Why do I need it?
The answer to this question is quite simple. Anyone who has ever made a web site or written an
application for the web has probably thought about the security of their code at some point or another.
After all, no one wants to see their site defaced or private information extracted by a third party
from their application's database.
At the same time, finding security problems is not an easy process, especially on a large code base.
XSSOOPS simplifies the process by automating the detection of the most common types of vulnerabilities, the ones
external attackers will usually try first. By identifying those problems and providing information on where
they are located and how they can be triggered, the developer is virtually handed a solution to the problem.
It is highly important to remember that XSSOOPS is not a replacement for a security audit performed by a security
professional. That is still an essential component of securing an application; however, XSSOOPS can get the
common problems out of the way quickly, allowing the auditor to focus on complex code-logic problems rather
than wasting valuable time searching for things that can be detected automatically.
In many instances even the best auditor will miss some things while analyzing thousands of lines of code;
after all, they are only human. An automated tool can often help them catch problems that would otherwise have
gone unnoticed. Even after numerous security audits, XSSOOPS was able to find cross-site scripting
vulnerabilities in Serendipity, a popular blogging software, as well as cross-site scripting and file overwrite
vulnerabilities in Gallery, one of the most common online photo albums.
Ultimately, XSSOOPS reports are the security auditor's best friend, allowing them to quickly identify many
problems and, after developers have addressed them, ensure that they have indeed been fixed and that no new
problems have been introduced in their place.