You can test against those sites, but if you do they'll capture any new
methods that you're working on. I'd suggest setting up your own website
to test against.
Nikhil Wagholikar wrote:
> Hi Lister,
>
> Foundstone (a division of McAfee) has build frameworks like Hacme
> Bank, Hacme Casino, Hacme Travel, Hacme Shipping etc, which are for
> security professionals, programmers and application developers to
> understand security issues and flaws in applications and accordingly
> then design a secured application. These frameworks include common
> security issues such as:
>
> 1. XSS (which you are looking out for)
> 2. SQL Injection
> 3. HTML Injection
> 4. Funds or cash transfers due to application bugs
> 5. Weak session management
> 6. Cookie manipulation
> 7. Parameter manipulation
>
> and many other security issues.
>
> Link: http://www.foundstone.com/us/resources-free-tools.asp
>
> ---
> Nikhil Wagholikar
> Practice Lead | Security Assessment & Digital Forensics
> NII Consulting
> Web: http://www.niiconsulting.com/
> Security Products: http://www.niiconsulting.com/products.html
>
> On Thu, Oct 9, 2008 at 7:47 PM, <lister (at) lihim (dot) org [email concealed]> wrote:
>> Not looking to re-invent the wheel, I'm looking for existing availability
>> of XSS code to "gather" and "exploit" XSS tests as part of a pen-test.
>>
>> I'm aware of the following
>> * AttackAPI
>> * W3AF
>> * XSSDB (the link is not working for some reason), is there a cached version?
>> * rsnake cheatsheet
>> * xss me (firefox plugin)
>>
>> Looking for a framework that I can use/build on, I have my own webservers/cgi available
>> to grab session cookies, etc, but I'd like to see what frameworks already exist.
>>
>> Not so much interested in how to check for XSS, but rather a way to exploit a given
>> XSS vulnerability if I have my own webserver and ability to write scripts to
>> actively take advantage of XSS as part of a pen-test.
>>
>> ------------------------------------------------------------------------
>> This list is sponsored by: Cenzic
>>
>> Security Trends Report from Cenzic
>> Stay Ahead of the Hacker Curve!
>> Get the latest Q2 2008 Trends Report now
>>
>> www.cenzic.com/landing/trends-report
>> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Security Trends Report from Cenzic
> Stay Ahead of the Hacker Curve!
> Get the latest Q2 2008 Trends Report now
>
> www.cenzic.com/landing/trends-report
> ------------------------------------------------------------------------
methods that you're working on. I'd suggest setting up your own website
to test against.
Nikhil Wagholikar wrote:
> Hi Lister,
>
> Foundstone (a division of McAfee) has build frameworks like Hacme
> Bank, Hacme Casino, Hacme Travel, Hacme Shipping etc, which are for
> security professionals, programmers and application developers to
> understand security issues and flaws in applications and accordingly
> then design a secured application. These frameworks include common
> security issues such as:
>
> 1. XSS (which you are looking out for)
> 2. SQL Injection
> 3. HTML Injection
> 4. Funds or cash transfers due to application bugs
> 5. Weak session management
> 6. Cookie manipulation
> 7. Parameter manipulation
>
> and many other security issues.
>
> Link: http://www.foundstone.com/us/resources-free-tools.asp
>
> ---
> Nikhil Wagholikar
> Practice Lead | Security Assessment & Digital Forensics
> NII Consulting
> Web: http://www.niiconsulting.com/
> Security Products: http://www.niiconsulting.com/products.html
>
> On Thu, Oct 9, 2008 at 7:47 PM, <lister (at) lihim (dot) org [email concealed]> wrote:
>> Not looking to re-invent the wheel, I'm looking for existing availability
>> of XSS code to "gather" and "exploit" XSS tests as part of a pen-test.
>>
>> I'm aware of the following
>> * AttackAPI
>> * W3AF
>> * XSSDB (the link is not working for some reason), is there a cached version?
>> * rsnake cheatsheet
>> * xss me (firefox plugin)
>>
>> Looking for a framework that I can use/build on, I have my own webservers/cgi available
>> to grab session cookies, etc, but I'd like to see what frameworks already exist.
>>
>> Not so much interested in how to check for XSS, but rather a way to exploit a given
>> XSS vulnerability if I have my own webserver and ability to write scripts to
>> actively take advantage of XSS as part of a pen-test.
>>
>> ------------------------------------------------------------------------
>> This list is sponsored by: Cenzic
>>
>> Security Trends Report from Cenzic
>> Stay Ahead of the Hacker Curve!
>> Get the latest Q2 2008 Trends Report now
>>
>> www.cenzic.com/landing/trends-report
>> ------------------------------------------------------------------------
>>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Security Trends Report from Cenzic
> Stay Ahead of the Hacker Curve!
> Get the latest Q2 2008 Trends Report now
>
> www.cenzic.com/landing/trends-report
> ------------------------------------------------------------------------
>
--
-
- Adriel T. Desautels
-
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now
www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
[ reply ]