XSS Vulnerability Scanner
While looking at Jaimie Sirovich’s site, I “found” an interesting link to an XSS vulnerability scanner he’s building. I don’t think it’s public yet, and I don’t know exactly how it works, but it appears to only work in Internet Explorer at the moment and only checks form submissions as possible injection points. Still, pretty interesting. For instance, if you input:
http://www.internic.net/whois.html
You end up seeing, “UH OH; pontentially viable injection on: http://www.internic.net/whois.html; form 1” pointing to the actual injection point. Pretty cool! It’s probably a hell of a liability to have a scanner on your site, so I don’t know how long this will be there, but it’s still interesting for some lightweight pen-testing.



August 25th, 2006 at 2:04 pm
Um… It keeps saying that my code is invalid. I have tried 20 times.
August 26th, 2006 at 4:09 am
Sounds like a great thing to have for your own site, but if you’ve got the option to check other sites outside of your domain, then any site (i.e. PayPal) can be checked and then exploited!! Good idea in theory, but maybe not so good in practice.
August 26th, 2006 at 9:39 am
Dude, try in Internet Explorer, I haven’t been able to get it working in Firefox myself… not sure what the problem is nor do I really care to investigate, but switching to Internet Explorer seemed to do the trick.
August 26th, 2006 at 11:39 am
It worked fine in Firefox 1.5.0.6 for me.
August 27th, 2006 at 10:27 am
Ah, thank you. It works perfectly in Internet Explorer.
Now I will post more at this website.
June 1st, 2007 at 8:33 am
I have made my own in Python; it used HTTP response and “source” searching to determine if it’s a potential XSS. Let me know what you think.
http://darkcode.ath.cx/scanners/XSSscan.py