[Owasp-o2-platform] Help with setting up XSS Tests

dinis cruz dinis.cruz at owasp.org
Mon Sep 20 08:15:06 EDT 2010


At the OWASP AppSec USA conference I met with Ferruh from the NetSparker Black
Box <http://www.mavitunasecurity.com/> tool, who agreed to become an O2
Silver Subscriber <http://www.o2-platform.com/wiki/O2_Subscriptions> (for
more details on the revised O2 Subscription model see this
presentation <http://s3.amazonaws.com/O2_MiscFiles/O2%20%20-%20Commercial%20Services%20%28AppSec%20DC%29.pdf>)

Part of the deal was that NetSparker is going to open source a large number
of their 'vulnerable by design' test pages/scripts which they currently use
to develop and test each new release of
NetSparker <http://www.mavitunasecurity.com/> (also part of the deal is
the creation of an O2 'NetSparker version', which
will be a customized version of O2 for NetSparker users (both free and
paid-for versions))

This is very exciting since it really will allow us to jumpstart the O2
BlackBox UnitTest Rule Pack and help new users to get a better feel for how
O2 could be used (in addition to creating a base-level test environment for
the O2 integration with other BlackBox tools)

I just uploaded the first batch of test cases to
http://s3.amazonaws.com/O2_MiscFiles/XSSTB.rar (which cover a wide number of
XSS variations) and I was looking for help in setting this up and coding the
Unit Tests.

In that file you will find 127 test cases written in PHP. The next steps
are:

   - write the scripts to set-up and decommission a server to host these
   (either IIS or Apache)
   - write an O2 Unit test for each one (so we can run them natively in O2)
   - create an 'O2 to Netsparker' API so that we can also run the O2
   UnitTests using Netsparker's engine (I'm going to focus on this)

I'm CCing Ferruh so that he can share more details on their current set-up

Dinis Cruz