dmitris / yuiconftalk2012 Goto Github PK

This is the code for the XSS testing demo of the YUIConf 2012 talk "Security Testing of YUI-Powered Applications" (http://www.youtube.com/watch?v=EsTAJt29C_g)

The slides are on http://www.slideshare.net/dimisec/security-testingofyui-poweredapplications

To try the demo code, you need to put the code in the "yui" directory into your webserver root - on Mac with the default webserver setup, you can copy or symlink it to your Sites directory.

Below are brief descriptions of the directories and files and usage instructions:

webdriver_java/ - WebDriver code in Java

cd webdriver_java/todo_bad "mvn install" should produce failures as it tests vulnerable version of the app

cd webdriver_java/todo_good "mvn install" should succeed (no test failures) as it tests fixed version of the app mvn install

webdriver_python - WebDriver code in Python

webdriver_js/ - demo of the Javascript binding for WebDriver To use it, download selenium-server-standalone-2.29.0.jar from http://code.google.com/p/selenium/downloads/list (use the latest version available), and start the server with:

java -jar selenium-server-standalone-2.29.0.jar

then you can run the demo examples:

cd webdriver_js node webdriver_bad.js (generates an alert) node webdriver_good.js (no alert)

yui/src/ src/todo.html (vulnerable app) src/todo_good.html (fixed version)

yui/tests tests/xsstest06.html - YUI Test pointing to the vulnerable version (with failures) tests/xsstest07.html - same test pointing to the fixed version (all tests pass)