[WEB SECURITY] XSS testing & general webapp testing on my hosted apps

arian.evans arian.evans at anachronic.com
Fri Mar 10 18:29:09 EST 2006

I have been testing many automated scanning tools again,
and one of the testbeds I use is my own live portal
because it gives *me* the chance to play with encoded XSS
using common software that's live, production, and in the wild.

I will release the results of this data and the synthetic
tests as soon as I get my feet on the ground, but in
the meantime I have one important rule to make:

Please email me notification when you are going to perform
testing against *any* of my hosted applications. (This
will go for any applications hosted by the Paraegis group
on any of our servers). I have a fairly comprehensive IDS
setup and do not appreciate returning from overseas to find
hundreds of megs of XSS-testing alerts filling my mail spool.

I do not have a problem with testing for now (this could
change in the future due to bandwidth costs), but *only*
if we have bi-directional dialogue prior to your starting.

Sorry to spam the list, but I was surprised to find several
people testing against my personal site without firing
off even an email requesting permission, and due to IP
netblocks I can only guess at who is doing the testing.

I will release more testing info when I am back on CST,
