From: dhurst@spidynamics.com
Sent: Tuesday, November 27, 2001 9:34 AM
To: auto125268@hushmail.com; Mark Curphey
Cc: webappsec@securityfocus.com
Subject: RE: OWASP - WebSleuth - Cross Site Scripting

Mark,

I thought you might find this chunk of code handy.  It allows you access to
the PostData when an HTTP Post is made.  I got the code from Microsoft a few
months ago and it's come in pretty handy.  I just added it to your
wb_BeforeNavigate2 event.

'*
'* Start of code
'*
Private Sub wb_BeforeNavigate2(ByVal pDisp As Object, url As Variant, Flags
As Variant, TargetFrameName As Variant, PostData As Variant, Headers As
Variant, Cancel As Boolean)
    If mnuEditLink.Checked Then
        If mnuBlockServers.Checked Then
            For i = 0 To UBound(blockServers)
                If LCase(blockServers(i)) Like LCase(url) Then Cancel =
True: Exit Sub
            Next
        End If
        'this wont modify link browser requests though :(
        url = frmAnalyze.AnlyzeUrlAndWait(url) & " "
        If url = -1 Then Cancel = True
    End If

    '*
    '* Code added by Dennis Hurst (dhurst@spidynamics.com)
    '*

    'url will contain the URL with parameters
    'PostData has the PostData in a strange format
    'the following will convert it to a string that
    'contains the raw post data


    Dim lLen As Long
    Dim strPostData As String

    lLen = LenB(PostData) ' Use LenB to get the byte count

    If lLen > 0 Then      ' If it's a post form, lLen will be > 0
      For lCount = 1 To lLen - 1
          strPostData = strPostData & Chr(AscB(MidB(PostData, lCount, 1))) '
Use MidB to get 1 byte at a time
      Next
      Debug.Print strPostData
    End If


End Sub



'*
'* End of code
'*

God Bless & Have a great day,

Dennis Hurst
dhurst@spidynamics.com


-----Original Message-----
From: auto125268@hushmail.com [mailto:auto125268@hushmail.com]
Sent: Tuesday, November 27, 2001 3:16 AM
To: Mark Curphey
Cc: webappsec@securityfocus.com
Subject: Re: OWASP - WebSleuth - Cross Site Scripting



As you already capture the form, you could check for cross site scripting by
automatically sending in a payload to a form field target. How cool woukd
that be....oh yeah. And you could have a drop down maybe of the known
payload variants like <script> <img src> etc

That would be the best .....

On Sun, 25 Nov 2001 23:47:46 -0800, Mark Curphey <mark@curphey.com> wrote:
>WebSleuth is an early release of a tool we hope will be part of a suite of
>tools including source code analyzers, that will support the Testing
>Framework being developed at OWASP (http://www.owasp.org) next year.
>WebSleuth allows you to edit HTTP and HTML requests on the fly in
real-time.
>It is built to help a user manually understand various security issues of
>his / her system. It is not intended to replace or compete with commercial
>tools, and there is certainly no shiny red-button automating attacks.
>However it is an investigative learning tool that with some patience and
>knowledge, helps you to find and learn about issues you may have in your
web
>applications.
>
>WebSleuth can be downloaded from http://www.owasp.org/resources/tools/.
>Please save us all the bandwidth and only download the installer package if
>you don't have the VB dll's.
>
>The first releases implements many features including the ability to test
>and report:
>
>Parameter Manipulation
>-Cookies
>-Form Fields (including hidden)
>-URL Query Strings
>-HTTP Headers (referrer etc)
>
>Informational
>-Comments
>-Meta Tags
>
>Input Validation
>-Cross Site Scripting
>-Client-Side Validation
>
>WebSleuth is open source and is subject to the OWASP Software license. It
>was written in Visual Basic to take advantage of the MS Internet Explorer
>object avoiding the need for a reverse proxy. It currently only runs on
>Win32 and should be seen as proof of concept. The lead developer is David
>Zimmer who can be contacted at dzzie@owasp.org.
>
>A new release this week will automate the testing for cross site scripting
>in any user input to a web application.
>
>As with any open source projects, we welcome your ideas, input and
>improvements. Suggestions for features or to participate in developing the
>tool, please email owasp@owasp.org and dzzie@owasp.org or better still the
>webappsec@securityfocus list.
>
>If you are interested in sponsoring the further development of this open
>source project, please contact owasp@owasp.org
>
>Kind regards,
>
>owasp@owasp.org
>
>"Building Blueprints to Secure Web Applications"
>
>