Welcome Guest! To enable all features please Login. New Registrations are disabled.



Go to last post Go to first unread
#1 Posted : Friday, May 24, 2013 11:12:05 AM(UTC)

Rank: Sienn Developer


Groups: Administration
Joined: 10/8/2008(UTC)
Posts: 25
Location: Netherlands

Thanks to Ryszard!

There are some words about anti-XSS tools.

XSS - Some theory:

And tools to check if forms and query strings are safe:
TamperIE - integrated with IE simple and old tool: http://www.bayden.com/tamperie/ XSS-Me - Firefox Plugin: http://labs.securitycompass.com/exploit-me/


There are two windows: "TamperIE Control Panel" and "TamperIE Edit Request".
In "Control Panel" we can filter POST, GET, Query string parameters and choose request to test.
With '*' we test all requests.
In "Edit Request" we can manipulate request data: modify existing data, remove and add new one.
There are few predefined values to choose from dropdown to try "standard" XSS attacks.

XSS-Me is comfortable plugin - just open XSS Me Sidebar.
It shows recognized forms with their fields and allow change values or even run all tests against chosen fields.

As long as we use ASP.NET with strong models the ASP.NET infrastructure takes care of proper encoding and validating fields.

We can use that tools to check applications against another kind of attacks.
Their works as "man in the middle". Even authorized user should not get access to data does not belongs to him.
Every action have to check input data against business rules. And use view models adequate to expected results.

Wanna join the discussion?! Login to your Sienn Forum forum account. New Registrations are disabled.

Users browsing this topic
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.