[WEB SECURITY] WAF XSS Fuzzer?!
chris at casabasecurity.com
Thu Feb 3 12:43:39 EST 2011
x5s tests for encoding issues that lead to XSS by using what could be
qualified as some obfuscation techniques. It's not doing all of the
obfuscation techniques you'd find in the new book
It's more focused on charset and Unicode, such as overlong UTF-8 and Unicode
characters that normalize and best-fit map to lower-range ASCII. It also
injects straight-up ASCII probes. We have a new version with a much
better approach awaiting some beta testing; if you're interested, let me know.
From: websecurity-bounces at lists.webappsec.org
[mailto:websecurity-bounces at lists.webappsec.org] On Behalf Of Ryan Dewhurst
Sent: Wednesday, February 02, 2011 1:37 PM
To: websecurity at lists.webappsec.org
Subject: [WEB SECURITY] WAF XSS Fuzzer?!
I was wondering if such a thing existed and if not, would such a thing be
Or does WAF evasion always need some degree of intelligence to produce a
I must admit my WAF evasion knowledge is quite poor. I am awaiting The Web
Application Obfuscation book as a starting point.
projects www.dvwa.co.uk | www.webwordcount.com
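
Added example, not part of the original thread and not x5s code: a defender-side check for two of the encoding classes named in the reply above, overlong UTF-8 and Unicode characters that normalize to sensitive ASCII. The function names, the SENSITIVE set and the sample values are assumptions made for this illustration; best-fit mapping depends on the target code page and is not modelled.

```python
import unicodedata

# ASCII characters that change HTML/JS parsing context (set chosen for this example).
SENSITIVE = set("<>\"'&/")

def find_overlong_utf8(data: bytes):
    """Return (byte_offset, decoded_char) for overlong 2- and 3-byte sequences."""
    hits, i, n = [], 0, len(data)
    while i < n:
        b0 = data[i]
        # C0/C1 lead bytes can only encode code points below 0x80: always overlong.
        if b0 in (0xC0, 0xC1) and i + 1 < n and data[i + 1] & 0xC0 == 0x80:
            hits.append((i, chr(((b0 & 0x1F) << 6) | (data[i + 1] & 0x3F))))
            i += 2
        # E0 followed by 0x80..0x9F encodes a code point below 0x800: overlong.
        elif (b0 == 0xE0 and i + 2 < n and data[i + 1] & 0xE0 == 0x80
              and data[i + 2] & 0xC0 == 0x80):
            hits.append((i, chr(((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F))))
            i += 3
        else:
            i += 1
    return hits

def find_normalizing_chars(text: str, form: str = "NFKC"):
    """Return (index, char, folded) for non-ASCII chars that fold to SENSITIVE ASCII."""
    hits = []
    for idx, ch in enumerate(text):
        if ord(ch) >= 0x80:
            folded = unicodedata.normalize(form, ch)
            if any(c in SENSITIVE for c in folded):
                hits.append((idx, ch, folded))
    return hits

def inspect(raw: bytes):
    """Check the raw bytes first, then the leniently decoded text."""
    text = raw.decode("utf-8", errors="replace")
    return {"overlong": find_overlong_utf8(raw),
            "normalizing": find_normalizing_chars(text)}

if __name__ == "__main__":
    # Constructed sample parameter values, not taken from the thread.
    for sample in (b"name=\xc0\xbcb\xc0\xbe", "q=\uff1cb\uff1e".encode("utf-8"), b"q=plain"):
        print(sample, inspect(sample))
```

Running the byte-level check before any decoding matters because a strict UTF-8 decoder rejects overlong forms, while a lenient or legacy decoder further down the stack may accept them.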