web application security lab

XSSFuzz Released

Well, I am finally doing it, I’m releasing my stupid XSS fuzzer (duly named XSSFuzz). I’ve talked about it, fretted about it, and hated it long enough, and now it’s time to let you see for yourself how crappy it is. Yup, this is just about the worst contribution I’ve ever made to the web application security field, but it does have one valuable purpose. It’s particularly useful for identifying variable width encoding issues - a part of XSS that has not had nearly enough research done. Here’s the XSSFuzz screenshot.

What XSSFuzz is for: It’s for finding new vectors and testing those within the context of multiple encoding methods. One of my least favorite things is to edit, save, alt-tab, F5, alt-tab, repeat. This dramatically speeds up my own testing, so if anyone else is working on this they should find this useful too.

What XSSFuzz is not for: It’s not for anyone who doesn’t really know their way around XSS. It’s not for testing many different chars and enumerating them against each other - sorry, I just didn’t have time to build that. It’s also not for testing encoding methods that don’t support HTML properly (UTF-16 and UTF-7) because those mess up the HTML required to verify the tests in the first place.

There is no manual. If you can’t figure out how the program works you probably shouldn’t use it anyway. It’s really a pretty advanced and pretty difficult-to-use program, but you should be able to figure it out without editing the source code. It is written in Perl for the sake of rapid prototyping, and it is definitely vulnerable to XSS (so don’t throw it on a production machine without securing it somehow). Anyway, download the zip file here and feel free to give me feedback. No promises that I’ll do anything about any feedback I get.
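The variable width encoding problem the fuzzer probes boils down to one question a server can ask before it reflects input: is this byte string well-formed in the charset the page will be served in? In the double-byte charsets named on this site (BIG5, EUC-JP, EUC-KR, GB2312, SHIFT_JIS) a lead byte with no valid trail byte behind it is exactly the kind of input a lenient browser decoder may pair with the following ASCII character. The check below is an added example written for this post, not part of XSSFuzz or its source; the byte ranges are the published ones for each charset (simplified: EUC-JP's 3-byte 0x8F sequences and vendor extensions like cp932/cp949 are not modelled), and the sample inputs are constructed.

```python
"""Well-formedness gate for input reflected into a page served in a
double-byte charset. Added example, not part of XSSFuzz."""

# Inclusive lead/trail byte ranges for the charsets the post names.
# Simplified on purpose: no EUC-JP 0x8F three-byte forms, no cp932/cp949.
DOUBLE_BYTE_RANGES = {
    "shift_jis": {"lead": [(0x81, 0x9F), (0xE0, 0xEF)],
                  "trail": [(0x40, 0x7E), (0x80, 0xFC)]},
    "euc_jp":    {"lead": [(0x8E, 0x8E), (0xA1, 0xFE)],
                  "trail": [(0xA1, 0xFE)]},
    "euc_kr":    {"lead": [(0xA1, 0xFE)], "trail": [(0xA1, 0xFE)]},
    "gb2312":    {"lead": [(0xA1, 0xF7)], "trail": [(0xA1, 0xFE)]},
    "big5":      {"lead": [(0x81, 0xFE)],
                  "trail": [(0x40, 0x7E), (0xA1, 0xFE)]},
}


def _normalize(charset: str) -> str:
    # Accept "Shift-JIS", "SHIFT_JIS", "shift_jis" etc.
    return charset.lower().replace("-", "_")


def _in_ranges(b: int, ranges) -> bool:
    return any(lo <= b <= hi for lo, hi in ranges)


def find_orphan_lead_bytes(raw: bytes, charset: str) -> list:
    """Offsets of lead bytes that are not followed by a valid trail byte
    (or are the last byte of the input). These are the sequences a lenient
    decoder may merge with whatever ASCII byte comes next."""
    spec = DOUBLE_BYTE_RANGES[_normalize(charset)]
    orphans, i, n = [], 0, len(raw)
    while i < n:
        if _in_ranges(raw[i], spec["lead"]):
            if i + 1 >= n or not _in_ranges(raw[i + 1], spec["trail"]):
                orphans.append(i)
                i += 1          # lone lead byte: resynchronise on next byte
            else:
                i += 2          # well-formed pair
        else:
            i += 1              # single-byte character
    return orphans


def decodes_strictly(raw: bytes, charset: str) -> bool:
    """Second opinion from Python's own codec: strict decoding rejects any
    sequence that is not a real character in the charset."""
    try:
        raw.decode(_normalize(charset), errors="strict")
        return True
    except UnicodeDecodeError:
        return False


def safe_to_reflect(raw: bytes, charset: str) -> bool:
    """Gate to apply before echoing `raw` into a page with
    Content-Type: text/html; charset=<charset>. Both checks must pass."""
    return (not find_orphan_lead_bytes(raw, charset)
            and decodes_strictly(raw, charset))


if __name__ == "__main__":
    # Constructed samples: plain ASCII, valid Japanese, and a lone Shift_JIS
    # lead byte (0x9F) sitting directly in front of an attribute-closing quote.
    samples = [
        (b"hello", "shift_jis"),
        ("テスト".encode("shift_jis"), "shift_jis"),
        (b'\x9f"', "shift_jis"),
        (b'\xb0"', "gb2312"),
    ]
    for raw, cs in samples:
        print(cs, raw, "orphans:", find_orphan_lead_bytes(raw, cs),
              "strict:", decodes_strictly(raw, cs),
              "reflect:", safe_to_reflect(raw, cs))
```

The two checks are deliberately independent: the range scan explains *where* the input goes wrong, which is what you want in a log line, while the strict decode catches sequences that are structurally a pair but map to no character. Declaring the charset explicitly in the Content-Type header and rejecting (not repairing) anything that fails the gate removes the ambiguity the fuzzer is built to exploit.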

One Response to “XSSFuzz Released”

  1. ha.ckers.org web application security lab - Archive » Variable Width Encoding Now Safe for US-ASCII and UTF-8 In IE7.0 Says:

    […] The encoding methods that have not been fixed so far (that I can tell using my fuzzer) are BIG5, EUC-JP, EUC-KR, GB2312 and SHIFT_JIS. Of course this is not necessarily a complete list, but it’s the best we’ve got so far with the research I’ve put in (non-security related day job getting in the way of good security research and development again). […]