Greasemonkey XSS assistant

Re: Greasemonkey XSS assistant

xyberpix — Sun, 19 Jul 2009 17:12:00 -0500

What's it going to take to make this script FF3 compatable, as I'm willing to try and sort it out, but I'm not too sure where to even start?

Re: Greasemonkey XSS assistant

ted — Fri, 17 Jul 2009 22:25:31 -0500

I want the firefox 3.5 version

Re: Greasemonkey XSS assistant

asilvermtzion — Thu, 14 Aug 2008 14:15:43 -0500

This is made of win and awesome. Do want ff3 version

Re: Greasemonkey XSS assistant

Anonymous User — Sun, 03 Aug 2008 10:08:38 -0500

There are some issues with the GM eval() method. I recently talked to someone who said he wanted to try to fix it. If done I will post here with credits.

Re: Greasemonkey XSS assistant

straylight — Thu, 31 Jul 2008 08:43:28 -0500

Great tool, keeps me from memorizing all those vectors! :) Any plans to update for FF3? Any idea what happened in FF3 that broke the script?

-straylight

Re: Greasemonkey XSS assistant

Anonymous User — Wed, 30 Jul 2008 17:00:38 -0500

Nup

But love the porn spam.

Re: Greasemonkey XSS assistant

macguffin — Wed, 30 Jul 2008 06:55:12 -0500

Does it work in Firefox 3?

I have some problems with it, the image (xss) does not appear.

Re: Greasemonkey XSS assistant

Anonymous User — Sat, 09 Feb 2008 05:07:22 -0600

You can find it here:
http://groups.google.com/group/xss-assistant/browse_thread/thread/369dd328249d77ba

Re: Greasemonkey XSS assistant

mstampar — Sat, 09 Feb 2008 05:02:23 -0600

that last message was with purpose of preserving the script - i just can't find it anywhere on net (http://www.whiteacid.org/greasemonkey/ is inaccessible).

Re: Greasemonkey XSS assistant

mstampar — Sat, 09 Feb 2008 04:59:15 -0600

// ==UserScript==
// @name XSS assistant
// @description This will help people find Cross site scripting flaws in forms as well and ease making a PoC from the XSS which is easy to show people.
// @include *
// ==/UserScript==

/*
How to use:
Install this script into greasemonkey. To start XSSing forms select tools > Greasemonkey > User script commands > Start XSSing forms.
From now on all forms on all pages will have an image by them, clicking that image will bring up a menu with plenty of options to help
you speedily find flaws in the form.
To stop XSSing forms (which means the image won't appear anymore) select tools > Greasemonkey > User script commands > Stop XSSing forms.

Don't forget you can change some variables just below this block of comments
*/

//USER SETINGS START
//list of xml files to read to get the XSS vectors from
//vectorsURL = new Array("http://ha.ckers.org/xssAttacks.xml","http://127.0.0.1/xss.xml")
vectorsURL = new Array("http://ha.ckers.org/xssAttacks.xml")
//The url of the page which can showcase XSSes using POST. default = "http://www.whiteacid.org/misc/xss_post_forwarder.php"
setting_PoC_POST = "http://www.whiteacid.org/misc/xss_post_forwarder.php"
//USER SETTINGS END

glb_xss = new Array()
glb_forms = new Array()

//Load the remote XML files with all the XSSes in them
function getRemoteXMLFiles()
{
for (i=0; i {
GM_xmlhttpRequest
(
{
method:"GET",
url:vectorsURL,
headers:
{
"User-Agent":"XSS assistant",
"Accept":"text/xml",
},
onload:function(details)
{
add2glb_xss(this.url,parseXML(details.responseText))

//As a one time thing we need to set the default list of values in the second select box
//We can only do this after the first AJAX request has been returned, so this is where we do it
if (glb_xss.length == 1)
{
changeVectors(this.url)
}
}
}
)
}
}

//Given the remote XML files, store that data
function add2glb_xss(url,xml)
{
glb_xss.push(new Array(url,xml.name,xml.vector))
}

//Find all forms on the page and add the relevant image button by them
function findForms()
{
xss_images = new Array() //array of all images
frms = document.forms //array of all forms
for (i=0; i {
xss_images.push(createButton(i)) //create a new image
frms.insertBefore(xss_images[xss_images.length-1],document.forms.firstChild) //insert image as first thing inside form
glb_forms.push(new Array(i,frms.innerHTML))
}
}

//creates the button which when clicked brings up the menu
function createButton(n)
{
x = document.createElement('img')
x.src = "data:image/gif,GIF89aP%00%0F%00%91%00%00%00%00%00%FFf%00%FF%FF%FF%00%00%00!%F9%04%00%00%00%00%00%2C%00%00%00%00P%00%0F%00%40%02%86%84%8F%A9%CB%ED%0F%8F%084%CCY%B3%D5%14%5B%01%86!%20%0A%A4)%92%E7%C8%96%AE%E1q%F2%9C%B9%F6%8D%E78L%F7%B4%0E%0C%06y%BEbM%88L%8EH%B5%8D%26V%81~n%2B%D0%A9zM%A9%AAT%A6%F1%AB%0C%0B%23%E4%B2%F9%BC%10%AB%D7a%E2%B7%C8%8Ek%3DtN%E8%09%8A%EE%60%CB%92%24%D5%92%E3%D61%93%87w%D4%B5%92%B5%C4%A5%82%A2%E3V%87%88%17%23%F8%D2h%05%98%09%E9%F5%E6%23%07%CA%07%3A%1AZ%00%00%3B"
x.alt = n //Just for holding the form number
x.setAttribute("onclick","openMenu(this)")
x.setAttribute("style","display: block; z-index: 9")
return x
}

//Opens the menu and places it at the button which called this function
function openMenu(getter)
{
father = document.getElementById('menu_father')
coords = findPos(getter)

father.style.top = coords.top+"px"
father.style.display = 'block'
//If the box is off the bottom or off too far to the right, bring it home (this can only be done after we've set father.style.display = "block"
while (coords.left+getter.offsetWidth+5+father.offsetWidth > screen.width)
{
coords.left--
}
father.style.left = coords.left+getter.offsetWidth+5+"px"
//And now for height - broken (hence commented out)
/*
while (coords.top+father.offsetHeight > (screen.height)+coords.top)
{
coords.top--
}
father.style.top = coords.top+getter.offsetHeight+"px"
*/

//Enter the form info in the menu's heading
heading = document.getElementById('menu_heading')

heading.innerHTML = "Form "+getter.alt
try
{
heading.innerHTML += " ["+getter.parentNode.name+"]"
} catch (err) {}

//shove the correct options into the menu_target_select select box
targets = document.getElementById('menu_target_select')
//remove existing elements
while (targets.childNodes.length != 0)
targets.removeChild(targets.childNodes[0])

children = getChildren(document.forms[getFormNumber()])

//Add the global option
tmp = document.createElement('option')
tmp.value = ""
tmp.innerHTML = "#GLOBAL#"
targets.appendChild(tmp)

//Loop through named elements and add them
for (i=0; i {
try
{
if (children.hasAttribute('name'))
{
tmp = document.createElement('option')
tmp.value = children.name
tmp.innerHTML = children.name
targets.appendChild(tmp)
}
}
catch(err) {}
}
}

//Function to create the menu
function createMenu()
{
//Create top level of menu
father = document.createElement('div')
father.id = "menu_father"
father.setAttribute("style","display: none; position: absolute; z-index: 10; top: 0px; left: 0px; style;")

//the title bar (empty but allows the box to be dragged)
title = document.createElement('div')
title.setAttribute("onmousedown","dragStart(event,'menu_father')")
title.appendChild(document.createElement('br'))
title.setAttribute("style", "cursor: move; border: none;")
father.appendChild(title)

//The heading with the info of the form that currently being looked at
heading = document.createElement('div')
heading.id = "menu_heading"
father.appendChild(heading)

//Create the options
//Show info will show all the info about the form including the forms target and method as well as the name attribute of every element
showInfo = document.createElement('div')
showInfo.innerHTML = "Show form information"
showInfo.setAttribute("onclick","showInfo()")
father.appendChild(showInfo)

//A couple of select boxes allowing the user to apply certain XSS vectors.
vectors_div = createVectors()
father.appendChild(vectors_div)

//The create PoC function will supply the user with a ready-to-copy-n-paste link to showcase their XSS.
PoC = document.createElement('div')
PoC.innerHTML = "Generate PoC link"
PoC.setAttribute("onclick","createPoC()")
father.appendChild(PoC)

//The reset function sets the form back to how it was when the page loaded.
reset = document.createElement('div')
reset.innerHTML = "Reset form"
reset.setAttribute("onclick","resetForm()")
father.appendChild(reset)

//Create a submit form button
submit = document.createElement('div')
submit.innerHTML = "Submit form"
submit.setAttribute("onclick","submitForm()")
father.appendChild(submit)

//The close button, closes the menu
close_button = document.createElement('input')
close_button.type = "button"
close_button.value = " [ close ] "
close_button.setAttribute("onclick","hideMe(document.getElementById('menu_father'))")
father.appendChild(close_button)

//And shove the whole box onto the document.
document.body.appendChild(father) //hehe, semantics went out the window there
}

//Function which creates the bar which lets you XSS the querystrings
function createGETBar(GET)
{

bar = document.createElement('div')
bar.className = "GETBar"
//An error may have occured when reading the querystring
if (GET == 'ERROR')
{
bar.innerHTML = "Error, cannot read the querystring variables and corresponding values"
document.body.appendChild(bar)
return
}

//An easy way to let people XSS these variables is by creating a hidden form and then just letting the rest of the script treat it as such
form = document.createElement('form')
form.method = "get"
form.action = location.href.substring(0,location.href.indexOf("?"))
form.id = "xss_querystring"

//Start looping through each GETed variable and add that to this form
for (i=0; i {
tmp = document.createElement('input')
tmp.type = 'hidden'
tmp.setAttribute('name',GET.list_name)
tmp.setAttribute('value',GET.list_value)
form.appendChild(tmp)
}

bar.appendChild(form)

document.body.appendChild(bar)
}

//Given the returned code from a remote location, turn it into usable XML
function parseXML(html)
{
names = new Array()
vectors = new Array()
parser = new DOMParser()
var dom = parser.parseFromString(html,"application/xml")
var entries = dom.getElementsByTagName('attack')
for (var i = 0; i < entries.length; i++)
{
names.push(entries.getElementsByTagName('name')[0].textContent)
vectors.push(entries.getElementsByTagName('code')[0].textContent)
}
return {name:names,vector:vectors}
}

//Show the info about a form
showInfoDone = new Array()
function showInfo()
{
x = getFormNumber()
//Check if already done
for (i=0; i {
if (showInfoDone == x)
{
alert("Already shown information on this form.\nIf you want to run it again reset the status and run this again.")
return false;
}
}
showInfoDone.push(x)

f = document.forms[x]
//Add the forms info
x = document.createElement('span')
x.setAttribute("class","form_info")
x.innerHTML = "name: "+f.name+"
target: "+f.target+"
"
f.insertBefore(x,f.childNodes[1])

//Go through all nodes with a name attribute and add info about them
children = getChildren(f)
for (i=0; i {
try
{
if (children.hasAttribute('name'))
{
x = document.createElement('span')
x.setAttribute("class","form_info")
x.innerHTML = children.name
children.parentNode.insertBefore(x,children)
}
//Show any hidden elements
if (children.type == "hidden")
children.type = "text"
}
catch(err) {}
}
}

//Create the select boxes and return their objects.
function createVectors()
{
holder = document.createElement('div')

url_list = document.createElement('select')
url_list.setAttribute('onchange','changeVectors(this.value)')

vector_list = document.createElement('select')
vector_list.id = "menu_vector_select"

target_list = document.createElement('select')
target_list.id = "menu_target_select"

apply_button = document.createElement('input')
apply_button.type = "button"
apply_button.value = "apply"
apply_button.setAttribute('onclick','applyVectors(document.getElementById("menu_target_select").value,document.getElementById("menu_vector_select").value)')

for (i=0; i {
x = document.createElement('option')
x.value = vectorsURL
x.innerHTML = getDomain(vectorsURL)
url_list.appendChild(x)
}

x = document.createElement('option')
x.innerHTML = "Select a vector"
x.value = ""
vector_list.appendChild(x)
holder.appendChild(url_list)
holder.appendChild(vector_list)
holder.appendChild(document.createElement("br"))
holder.appendChild(target_list)
holder.appendChild(apply_button)
return holder
}

//Function will change which vectors are visible in the second select box, shows the vectors from the source supplied as parameter.
function changeVectors(val)
{
for (i=0; i {
if (glb_xss[0] == val)
{
o = document.getElementById('menu_vector_select')
o.innerHTML = "" //clear any old data
x = document.createElement('option')
x.innerHTML = "Select a vector"
x.value = ""
o.appendChild(x)
for (j=0; j[1].length; j++)
{
x = document.createElement('option')
x.value = glb_xss[2][j]
x.innerHTML = glb_xss[1][j]
o.appendChild(x)
}
}
}
}

//Apply a certain vector to all elements in form which have a name attribute
function applyVectors(target,vector)
{
f = document.forms[getFormNumber()]

children = getChildren(f)

//If we are to apply globally
if (target == "")
{
for (i=0; i {
try
{
if (children.hasAttribute('name'))
{
if (children.hasAttribute('maxlength'))
children.removeAttribute('maxlength')
children.value = vector
}
//Show any hidden elements
if (children.type == "hidden")
children.type = "text"
}
catch(err) {}
}
}
else //If we are to apply only to one element
{
for (i=0; i {
if (children.name == target)
{
children.removeAttribute('maxlength')
children.value = vector
}
}
}
}

//Create a prompt box which allows users to easily copy paste PoC links
function createPoC()
{
f = document.forms[getFormNumber()]
method = f.method.toLowerCase()
target = f.target
if (target == "")
target = location.href
if (method != "post") //incase they are odd, or didn't supply one then default to get
method = "get"
if (method == "get")
{
//Scrap any existing querystring variables in the target
if (target.indexOf("?") > -1)
{
target = target.substring(0,target.indexOf("?"))
}

target += "?"
children = getChildren(f)
target = addToTarget(target,children)
//Chop off the last &
target = target.substr(0,target.length-1)

prompt("Copy the below url",target)
}
else
{
//Esacpe any existing querystring variables in the target
if (target.indexOf("?") > -1)
{
target = target.substring(0,target.indexOf("?")) + escape(target.substring(target.indexOf("?"),target.length))
}
target = setting_PoC_POST+"?xss_target="+target+"&"
children = getChildren(f)
target = addToTarget(target,children)
//Chop off the last &
target = target.substr(0,target.length-1)

prompt("Copy the below url",target)
}

}

//Reset form to how it was when the page loaded
function resetForm()
{
x = getFormNumber()
f = document.forms[x]
f.innerHTML = glb_forms[x][1]

//Find and remove from the showInfoDone array
for (i=0; i if (showInfoDone == x)
{
showInfoDone.splice(i,1)
return true //End function so we don't do unnecessary work
}
}

//Submit the form, useful if the submit button isn't there, for whatever reason
function submitForm()
{
//Why am I using a variable at all? cos rdivilbiss said:
/*
I had a similar problem with form fields once were document.forms[0].field returned the correct reference but document.forms[0].field.focus() returned not a function.
I was able to work around that with;
tmp = document.forms[0].field;
tmp.focus();
I still to this day don't know why I had to do that but it worked.
*/
tmp = document.forms[getFormNumber()]
tmp.submit()
}

//Using the "Form 1 [form_name]" field, we'll get the forms number
function getFormNumber()
{
x = document.getElementById('menu_heading').innerHTML
x = parseInt(x.substring(4,x.length))
return x
}

//Given a url, get that urls domain
function getDomain(url)
{
url = url.substring(7,url.length)
url = url.substr(0,(url.search("/") > -1)? url.search("/"):url.length)
return url
}

//Recusively find all children of one node minus the text nodes
function getChildren(obj)
{
var children = new Array()
for (var i=0; i {
if (obj.childNodes.type != 3) //type 3 is a text node
{
children.push(obj.childNodes)
if (obj.childNodes.hasChildNodes())
{
x = getChildren(obj.childNodes)
for (j=0; j children.push(x[j])
}
}
}
return children
}

//Hide an object
function hideMe(obj)
{
obj.style.display = "none"
}

function addToTarget(target,children)
{
for (i=0; i {
try
{
if (children.hasAttribute('name'))
{
target += children.name+"="+children.value+"&"
}
}
catch(err) {}
}
return target
}

//Function to find the X and Y co-ordinates of where the menu should go. Returns both within a struct, of sorts
function findPos(obj)
{
var curtop = 0;
var curleft = 0;
if (obj.offsetParent)
{
while (obj.offsetParent)
{
curtop += obj.offsetTop
curleft += obj.offsetLeft
obj = obj.offsetParent
}
}
return {left:curleft,top:curtop}
}

//A crap load of functions for dragging from http://www.brainjar.com/dhtml/drag/demo.html
//Removed browser checking

//*****************************************************************************
// Do not remove this notice.
//
// Copyright 2001 by Mike Hall.
// See http://www.brainjar.com for terms of use.
//*****************************************************************************

// Determine browser and version.

function Browser() {

var ua, s, i;

this.isNS = false;
this.version = null;

ua = navigator.userAgent;

// Treat any other "Gecko" browser as NS 6.1.
s = "Gecko";
if ((i = ua.indexOf(s)) >= 0) {
this.isNS = true;
this.version = 6.1;
return;
}
}

var browser = new Browser();

// Global object to hold drag information.

var dragObj = new Object();
dragObj.zIndex = 0;

function dragStart(event, id) {

var el;
var x, y;

// If an element id was given, find it. Otherwise use the element being
// clicked on.

if (id)
dragObj.elNode = document.getElementById(id);
else {
dragObj.elNode = event.target;

// If this is a text node, use its parent element.

if (dragObj.elNode.nodeType == 3)
dragObj.elNode = dragObj.elNode.parentNode;
}

// Get cursor position with respect to the page.

x = event.clientX + window.scrollX;
y = event.clientY + window.scrollY;

// Save starting positions of cursor and element.

dragObj.cursorStartX = x;
dragObj.cursorStartY = y;
dragObj.elStartLeft = parseInt(dragObj.elNode.style.left, 10);
dragObj.elStartTop = parseInt(dragObj.elNode.style.top, 10);

if (isNaN(dragObj.elStartLeft)) dragObj.elStartLeft = 0;
if (isNaN(dragObj.elStartTop)) dragObj.elStartTop = 0;

// Update element's z-index.

dragObj.elNode.style.zIndex = ++dragObj.zIndex;

// Capture mousemove and mouseup events on the page.

document.addEventListener("mousemove", dragGo, true);
document.addEventListener("mouseup", dragStop, true);
event.preventDefault();
}

function dragGo(event) {

var x, y;

// Get cursor position with respect to the page.

x = event.clientX + window.scrollX;
y = event.clientY + window.scrollY;

// Move drag element by the same amount the cursor has moved.

dragObj.elNode.style.left = (dragObj.elStartLeft + x - dragObj.cursorStartX) + "px";
dragObj.elNode.style.top = (dragObj.elStartTop + y - dragObj.cursorStartY) + "px";

event.preventDefault();
}

function dragStop(event) {

// Stop capturing mousemove and mouseup events.

document.removeEventListener("mousemove", dragGo, true);
document.removeEventListener("mouseup", dragStop, true);
}
///////////////////////////////ENDETH THE DRAGGING FNUCTIONS

//Function to read the querystring
function v_GET_init()
{
v_GET = new Object()
v_GET.list_name = new Array()
v_GET.list_value = new Array()

v_GET.raw = location.href.substring(location.href.indexOf('?')+1,location.href.length)
getted_var = v_GET.raw.split("&")
for (i=0; i {
getted_var_name = getted_var.substring(0,getted_var.search('='))
getted_var_value = getted_var.substring(getted_var.search('=')+1,getted_var.length)
v_GET.list_name.push(getted_var_name)
v_GET.list_value.push(getted_var_value)
}
return v_GET
}

//If this is the main page (not an iframe), add the buttons to the toolbar allowing user to start/stop
if (location.href == top.location)
{
GM_registerMenuCommand("Start XSSing forms", start)
GM_registerMenuCommand("Stop XSSing forms", stop)
}

//Create functions those buttons call
function start() { GM_setValue("live", true) }
function stop() { GM_setValue("live", false) }

//Add some CSS
GM_addStyle('#menu_father {background-color:#BCD2EE; padding: 2px;}')
GM_addStyle('#menu_father div {display:block; border: solid #000; border-width: 1px; cursor: pointer;}')
GM_addStyle('.form_info {color:red; background-color:#ffe4c4; font-size:small; font-family:Courier New, arial;}')
GM_addStyle('.GETBar {color:black; background-color:#ffff00; text-align:center; position: absolute; top: 0px; left: 40%; width: 20%; padding: 3px; cursor: pointer; font-size:small; font-family:Courier New, arial;}')
GM_addStyle('.GETBar * {display: inline !important;}')

//Write some function onto the page
unsafeWindow.eval(openMenu.toString())
unsafeWindow.eval(findPos.toString())
unsafeWindow.eval(hideMe.toString())
unsafeWindow.eval(showInfo.toString())
unsafeWindow.eval(resetForm.toString())
unsafeWindow.eval(submitForm.toString())
unsafeWindow.eval(changeVectors.toString())
unsafeWindow.eval(applyVectors.toString())
unsafeWindow.eval(createPoC.toString())
unsafeWindow.eval(addToTarget.toString())
//And the dragging functions
unsafeWindow.eval(Browser.toString())
unsafeWindow.eval(dragStart.toString())
unsafeWindow.eval(dragGo.toString())
unsafeWindow.eval(dragStop.toString())

//Start the whole thing off, if we're live
if (GM_getValue('live', false) == true)
{
getRemoteXMLFiles()

//If there is a querystring, add the bar
if (location.href.indexOf("?") > 0)
{
try
{
x = v_GET_init()
}
catch (err) {x = 'ERROR'}
createGETBar(x)
}
findForms()
createMenu()
}

Re: Greasemonkey XSS assistant

WhiteAcid — Wed, 20 Jun 2007 05:47:10 -0500

That's a good idea.
http://groups.google.com/group/xss-assistant/
RSS feed: http://groups.google.com/group/xss-assistant/feed/rss_v2_0_msgs.xml

Re: Greasemonkey XSS assistant

Anonymous User — Wed, 20 Jun 2007 02:41:17 -0500

Jep - if you want em out just drop me a line. What about bringing the project to google code/ creating a google group? I think it would be way easier to maintain those issues that way.

Greetings,
.mario

Re: Greasemonkey XSS assistant

WhiteAcid — Tue, 19 Jun 2007 16:44:11 -0500

aah, good stuff. I couldn't see those things due to cache issues. Now I see you also have HTML tags in the name element. I'm not sure if I should render those in the script. I don't see how a user could be exploited without manually adding the evil .xml file to the list, but what if your domain was hacked and someone else edited the xml file. Then suddenly a lot of users of this script will be vulnerable.

Now, how to filter this? If I use JS's escape() the it uglifies the whole thing by changing spaces to %20 etc. If I filter < and > then it could work, but as the charset depends on the parent page (I imagine) it's possible that variablel width encoding would be possible. Or should I just leave the HTML enabled and write a note on the site to tell people to download a copy of the XML file locally and use that to prevent any tampering.

I really should have an announcement mailing list for this script.

Re: Greasemonkey XSS assistant

Anonymous User — Tue, 19 Jun 2007 15:03:18 -0500

the xml below line 359 is new

http://mario.heideri.ch/xss.xml

Re: Greasemonkey XSS assistant

WhiteAcid — Tue, 19 Jun 2007 15:00:16 -0500

Which are the new ones? I really should know this, unfortunately I didn't memorise the vectors :p
There's a really bad storm here atm cutting my Internet off every few minutes, for once I'm happy this forum doesn't bind my session to an IP or I'd have to keep logging back in all the time.

Re: Greasemonkey XSS assistant

WhiteAcid — Tue, 19 Jun 2007 14:52:17 -0500

Which are the new ones? I really should know this, unfortunately I didn't memorise the vectors :p

Re: Greasemonkey XSS assistant

Anonymous User — Tue, 19 Jun 2007 11:44:22 -0500

Hi!

I added new vectors - precisely Kishor's solutions - to the xss.xml - give it a try!

Greetings,
.mario

Re: Greasemonkey XSS assistant

Anonymous User — Tue, 05 Jun 2007 07:46:29 -0500

K - works fine now!

Thx!

Re: Greasemonkey XSS assistant

WhiteAcid — Tue, 05 Jun 2007 07:37:44 -0500

Oops. I've re-uploaded.
I have copies of the .xml files at those locations to speed up the loading times and so that you guys don't see the requests from the sites I browse :p.

Re: Greasemonkey XSS assistant

Anonymous User — Tue, 05 Jun 2007 01:37:11 -0500

http://127.0.0.1/xssAttacks.xml ???
http://sid.selfip.org/xss.xml ???

;)

Re: Greasemonkey XSS assistant

WhiteAcid — Mon, 04 Jun 2007 18:34:07 -0500

Truly the peak of irony; this tool was vulnerable to XSS itself. It was possible for a web admin (who is able to create forms) to create one which runs JS when you try to XSS his forms. Create a page with the following form on it:

Then hit the little icon to bring up the window for this tool and you'll be XSSed. This same bug existed in more than one place, also in the form's action attribute which executes when you hit "Show form information". It'd able work in the form's children's name attributes as it uses that to build the select box.

I've now used the JS function escape() to protect you. Please update the script.

Yes this was bad, yes, I shouldn't have done this. I do apologize. At least to my knowledge this hasn't been abused and if it has at least the attacker didn't get access to the GM API allowing cross domain requests.

Edit: It's here (to save you scrolling up)

Re: Greasemonkey XSS assistant

WhiteAcid — Wed, 16 May 2007 21:31:49 -0500

Due to crappy testing the reportPoC() didn't actually work properly. I just had to escape() some values, I've reuploaded. Please update the script.

Edit: slightly later I made another fix. I really should implement something in this so it calls home to check for new versions, but I know you guys don't want me to be able to track what sites you use this on.

Re: Greasemonkey XSS assistant

WhiteAcid — Wed, 16 May 2007 15:10:01 -0500

Ah. I had actually thought about that myself. I figured I could have a GM function such as xss_test() { alert('xss works') }, write that into the page using GM (before even the onload event would fire). Then it'd have an edited version of the XSS location in rsnake's XML file which instead or running an alert() tries to run that function. It'd then inject this into a form (inside a hidden iframe). It is probably very possible.

Re: Greasemonkey XSS assistant

ntp — Wed, 16 May 2007 14:59:23 -0500

.mario Wrote:
-------------------------------------------------------
> @ntp: I use cal9000 only for encoding issues -
> never tried the auto attack feature. Unfortunately
> the project seems stalled since end of 2006. The
> Wiki page seems to wait for user feedback
> though...

i don't think any more work is planned, so it looks DOA. the owasp spring of code allotments were already announced and I don't see anything about CAL9000 or any of the project leaders named. i'll try to find out more.

WhiteAcid Wrote:
-------------------------------------------------------
> What specifically do you mean by "writeups on
> Greasemonkey automation"?

It would be nice if your scripts (or similar ones) were able to detect parameters/forms, add the xss tests, submit the request, watch the response (and/or crawl the site for responses showing the xss, etc), et al. iow: do all the work for me.

Re: Greasemonkey XSS assistant

kirke — Wed, 16 May 2007 14:58:23 -0500

CAL9000 will not be continued, unfortunately
The major problem is that modern browsers are to restrictive in using XMLHttpRequest. My experiance is that latest mozilla (1.7.x) works fine.
Beside the XSS cheat seat, the En-/Decoder is one of its best features, AFAIK someone builds a new tool about that. Input welcome.

Re: Greasemonkey XSS assistant

Anonymous User — Wed, 16 May 2007 02:54:47 -0500

Hi WhiteAcid!

Great new release and thanks for embedding my xml ;)

@ntp: I use cal9000 only for encoding issues - never tried the auto attack feature. Unfortunately the project seems stalled since end of 2006. The Wiki page seems to wait for user feedback though...

http://www.owasp.org/index.php/OWASP_CAL9000_Project_Roadmap

Greetings,
.mario

Re: Greasemonkey XSS assistant

WhiteAcid — Tue, 15 May 2007 23:09:40 -0500

Thanks for those comments ntp.
I do know that some greasemonkey scripts can be imported straight into Opera, but do to so with this script would mean loosing functionality if it's even possible. I use functions specific to GM that allow for cross domain AJAX. I use this to load the XML files and to submit stuff to XSSed.com. Beside that, the way you start or stop activation of this tool is GM specific, but that part could of course just be re-written.

Perhaps it could be made without GM specific functions if it had the XML files inside itself and instead of automated submission to XSSed it'd just redirect you to the form and pre-fill all the values by adding the variables to the querystring (we'd need to get the folks who run XSSed to set that functionality up for us).

You have the book XSS Attacks? I pre-ordered that thing back in February and it's still not here. Due date for amazon.co.uk is 1 Jun 2007 *sigh*.

What specifically do you mean by "writeups on Greasemonkey automation"?

Re: Greasemonkey XSS assistant

ntp — Tue, 15 May 2007 21:42:53 -0500

WhiteAcid Wrote:
-------------------------------------------------------
> It's taken way too long, but I finally got around
> to making the new version.

I've used this tool since you first released it (on real, very serious web application vulnerability assessments). Can't wait to try out the new version. The plug for XSS Assistant in "XSS Attacks" is great.

However, in "XSS Attacks", they [probably pdp] seem to promote using Technika to autoload bookmarklets over the Greasemonkey [autoload] approach, citing bookmarklets as portable and Greasemonkey as Firefox only. However, I know otherwise that Greasemonkey scripts work in Opera and can also be made to work in other browsers. I haven't tried XSS Assistant in Opera, although that would be interesting.

> 2. Uses .mario's XML file too

Oh how I wish that CAL9000 also used .mario's XSS XML file as well (it should be easy to import). Speaking to Opera above, CAL9000 seems to work best in Opera (although I do use multiple versions of IE, FF, and Opera when testing for XSS). The autoattack features in CAL9000 are great, but the reporting and use is kind of weak.

With the new version of your tool, WhiteAcid, I really think you have the best tool for testing for XSS out there (having tried a huge number myself), although writeups on Greasemonkey automation and integration with other tools would be nice. I found myself copying from XSS Assistant and into Burp a lot way back when - so I'll have to come up with a faster method, probably based off of other ideas from the book, "XSS Attacks".

Re: Greasemonkey XSS assistant

Kyran — Tue, 15 May 2007 20:55:30 -0500

Glad you got the thing with XSSed.com setup. :D

Re: Greasemonkey XSS assistant

WhiteAcid — Tue, 15 May 2007 16:46:34 -0500

It's taken way too long, but I finally got around to making the new version.
1. Works with xssed.com, allowing you to report PoCs straight to their DB
2. Uses .mario's XML file too
3. Cleaned code just a little

The new version still hasn't been tested by anyone but me and Kevin, the owner of xssed.com so I would greatly appreciate testing, note though that Kevin would not appreciate spamming his DB.

As always the script is located here: http://www.whiteacid.org/greasemonkey/#xss_assistant