Attribute-Based XSS, ermm...
Don't get this post wrong: I really like Jeremiah's blog and he is obviously good at his stuff, so I'm not shooting the messenger.
This particular post on his blog shows us the current state of the (rather funny) web application security scanner market. In it Jeremiah gives us some great news(!): WhiteHat Sentinel has discovered attribute-based XSS...
From the announcement:
Attribute-Based Cross-Site Scripting is one of the hardest types of Cross-Site Scripting to find in an automated fashion. Today, no desktop scanner does a good job at this; most don't even attempt it because false positives skyrocket – except for the WhiteHat Sentinel Service. Naturally.
WhiteHat Sentinel implemented our second-generation attribute injections last week. Many of you have seen new XSS attack vectors being pushed on your sites, and for quite a few it is a result of these tests. The example we most often push is sourcing in JavaScript via an injected STYLE tag (attack vector for Internet Explorer).
Attribute-based XSS has been public for 4-5 years now, and in 2004 I wrote a small XSS paper about a related issue, pointing out another bad programming practice: attribute values without quotes (I'm sure most scanners can't identify these either).
If we stop for one moment of our valuable time to think about this, we arrive at a basic fact.
If current web application scanners can't find an issue that has been known for 5 years, aren't they f*** useless?
OK, I know they are not useless, but this is just ridiculous, especially when you pay a bloody $10K+ for a license.
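As an added example (this is not code from the original post, from my 2004 paper, or from WhiteHat), here is a small Node.js script that shows the two attribute contexts side by side: why an unquoted attribute value needs no quote character at all to break out, how a quoted value still breaks with a single `"`, what the tag-closing STYLE style of payload the announcement mentions looks like at the attribute level, and what a proper attribute encoder does to all three. The templates, payloads and the minimal start-tag tokenizer are constructed for illustration; the tokenizer only approximates how a browser splits a start tag into attributes and is not a full HTML parser.

```javascript
// Added example, not code from the original post or from WhiteHat Sentinel.
// Shows how user input rendered into an HTML attribute becomes XSS, why an
// unquoted attribute is the easier target, and what attribute encoding does.
// Templates, payloads and the tokenizer are constructed for illustration.

// Two naive server-side templates dropping a value into an attribute.
function renderUnquoted(value) {
  return `<input type="text" name="q" value=${value}>`;
}
function renderQuoted(value) {
  return `<input type="text" name="q" value="${value}">`;
}

// Attribute encoder: everything outside a small safe set becomes &#xHH;,
// so the value can neither end the attribute (quote, whitespace) nor close
// the tag (>) in either the quoted or the unquoted context.
function encodeAttr(value) {
  return String(value).replace(/[^A-Za-z0-9.,_-]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16).toUpperCase()};`);
}

// Minimal start-tag tokenizer: returns [{ tag, attrs }] for each tag found.
// Unquoted values end at whitespace or '>', quoted values at the matching quote.
function tokenize(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') { i++; continue; }
    i++;
    let name = '';
    while (i < html.length && /[A-Za-z0-9]/.test(html[i])) name += html[i++];
    if (!name) continue;                       // end tag or stray '<': skip
    const attrs = {};
    while (i < html.length && html[i] !== '>') {
      if (/[\s\/]/.test(html[i])) { i++; continue; }
      let attrName = '';
      while (i < html.length && !/[\s=>\/]/.test(html[i])) attrName += html[i++];
      while (i < html.length && /\s/.test(html[i])) i++;
      let attrValue = '';
      if (html[i] === '=') {
        i++;
        while (i < html.length && /\s/.test(html[i])) i++;
        const q = html[i];
        if (q === '"' || q === "'") {
          i++;
          while (i < html.length && html[i] !== q) attrValue += html[i++];
          i++;                                 // closing quote
        } else {
          while (i < html.length && !/[\s>]/.test(html[i])) attrValue += html[i++];
        }
      }
      attrs[attrName.toLowerCase()] = attrValue;
    }
    i++;                                       // '>'
    tags.push({ tag: name.toLowerCase(), attrs });
  }
  return tags;
}

// Event-handler attribute names and tag names present after rendering.
function injectedHandlers(html) {
  return tokenize(html).flatMap((t) =>
    Object.keys(t.attrs).filter((a) => a.startsWith('on')));
}
function tagNames(html) {
  return tokenize(html).map((t) => t.tag);
}

// Constructed payloads and what each template does with them.
function demo() {
  const noQuoteNeeded = 'x onmouseover=alert(1)';   // whitespace alone breaks an unquoted value
  const quoteNeeded = 'x" onmouseover="alert(1)';   // a quoted value needs the " to break
  const tagBreakout = 'x"><style>x{}</style>';      // closes the tag and injects a STYLE element
  return {
    unquotedBreaks: injectedHandlers(renderUnquoted(noQuoteNeeded)),
    quotedHolds: injectedHandlers(renderQuoted(noQuoteNeeded)),
    quotedBreaks: injectedHandlers(renderQuoted(quoteNeeded)),
    styleInjected: tagNames(renderQuoted(tagBreakout)),
    encodedUnquoted: injectedHandlers(renderUnquoted(encodeAttr(noQuoteNeeded))),
    encodedQuoted: injectedHandlers(renderQuoted(encodeAttr(quoteNeeded))),
    encodedTags: tagNames(renderQuoted(encodeAttr(tagBreakout))),
  };
}

console.log(demo());
```

The point a scanner has to get right is visible in the first two results: the same payload is a new `onmouseover` attribute in the unquoted template and harmless text in the quoted one, so a scanner that only ever probes with `"` and `'` never sees the unquoted case, while one that treats every reflected `on...` string as a finding drowns in false positives. The STYLE payload is only the attribute-level half of the vector the announcement describes; the IE-specific way of sourcing JavaScript from a stylesheet is not reproduced here.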
