From: dhurst@spidynamics.com
Sent: Tuesday, November 27, 2001 9:34 AM
To: auto125268@hushmail.com; Mark Curphey
Cc: webappsec@securityfocus.com
Subject: RE: OWASP - WebSleuth - Cross Site Scripting
Mark,
I thought you might find this chunk of code handy. It allows you access to
the PostData when an HTTP Post is made. I got the code from Microsoft a few
months ago and it's come in pretty handy. I just added it to your
wb_BeforeNavigate2 event.
'*
'* Start of code
'*
Private Sub wb_BeforeNavigate2(ByVal pDisp As Object, url As Variant, Flags
As Variant, TargetFrameName As Variant, PostData As Variant, Headers As
Variant, Cancel As Boolean)
If mnuEditLink.Checked Then
If mnuBlockServers.Checked Then
For i = 0 To UBound(blockServers)
If LCase(blockServers(i)) Like LCase(url) Then Cancel =
True: Exit Sub
Next
End If
'this wont modify link browser requests though :(
url = frmAnalyze.AnlyzeUrlAndWait(url) & " "
If url = -1 Then Cancel = True
End If
'*
'* Code added by Dennis Hurst (dhurst@spidynamics.com)
'*
'url will contain the URL with parameters
'PostData has the PostData in a strange format
'the following will convert it to a string that
'contains the raw post data
Dim lLen As Long
Dim strPostData As String
lLen = LenB(PostData) ' Use LenB to get the byte count
If lLen > 0 Then ' If it's a post form, lLen will be > 0
For lCount = 1 To lLen - 1
strPostData = strPostData & Chr(AscB(MidB(PostData, lCount, 1))) '
Use MidB to get 1 byte at a time
Next
Debug.Print strPostData
End If
End Sub
'*
'* End of code
'*
God Bless & Have a great day,
Dennis Hurst
dhurst@spidynamics.com
-----Original Message-----
From: auto125268@hushmail.com [mailto:auto125268@hushmail.com]
Sent: Tuesday, November 27, 2001 3:16 AM
To: Mark Curphey
Cc: webappsec@securityfocus.com
Subject: Re: OWASP - WebSleuth - Cross Site Scripting
As you already capture the form, you could check for cross site scripting by
automatically sending in a payload to a form field target. How cool woukd
that be....oh yeah. And you could have a drop down maybe of the known
payload variants like <script> <img src> etc
That would be the best .....
On Sun, 25 Nov 2001 23:47:46 -0800, Mark Curphey <mark@curphey.com> wrote:
>WebSleuth is an early release of a tool we hope will be part of a suite of
>tools including source code analyzers, that will support the Testing
>Framework being developed at OWASP (http://www.owasp.org) next year.
>WebSleuth allows you to edit HTTP and HTML requests on the fly in
real-time.
>It is built to help a user manually understand various security issues of
>his / her system. It is not intended to replace or compete with commercial
>tools, and there is certainly no shiny red-button automating attacks.
>However it is an investigative learning tool that with some patience and
>knowledge, helps you to find and learn about issues you may have in your
web
>applications.
>
>WebSleuth can be downloaded from http://www.owasp.org/resources/tools/.
>Please save us all the bandwidth and only download the installer package if
>you don't have the VB dll's.
>
>The first releases implements many features including the ability to test
>and report:
>
>Parameter Manipulation
>-Cookies
>-Form Fields (including hidden)
>-URL Query Strings
>-HTTP Headers (referrer etc)
>
>Informational
>-Comments
>-Meta Tags
>
>Input Validation
>-Cross Site Scripting
>-Client-Side Validation
>
>WebSleuth is open source and is subject to the OWASP Software license. It
>was written in Visual Basic to take advantage of the MS Internet Explorer
>object avoiding the need for a reverse proxy. It currently only runs on
>Win32 and should be seen as proof of concept. The lead developer is David
>Zimmer who can be contacted at dzzie@owasp.org.
>
>A new release this week will automate the testing for cross site scripting
>in any user input to a web application.
>
>As with any open source projects, we welcome your ideas, input and
>improvements. Suggestions for features or to participate in developing the
>tool, please email owasp@owasp.org and dzzie@owasp.org or better still the
>webappsec@securityfocus list.
>
>If you are interested in sponsoring the further development of this open
>source project, please contact owasp@owasp.org
>
>Kind regards,
>
>owasp@owasp.org
>
>"Building Blueprints to Secure Web Applications"
>
>