Add automatic tests for XSS

[phihag]

In the wake of #105, we should add automatic tests for XSS in the obvious places.

We could do this with the integration tests in adhocracy_buildout/src/adhocracy/adhocracy/test/use_cases, but running them is nontrivial.

[phihag]

We should use an existing XSS/security checker and have a way to run it during the tests.

[rliebig]

A small sum-up of already tested "solutions":

• Skipfish
  • Pro: Detects some vulnerabilities(XSS, XSRF)
  • Con: Extremly slow, machine-unreadable output, unmantained
• w3af
  • Pro: Is capable of detecting some XSS and XSRF vulnerabilites, machine-readable output
  • Con: Very slow(36 Seconds for (vulnsrv)[https://github.com/phihag/vulnsrv/blob/master/vulnsrv.py]), SQLi module isn't even able to detect simple SQL-Injections, installation issues
• xsser
  • Pro: Detects XSS vulnerabilties
  • Con: Only detects XSS vulnerabilities, hard parseable output, Twitter function.
• wapiti
  • Pro: Python, claims to detect serveral critical vulnerabilites.
  • Con: Broken, unmantained
• nikto
  • Pro: Easy to install(packages for every distribution are avaible.
  • Con: Relies on a vulnerability database, permanetly wants to scan /CGI/
• xsssniper
  • Pro: Detecs XSS vulnerabilites, reliable crawler, very modificable, fast
  • Con: No Pypi-Package, doesn't detect anything than XSS vulnerabilities, need modifications for machine-readble output
• ratproxy
  • Pro: Can detect non critical warnings(wrong Headers, charset), can detect XSRF vulnerabilites.
  • Con: Can detect XSRF vulnerabilities better there, were aren't any. Written in C.
• sqlmap
  • Pro: Detects SQLi injections.
  • Con: The Pro argument.
• arachni
  • Pro: Claims to use machine-learning, nice webinterface, finds SQLi, XSS and path traversal.
  • Con: Output is really hard to parse, there are even SQLis in Pages that don't even use SQL or a database at all. Other results let me believe that there is in fact machine learing in use, as example, it considers the default answer as of / as "intresting".
• wfuzz: unmaintained since 2011
• Grendel-Scan: unmaintained since 2012
• webvulscan: unmaintained since 2012
• WebScarab: unmaintained since 2007
• WPScan: Only wordpress