[WEB SECURITY] XSS Question

pdp (architect) pdp.gnucitizen at googlemail.com
Sun Dec 3 22:11:47 EST 2006


Ok, so far there are two types of XSS: persistent and non-persistent.
They subdivide into DOM based XSS, Pure XSS and XSS in external
objects. The Pure XSS can be easily detected because it is all about
your input getting displayed as output. The DOM based XSS issues are
not that trivial to detect because they are related to JavaScript. In
this case JavaScript is responsible to display the input. And finally,
XSS issues in external objects can be trivially detected by checking
what file types are allowed to be embedded. I am not going into XSS
issues inside XML and XPATH. This topic can get quite heavy.

The most accurate way of discovering XSS is to use some kind of
browser emulation software that permute over the application input.
However, although it is better than nothing, this technique is far
from being perfect.

On 11/29/06, jfvanmeter at comcast.net <jfvanmeter at comcast.net> wrote:
> Hello everyone,
>
> I was hoping to gather some feedback on what everyone thinks the  best vulnerability detection mechanism(s) is  to discover XSS issues. I'm looking for any links, faqs, books, tools, and thoughts about that process.
>
> Thank You in advnace
> John
>
> ----------------------------------------------------------------------------
> The Web Security Mailing List:
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>


-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



More information about the websecurity mailing list