- WIKI page with technical details and the script's source code: http://www.o2platform.com/wiki/O2_Script/UnitTest_Twitter_XSS_Vuln_in_ManageDomains.cs
- YouTube Video that shows this script in action: http://www.youtube.com/watch?v=DpDiGpzaVw0
Actions executed by this UnitTest:
- Open a new instance of IE in a separate window
- Check if there is a logged-in user (and if so, log out)
- Log in with a test account
- Go to dev.twitter.com
- Add a random application
- Ask the user to solve the Captcha
- Go to the "Manage Domains" page
- Assert that the encoded payload does NOT exist on the current page
- Submit a couple of payloads
- Assert that the encoded payload DOES exist on the page
- Close IE after 2 seconds
The developers can also use these UnitTests to make sure their fix is working, and add them as regression tests to be executed before any major code push (for regression tests one should also run the entire FuzzDB XSS list on the affected field). Note the Green result of the UnitTest (if the Asserts had failed, we would have had a Red result).
The objective for the O2 Power User is to be able to create these complex web workflows during a security engagement (using O2's powerful Browser Automation APIs and the dynamic, semi-real-time 'O2 Script Development Environment').
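As an added illustration of the two Asserts in the list above and of the regression idea in the previous paragraph, the following stand-alone Python is example code written for this page; it is not the O2 script's C# and does not use O2's Browser Automation API. It models the affected field with a constructed vulnerable renderer and a constructed fixed renderer, runs a short payload list against both (the list is a constructed stand-in for the FuzzDB XSS entries, not the real list), and mirrors the "absent before submission, then inspect after submission" sequence so that a stale entry from an earlier run cannot produce a false positive. Where the page's UnitTest drives IE and looks for one encoded form, this check reads the response markup directly and distinguishes a verbatim reflection from an HTML-escaped one.

```python
import html

# Constructed stand-ins for entries of the FuzzDB XSS list (assumption, not the real list).
XSS_PAYLOADS = [
    '"><script>alert(1)</script>',
    "<img src=x onerror=alert(1)>",
    "javascript:alert(1)",  # no HTML metacharacters: output encoding cannot change it
]


def render_domains_vulnerable(domains):
    """Constructed model of the flawed page: the domain value is dropped into
    the markup verbatim, so any markup inside it becomes part of the DOM."""
    items = "".join("<li>%s</li>" % d for d in domains)
    return "<html><body><ul>%s</ul></body></html>" % items


def render_domains_fixed(domains):
    """Same constructed page with HTML output encoding applied to the value."""
    items = "".join("<li>%s</li>" % html.escape(d, quote=True) for d in domains)
    return "<html><body><ul>%s</ul></body></html>" % items


def reflection_status(page_html, payload):
    """How the payload shows up in the response:
    'raw'       verbatim, metacharacters intact (candidate XSS)
    'encoded'   only the HTML-escaped form is present (the encoding held)
    'ambiguous' present, but the payload has nothing to escape, so a string
                match alone cannot judge it (needs a context-aware check)
    'absent'    not reflected at all
    """
    escaped = html.escape(payload, quote=True)
    if escaped == payload:
        return "ambiguous" if payload in page_html else "absent"
    if payload in page_html:
        return "raw"
    if escaped in page_html:
        return "encoded"
    return "absent"


def check_field(render, existing_domains, payload):
    """Mirror the UnitTest's two Asserts for one payload: it must be absent
    before submission (otherwise a leftover from an earlier run would give a
    false positive), then we classify how it comes back after submission."""
    before = reflection_status(render(existing_domains), payload)
    if before != "absent":
        raise AssertionError("payload already present before submission: %r" % payload)
    after = reflection_status(render(existing_domains + [payload]), payload)
    return after


def run_regression(render, payloads=XSS_PAYLOADS):
    """Run the whole list against the field; returns payload -> status."""
    return {p: check_field(render, ["example.com"], p) for p in payloads}


def raw_reflections(render, payloads=XSS_PAYLOADS):
    """The payloads a developer's regression run should treat as failures (Red)."""
    return [p for p, status in run_regression(render, payloads).items() if status == "raw"]


if __name__ == "__main__":
    for name, render in (("vulnerable", render_domains_vulnerable), ("fixed", render_domains_fixed)):
        print(name, run_regression(render))
```

The 'ambiguous' status is the caveat worth keeping when the full FuzzDB list is run: payloads such as `javascript:` URLs carry no characters that HTML encoding touches, so whether they are dangerous depends on the sink (an href versus a text node), and a string-match oracle should report them for manual review rather than count them as either pass or fail.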