
XSS Testing Greasemonkey Script

Whiteacid built a pretty remarkable XSS Greasemonkey assistant script. It’s got a few kinks left to work out, as we’ve been discussing, but on the whole this feels like it could be the right approach to by-hand penetration testing for XSS vulnerability assessment. I still think something like this should be built into Burp Suite, but Whiteacid’s approach is pretty slick.

After installation and going to Tools->Greasemonkey->User Script Commands->Start XSS Forms you see an icon that looks like this:

When clicked, that button lets you run all the commands in the XSS cheatsheet XML file against all form elements. It’s an interesting tool that helps diagnose some of the problems out there. It’s really no substitute for doing it the old-fashioned way, but it’s a nice crutch when you’re in a hurry.

One Response to “XSS Testing Greasemonkey Script”

  1. Apnovi Says:

    If you haven't yet bolted this on to your Firefox, then you're missing out.
    Nice one!
