Re: [W3af-develop] XSS ideas
From: Taras <ox...@ox...> - 2012-06-30 09:43:41
2all, just want to say that now we have passed all our XSS tests.

./test.sh
nose.config: INFO: Ignoring files matching ['^\\.', '^_', '^setup\\.py$']
w3af is officially supported under Python 2.6
test_all (core.data.context.tests.test_context.TestContext) ... passed
test_html_inside_js (core.data.context.tests.test_context.TestContext) ... passed
test_payload (core.data.context.tests.test_context.TestContext) ... passed
test_payload_double_script (core.data.context.tests.test_context.TestContext) ... passed
test_payload_html_inside_comment (core.data.context.tests.test_context.TestContext) ... passed
test_payload_html_inside_script_with_comment (core.data.context.tests.test_context.TestContext) ... passed
test_payload_script_broken_double_close (core.data.context.tests.test_context.TestContext) ... passed
test_payload_script_broken_double_open (core.data.context.tests.test_context.TestContext) ... passed
test_payload_script_single_quote (core.data.context.tests.test_context.TestContext) ... passed
test_payload_text_can_break (core.data.context.tests.test_context.TestContext) ... passed
-----------------------------------------------------------------------------
10 tests run in 0.3 seconds (10 tests passed)

Now time for WAVSEP! :)

On 06/27/2012 11:31 AM, Taras wrote:
> Steve,
>
>> You may wish to look at how both arachni and ZAP handle this problem, as
>> they both now detect 100% of the XSS part of the WAVSEP benchmark.
> I will look at these tools, thanks!
>
>>
>> (I must admit I have some concerns with using REGEX to do the job
>> instead of a real parser for both false positives and false negatives.)
>>
>> Steve
>>
>

--
Taras
http://oxdef.info
GPG: C8D1F510
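Steve's parser-versus-regex point, illustrated with an added example that is not w3af's core.data.context code: a context finder built on Python's real HTML parser classifies where a reflected marker string lands, covering the situations the test names above describe (plain text, attribute value, HTML comment, HTML-looking text inside JavaScript, quoted JS string). The names `find_contexts`, `js_position`, `ReflectionContext` and the marker value are assumptions of this example.

```python
from html.parser import HTMLParser

def js_position(code, marker):
    """'string' if marker sits inside a ' or " JS literal, else 'code' (minimal tracking)."""
    quote, i, end = None, 0, code.index(marker)
    while i < end:
        if quote and code[i] == '\\':
            i += 1                            # skip the escaped character
        elif quote and code[i] == quote:
            quote = None
        elif not quote and code[i] in '\'"':
            quote = code[i]
        i += 1
    return 'string' if quote else 'code'

class ReflectionContext(HTMLParser):
    """Record every context in which `marker` is reflected (added example, not w3af code)."""
    def __init__(self, marker):
        super().__init__(convert_charrefs=True)
        self.marker, self.contexts = marker, []
        self._cdata, self._buf = None, []     # open <script>/<style> element and its body

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is not None and self.marker in value:
                self.contexts.append('attr:%s@%s' % (name, tag))
        if tag in ('script', 'style'):
            self._cdata, self._buf = tag, []

    def handle_endtag(self, tag):
        if tag == self._cdata:                # the whole script body is known only now
            body, self._cdata = ''.join(self._buf), None
            if self.marker in body:
                self.contexts.append('%s:%s' % (tag, js_position(body, self.marker)))

    def handle_data(self, data):
        if self._cdata:
            self._buf.append(data)            # "<div>" inside JS is data, not markup
        elif self.marker in data:
            self.contexts.append('text')

    def handle_comment(self, data):
        if self.marker in data:
            self.contexts.append('comment')

def find_contexts(html, marker):
    parser = ReflectionContext(marker)
    parser.feed(html)
    parser.close()                            # flush trailing data
    return parser.contexts
```

A regex looking for the marker between `<script>` tags or after a bare `<` would misclassify the `"<div>MARKER</div>"` and `<!-- MARKER -->` inside-script cases; the parser's CDATA handling keeps them in the script context.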