[Owasp-antisamy] testing question

Serge Droganov sergei at droganov.ru
Thu Jun 12 15:48:33 EDT 2008


Hello,
I did some tests with several XSS dictionaries. AntiSamy actually
passed all of them well.

OnsiteUrl and malformed HTML problems were found accidentally.

IE comments problem was spotted when I ran AntiSamy with my search bot  
index.

Most of the dictionary examples are RegExp-oriented and AntiSamy is
a new kind of XSS-prevention tool.
So, I guess, search index look-ups are probably the good direction to
look into.

Thank you,
Serge


On Jun 12, 2008, at 11:27 PM, Arshan Dabirsiaghi wrote:

> We have not done any fuzzing. If you have a smart fuzzer and want to  
> throw it at AntiSamy, that'd be really great. No one I know of has  
> done anything similar.
>
> Thanks,
> Arshan
>
> From: owasp-antisamy-bounces at lists.owasp.org on behalf of J Irving
> Sent: Thu 6/12/2008 3:23 PM
> To: owasp-antisamy at lists.owasp.org
> Subject: [Owasp-antisamy] testing question
>
> Hello
>
> I've been poking around the code, and I see there's a set of unit
> tests which runs several known-to-be-bad strings through AntiSamy.
> Have you guys done any fuzzing?
>
> The reason I mention this is that I spotted issue 12 in your tracker,
> and it occurred to me that it would be interesting to find any other
> similar errors or unexpected responses. It seems that the easiest way
> to do this would be to throw lots of random text at it. If someone has
> already done this work (or something similar) please respond.
>
> Thanks.
>
>    cheers, J
> _______________________________________________
> Owasp-antisamy mailing list
> Owasp-antisamy at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
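A mutation-based fuzz harness of the kind J describes (random edits to known-bad strings, watching for exceptions and unexpected output), added here as an illustration; it is not code from the AntiSamy project or from anyone on this thread. It assumes the AntiSamy Java API (`Policy.getInstance`, `AntiSamy.scan`, `CleanResults.getCleanHTML`) and a policy file path on the command line; the seed strings are constructed to mirror the problem classes named in the thread.

```java
import java.util.Random;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
public class AntiSamyFuzz {
    // Constructed seed corpus, one seed per problem class named in the thread.
    static final String[] SEEDS = {
        "<script>alert(1)</script>",               // the classic known-bad string
        "<!--[if IE]><b>ie only</b><![endif]-->",  // IE conditional comment
        "<a href=\"/page?x=1\">onsite</a>",         // relative (onsite) URL
        "<div><p>unclosed <b>tags"                 // malformed HTML
    };
    static final String ALPHABET = "<>/=\"' \t\n!-[]:;()&#x0123456789abcdefIE";
    // Mutation-based fuzzing: 1-4 random insert/delete/replace edits on a seed.
    static String mutate(String seed, Random rnd) {
        StringBuilder sb = new StringBuilder(seed);
        for (int i = 0, n = 1 + rnd.nextInt(4); i < n; i++) {
            int pos = rnd.nextInt(sb.length() + 1), op = rnd.nextInt(3);
            char c = ALPHABET.charAt(rnd.nextInt(ALPHABET.length()));
            if (op == 0 || sb.length() == 0) sb.insert(pos, c);
            else if (op == 1) sb.deleteCharAt(Math.min(pos, sb.length() - 1));
            else sb.setCharAt(Math.min(pos, sb.length() - 1), c);
        }
        return sb.toString();
    }
    // Oracles: null when the input was handled cleanly, otherwise a finding label.
    static String check(AntiSamy as, Policy policy, String input) {
        try {
            CleanResults first = as.scan(input, policy);
            CleanResults second = as.scan(first.getCleanHTML(), policy);
            if (!first.getCleanHTML().equals(second.getCleanHTML()))
                return "NOT IDEMPOTENT";            // re-sanitising output must be a no-op
            if (first.getCleanHTML().toLowerCase().contains("<script"))
                return "SCRIPT SURVIVED";           // crude; refine to the policy in use
            return null;
        } catch (Exception e) {                     // any exception is an unexpected response
            return "EXCEPTION " + e.getClass().getName();
        }
    }
    public static void main(String[] args) throws Exception {
        Policy policy = Policy.getInstance(args[0]); // path to an AntiSamy policy XML
        AntiSamy as = new AntiSamy();
        Random rnd = new Random(42);                  // fixed seed so findings can be replayed
        for (int i = 0; i < 100000; i++) {
            String input = mutate(SEEDS[rnd.nextInt(SEEDS.length)], rnd);
            String finding = check(as, policy, input);
            if (finding != null) System.out.println(finding + ": " + input.replace("\n", "\\n"));
        }
    }
}
```

Each printed finding is a candidate for a new unit test case; the fixed random seed makes a run reproducible.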
