[Owasp-testing] Article content

Daniel Cuthbert daniel.cuthbert at owasp.org
Thu Oct 12 10:34:09 EDT 2006

Examples are good. Ideally they should give an introduction of what
the tester is testing for, a brief explanation and the actual method
used to test and desired output.
HTML frames allow authors to present documents in multiple views,
which may be independent windows or subwindows. These are commonly
found to be vulnerable, and if the web application allows iframes,
there could be further XSS vulnerabilities present.

Testing for IFRAME vulnerabilities:
Using a proxy, recreate the IFRAME code with the following code:
<IFRAME SRC="javascript:alert('OWASP IFRAME XSS Test');"></IFRAME>

Result Expected:
An alert box with the caption "OWASP IFRAME XSS Test" should appear.


On 12 Oct 2006, at 21:21, Matteo Meucci wrote:

> Yep,
> Eoin is right. We don't need to write down all the theory about a
> particular attack, but just a brief description. The added value of
> this guide is our experience on how to test. Focus on real
> case-studies will be great. IMHO this concept has to be our guideline
> in writing new articles.
> Other feed back?
> Mat
> On 10/12/06, Eoin <eoin.keary at owasp.org> wrote:
>> Guys,
>> when doing these articles can we ensure that the articles are  
>> practical and
>> pragmatic?
>> I.e. Examples of the test discussed and less academic theory.
>> Just that, there are many books out there on the "theory" but what  
>> we need
>> is examples of "how to test"..
>> What do y'all think?
>> --
>> Eoin Keary OWASP - Ireland
>> http://www.owasp.org/local/ireland.html
>>  http://www.owasp.org/index.php/OWASP_Testing_Project
>> http://www.owasp.org/index.php/OWASP_Code_Review_Project
> -- 
> Matteo Meucci
> OWASP-Italy Chair, CISSP, CISA
> site: http://www.owasp.org/index.php/Italy
> mail: matteo.meucci at owasp.org
> ml: http://lists.owasp.org/mailman/listinfo/owasp-italy
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> http://lists.owasp.org/mailman/listinfo/owasp-testing
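A defender-side counterpart to the IFRAME test described in the message above, added here as an example that is not from the original thread or the OWASP guide: a check that flags iframe src values whose scheme is not http(s), including the entity-encoded and whitespace-padded variants a plain string match for "javascript:" would miss. The sample markup is constructed for this example.

```python
import html
import re
from urllib.parse import urlsplit

# Matches <iframe ...> and captures the src value, whether double-quoted,
# single-quoted or unquoted. Tag and attribute names are case-insensitive.
IFRAME_SRC_RE = re.compile(
    r'<iframe\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))', re.I
)

# Allowlist of schemes an embedded frame may load. javascript:, data: and
# vbscript: are rejected simply by not being listed.
ALLOWED_SCHEMES = {"http", "https"}


def normalize_src(raw: str) -> str:
    """Undo the tricks that hide a scheme from naive filters."""
    decoded = html.unescape(raw).strip()   # &#106;avascript: -> javascript:
    return re.sub(r"[\t\r\n]", "", decoded)  # browsers drop tab/CR/LF in URLs


def is_safe_iframe_src(raw: str) -> bool:
    scheme = urlsplit(normalize_src(raw)).scheme.lower()
    if scheme == "":
        return True  # relative URL: resolves against the page's own origin
    return scheme in ALLOWED_SCHEMES


def extract_iframe_srcs(markup: str) -> list[str]:
    return [next(g for g in m.groups() if g is not None)
            for m in IFRAME_SRC_RE.finditer(markup)]


def find_unsafe_iframes(markup: str) -> list[str]:
    """Return the raw src values that would fail the allowlist check."""
    return [src for src in extract_iframe_srcs(markup) if not is_safe_iframe_src(src)]


# Constructed sample: one benign embed, the OWASP test payload from the
# message above, three disguised variants of it, and a relative URL.
SAMPLE_MARKUP = """
<iframe src="https://maps.example.com/embed?q=owasp"></iframe>
<IFRAME SRC="javascript:alert('OWASP IFRAME XSS Test');"></IFRAME>
<iframe src='JaVaScRiPt:alert(1)'></iframe>
<iframe src="&#106;avascript:alert(1)"></iframe>
<iframe src="  java\tscript:alert(1)"></iframe>
<iframe src="/local/help.html"></iframe>
"""

if __name__ == "__main__":
    for src in find_unsafe_iframes(SAMPLE_MARKUP):
        print("unsafe iframe src:", repr(src))
```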