Here is a script to automate testing of webmail systems for cross-site scripting. It uses the XSS Cheat Sheet to generate the injection strings. Compared to the previous version, this version downloads the XSS Cheat Sheet on the fly (instead of having it hard-coded) and supports SMTP authentication.

NAME
    excess2 - A script for testing webmail systems for cross-site scripting
    problems

DESCRIPTION
    This script sends a number of HTML-formatted email messages to a
    specified email address. In order to test a webmail system you need to
    have an email account on the system, run this script to send messages
    to that account, and then view the received messages through the
    webmail interface. If you get a popup box saying "XSS!" it means that
    your webmail system failed to block the attack.

    Try viewing the messages in several different browsers, including
    Internet Explorer and Mozilla Firefox. Some attacks work in one
    browser, but don't work in another.

    The script downloads RSnake's XSS Cheat Sheet from
    http://ha.ckers.org/xssAttacks.xml. This way we always have the latest
    and greatest XSS attacks. Thanks, RSnake.

OPTIONS
    -t you@webmail.example.com      The destination email address
    -f return-address@example.com   From email address. Replies and
                                    rejects will go to that address.
    -s mymailserver.example.com     SMTP server to use for sending
                                    messages.
    -u                              SMTP server username (if it requires
                                    authentication)
    -p                              SMTP server password (if it requires
                                    authentication)


