Are there cross-platform tools to write XSS attacks directly to the database?

Posted by Joachim Sauer on Stack Overflow See other posts from Stack Overflow or by Joachim Sauer
Published on 2010-03-16T10:19:55Z Indexed on 2010/03/24 9:33 UTC
Read the original article Hit count: 293

Filed under:

xss

|

security-testing

|

tools

I've recently found this blog entry on a tool that writes XSS attacks directly to the database. It looks like a terribly good way to scan an application for weaknesses in my applications.

I've tried to run it on Mono, since my development platform is Linux. Unfortunately it crashes with a System.ArgumentNullException deep inside Microsoft.Practices.EnterpriseLibrary and I seem to be unable to find sufficient information about the software (it seems to be a single-shot project, with no homepage and no further development).

Is anyone aware of a similar tool? Preferably it should be:

cross-platform (Java, Python, .NET/Mono, even cross-platform C is ok)
open source (I really like being able to audit my security tools)
able to talk to a wide range of DB products (the big ones are most important: MySQL, Oracle, SQL Server, ...)

© Stack Overflow or respective owner

Related posts about xss

A way around XSS?

as seen on Stack Overflow - Search for 'Stack Overflow'
In my page I have an script reference to the autoHeight.js file below. I also have an iframe that I want to resize using this code. In firebug I get this error Error: Permission denied for <http://www.siena.edu> to get property HTMLDocument.body from <https://siteframework.siena.edu>… >>> More
XSS filtering function in PHP

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi, Does anyone know of a good function out there for filtering generic input from forms? Zend_Filter_input seems to require prior knowledge of the contents of the input and I'm concerned that using something like HTML Purifier will have a big performance impact. What about something like : http://snipplr… >>> More
Why isn't ValidateRequest="true" enough for XSS prevention?

as seen on Stack Overflow - Search for 'Stack Overflow'
In the notes for Step 1 in the "How To: Prevent Cross-Site Scripting in ASP.NET" it is stated that you should "not rely on ASP.NET request validation. Treat it as an extra precautionary measure in addition to your own input validation." Why isn't it enough? >>> More
Why Google Wave & iGoogle cannot be XSS injected by a widget

as seen on Stack Overflow - Search for 'Stack Overflow'
Hello, If you've used google wave or iGoogle you probabely seen that you can insert widgets that are made by third parties without approval. the Question is : How this widgets can't inject XSS or steal the cookies, Are the widgets loaded in an <iframe> ? if yes, then how they can't redirect… >>> More
How Google Wave cannot be XSS injected by a widget

as seen on Stack Overflow - Search for 'Stack Overflow'
Hello, If you've used google wave you probabely seen that you can insert widgets that are made by third parties without approval. the Question is : How this widgets can't inject XSS or steal the cookies, Are the widgets loaded in an <iframe> ? if yes, then how they can't redirect google wave… >>> More

Related posts about security-testing

Are there cross-platform tools to write XSS attacks directly to the database?

as seen on Stack Overflow - Search for 'Stack Overflow'
I've recently found this blog entry on a tool that writes XSS attacks directly to the database. It looks like a terribly good way to scan an application for weaknesses in my applications. I've tried to run it on Mono, since my development platform is Linux. Unfortunately it crashes with a System… >>> More
Test Your Web Application Using Free Web Apps Security Tools

as seen on Ezine Articles - Search for 'Ezine Articles'
The budget restrictions and time to test are common factor, and this is where a handful of free and open source web application security testing tools proves to be practical. The following are tools that must be in your toolkit or at least on your radar, particularly if you're not able to rationalize… >>> More
Testing HTTP status codes

as seen on Server Fault - Search for 'Server Fault'
I'm running an Apache Tomcat server. Making some security testing I'd noticed than my server is returning a 200 HTTP status code of the default error page when I try to access to a non-existent element instead of return a 404 status code and redirect me to the default error page. I suspect that this… >>> More
What is involved in upgrading from SSL 2.0 to SSL 3.0 in IIS 6?

as seen on Server Fault - Search for 'Server Fault'
I am using a site security testing suite and it says SSL 2.0 has known vulnerabilities and I should change it to SSL 3.0. Will my current certificates still work once I switch to SSL 3.0? How do I make the switch? Is it only in IIS or could I need to change anything on my web application? Thanks >>> More
Is there a tool that can test what SSL/TLS cipher suites a particular website offers?

as seen on Super User - Search for 'Super User'
Is there a tool that can test what SSL/TLS cipher suites a particular website offers? I've tried openssl, but if you examine the output: $ echo -n | openssl s_client -connect www.google.com:443 CONNECTED(00000003) depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA verify error:num=20:unable… >>> More