« Watcher: a free web-app security testing and compliance auditing tool | Main | Paper: "Tracking GhostNet: Investigating a Cyber Espionage Network" »

Tool: XSS Rays

"I’ve developed a new XSS scanner tool that’s written in Javascript called XSS Rays for Microsoft. They have given me permission to release the tool as open source which is awesome because it can be used for other open source applications. I recommend you use it as part of the web development process to make sure you’ve filtered XSS correctly on your application.

It works as a bookmarklet and scans any links, paths or forms on the target scanning page (even cross domain). You can add vectors to it quite easily and it includes some of the most common injections I’ve found on sites over the years. I’ve tested it on IE7/IE8 and Firefox but it could work in other browsers."


"The code works by creating connections to the target links/paths using iframes, each iframe is assign a name which is the url to return to on successful execution (the originating url). This allows cross domain links to be checked.

The vectors are stored in a simple object, each vector has the following properties:- input, name, browser, form, url, path (there’s a optional second input). Input is the XSS vector, the string “XSS” is used to replace with a logger or a poc url and is required by all vectors.

Name is just a meaningful name applied to the vector, browser supports ALL|FF|IE and helps to save time when testing specific browser vectors as XSS Rays will only target those versions for the vector." - The Spanner

Read more: http://www.thespanner.co.uk/2009/03/25/xss-rays/


Feed You can follow this conversation by subscribing to the comment feed for this post.

All Comments are Moderated and will be delayed!

Can you please provide me the link trough which I can download the tool!!!

The download link is @ thespanner link above.