Taras wrote:
> Hi, Martin!
>
> Thanks for the answer!

Hi, sorry I forgot to answer until now!

> >> I don't know of selenium, but testing for dom-based xss can be done
> >> passively by checking for use (assignments) using any of the following:
> >> window.location, window.top.location, document.URL, document.location,
> >> document.URLUnencoded
>
> Yes, I also thought about simply grepping the response for such patterns.
> But what I want is processing the whole page with all scripts on it and
> finding the real vulnerability. Yes, it is browser behaviour =) Because, as
> you already mentioned, false positives for such a vulnerability are
> possible.
> So we need either a JavaScript engine like Google Chrome V8 or some
> mechanism to use a real web browser like Selenium.
>
> >> The source for that functionality in Webscarab can be viewed at
> >>
> >> http://martin.swende.se/gitweb.cgi?p=webscarab;a=blob;f=src/org/owasp/webscarab/plugin/fragments/Fragments.java;hb=HEAD
> >>
>
> How can I import this code into webscarab?

Rogan imported it from my git repo pretty quickly, so it should be there if
you git it from him:

html: http://dawes.za.net/gitweb.cgi?p=rogan/webscarab/webscarab.git;a=summary

or clone his repo by:

git clone http://dawes.za.net/rogan/webscarab/webscarab.git/

The latest snapshot, if you don't want to git the repo, is located at
http://dawes.za.net/rogan/webscarab/webscarab-current.zip (but I have no
idea if it is updated).

I don't know how it works with the jnlp; supposedly it downloads the latest
source and runs it. If you see a column named Domxss in the summary pane,
it is the correct build.

/Martin

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
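The passive DOM-based XSS check the thread talks about, as an added example that is not part of the original mail and is not WebScarab's Fragments plugin or w3af code. It scans inline scripts in a response for reads of the five sources Martin lists, and additionally records when the same statement writes to a well-known sink (the sink list, the statement splitting and the sample page are assumptions added here). Everything it returns is a candidate only, which is exactly the false-positive problem Taras raises: confirming a finding still needs a real JavaScript engine or browser.

```javascript
// Added example (not WebScarab or w3af code): passive DOM-based XSS
// pre-check over the inline scripts of an HTML response.

// The attacker-influenced sources named in the thread.
const DOM_XSS_SOURCES = [
  "window.location",
  "window.top.location",
  "document.URL",
  "document.location",
  "document.URLUnencoded",
];

// Sinks are an assumption added here; the mail only names sources.
const DOM_XSS_SINKS = [
  ".innerHTML",
  ".outerHTML",
  "document.write(",
  "document.writeln(",
  "eval(",
];

// Pull the bodies of inline <script> blocks out of an HTML response.
function extractInlineScripts(html) {
  const scripts = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    scripts.push(m[1]);
  }
  return scripts;
}

// True when `name` appears as a whole identifier path in `stmt`, so that
// "document.URL" does not also match "document.URLUnencoded".
function mentionsSource(stmt, name) {
  const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp(escaped + "(?![\\w$])").test(stmt);
}

// Split a script into rough statements (on ';' and newlines) and report
// each statement that reads a source. A statement that also contains a
// sink is a stronger candidate, but still not proof: the value may be
// encoded, or the sink may receive something else entirely.
function findDomXssCandidates(scriptText) {
  const findings = [];
  for (const raw of scriptText.split(/[;\n]/)) {
    const stmt = raw.trim();
    if (!stmt) continue;
    const sources = DOM_XSS_SOURCES.filter((s) => mentionsSource(stmt, s));
    if (sources.length === 0) continue;
    const sinks = DOM_XSS_SINKS.filter((s) => stmt.includes(s));
    findings.push({
      statement: stmt,
      sources,
      sinks,
      level: sinks.length > 0 ? "source-to-sink" : "source-read",
    });
  }
  return findings;
}

// Scan a whole HTML response: every inline script, every candidate.
function scanHtml(html) {
  return extractInlineScripts(html).flatMap(findDomXssCandidates);
}

// Constructed sample response (not a real page). The first script is the
// classic vulnerable pattern; the second reads a source but only writes
// textContent, so the passive check must not call it a vulnerability.
const SAMPLE_HTML = `
<html><body>
<p id="where"></p>
<script>
  document.write("<p>You are at " + document.URL + "</p>");
</script>
<script>
  var page = window.location.pathname;
  document.getElementById("where").textContent = page;
</script>
</body></html>`;

for (const f of scanHtml(SAMPLE_HTML)) {
  console.log(f.level + " | " + f.sources.join(",") + " | " + f.statement);
}
```

Run it with node and it prints one source-to-sink line for the document.write statement and one source-read line for the window.location read; the textContent assignment is not reported because the source never appears in that statement. Note the other direction of the same limitation: a source stored in a variable in one statement and written to innerHTML in a later one is only reported as a read, which is why the thread ends up wanting a real browser rather than a grep.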