Cross Site Scripting Scanning ("XSSS")

XSSS Logo XSSS Software

xsss is a brute force cross site scripting scanner

Download v0.40 beta. License: GPL

WTH Wiki Tree Agenda of the lecture "Cross Site Scripting Scanning" @ WTH

The lecture will be divided into three parts:

  1. Introduction to Cross Site Scripting (aka XSS)
  2. Safe coding practices
  3. Scanning for vulnerabilities

The introduction tries to cover all aspects of the problem, starting with its impact, followed by a discussion of the browser's JavaScript security model and browser cookies that are relevant to the problem. This part ends with a live step-by-step session hijacking demonstration.

The second part, "Safe coding practices" targets mostly web developers. I will show typical vulnerable code and talk about perl's taint mode and PHP's functions for sanitizing data. Making session cookies more theft-resistant is also a topic.

Finally, XSS scanning is discussed, illustrated by a live demonstration of a new, free scanning tool which I am releasing at What The Hack. Scan your site before others do it for you!

What The Hack 2005 slides

Download PDF (V3)

Cross Side Scripting (XSS) links

Valid XHTML 1.0 Strict © 2005 Sven Neuhaus
Last update: Thu Mar 16 11:12:30 CET 2006