web application security lab

Grazr using OPML Library For Testing

I found this link today and it looked pretty interesting from an auditing standpoint. Grazr is using an OPML attack library based on the XSS Cheat Sheet. Grazr is a quick online RSS aggregator for webpages. Pretty slick tool, and one that has probably been prone to plenty of the XSS vulnerabilities out there until recently.

But the Grazr team did something smart by attempting to use every attack string on the Cheat Sheet against themselves for regression testing. Slick! I've thought of this before - how can you include all the attacks against every variable passed to the application? It's a tough job, since most applications take lots of different forms of input. In this case Grazr has only one user-facing input - the feed itself - so it's an easy choke point: every payload enters through the same parser and comes out through the same rendering path, which is exactly where you want to check it. Clever way to apply these toolsets, which I've only seen in filter-testing platforms before. It's good to see people taking the time to find out the right way to do these sorts of tests.
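What such a regression harness looks like in practice, as an added example that is not Grazr's code and not from the original post: a short constructed payload list in the style of the Cheat Sheet is wrapped into every attacker-controlled field of an OPML subscription list, pushed through the aggregator's one input, and the rendered HTML is checked by a small oracle for script elements, event-handler attributes and script-scheme URLs. The two renderers (`render_naive`, `render_hardened`), the `XssOracle` class and the payload strings are all assumptions made for this example; when running this for real, the payload list would be the full Cheat Sheet and the renderer would be the real one.

```python
"""Regression harness: feed every attack string through the one user-facing
input (an OPML list) and inspect what the aggregator renders.
Example code, not Grazr's; all names below are assumptions."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
from xml.etree import ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed payload library in the style of the XSS Cheat Sheet (a handful
# of strings for illustration; swap in the full sheet for a real run).
PAYLOADS = [
    "<SCRIPT>alert('XSS')</SCRIPT>",
    "<IMG SRC=\"javascript:alert('XSS');\">",
    "<IMG SRC=JaVaScRiPt:alert('XSS')>",
    "<IMG SRC=\" &#14;  javascript:alert('XSS');\">",
    "\"><SCRIPT>alert(\"XSS\")</SCRIPT>",
    "<BODY ONLOAD=alert('XSS')>",
    "<A HREF=\"jav&#x09;ascript:alert('XSS');\">x</A>",
    "javascript:alert('XSS')",
]

BAD_SCHEMES = {"javascript", "vbscript", "data"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}


def build_opml(payload: str) -> str:
    """Put one attack string into every attacker-controlled OPML field.
    quoteattr()/html.escape() keep the document well-formed XML; the parser
    hands the payload back verbatim, which is what the renderer then sees."""
    attr = quoteattr(payload)
    return (
        '<opml version="1.1">'
        f"<head><title>{html.escape(payload)}</title></head>"
        f"<body><outline text={attr} title={attr} xmlUrl={attr} htmlUrl={attr}/></body>"
        "</opml>"
    )


class XssOracle(HTMLParser):
    """Flags what a sanitizer must never let through in the rendered page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed", "meta", "base"):
            self.findings.append(f"forbidden element <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name}")
            elif name in URL_ATTRS and value:
                # Browsers drop control chars/whitespace inside a scheme, so
                # strip them before looking at it (catches the &#14; trick).
                cleaned = re.sub(r"[\x00-\x20]", "", value).lower()
                if ":" in cleaned and cleaned.split(":", 1)[0] in BAD_SCHEMES:
                    self.findings.append(f"{cleaned.split(':', 1)[0]}: URL in {name}")


def render_naive(opml_doc: str) -> str:
    """Vulnerable renderer: copies parsed OPML fields straight into HTML."""
    root = ET.fromstring(opml_doc)
    out = [f"<h1>{root.findtext('head/title', '')}</h1><ul>"]
    for o in root.iter("outline"):
        out.append(f'<li><a href="{o.get("htmlUrl", "")}">{o.get("text", "")}</a></li>')
    out.append("</ul>")
    return "".join(out)


def safe_url(url: str) -> str:
    """Allow only absolute http(s) URLs; anything else becomes a harmless '#'.
    Control characters are rejected outright rather than stripped."""
    if re.search(r"[\x00-\x20]", url):
        return "#"
    parts = urlsplit(url)
    if parts.scheme.lower() not in {"http", "https"} or not parts.netloc:
        return "#"
    return html.escape(url, quote=True)


def render_hardened(opml_doc: str) -> str:
    """Fixed renderer: HTML-escape text, allowlist URL schemes."""
    root = ET.fromstring(opml_doc)
    out = [f"<h1>{html.escape(root.findtext('head/title', ''))}</h1><ul>"]
    for o in root.iter("outline"):
        out.append(f'<li><a href="{safe_url(o.get("htmlUrl", ""))}">'
                   f'{html.escape(o.get("text", ""))}</a></li>')
    out.append("</ul>")
    return "".join(out)


def run_regression(render) -> dict:
    """Run the whole library through one renderer; {} means it passed."""
    failures = {}
    for payload in PAYLOADS:
        oracle = XssOracle()
        oracle.feed(render(build_opml(payload)))
        oracle.close()
        if oracle.findings:
            failures[payload] = oracle.findings
    return failures


if __name__ == "__main__":
    for name, fn in (("naive", render_naive), ("hardened", render_hardened)):
        bad = run_regression(fn)
        print(f"{name}: {len(bad)} of {len(PAYLOADS)} payloads got through")
```

The oracle is the interesting part: it does not look for the payload string in the output (an escaped copy is harmless), it parses the rendered page the way a browser would and reports only constructs that execute. That is what turns a cheat-sheet list into a repeatable regression test rather than a one-off manual audit.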
