Finding 500 errors and XSS attacks in Jenkins through fuzzing
This recipe describes using a fuzzer to find server-side errors and XSS attacks in your Jenkins servers.
A fuzzer goes through a series of URLs, appends different parameters blindly, and checks the response from servers. The inputted parameters are variations of scripting commands such as
<script>alert("random string");</script>. An attack vector is found if the server's response includes the unescaped version of the script.
Cross Site Scripting attacks are currently one of the more popular forms of attack (http://en.wikipedia.org/wiki/Cross-site_scripting). The attack involves injecting script fragments into the client's browser so that the script runs as if it comes from a trusted ...