[Owasp-leaders] Pentesting: Is there a collection of REs for HTTP response analysis?

Andrew Petukhov petand at lvk.cs.msu.su
Fri Nov 20 11:15:09 EST 2009


Leaders,
does anyone know if there is a database of regular expressions for
testing HTTP responses while doing a pentest?

Let me outline the problem (in a simplistic way):
- a black-box scanner can detect successful XSS by noticing the code it
had injected in subsequent pages;
- a black-box scanner can detect SQLI blindly;
- other possible manifestations of an exploited vulnerability are 5xx
codes and error messages.

I know only about ModSecurity Core Rule Set. It can be used to detect
error messages.

Does anyone know other sources?

Thanks in advance!

Andrew Petukhov,
Moscow State University

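As an added example (my own code, not from the post above and not ModSecurity Core Rule Set rules), a minimal Python response analyser of the kind the post describes: it flags 5xx status codes, a reflected canary marker, and a handful of constructed database and framework error-message signatures. The signature patterns and the sample responses are assumptions written for this example.

```python
import re

# Constructed signature set, modelled on the style of error-message
# rules in the ModSecurity Core Rule Set (these patterns are my own).
ERROR_SIGNATURES = {
    "mysql": re.compile(
        r"You have an error in your SQL syntax|mysql_fetch_(?:array|assoc)\(\)", re.I),
    "mssql": re.compile(
        r"Unclosed quotation mark|Microsoft OLE DB Provider for SQL Server", re.I),
    "oracle": re.compile(r"\bORA-\d{5}\b"),
    "postgres": re.compile(r"PostgreSQL.*ERROR|pg_query\(\)", re.I),
    "php": re.compile(r"<b>(?:Warning|Fatal error)</b>: .* on line \d+", re.I),
    "java_stacktrace": re.compile(r"^\s+at [\w.$]+\([\w.]+:\d+\)", re.M),
}


def analyse_response(status, body, marker=None):
    """Return a list of findings for one HTTP response.

    status: integer HTTP status code
    body:   decoded response body
    marker: the canary string the scanner injected in the request, if any
    """
    findings = []
    # 5xx responses are a generic sign that the request broke something.
    if 500 <= status <= 599:
        findings.append(f"server error status {status}")
    # The injected canary appearing verbatim means the input was reflected
    # without encoding; a scanner would then investigate the context.
    if marker is not None and marker in body:
        findings.append("injected marker reflected unencoded")
    # Verbose error messages leak backend details to the client.
    for name, pattern in ERROR_SIGNATURES.items():
        if pattern.search(body):
            findings.append(f"error message: {name}")
    return findings


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    samples = [
        (200, "<html><body>Welcome</body></html>", None),
        (500, "Internal Server Error", None),
        (200, "You have an error in your SQL syntax; check the manual", None),
        (200, "<p>Search results for: zx9qCANARY</p>", "zx9qCANARY"),
    ]
    for status, body, marker in samples:
        print(status, analyse_response(status, body, marker))
```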
