Re: [Xsser-users] discrepancy between XSSme and XSSer
XSSer: Cross Site Scripter
From: psy <ro...@lo...> - 2010-07-18 21:31:41
Hi Jhon, I am sorry but I am travelling, so I haven't a lot of time to respond to emails. Did you see manually whether the injections with XSSme are correct? Maybe it is necessary to re-code XSSer (remember that it is an alpha version, yet). Otherwise, thank you for your report. We can work together to fix it.

Regards,

> Hello all,
> I have tested XSSME 0.4.4 and xsser 0.6a. I have launched both on the same site, and have different results.
>
> XSSME shows the following:
>
> XSS String Test Results
> Srchstr
> *Submitted Form State:*
>
> - phrase: ALL
> - phrase: ANY
> - filterby: BYR
> - filterby: SLR
> - Search: Search
> - domain: ALL
> - cid:
> - orderby:
>
> *Results:*
> DOM was modified by attack string. Field appears to be very vulnerable to XSS String.
> Tested value: <<SCRIPT>document.vulnerable=true;//<</SCRIPT>
> DOM was modified by attack string. Field appears to be very vulnerable to XSS String.
> Tested value: <SCRIPT>document.vulnerable=true;</SCRIPT>
> The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
> Tested value: <SCRIPT <B>document.vulnerable=true;</SCRIPT>
> The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
> Tested value: <<SCRIPT>document.vulnerable=true;//<</SCRIPT>
> The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
> Tested value: <IMG SRC="  javascript:document.vulnerable=true;">
> The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
> Tested value: <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=document.vulnerable=true;>
>
> and more
>
>
> XSSer says no vulnerabilities found.
>
> [*] Final Results:
> ===========================================================================
>
> - Total: 108
> - Failed: 108
> - Sucessfull: 0
>
>
> Command used: XSSer.py -c3 --Cw=4 -u "http://www.go4bangladeshbusiness.com" --user-agent="authorized-testing" --referer="www.[scrubbed].com" --Hex --Str --Une --Dec
>
> Is there a problem with xsser?
>
> Thanks,
> -J
>
> _______________________________________________
> Xsser-users mailing list
> Xss...@li...
> https://lists.sourceforge.net/lists/listinfo/xsser-users
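An added helper for the manual check psy asks for, not part of the thread or of either tool: given a saved response body, it says whether an inert probe came back verbatim, entity-encoded, stripped of its brackets, or not at all, and lists the inputs on which two scanners disagree so a human can settle them from the response itself. The probe string, the response bodies and the per-tool verdicts are constructed for the example.

```python
import html

# Constructed sample responses (not from the thread) imitating a search page
# that echoes the submitted "phrase" value back in four different ways.
PROBE = "<x-probe-7f3a>"  # inert, hypothetical marker: no script, just markup
RESPONSES = {
    "raw":      "<p>Results for <x-probe-7f3a> (0 hits)</p>",
    "encoded":  "<p>Results for &lt;x-probe-7f3a&gt; (0 hits)</p>",
    "stripped": "<p>Results for x-probe-7f3a (0 hits)</p>",
    "absent":   "<p>No results</p>",
}


def classify_reflection(body: str, probe: str) -> str:
    """Describe how the probe came back in an HTML body.

    'raw'      - present byte-for-byte: markup survived, worth a real look
    'encoded'  - only present after entity-decoding: the server escaped it
    'stripped' - the bare name survived but the angle brackets did not
    'absent'   - the input was not reflected at all
    """
    if probe in body:
        return "raw"
    if probe in html.unescape(body):
        return "encoded"
    bare = probe.strip("<>")
    if bare and bare in body:
        return "stripped"
    return "absent"


def disputed_inputs(tool_a: dict, tool_b: dict, bodies: dict, probe: str) -> dict:
    """For inputs where two scanners disagree (as XSSme and XSSer did in the
    thread), return what the response body itself shows for each one.

    tool_a / tool_b: {label: True if the tool flagged it, else False}
    bodies:          {label: saved HTML response for that input}
    """
    verdicts = {}
    for label, body in bodies.items():
        if tool_a.get(label, False) != tool_b.get(label, False):
            verdicts[label] = classify_reflection(body, probe)
    return verdicts


if __name__ == "__main__":
    # Constructed verdicts: tool A flags two inputs, tool B flags none.
    a = {"raw": True, "encoded": True, "stripped": False, "absent": False}
    b = {"raw": False, "encoded": False, "stripped": False, "absent": False}
    for label, verdict in disputed_inputs(a, b, RESPONSES, PROBE).items():
        print(f"{label}: tools disagree, response shows probe {verdict}")
```

Only a 'raw' verdict means the markup reached the page unescaped; an 'encoded' hit is the kind of match a text-only check can report while the browser never interprets it.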