Foundstone (a division of McAfee) has built frameworks like Hacme
Bank, Hacme Casino, Hacme Travel, Hacme Shipping etc., which are for
security professionals, programmers and application developers to
understand security issues and flaws in applications and accordingly
then design a secure application. These frameworks include common
security issues such as:
1. XSS (which you are looking out for)
2. SQL Injection
3. HTML Injection
4. Funds or cash transfers due to application bugs
5. Weak session management
6. Cookie manipulation
7. Parameter manipulation
and many other security issues.
Link: http://www.foundstone.com/us/resources-free-tools.asp
---
Nikhil Wagholikar
Practice Lead | Security Assessment & Digital Forensics
NII Consulting
Web: http://www.niiconsulting.com/
Security Products: http://www.niiconsulting.com/products.html
On Thu, Oct 9, 2008 at 7:47 PM, <lister (at) lihim (dot) org [email concealed]> wrote:
>
> Not looking to re-invent the wheel, I'm looking for existing availability
> of XSS code to "gather" and "exploit" XSS tests as part of a pen-test.
>
> I'm aware of the following
> * AttackAPI
> * W3AF
> * XSSDB (the link is not working for some reason), is there a cached version?
> * rsnake cheatsheet
> * xss me (firefox plugin)
>
> Looking for a framework that I can use/build on, I have my own webservers/cgi available
> to grab session cookies, etc, but I'd like to see what frameworks already exist.
>
> Not so much interested in how to check for XSS, but rather a way to exploit a given
> XSS vulnerability if I have my own webserver and ability to write scripts to
> actively take advantage of XSS as part of a pen-test.
>
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now
www.cenzic.com/landing/trends-report
------------------------------------------------------------------------