Friday 30 November 2012

Simple Unit Test to detect XSS using FuzzDB and IE automation

Here is an example of a simple Unit Test written in the Write and Execute Unit Tests v1.0.exe tool which will check for XSS on AltoroMutual website

The idea is that when the Red Boxes go Green, the vulnerability is fixed.



The web/IE automationis done using WatiN with detection for popup-windows (i.e. the XSS alert).

The fuzz payloads come from FuzzDB and are used to give the target developer multiple examples of the XSS payloads that he/she needs to mitigate (this is much better then the current practice of only providing one XSS example, which tends to promote the 'fix by making the exploit not work' practice)

Here is the UnitTest Code.