[WEB SECURITY] WAF XSS Fuzzer?!

Chris Weber chris at casabasecurity.com
Thu Feb 3 12:43:39 EST 2011


x5s tests for encoding issues that lead to XSS by using what could be
qualified as some obfuscation techniques.  It's not doing all of the
obfuscation techniques you'd find in the new book
http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert
/dp/1597496049/.  

 

It's more focused on charset and Unicode such as overlong utf-8, Unicode
characters that normalize and best-fit map to lower range ASCII.  It also
does injects straight up ASCII probes.  We have a new version with much
better approach awaiting some beta testing if you're interested let me know.

 

http://xss.codeplex.com 

 

-CWeber

 

 

 

From: websecurity-bounces at lists.webappsec.org
[mailto:websecurity-bounces at lists.webappsec.org] On Behalf Of Ryan Dewhurst
Sent: Wednesday, February 02, 2011 1:37 PM
To: websecurity at lists.webappsec.org
Subject: [WEB SECURITY] WAF XSS Fuzzer?!

 

Hi list,

I was wondering if such a thing existed and if not, would such a thing be
possible? 

Or does WAF evasion always need some degree of intelligence to produce a
viable payload?

I must admit my WAF evasion knowledge is quite poor. I am awaiting The Web
Application Obfuscation book as a starting point.

Thanks,
Ryan

Ryan Dewhurst

blog www.ethicalhack3r.co.uk
projects www.dvwa.co.uk | www.webwordcount.com
twitter www.twitter.com/ethicalhack3r

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20110203/8252db48/attachment-0003.html>


More information about the websecurity mailing list