http://www.gnucitizen.org/blog/xssdb-elite http://www.gnucitizen.org/xssdb
XSSDB is an advanced application that uses the latest Web 2.0 engineering practices to build a full-featured cross-site scripting database. I would like to call the new version XSSDB Elite, since it is lighter, smaller, better and a lot more featureful.

XSSDB started as a simple interface to RSnake's Cross-site Scripting Cheat Sheet, which is still one of the most accurate resources for cross-site scripting attacks to date. This status, however, may change. Soon after I published the first version of XSSDB, I realized that we need to give the power back to the community in order to keep up with the latest cross-site scripting attack vectors. At that time RSnake was the only one handling changes to his cheat sheet, which is why updates were coming rather slowly. There were (and still are) tons of attack vectors that were not properly documented. The cheat sheet, although the best available, was just not enough. How do you expect developers to come up with good enough anti-XSS solutions when there is no single entry point covering the vast topic of cross-site scripting attacks? There was a problem and no one was around to handle it.

I was planning to integrate a simple database backend into XSSDB based on WordPress. However, due to resource limitations, I had to leave the project for later. Meanwhile, another organization, XSSED.com, took the initiative to collect cross-site scripting holes found in real websites. IMHO the idea was interesting but not very well implemented. The purpose of XSSED.com should have been to protect website owners by providing an early warning system. This is the reason why I targeted this website in particular in my research on hacking Web 2.0 services/applications (Advanced Web Hacking Revealed), presented at OWASP, Italy 2007.

During the conference, I discussed how attackers can use Dapper in combination with Yahoo Pipes to dynamically fetch entries from XSSED.com and exploit the affected sites. An XSS worm that implements similar functionality has the potential to propagate across the entire Web. Obviously, this is quite dangerous.

After OWASP, I promised myself to come back and work on XSSDB to provide the best possible community-driven XSS database service. I was planning to use all my skills and knowledge in client-side hacking to implement this system. The main goal was to keep the database decentralized so that no one is in charge. This is how XSSDB Elite was born.

The current version of XSSDB is entirely client-side (i.e. it is a mashup). The database is handled by Zoho Creator, and anyone who is willing to become a maintainer/moderator is welcome to drop us an email. At the moment XSSDB allows you to add new XSS exploits and site-specific exploits. The GNUCITIZEN group is currently working on the warning system, which will be implemented soon. The database is backed up on a regular basis by several aggregators, which include Securls.com, Google Reader and FeedBurner. We encourage users to subscribe to both XSSDB feeds so the community can recover if the database fails at some point in the future.

So, this is it. XSSDB is a pretty good proof of concept that shows what can be achieved with minimal effort and a good understanding of Web 2.0 engineering. Drop us an email or leave a comment on the post to tell us what you think.

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org

_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
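The post leans on the two RSS feeds as the database's backup, and a client-side mashup that rebuilds the database from them has to treat every entry as hostile data: the entries are XSS payloads, and some will be contributed by strangers. As an added example, not code from XSSDB or GNUCITIZEN, the following Node-compatible JavaScript parses two constructed RSS feeds, merges them by GUID so duplicates returned by different aggregators collapse, and renders the result with HTML escaping and link-scheme filtering so the vectors are displayed without being executed. The feed contents, GUIDs, hostnames and function names are all assumptions made for the example.

```javascript
// Added example (not XSSDB's or GNUCITIZEN's code): rebuild an XSS vector
// database from its RSS backup feeds and display the entries as inert text.
// Feed contents, GUIDs, links and hostnames below are constructed for this
// example; the function names are this example's own.

// Two constructed feeds, as two aggregators might return them. They share
// the item "xssdb-2", so the merge has a duplicate to collapse. The last
// item in FEED_B carries a javascript: link, as a hostile submission would.
const FEED_A = `<?xml version="1.0"?>
<rss version="2.0"><channel><title>xssdb feed A (constructed)</title>
<item><guid>xssdb-1</guid><title>img onerror</title>
<link>http://example.invalid/xssdb/1</link>
<description><![CDATA[<img src=x onerror=alert(1)>]]></description></item>
<item><guid>xssdb-2</guid><title>script tag</title>
<link>http://example.invalid/xssdb/2</link>
<description>&lt;script&gt;alert(document.cookie)&lt;/script&gt;</description></item>
</channel></rss>`;

const FEED_B = `<?xml version="1.0"?>
<rss version="2.0"><channel><title>xssdb feed B (constructed)</title>
<item><guid>xssdb-2</guid><title>script tag</title>
<link>http://example.invalid/xssdb/2</link>
<description>&lt;script&gt;alert(document.cookie)&lt;/script&gt;</description></item>
<item><guid>xssdb-3</guid><title>svg onload</title>
<link>javascript:alert(1)</link>
<description><![CDATA[<svg onload=alert(1)>]]></description></item>
</channel></rss>`;

// Undo the entity encoding RSS applies to element text. "&amp;" goes last
// so an encoded "&amp;lt;" is not turned into "<" by a second pass.
function decodeEntities(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
          .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
          .replace(/&amp;/g, '&');
}

// Extract one child element's text from an <item>, honouring CDATA.
function field(item, tag) {
  const m = item.match(new RegExp(`<${tag}>([\\s\\S]*?)</${tag}>`));
  if (!m) return '';
  const raw = m[1].trim();
  const cdata = raw.match(/^<!\[CDATA\[([\s\S]*?)\]\]>$/);
  return cdata ? cdata[1] : decodeEntities(raw);
}

// Parse the <item> elements of an RSS 2.0 feed into plain records.
function parseRssItems(xml) {
  const items = [];
  const re = /<item>([\s\S]*?)<\/item>/g;
  let m;
  while ((m = re.exec(xml)) !== null) {
    items.push({
      guid: field(m[1], 'guid'),
      title: field(m[1], 'title'),
      link: field(m[1], 'link'),
      vector: field(m[1], 'description'),
    });
  }
  return items;
}

// Merge any number of feeds, keeping the first record seen for each GUID.
function mergeFeeds(...xmlFeeds) {
  const byGuid = new Map();
  for (const xml of xmlFeeds) {
    for (const item of parseRssItems(xml)) {
      if (!byGuid.has(item.guid)) byGuid.set(item.guid, item);
    }
  }
  return [...byGuid.values()];
}

// Rendering side: the vectors are live payloads, so they reach the page
// only as escaped text, and a link is only kept if its scheme is http(s).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

function safeHref(url) {
  return /^https?:\/\//i.test(url) ? escapeHtml(url) : '#';
}

function renderTable(entries) {
  const rows = entries.map(e =>
    `<tr><td><a href="${safeHref(e.link)}">${escapeHtml(e.title)}</a></td>` +
    `<td><code>${escapeHtml(e.vector)}</code></td></tr>`);
  return `<table>${rows.join('')}</table>`;
}

// Stand-alone run: recover the database from both feeds and print the table.
const recovered = mergeFeeds(FEED_A, FEED_B);
console.log(`${recovered.length} unique vectors recovered`);
console.log(renderTable(recovered));
```

The same shape serves the warning system the post promises: an aggregator feed of site-specific entries is parsed the same way, and whatever the mashup puts into the page from it goes through `escapeHtml` and `safeHref` first. In a browser the table string can be assigned to `innerHTML` only because every feed-controlled value has been escaped; assigning a raw `description` would turn the database viewer into the one site every vector in it is guaranteed to work on.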