Fugitif
14.03.2009, 12:14
OWASP Scrubbr v1.0 for XSS scanning
Scrubbr is a BSD-licensed database scanning tool that checks numerous database technologies for the presence of possible stored cross-site scripting attacks. The tool was partially inspired by "Scrawlr", a trimmed-down version of HP’s WebInspect which was released for free after the so-called "asprox" mass-SQL injection bot exploited hundreds of thousands of insecure ASP sites.
http://img3.imageshack.us/img3/1149/66081457.jpg
What can Scrubbr do for me?
If you can tell Scrubbr how to access your database, it will search through every field capable of holding strings in the database for malicious code. If you want it to, it will search through every table, every row, and every column. This will be very slow on large enterprise databases, but its very useful to have assurance that there is no malicious data anywhere in the system.
Scrubbr can detect input that doesn't match up with an AntiSamy policy file. There is a subtle difference between "matching an AntiSamy policy" and being "detected as an attack."
There are numerous tools out that *detect* XSS attacks in different contexts better than AntiSamy. The most prominent and peer-reviewed are NoScript (http://noscript.net) and PHPIDS (http://php-ids.org/category/PHPIDS/). However, detection is not strictly what AntiSamy does. AntiSamy checks if rich input that is passed in is allowed according to a policy file.
Chances are that there is some input in your database that looks like rich input how we in the web world think about it, but actually isn't. For example, if someone writes the following in their profile comment:
"Hey, I sure am gonna miss seeing Sarah Palin on TV all the time <g>".
Obviously the user intended the <g> string to express a grin emotion, but that unfortunately looks like rich input, and since AntiSamy uses a whitelist for higher assurance, it will be flagged.
We are always looking to improve our engine, and we are working with the PHPIDS group to possibly invoke their ruleset in order to provide less false positives.
With all of that being said, AntiSamy does an excellent job in most situations and will still detect the vast majority of stored XSS attacks, depending on the injection context.
Download:
http://code.google.com/p/owaspscrubbr/downloads/list
Scrubbr is a BSD-licensed database scanning tool that checks numerous database technologies for the presence of possible stored cross-site scripting attacks. The tool was partially inspired by "Scrawlr", a trimmed-down version of HP’s WebInspect which was released for free after the so-called "asprox" mass-SQL injection bot exploited hundreds of thousands of insecure ASP sites.
http://img3.imageshack.us/img3/1149/66081457.jpg
What can Scrubbr do for me?
If you can tell Scrubbr how to access your database, it will search through every field capable of holding strings in the database for malicious code. If you want it to, it will search through every table, every row, and every column. This will be very slow on large enterprise databases, but its very useful to have assurance that there is no malicious data anywhere in the system.
Scrubbr can detect input that doesn't match up with an AntiSamy policy file. There is a subtle difference between "matching an AntiSamy policy" and being "detected as an attack."
There are numerous tools out that *detect* XSS attacks in different contexts better than AntiSamy. The most prominent and peer-reviewed are NoScript (http://noscript.net) and PHPIDS (http://php-ids.org/category/PHPIDS/). However, detection is not strictly what AntiSamy does. AntiSamy checks if rich input that is passed in is allowed according to a policy file.
Chances are that there is some input in your database that looks like rich input how we in the web world think about it, but actually isn't. For example, if someone writes the following in their profile comment:
"Hey, I sure am gonna miss seeing Sarah Palin on TV all the time <g>".
Obviously the user intended the <g> string to express a grin emotion, but that unfortunately looks like rich input, and since AntiSamy uses a whitelist for higher assurance, it will be flagged.
We are always looking to improve our engine, and we are working with the PHPIDS group to possibly invoke their ruleset in order to provide less false positives.
With all of that being said, AntiSamy does an excellent job in most situations and will still detect the vast majority of stored XSS attacks, depending on the injection context.
Download:
http://code.google.com/p/owaspscrubbr/downloads/list