[WEB SECURITY] WAF XSS Fuzzer?!

Andre Gironda andreg at gmail.com
Thu Feb 3 14:07:14 EST 2011


On Thu, Feb 3, 2011 at 10:43 AM, Chris Weber <chris at casabasecurity.com> wrote:
> x5s tests for encoding issues that lead to XSS by using what could be
> qualified as some obfuscation techniques.  It’s not doing all of the
> obfuscation techniques you’d find in the new book
> http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049/.

Any plans to produce a tool (or update an existing one) that has these
techniques?

> It’s more focused on charset and Unicode such as overlong utf-8, Unicode
> characters that normalize and best-fit map to lower range ASCII.  It also
> injects straight up ASCII probes.  We have a new version with a much
> better approach awaiting some beta testing; if you’re interested let me know.

I was definitely thinking the same thing, Chris -- x5s would be ideal
to test WAFs, but perhaps not perfect.

I'd also be curious to test for div overlays/hijacking and base/form
hijacking (and other issues with HTMLi). I will probably get some
opportunity to test everything mentioned on a few WAFs soon. Feel free
to ping me about test cases or tool benchmarking.

So, I'm certainly interested in your beta projects. What's with
webappsec tools these days where the dev versions are significantly
more advanced than the releases? Whoever said that webappsec isn't
innovating obviously isn't involved in webappsec. It's just the stupid
appsec commercial product vendors that aren't innovating!

Cheers,
Andre
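
Added example, not part of the original messages and not x5s code: a defensive input check for two of the encoding classes named in the quoted text, overlong UTF-8 and characters that normalize to ASCII markup. The function names and sample inputs are constructed for illustration; NFKC folding covers normalization only and does not model code-page best-fit tables.

```python
import unicodedata

# ASCII characters that are significant in HTML contexts
MARKUP = set("<>\"'&")

def overlong_offsets(raw):
    """Byte offsets where a non-shortest-form (overlong) UTF-8 sequence starts."""
    hits = []
    for i, b in enumerate(raw):
        nxt = raw[i + 1] if i + 1 < len(raw) else None
        if b in (0xC0, 0xC1):
            hits.append(i)  # 2-byte lead that can only encode U+0000..U+007F
        elif b == 0xE0 and nxt is not None and 0x80 <= nxt <= 0x9F:
            hits.append(i)  # 3-byte form of a code point below U+0800
        elif b == 0xF0 and nxt is not None and 0x80 <= nxt <= 0x8F:
            hits.append(i)  # 4-byte form of a code point below U+10000
    return hits

def folds_to_markup(text):
    """Non-ASCII characters whose NFKC form contains an ASCII markup character."""
    hits = []
    for pos, ch in enumerate(text):
        if ord(ch) < 0x80:
            continue
        folded = unicodedata.normalize("NFKC", ch)
        if MARKUP & set(folded):
            hits.append((pos, "U+%04X" % ord(ch), folded))
    return hits

def inspect(raw):
    """Report both classes for one raw request value."""
    report = {"overlong": overlong_offsets(raw), "folds": [], "decodable": True}
    try:
        text = raw.decode("utf-8")  # the strict decoder rejects overlong forms
    except UnicodeDecodeError:
        report["decodable"] = False
        return report
    report["folds"] = folds_to_markup(text)
    return report

if __name__ == "__main__":
    # Constructed sample values, not captured traffic
    samples = [
        b"name=\xc0\xbcb",          # overlong 2-byte encoding of U+003C
        b"q=\xe0\x80\xbc",          # overlong 3-byte encoding of U+003C
        "a\uff1cb".encode("utf-8"), # FULLWIDTH LESS-THAN SIGN
        "caf\u00e9".encode("utf-8"),
    ]
    for s in samples:
        print(s, inspect(s))
```

The point for a filter or WAF is ordering: reject undecodable input and apply the same normalization the application applies before pattern matching, so the filter and the application see the same characters.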



