Posts

Showing posts from April, 2011

Scanners are scanners

When scanning the XSS-Game site http://xss.progphp.com/ with various XSS scanners, I found that most scanners are similar in missing the XSS in the following pages. Apparently, no scanner can detect every XSS. Scanners are limited to their developers' skills and experience in security testing. This post might help scanner developers improve their scan engines, or at least leave these cases to the human analysis part.

1. http://xss.progphp.com/xss12.html
solution: javascript:alert(/XSS/)
Some real-world applications parse our GET/POST requests and put the values into links. It's likely that Scanner XYZ sees javascript:alert(/XSS/) in the link and, because it is not the exact payload it submitted, does not treat it as a finding.

2. http://xss.progphp.com/xss11.html
solution: http://xss.progphp.com/xss11.html?bar=%2522%253E%27%253E%253Cscript%2520%253Ealert%28/XSS/%29%253B%253C%252Fscript%2520%253E%250A
This is a double-encoding XSS, but it's likely that Scanner XYZ focused only on the non-vulnerable parameter 'foo' and missed vulnerable
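Two checks a scanner could add to catch the misses described above, as an added example that is not code from the original post: flag any href/src that resolves to a javascript: URL even when it is not the exact submitted payload, and compare the response against the submitted value after each round of URL-decoding so a double-encoded reflection is not overlooked. The sample responses are constructed, not captured from xss.progphp.com.

```python
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import unquote


def decode_rounds(value: str, max_rounds: int = 3) -> List[str]:
    """Return the value followed by its successive URL-decodings, stopping when stable."""
    rounds = [value]
    for _ in range(max_rounds):
        decoded = unquote(rounds[-1])
        if decoded == rounds[-1]:
            break
        rounds.append(decoded)
    return rounds


class _UrlAttrCollector(HTMLParser):
    """Collect URL-bearing attribute values so script-scheme links can be flagged."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: List[str] = []

    def handle_starttag(self, tag, attrs):
        for name, val in attrs:
            if name in ("href", "src", "action") and val is not None:
                self.urls.append(val)


def script_scheme_urls(body: str) -> List[str]:
    """URLs in the response whose scheme is javascript:, ignoring case and whitespace."""
    parser = _UrlAttrCollector()
    parser.feed(body)
    return [u for u in parser.urls if "".join(u.split()).lower().startswith("javascript:")]


def reflected_after_decoding(body: str, sent: str) -> Optional[int]:
    """Number of decoding rounds after which `sent` appears verbatim in body; None if never."""
    for n, candidate in enumerate(decode_rounds(sent)):
        if candidate in body:
            return n
    return None


# Constructed sample: the app put the submitted value into a link (the xss12 case).
LINK_RESPONSE = '<p>Back to <a href="javascript:alert(/XSS/)">your page</a></p>'
# Constructed sample: `bar` was sent double-encoded and the server decoded it twice
# before echoing it (the xss11 case); the scanner's raw payload never appears as sent.
SENT_BAR = "%2522%253E%27%253E%253Cscript%2520%253Ealert%28/XSS/%29%253B%253C%252Fscript%2520%253E"
DOUBLE_RESPONSE = '<input name="bar" value="">\'><script >alert(/XSS/);</script >">'
```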

Storing both CHECKSUM data and files on the same server

Problem: A lot of people store their application source files and the respective checksum files on the same server. Users will not notice if both the files and the checksum files are changed.

Suggestion:
- Store the checksum files and the downloadable files on separate servers.
- Use a PGP signature.