XSS Scanner

I got an email from another lurker today that I thought was pretty interesting. He’s intending to build a scanner to do some self-pen testing on his own websites and wanted some guidance. He was stuck on one of the three big questions (the others are the calendar or infinite depth issue and the login state issue). His issue was how to know what is bad and what isn’t from a web application security scanning perspective...

Read the post in ha.ckers.org.