Saturday, January 12, 2008

XSS Framework?

So you don't consider yourself to be XSS savvy, but you would really like to do some free testing? Well, look no further; there just might be a solution. Introducing the XSSDB by GNUCitizen.

The XSSDB (I'm assuming) is heading in the same direction as the Metasploit Project, however, solely based on Cross-Site Scripting checks.

A couple of the nice[r] features (IMHO) of the database:

  • Ability to perform both GET and POST-based XSS
  • Ability to add or submit your own vulnerability checks to the DB.

So how could this be improved? Personally, while I do have several methods of testing for XSS, I would find it invaluable to have an offline solution where I could test applications that are not connected to the internet. GNU? Perhaps some type of offline solution with an update capability?

The solution does take a bit of getting used to (for example, if you aren't terribly familiar with how GET, POST and parameters work in web applications), but overall... a very nice solution.