Hi everyone,
I'm the maintainer of info2www at the moment and have tried to fix the
XSS vulnerability reported here earlier [1] (with lots of help from
Justin Pryzby).
My question is whether anyone knows of an automated tool (similar to
rats or flawfinder) which can check if a web application is vulnerable
to (at least some specific forms of) XSS or not.
I know that rats can check PHP and Perl source code for functions which
can be potentially harmful, but a program which really checks a running
version of a web application and reports whether it's vulnerable would
be nice.
In my case, I would like to know if the patch I applied to info2www
really fixed the XSS problems or not, and if it fixed _all_ problems.
On a related note, I intend to do some auditing of packages (Debian, as
well as non-Debian) myself in the near future.
What is the usual procedure you use when finding security issues and
what do you do first:
Inform the Security Team? Report a bug? Try to find a patch?
Publish the issue on Bugtraq etc?
Apropos Bugtraq: Which mailing lists or other forums, websites etc. do
you use to publish security issues which also affect non-Debian systems?
[1] http://shellcode.org/pipermail/debian-audit/2004-November/000050.html
Thanks in advance, Uwe.
--
Uwe Hermann <uwe@xxxxxxxxxxxxxx>
http://www.hermann-uwe.de | http://www.crazy-hacks.org
http://www.it-services-uh.de | http://www.phpmeat.org
http://www.unmaintained-free-software.org | http://www.holsham-traders.de
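The kind of check the post asks for (a program that exercises a running web application and reports whether a parameter is reflected unencoded) can be sketched in a few dozen lines. The following is an added example, not code from info2www or from the poster; `DEMO_URL` is a hypothetical target, and the three "apps" at the bottom are constructed stand-ins that echo a `file` parameter the way a vulnerable, a half-patched and a properly escaping CGI would, so the script runs offline. Real use would pass `http_fetch` and the real URL instead.

```python
import html
import secrets
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

# Hypothetical target; only used by the offline demo below, not info2www's real URL.
DEMO_URL = "http://localhost/cgi-bin/info2www"


def make_marker() -> str:
    """Random token so that a hit cannot be a coincidence from normal page content."""
    return "x" + secrets.token_hex(4)


def build_payloads(marker: str) -> Dict[str, str]:
    """Harmless probe strings, one per common reflection context.
    Each only 'fires' if the application echoes it back verbatim."""
    return {
        "html_tag": f"<{marker}>",            # breaks out into element context
        "attr_dquote": f'"{marker}="',        # closes a double-quoted attribute
        "attr_squote": f"'{marker}='",        # closes a single-quoted attribute
        "script_text": f"</script>{marker}",  # closes an inline script block
    }


def reflected_unescaped(body: str, payload: str) -> bool:
    """True when the payload appears verbatim.  A response that contains only the
    HTML-escaped form (&lt;...&gt;, &quot;, &#x27;) is treated as safe for that context."""
    return payload in body


def probe(fetch: Callable[[str], str], url: str, param: str,
          extra: Optional[Dict[str, str]] = None) -> List[str]:
    """Send each payload in `param` (other query params from `extra` unchanged)
    and return the names of the contexts that came back unencoded."""
    marker = make_marker()
    findings: List[str] = []
    for ctx, payload in build_payloads(marker).items():
        params = dict(extra or {})
        params[param] = payload
        body = fetch(url + "?" + urllib.parse.urlencode(params))
        if reflected_unescaped(body, payload):
            findings.append(ctx)
    return findings


def http_fetch(url: str, timeout: float = 10.0) -> str:
    """Fetch helper for a real target (not used by the offline demo)."""
    req = urllib.request.Request(url, headers={"User-Agent": "xss-probe/0.1"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# --- constructed stand-ins so the demo runs without a web server -------------
def fake_app(escape: Callable[[str], str]) -> Callable[[str], str]:
    """Stand-in for an info2www-like CGI that echoes the 'file' query parameter
    into text and attribute context via the supplied escaping function."""
    def fetch(url: str) -> str:
        qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        value = qs.get("file", [""])[0]
        return (f"<html><body><h1>Info: {escape(value)}</h1>"
                f'<a href="?file={escape(value)}">link</a></body></html>')
    return fetch


VULNERABLE = fake_app(lambda s: s)                                   # no escaping at all
STRIPS_ANGLE_BRACKETS = fake_app(lambda s: s.replace("<", "").replace(">", ""))
PATCHED = fake_app(lambda s: html.escape(s, quote=True))             # escapes < > & " '


if __name__ == "__main__":
    for name, app in (("vulnerable", VULNERABLE),
                      ("strips <>", STRIPS_ANGLE_BRACKETS),
                      ("html.escape", PATCHED)):
        print(f"{name:12s} reflected unencoded in: {probe(app, DEMO_URL, 'file')}")
```

The half-patched stand-in is the interesting case: removing `<` and `>` makes the element-context probe come back clean while both attribute-context probes still fire, which is exactly the "fixed one XSS, missed another" situation the post worries about. The caveat for the "did it fix _all_ problems" question is that a probe like this only finds reflected XSS in the contexts it knows about; stored XSS, reflections inside JavaScript strings or event handlers, and anything that depends on a filter's particular decoding order need their own payloads, so a clean run is evidence, not proof.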