Cross Site Scripting Persistent, Persistent-Prime and Persistent-Spider
234 views
Skip to first unread message
Jason Ang
Jul 30, 2015, 5:53:16 PM7/30/15
to OWASP ZAP User Group
Hi,
I would like to know the difference between Cross Site Scripting Persistent, Persistent-Prime and Persistent-Spider so that I can decide if I need to include them all during active scanning.
Thanks!
Jason
kingthorin+owaspzap
Jul 30, 2015, 7:40:34 PM7/30/15
to OWASP ZAP User Group, angme...@gmail.com
Yes you do, that one is kind of unique. Since you're looking for persistent (or stored) XSS it was built slightly different versus the reflected XSS scanner. Basically it works something like:
Persistent-Prime -> Inject (safe values)
Persistent-Spider -> Look around for those safe values
Cross Site Scripting Persistent -> Test real injections in those locations and alert if valid
(https://github.com/zaproxy/zap-extensions/blob/master/src/org/zaproxy/zap/extension/ascanrules/resources/help/contents/ascanrules.html)
(IIRC)
Persistent-Prime -> Inject (safe values)
Persistent-Spider -> Look around for those safe values
Cross Site Scripting Persistent -> Test real injections in those locations and alert if valid
(https://github.com/zaproxy/zap-extensions/blob/master/src/org/zaproxy/zap/extension/ascanrules/resources/help/contents/ascanrules.html)
(IIRC)
Reply all
Reply to author
Forward
0 new messages