From: dhurst@spidynamics.com
Sent: Tuesday, November 27, 2001 9:34 AM
To: auto125268@hushmail.com; Mark Curphey
Cc: webappsec@securityfocus.com
Subject: RE: OWASP - WebSleuth - Cross Site Scripting

Mark,

I thought you might find this chunk of code handy. It allows you access to
the PostData when an HTTP Post is made. I got the code from Microsoft a few
months ago and it's come in pretty handy. I just added it to your
wb_BeforeNavigate2 event.

'*
'* Start of code
'*
Private Sub wb_BeforeNavigate2(ByVal pDisp As Object, url As Variant, Flags As Variant, TargetFrameName As Variant, PostData As Variant, Headers As Variant, Cancel As Boolean)
    If mnuEditLink.Checked Then
        If mnuBlockServers.Checked Then
            For i = 0 To UBound(blockServers)
                If LCase(blockServers(i)) Like LCase(url) Then Cancel = True: Exit Sub
            Next
        End If
        'this wont modify link browser requests though :(
        url = frmAnalyze.AnlyzeUrlAndWait(url) & " "
        If url = -1 Then Cancel = True
    End If

    '*
    '* Code added by Dennis Hurst (dhurst@spidynamics.com)
    '*
    'url will contain the URL with parameters
    'PostData has the PostData in a strange format
    'the following will convert it to a string that
    'contains the raw post data
    Dim lLen As Long
    Dim strPostData As String

    lLen = LenB(PostData)                 ' Use LenB to get the byte count
    If lLen > 0 Then                      ' If it's a post form, lLen will be > 0
        For lCount = 1 To lLen - 1
            strPostData = strPostData & Chr(AscB(MidB(PostData, lCount, 1)))   ' Use MidB to get 1 byte at a time
        Next
        Debug.Print strPostData
    End If
End Sub
'*
'* End of code
'*

God Bless & Have a great day,

Dennis Hurst
dhurst@spidynamics.com

-----Original Message-----
From: auto125268@hushmail.com [mailto:auto125268@hushmail.com]
Sent: Tuesday, November 27, 2001 3:16 AM
To: Mark Curphey
Cc: webappsec@securityfocus.com
Subject: Re: OWASP - WebSleuth - Cross Site Scripting

As you already capture the form, you could check for cross site scripting by
automatically sending in a payload to a form field target. How cool would
that be....oh yeah.

And you could have a drop down maybe of the known payload variants like
<script> <img src> etc. That would be the best .....

On Sun, 25 Nov 2001 23:47:46 -0800, Mark Curphey <mark@curphey.com> wrote:

>WebSleuth is an early release of a tool we hope will be part of a suite of
>tools including source code analyzers, that will support the Testing
>Framework being developed at OWASP (http://www.owasp.org) next year.
>WebSleuth allows you to edit HTTP and HTML requests on the fly in real-time.
>It is built to help a user manually understand various security issues of
>his / her system. It is not intended to replace or compete with commercial
>tools, and there is certainly no shiny red-button automating attacks.
>However, it is an investigative learning tool that with some patience and
>knowledge, helps you to find and learn about issues you may have in your web
>applications.
>
>WebSleuth can be downloaded from http://www.owasp.org/resources/tools/.
>Please save us all the bandwidth and only download the installer package if
>you don't have the VB dll's.
>
>The first release implements many features including the ability to test
>and report:
>
>Parameter Manipulation
>-Cookies
>-Form Fields (including hidden)
>-URL Query Strings
>-HTTP Headers (referrer etc)
>
>Informational
>-Comments
>-Meta Tags
>
>Input Validation
>-Cross Site Scripting
>-Client-Side Validation
>
>WebSleuth is open source and is subject to the OWASP Software license. It
>was written in Visual Basic to take advantage of the MS Internet Explorer
>object avoiding the need for a reverse proxy. It currently only runs on
>Win32 and should be seen as proof of concept. The lead developer is David
>Zimmer who can be contacted at dzzie@owasp.org.
>
>A new release this week will automate the testing for cross site scripting
>in any user input to a web application.
>
>As with any open source project, we welcome your ideas, input and
>improvements. For suggestions for features or to participate in developing
>the tool, please email owasp@owasp.org and dzzie@owasp.org or better still
>the webappsec@securityfocus list.
>
>If you are interested in sponsoring the further development of this open
>source project, please contact owasp@owasp.org
>
>Kind regards,
>
>owasp@owasp.org
>
>"Building Blueprints to Secure Web Applications"
>
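The thread describes two pieces that fit together: Dennis's hook that turns the raw PostData bytes of a browser POST into a string, and the suggestion that a tool which already captures the form could submit a payload into each field and look for it in the response. The Python below is an added example, not WebSleuth code and not code from anyone on the thread. It decodes a urlencoded POST body byte-for-byte (the same effect as the VB Chr(AscB(MidB())) loop), re-encodes the form with a benign, non-executable probe string placed in one field at a time, and classifies the server's response as reflecting the probe raw (markup characters survived, which is the XSS risk), encoded (the text came back but '<' and '"' were transformed), or not at all. The field names, the probe string, the sample POST body and the fake_server stand-in for the target page are all constructed for the demonstration and are not from the original message.

```python
"""Form-field reflection check: decode a captured POST body, probe each field,
classify how the response reflects the probe. Added example; all sample data
is constructed."""
from __future__ import annotations

import html
from urllib.parse import parse_qsl, urlencode

# Constructed probe: a harmless marker with one '<' and one '"' so that an
# entity-encoding server visibly changes it. PROBE_CORE is the part that
# survives any encoding, so we can tell "encoded" from "absent".
PROBE_CORE = "wsxss7zq"
PROBE = "<" + PROBE_CORE + '"'

# Constructed sample of what a browser hook would hand over as raw post data.
SAMPLE_POST = b"user=mark&q=hello+world&hidden=1"


def decode_post_data(raw: bytes) -> list[tuple[str, str]]:
    """Decode raw POST bytes one byte per character (latin-1, like Chr(AscB()))
    and split application/x-www-form-urlencoded into (name, value) pairs,
    keeping empty values and field order."""
    text = raw.decode("latin-1")
    return parse_qsl(text, keep_blank_values=True)


def build_probe_body(fields: list[tuple[str, str]], target: str) -> bytes:
    """Re-encode the captured form with the probe in `target` only; every other
    field keeps the value the user originally submitted."""
    probed = [(name, PROBE if name == target else value) for name, value in fields]
    return urlencode(probed).encode("latin-1")


def classify_reflection(response_html: str, probe: str = PROBE) -> str:
    """'raw'     : probe came back verbatim, markup characters intact
       'encoded' : core text is present but the probe was altered (typically
                   entity-encoded; truncation would also land here)
       'absent'  : the field is not reflected in this response at all"""
    if probe in response_html:
        return "raw"
    if PROBE_CORE in response_html:
        return "encoded"
    return "absent"


def probe_each_field(fields: list[tuple[str, str]], send) -> dict[str, str]:
    """Submit the form once per field with the probe in that field and map each
    field name to its reflection verdict. `send` is a callable(body: bytes) -> str
    standing in for the HTTP transport, so this runs offline."""
    return {name: classify_reflection(send(build_probe_body(fields, name)))
            for name, _ in fields}


def fake_server(body: bytes) -> str:
    """Constructed stand-in for a target page: echoes 'user' HTML-encoded (safe),
    echoes 'q' unencoded into an attribute (unsafe), and never reflects 'hidden'."""
    form = dict(decode_post_data(body))
    return ("<p>Hello " + html.escape(form.get("user", ""), quote=True) + "</p>"
            '<input name="q" value="' + form.get("q", "") + '">')


if __name__ == "__main__":
    captured = decode_post_data(SAMPLE_POST)
    print("captured fields:", captured)
    for field, verdict in probe_each_field(captured, fake_server).items():
        print(f"{field:7s} -> {verdict}")
```

Only the field whose probe comes back "raw" needs attention; an "encoded" reflection shows the server applied output encoding, and "absent" means that field never reaches the page. A real tool would replace fake_server with the request the browser object would have sent and would also record where in the page the raw probe landed, since the same unencoded reflection is handled differently inside an attribute, a text node or a script block.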