Posted to modperl@perl.apache.org by Tatsuhiko Miyagawa <mi...@edge.co.jp> on 2002/08/05 16:47:42 UTC
RFC: HTML::XSSLint
I've made a tiny XSS (Cross Site Scripting) auditing utility and now
it can be downloaded from:
http://bulknews.net/lib/archives/HTML-XSSLint-0.01.tar.gz
Here's the way this module works:
* fetches HTML from a URL
* finds forms in the HTML
* fills the value "<>foobar" into the inputs of each form
* then submits the form and fetches the response
* examines the response HTML and checks whether it contains unescaped HTML chunks
Any suggestions and requests are highly appreciated.
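The five steps above, reimplemented in Python as an added illustration (this is not the module's own code and not Miyagawa's). The HTTP round trip is replaced by a `submit(action, params)` callback so the script runs offline: `unsafe_handler` and `safe_handler` are constructed stand-ins for a server that echoes form values back with and without entity escaping, and `FORM_PAGE` is a constructed sample page. Result fields mirror the `action`, `names`, `vulnerable` and `example` accessors named in the SYNOPSIS; `find_forms`, `is_reflected_unescaped`, `audit` and `PROBE` are names chosen here.

```python
import html
from html.parser import HTMLParser

# The marker value the post describes filling into every form input.
PROBE = "<>foobar"

# Input types that carry no user-supplied text and are skipped.
SKIPPED_TYPES = {"submit", "button", "image", "reset"}


class FormCollector(HTMLParser):
    """Collect each <form> with its action and the names of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "names": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = a.get("name")
            if name and (a.get("type") or "text").lower() not in SKIPPED_TYPES:
                self._current["names"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_forms(document):
    """Return [{'action': ..., 'names': [...]}, ...] for every form in the HTML."""
    collector = FormCollector()
    collector.feed(document)
    return collector.forms


def is_reflected_unescaped(response, probe=PROBE):
    """True if the probe comes back verbatim, i.e. '<' and '>' were not entity-escaped."""
    return probe in response


def audit(document, submit, probe=PROBE):
    """Fill every input of every form with the probe, submit, and inspect the response.

    `submit` stands in for the HTTP round trip: it takes (action, params) and
    returns the response body.  Each result carries the fields named by the
    module's HTML::XSSLint::Result accessors: action, names, vulnerable, example.
    """
    results = []
    for form in find_forms(document):
        params = {name: probe for name in form["names"]}
        body = submit(form["action"], params)
        vulnerable = is_reflected_unescaped(body, probe)
        example = None
        if vulnerable:
            # Keep a little context around the first unescaped occurrence.
            idx = body.find(probe)
            example = body[max(0, idx - 20): idx + len(probe) + 20]
        results.append({"action": form["action"], "names": form["names"],
                        "vulnerable": vulnerable, "example": example})
    return results


# Constructed sample page with two forms (not from the original post).
FORM_PAGE = """<html><body>
<form action="/search" method="get">
  <input type="text" name="q">
  <input type="hidden" name="lang" value="en">
  <input type="submit" value="Go">
</form>
<form action="/comment" method="post">
  <textarea name="body"></textarea>
  <button type="submit">Post</button>
</form>
</body></html>"""


def unsafe_handler(action, params):
    """Hypothetical server that echoes submitted values into the page as-is."""
    echoed = ", ".join(f"{k}={v}" for k, v in params.items())
    return f"<p>{action} received: {echoed}</p>"


def safe_handler(action, params):
    """The same handler with every value entity-escaped before it reaches HTML."""
    echoed = ", ".join(f"{k}={html.escape(v)}" for k, v in params.items())
    return f"<p>{action} received: {echoed}</p>"


if __name__ == "__main__":
    for label, handler in (("unsafe", unsafe_handler), ("safe", safe_handler)):
        for r in audit(FORM_PAGE, handler):
            state = "vulnerable" if r["vulnerable"] else "ok"
            print(label, r["action"], r["names"], state, r["example"])
```

The check is a plain substring test for the probe, which is exactly why the documentation's caveat applies: a page that entity-escapes `<` and `>` passes, while reflections into attribute values, scripts or other contexts that need different escaping are not examined at all, so a clean audit is not proof that the page is XSS-free.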
NAME
HTML::XSSLint - audit XSS vulnerability of web pages
SYNOPSIS
    use HTML::XSSLint;
    my $agent = HTML::XSSLint->new;
    # there may be multiple forms in a single HTML page;
    # if there is no form, @result is empty
    my @result = $agent->audit($url);
    for my $result (grep { $_->vulnerable } @result) {
        my $action  = $result->action;
        my @names   = $result->names;
        my $example = $result->example;
    }
DESCRIPTION
HTML::XSSLint is a subclass of LWP::UserAgent that audits Cross Site
Scripting (XSS) vulnerabilities by generating random input against the HTML
forms in a web page.
Note that the way this module works is not robust, so you cannot conclude
that a web page is XSS-free just because it passes an HTML::XSSLint audit.
This module is a backend for command line utility "xsslint" bundled in
the distribution. See the xsslint manpage for details.
AUTHOR
Tatsuhiko Miyagawa <mi...@bulknews.net>
This library is free software; you can redistribute it and/or modify it
under the same terms as Perl itself.
SEE ALSO
the xsslint manpage, the HTML::XSSLint::Result manpage, the LWP manpage,
the HTML::Form manpage