser? Or is it just “inspecting” itself, ie: the tagInspector URL.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/11/22/tag-inspector/#comment-896 Gareth Heyes Thu, 22 Nov 2007 15:14:51 +0000 http://www.thespanner.co.uk/2007/11/22/tag-inspector/#comment-896 The script now also logs Javascript execution, so it will automatically find what XSS is compatible across browsers :D The script now also logs Javascript execution, so it will automatically find what XSS is compatible across browsers :D

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/11/22/tag-inspector/#comment-895 Gareth Heyes Thu, 22 Nov 2007 14:25:05 +0000 http://www.thespanner.co.uk/2007/11/22/tag-inspector/#comment-895 At the moment it's pretty basic but it will look for HTML attributes that allow Javascript execution such as "SRC" and list the ones it finds. The random and mixed modes are unlikely to return results because they are based on randomising tags. For example lets say the inspector finds the tag "image" and then finds it has a attribute "SRC" then it's likely that you've found a new XSS vector. My plan is to automate this further by allowing Javascript execution testing but it's proving tricky because of the different combinations of executing it within a tag. At the moment it’s pretty basic but it will look for HTML attributes that allow Javascript execution such as “SRC” and list the ones it finds. The random and mixed modes are unlikely to return results because they are based on randomising tags.

For example lets say the inspector finds the tag “image” and then finds it has a attribute “SRC” then it’s likely that you’ve found a new XSS vector.

My plan is to automate this further by allowing Javascript execution testing but it’s proving tricky because of the different combinations of executing it within a tag.

]]> By: thorin http://www.thespanner.co.uk/2007/11/22/tag-inspector/#comment-894 thorin Thu, 22 Nov 2007 14:07:00 +0000 http://www.thespanner.co.uk/2007/11/22/tag-inspector/#comment-894 OMG that really came out looking like EngRish :( Please feel free to delete the previous comment. I meant to say: "I think I’m missing something here. What exactly are you “scanning”? There’s no target specification. Also I fired off all 3 options, but random and Mixed return nothing." OMG that really came out looking like EngRish :( Please feel free to delete the previous comment.

I meant to say:
“I think I’m missing something here. What exactly are you “scanning”? There’s no target specification. Also I fired off all 3 options, but random and Mixed return nothing.”

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/11/22/tag-inspector/#comment-892 Gareth Heyes Thu, 22 Nov 2007 13:33:48 +0000 http://www.thespanner.co.uk/2007/11/22/tag-inspector/#comment-892 I've fixed a slight bug, added mixed mode which inserts a random letter before or after a standard tag. Increased the random tag amount to 200. I’ve fixed a slight bug, added mixed mode which inserts a random letter before or after a standard tag. Increased the random tag amount to 200.

]]>