Cross-Site Scripting (XSS) (http://en.wikipedia.org/wiki/Cross-site_scripting) is a vulnerability that lets an attacker inject script into a web page that other users view.
http://www.acunetix.com/cross-site-scripting/scanner.htm - Acunetix Scanner - free XSS scanner, does not allow saving reports
http://kallahar.com/smallprojects/php_xss_filter_function. - RemoveXSS PHP function that seems to solve the problem.
Running the Acunetix scanner against http://chesstst.eecs.berkeley.edu/pubs/search/ found plenty of problems.
I tried modifying php/pubs/pubs.php so that it called the PHP htmlentities() function:
$keywords = htmlentities(getREQUESTValue('keywords'));
However, that did not work.
What did work was adding RemoveXSS() to php/include/utils.inc.php and then modifying pubs.php:
$keywords = RemoveXSS(getREQUESTValue('keywords'));
Rerunning the scanner showed no vulnerabilities.
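Added example (not from the CHESS site's code) of the same reflected-search pattern, showing the vulnerable echo beside a context-aware fix. The point a practitioner should take away is that output encoding has to match where the value lands: htmlspecialchars()/htmlentities() protects HTML text and double-quoted attribute values, but not an unquoted attribute or a <script> block, and a blacklist filter such as RemoveXSS() is harder to reason about than encoding at each output point. getREQUESTValue() is stubbed here as an assumption, since its real definition is not on this page.

```php
<?php
// Added example, not the CHESS site's code. getREQUESTValue() is the helper
// named on this page; its body is an ASSUMPTION so the file runs stand-alone.
function getREQUESTValue(string $name): string {
    return isset($_REQUEST[$name]) ? (string) $_REQUEST[$name] : '';
}

// Encoder for HTML text and for double-quoted attribute values.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Encoder for a value placed inside <script>: emit it as a JSON literal with
// < > & ' " hex-escaped so "</script>" in the input cannot close the block.
function js(string $s): string {
    $enc = json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_INVALID_UTF8_SUBSTITUTE
    );
    return $enc === false ? '""' : $enc;
}

$keywords = getREQUESTValue('keywords');

// VULNERABLE (kept as comments so this file is safe to run):
//   echo "<input type=text value=$keywords>";
//   ?keywords=<script>alert(1)</script> executes on reflection.
//
// STILL VULNERABLE even after entity encoding, because the attribute is unquoted:
//   echo "<input type=text value=" . h($keywords) . ">";
//   ?keywords=x onmouseover=alert(1) contains no < > " or ' and so is passed
//   through unchanged, yielding <input type=text value=x onmouseover=alert(1)>.

// HARDENED: quoted attributes, and an encoder chosen per output context.
?>
<form method="get" action="">
  <input type="text" name="keywords" value="<?= h($keywords) ?>">
  <input type="submit" value="Search">
</form>
<p>Results for <b><?= h($keywords) ?></b></p>
<script>
  // The value reaches JavaScript only as a JSON string literal, never by
  // raw concatenation into source text.
  var keywords = <?= js($keywords) ?>;
  document.title = "Search: " + keywords;
</script>
```

Run it as any PHP page and request it with ?keywords=x onmouseover=alert(1) and ?keywords=</script><script>alert(1)</script>: both render inert, whereas the commented-out lines would execute the first payload even with entity encoding applied.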
Any page that has a form (text field, checkbox, radio button, etc.) or that acts on values passed in the URL is at risk.
Pages that were OK:
http://chesstst.eecs.berkeley.edu/search/ - found not vulnerable to XSS with Acunetix
http://chesstst.eecs.berkeley.edu/ptolemy/wiki/ - Ptolemy wiki, uses PmWiki (http://www.pmwiki.org/) - partially checked with Acunetix, no problems
Offhand, these publicly accessible pages have forms:
http://chesstst.eecs.berkeley.edu/pubs/search/ - found vulnerable with Acunetix, fixed with the simple fix above, but what about other values passed in URLs?
http://chesstst.eecs.berkeley.edu/people/directory/ - found vulnerable with Acunetix
http://chess.eecs.berkeley.edu/bugzilla - partially tested with Acunetix, no vulnerabilities found thus far
https://trustt.eecs.berkeley.edu:446/wise/apply/ (SecurIT, Superb and Wise applications, TRUST only) - found vulnerable with Acunetix. Note that scanning this form generates hundreds of emails.
Pages that process URLs:
http://chesstst.eecs.berkeley.edu/chess/faq/?displaystyle=flat - found vulnerable with Acunetix
https://chesstst.eecs.berkeley.edu:444/chessj/resetpassword.jsp - change password (JSP) - found vulnerable with Acunetix