Leon

It seems to me the only true way to test if a site is vulnerable is by entering one of those special characters that should be filtered out (i.e., <>) in a form and seeing whether the field is returned with the special character included. The best explanation regarding CSS vulnerabilities I found is at http://www.jmu.edu/computing/info-security/engineering/issues/cross.shtml.

Merely accepting the character without returning it would not lead to the vulnerability.

Mike

--- leon <[EMAIL PROTECTED]> wrote:
> Hi everyone,
>
> I don't really have much programming skill, (ok, you got me, I have
> none at all) and I was wondering if some of the people on the list
> who understand how to test for Cross Site Scripting could help me.
> I understand what it is but not how to test for it. Does anyone have
> some generic syntax that I could tack on to the end of a url to test
> if it is vulnerable?
> What I mean is www.testsite.com/whatevercomes/yadda/some/blah/etc.
>
> There are a few sites that I have responsibility for that I would
> like to test but I really don't know how (obviously or I would not
> be writing this post :).
> Can anyone share some simple syntax? It does not have to be in-depth
> (as far as stealing cookies or anything like that) all I have to be
> able to do is confirm whether or not the sites are vulnerable.
>
> Thanks again and I hope everyone on the list has a great weekend.
>
> Cheers,
>
> Leon
> Icq 8031369 if anyone ever wants to reach me via chat.
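The check described in the reply above, as an added example that is not part of the original thread: it classifies a saved response from a site you are responsible for as returning the submitted characters unencoded, returning them neutralized, or not returning them at all. The function names, the token and the sample responses are constructed for illustration, and the example goes beyond the `<>` in the message by also covering quote characters.

```python
import html
import re

# Characters a page should encode before echoing user input back.
SPECIALS = "<>\"'"


def make_probe(token):
    """Wrap the special characters in a unique token so the echo can be located."""
    return token + SPECIALS + token


def classify_reflection(token, body):
    """Classify how a response body returned a probe built with make_probe().

    Returns (verdict, raw_chars):
      "absent"      - input was accepted but never returned
      "neutralized" - returned, but every special character was encoded or stripped
      "raw"         - returned with the listed characters unencoded
    """
    pattern = re.escape(token) + r"(.*?)" + re.escape(token)
    echoes = re.findall(pattern, body, flags=re.DOTALL)
    if not echoes:
        return ("absent", [])
    raw = [c for c in SPECIALS if any(c in echo for echo in echoes)]
    return ("raw", raw) if raw else ("neutralized", [])


# Constructed sample responses (not captured from any real site).
TOKEN = "zq7probe9"
PROBE = make_probe(TOKEN)
SAMPLES = {
    "echoed unencoded": "<p>Results for " + PROBE + "</p>",
    "echoed HTML-encoded": "<p>Results for " + html.escape(PROBE) + "</p>",
    "accepted, not returned": "<p>Thank you.</p>",
    "angle brackets stripped only": '<input value="' + TOKEN + "\"'" + TOKEN + '">',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, "->", classify_reflection(TOKEN, body))
```

Only the "raw" verdict corresponds to the field coming back with the special character included; the last sample shows a filter that removes `<>` yet still returns quote characters unencoded inside an attribute.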
