
Tool To Perform Cross-site Scripting Test


McBob


Hello all,

I'm looking for something that will help me with performing a Cross-Site Scripting test on one of my Applications. We had the site scanned and it reported back that a few of the URLs were susceptible to the Microsoft Windows MHTML Cross-Site Scripting vulnerability. I'm pretty sure this is a false positive because it only reported it on 3 URLs that have input boxes, where there are several other pages that have the same input boxes but it didn't indicate an issue with them. Also we've already applied the patch from Microsoft back in April, Vulnerability in MHTML Could Allow Information Disclosure (2503658). But I need to be certain so I need to perform the test manually.

I'm not sure exactly how to manually perform a Cross Site scripting attack and I've looked at Firefox's addon XSS ME, but that doesn't appear to be specific to the MHTML vulnerability. So I'm hoping there is a tool/app or some utility out there that I can use for this test, and possible future tests if it pops up again in the next scan. The App is built off the .NET framework, if that helps.

Thanks,

Bob


  • 11 months later...

check out http://sectools.org/

i personally test my own apps with w3af

http://w3af.sourceforge.net/

it's a RIDICULOUS tool. works with http/https, live session/header modifications, and a plugin system with a huge library of addons.

hope that helps.

If it's the same tool I am thinking of, make sure you change the user agent too though, or sets off all kinds of IDS rules and blocks it.


> If it's the same tool I am thinking of, make sure you change the user agent too though, or sets off all kinds of IDS rules and blocks it.

you can set your UA to whatever you like. use the defaults like ff, chrome, ie... or potentially use it to leverage an attack vector.


> you can set your UA to whatever you like. use the defaults like ff, chrome, ie... or potentially use it to leverage an attack vector.

Yeah, just wanted to mention though, default settings I think show up as w3af on access logs if you don't change it.

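Seen from the defender's side, the point in the last replies can be checked in the web server's access log. The following is an added example, not posted by anyone in the thread: it flags clients whose User-Agent contains `w3af` and, because the thread notes the User-Agent can be changed, also clients with a high share of 4xx responses. The combined log format, the sample lines and the thresholds are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Combined Log Format (assumed): ip ident user [time] "request" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges, made-up paths and UA strings).
SAMPLE_LOG = '''
198.51.100.7 - - [12/Mar/2012:10:01:02 +0000] "GET /search.aspx?q=a HTTP/1.1" 200 5120 "-" "w3af.org"
198.51.100.7 - - [12/Mar/2012:10:01:03 +0000] "GET /admin/ HTTP/1.1" 404 312 "-" "w3af.org"
203.0.113.9 - - [12/Mar/2012:10:05:10 +0000] "GET /backup.zip HTTP/1.1" 404 312 "-" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Firefox/10.0"
203.0.113.9 - - [12/Mar/2012:10:05:11 +0000] "GET /test.aspx HTTP/1.1" 404 312 "-" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Firefox/10.0"
203.0.113.9 - - [12/Mar/2012:10:05:11 +0000] "GET /old/ HTTP/1.1" 404 312 "-" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Firefox/10.0"
203.0.113.9 - - [12/Mar/2012:10:05:12 +0000] "GET /default.aspx HTTP/1.1" 200 8100 "-" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Firefox/10.0"
192.0.2.15 - - [12/Mar/2012:10:07:00 +0000] "GET /default.aspx HTTP/1.1" 200 8100 "-" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Firefox/10.0"
192.0.2.15 - - [12/Mar/2012:10:07:30 +0000] "GET /search.aspx?q=b HTTP/1.1" 200 5200 "-" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Firefox/10.0"
'''


def find_scanners(log_text, ua_marker="w3af", min_requests=4, min_error_ratio=0.5):
    """Return {ip: reason} for clients that look like an automated scanner."""
    stats = defaultdict(lambda: {"total": 0, "errors": 0, "marked": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or not in the assumed format
        s = stats[m["ip"]]
        s["total"] += 1
        s["errors"] += m["status"].startswith("4")
        s["marked"] |= ua_marker.lower() in m["ua"].lower()
    flagged = {}
    for ip, s in stats.items():
        if s["marked"]:
            flagged[ip] = "user-agent"  # tool left its default identifier
        elif s["total"] >= min_requests and s["errors"] / s["total"] >= min_error_ratio:
            flagged[ip] = "error-ratio"  # browser-like UA, scanner-like behaviour
    return flagged


if __name__ == "__main__":
    for ip, reason in find_scanners(SAMPLE_LOG).items():
        print(ip, reason)
```

The User-Agent match only catches a tool left at its defaults; the error-ratio rule is the part that still fires once the header has been changed.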
