[WEB SECURITY] XSS Question

Billy Hoffman Billy.Hoffman at spidynamics.com
Fri Dec 1 16:37:30 EST 2006


It's nice to see Microsoft releasing something more than the stock
blacklisting ASP.NET does. I've actually had a Microsoft PM tell me that
the ValidateRequest page directive has all you need to stop XSS attacks.

Billy Hoffman
--
Lead Researcher, SPI Labs
SPI Dynamics Inc. - http://www.spidynamics.com
Phone:  678-781-4800
Direct:   678-781-4845
-----Original Message-----
From: Sebastien Deleersnyder [mailto:sebastien.deleersnyder at ascure.com] 
Sent: Thursday, November 30, 2006 12:39 PM
To: jfvanmeter at comcast.net; WebSec
Subject: RE: [WEB SECURITY] XSS Question

John,

On the preventive aspect you can also check on the Anti-Cross Site
Scripting Library v1.5
(http://blogs.msdn.com/michael_howard/archive/2006/11/20/anti-cross-site-scripting-library-v1-5-now-available.aspx)
That is, if you use ASP.Net of course.

Anyone already tested this?

Kind regards,

Sebastien
OWASP BE Chapter Lead 

-----Original Message-----
From: jfvanmeter at comcast.net [mailto:jfvanmeter at comcast.net] 
Sent: Wednesday 29 November 2006 14:25
To: WebSec
Subject: [WEB SECURITY] XSS Question

Hello everyone, 

I was hoping to gather some feedback on what everyone thinks the best
vulnerability detection mechanism(s) is to discover XSS issues. I'm
looking for any links, faqs, books, tools, and thoughts about that
process.

Thank you in advance
John

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
