It occured to me today to make a greasemonkey script to help people find XSS flaws in various forms. My idea so far:
Run through every form and insert an image like at the start of every form.
Everything is then done through a menu that appears when you click that icon.
The options on that menu would be:
1. Show details of form - Show the action of the form, as well as the method and any hidden elements, also it'd show the name of every field.
2. Duplicate form - this would open a new tab to the current page and fill the form in as it is currently filled in (I'm not sure if the filling in part is possible, but I'd try).
3. Fill in every text field with an entry from the XSS cheat sheet (the script would dynamically load and parse the file, good thing the xml version was made). Which entry to fill it in with would be picked from a sub menu.
4. Create link to PoC - If the form uses GET this would create a link to the target page with the flaws as querystrings, if POST is used it'll auto generate the url to my script, but that would be changeble in the options.

I realise a lot of this is int he web developer extension, but I don't have that and I think keeping it with this makes sense.

What do you guys think? Can you think of what should be added, removed or changed?

Edit: I'd also allow users to create their own XSS injections to be included into the list.

Edit2: Instead of always running the script I'll do:

GM_registerMenuCommand("Start XSSing forms", start);
GM_registerMenuCommand("Stop XSSing forms", stop);

which will let the user start and stop XSSing at will.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 2 time(s). Last edit at 10/19/2006 01:02PM by WhiteAcid.

I think it's a great idea. Just try not to use too many greasemonkey specific functions. I want to be able to convert it to pure javascript later for Opera usage.

- Kyran

Well... to read the cheat sheet requires GM_xmlhttpRequest as the .xml file is (most likely) on a different host (unless you're XSSing ckers.org).

To open a new tab (duplicate form) requires GM_openInTab.

I would maybe create a call home feature too, just so the script can alert() if a new version is out, haven't done that before but should be a piece of cake.

hehe, I just realised that this would give rsnake the power to maybe XSS us whenever we run this script. I'd have to be careful to parse the XML file in a way to not screw ourselves over.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 1 time(s). Last edit at 10/19/2006 12:35PM by WhiteAcid.

Excellent idea... I need to update the xml file for IE7.0 and Opera 9.0 (maybe this weekend).

If I wanted to XSS this group it would be insanely easy - trust me, it's not my thing (going after individual users or even after individual websites). What you are far more at risk of is me messing up the XML file and causing your script to die badly, so yes, error handling is a good idea.

- RSnake
Gotta love it. http://ha.ckers.org

Well... as this is a greasemonkey script it'll only find flaws that are vulnerable to firefox, but go ahead and update at will.

Ok. I'll get onto creating the menu, or googling for existing ones I can use.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

One note, I think Christopher Loomis is going to take a stab at modifying the xssAttacks.xml file to include IE7.0 changes that I made as well as changing the format of what is and isn't supported into XML rather than something that needs to be parsed by hand.

- RSnake
Gotta love it. http://ha.ckers.org

That's fine by me. I've noticed the cheat sheet is pretty damn long, I hadn't realised quite how long before. I suppose I should try to build one which is shorter (10 or less entries) and still finds the majority of XSS holes.

At the moment my function is

function parseXML(html)
{
	names = new Array()
	vectors = new Array()
	parser = new DOMParser()
	var dom = parser.parseFromString(html,"application/xml")
	var entries = dom.getElementsByTagName('attack')
	for (var i = 0; i < entries.length; i++)
	{
		names.push(entries.getElementsByTagName('name')[0].textContent)
		vectors.push(entries.getElementsByTagName('code')[0].textContent)
	}
	return {name:names,vector:vectors}
}

but if Christopher Loomis breaks that, that's fine too. I'll just fix it.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

It might not break that because the only difference between the two would be the addition of a supported field, or something similar.

Ten vectors might not be enough... the problem is there are probably 3-5 that I use regularly and then 10-20 that I use sporatically and then the rest I use only in theory or as an explanation of why something is bad. Also, lots of times I need to tweak parts of things. This is why it kills me that Jake Reynolds isn't closer to being done with his tool. It would really blow all of these ideas out of the water. Alas....

But anyway, I still think it's a good idea, even if you keep it to more like 10-20. But if you're goign to concatinate it anyway, why not just keep it in the plugin itself?

- RSnake
Gotta love it. http://ha.ckers.org

I thought I'd be future proof and grab your file instead, that way this script will get any updates automatically. I suppose I should make it easy for users to just enter their own straight into the script too.

The reason I thought I'd have another list of under 5 was because that looks much nicer to use in a drop down, as opposed to 30+ options, or however many you have.

I haven't planned on concatinating them, instead I'd keep the different sources as different submenus on the menu.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Ah, gotcha... that makes way more sense. Maybe there is a way to page through stuff quickly... Hrm... UI issues!

- RSnake
Gotta love it. http://ha.ckers.org

I've made major parts of it, the only thing is that it's got some really odd failures.

I've put the file here: http://www.whiteacid.org/misc/XSS_assistant.user.js
To start using it press tools > User Script Commands > Start. Then go to any page with a form on it (this page will do if you're signed in). An image should appear at the start of the form which bring up a menu when clicked.

Anyway... it fails on this reply box, as well as a few other random places. I have no idea why. The page I used for the majority of my testing was:

<form name="bertha" method="get" target="http://www.google.com">
	Username: <input type="text" name="username" /><br />
	password: <input type="password" name="password" /><br />
	<input type="hidden" name="shh" /><br />
	Email: <input type="text" name="email" /><br />
	<input type="submit" />
</form>
<hr>
<form name="af" method="posT">

	Username: <input type="text" name="username" /><br />
	password: <input type="password" name="password" /><br />
	Email: <input type="text" name="email" /><br />
	<input type="submit" />
</form>

fyi, applyVectors() is what gets what to inject from the select boxes and injects it. showInfo() is what goes through the form and shows all the info. Any help on what the heck is going would be nice.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Aah had some sleep, compared forms and realised that the script cannot yet deal with forms where input elements are inside another tag (table, div etc). I'll get on that issue right away.

Still... comments on usability or whatever are welcome.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 1 time(s). Last edit at 10/21/2006 09:51AM by WhiteAcid.

Ok. Finally I've managed to get the recursive function (had major problems with the scope of the variables). The script is at the same location (http://www.whiteacid.org/misc/XSS_assistant.user.js). Should work now. What do you guys suggest though? I'm not particularly fond of that it replaces the value of buttons, but that could be useful too. I could have a tick box somewhere to tell it to ignore buttons or not, what do you guys think?

Edit: To play with the script go to http://www.whiteacid.org/HTS/avatar.php (which is deliberately vulnerable to XSS). Inject the top vector and hit submit. (remember to start using the script from the tools menu)

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 1 time(s). Last edit at 10/21/2006 01:44PM by WhiteAcid.

WhiteAcid, I was very excited to try this out and I'm still very much excited but when I installed it I got a flat load of nothing at all. Zero. Zilch. No button, no dropdowns, no nothing. :-/ I don't even know where to start debugging it. :( Maybe it's conflicting with something else? Do you have any plugins installed that make this work or none (and mine are maybe conflicting)? JavaScript is definitely turned on and still no go.

- RSnake
Gotta love it. http://ha.ckers.org

@rsnake: You have to go to Tools>GreaseMonkey>User Script Commands>Start XSSing forms. I don't think it interacts with any extentions. I think there is a small bug, though. screenshot: http://img183.imageshack.us/img183/1096/screenshotslackersorgwebapplicationsecurityforumprojexy0.png

It would also be nice if you could make ha.ckers.org the default source and add a little info (such as browsers they work in).
-------------------------------------------
Ok, maybe that's not a bug, just the way the forum is set up. Also, I noticed a few sites don't show the XSS FORM sign. For example: http://mpaa.org/ - http://www.demonoid.com/files/
It also messes up the title at http://digg.com and when you try to click the button it just refreshes the page because you're really clicking on the digg sign, not XSS FORM. Sorry to report minor bugs, but you asked for bug reports.



Edited 3 time(s). Last edit at 10/21/2006 11:59PM by Ghozt.

Rsnake: It doesn't depend on anything, except of course on greasemonkey. Make sure you did start the script as Ghozt pointed out.

Ghozt: That first screenshot you posted isn't a bug. The script will make any hidden elements visible, those elements were hidden, now aren't. As a sidenote when you apply any XSS vector the script will also remove any maxlength attributes.

Having a default source is a decent idea, I'll see how easy that is to do.
As for browsers they work in, sure there's already that info in the xml file, but how would I show the user that info?

I don't know why it doesn't show on some pages, if you use the DOM inspector and search for a form element then expand it and look at the first child, that's the image right there.
As for the digg thing, how would I solve that as the script is working fine, it just happens the create image at a stupid place. By default the image is placed right below the <form>, at the very first child element.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Okay, that was the part I missed. This rocks... Although there are a few things I think this might be improved by in fixing. The first is the option to overwrite single variables in POSTs instead of all of them, and the second is to XSS the page you are on currently instead of the page you are posting to, you see what I'm saying? Also check out this site: http://www.expressen.se/ (one of my Swedish speeking girlfriend's favorite sites). See the form in the left rail? I'm not sure why it isn't showing up there.

I'm eager to see this with a few more slick features - it's definitely worth posting about.

- RSnake
Gotta love it. http://ha.ckers.org

Thanks for that.

Quote

The first is the option to overwrite single variables in POSTs instead of all of them

1. I had also thought that changing a single field instead of all fields would be nice, but I don't know how to easily implement that in terms of usability.
2. Ghozt had also pointed out that the image doesn't appear on some pages. I don't know why this is as according to the DOM inspector the images are there.
3. If the form is far to the right of far down the menu can appear off screen. The user can scroll and pull it back but this shouldn't be required. I've managed to fix it if the menu is too far to the right, but not if it's too far down. I aim to fix this at some point though (note that I haven't yet updated the online code with the bit to prevent sideways scrolling)

Quote

XSS the page you are on currently instead of the page you are posting to

huh?

ooh... I've just had a thought as to point 1.
I'd have a tick box below the select boxes labelled apply globally. If it is ticked then the vector will be applied to all fields as it is now, if not ticket then start a function which captures mouse clicks. It captures the object which was focused and if that object is part of the form it'll apply the vector to it. A stop button would also be visible in the xss menu, once that's clicked the other function stops listening for mouse clicks.

I don't even know if that's possible, but does that sound good?

Expressen does have some good things... been a while since I'd read that.

Update: By XSS the current page do you mean the script should look at the current querystring and XSS those variables?

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 1 time(s). Last edit at 10/22/2006 03:11PM by WhiteAcid.

Yah, sorry, in re-reading that it wasn't super clear. Yes, I meant look at the URL you are on and allow the user to modify those and re-submit to the same page they are currently on.

- RSnake
Gotta love it. http://ha.ckers.org

Yeah, that's a nice idea. I'll be sure to include something like that.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

First off, thanks for your hard work on this. It may well be a very useful tool for developers. I'm certainly happy to be able to try this on some forms I've written.

In regards to changing all the fields, I'm having a problem where the form has a token or nonce which must remain intact to submit the form. That doesn't mean the form isn't vulnerable to XSS, but it does prevent this tool from working.

WhiteAcid Wrote:
-------------------------------------------------------
> Thanks for that.
> The first is the option to overwrite single
> variables in POSTs instead of all of them
> 1. I had also thought that changing a single field
> instead of all fields would be nice, but I don't
> know how to easily implement that in terms of
> usability.

On the bug report front, I'm having trouble with the tool submitting the form, e.g. clicking submit on the tools drop down isn't working.

Is this a Greasemonkey of XSSing forms bug...

e.g. I have multiple "Start XSSing forms", "Stop XSSing forms" commands on the User Script Commands drop down after a while.

FF 2.0

http://www.suspendedexpert.com/z10klwe87_6b/XSSing_forms_multitude.gif

I've actually noticed the same behavior... maybe it has something to do with the number of forms on the page? I haven't been able to debug that issue.

- RSnake
Gotta love it. http://ha.ckers.org

Finally I'm back. I was away for the weekend rock climbing.

That's now the 2nd and 3rd time people have said that it causes multiple "Start XSSing forms" and "Stop XSSing forms", but I still can't replicate the bug. It shouldn't be due to multiple forms as

GM_registerMenuCommand("Start XSSing forms", start);
GM_registerMenuCommand("Stop XSSing forms", stop);

is only ever run once. I don't know what is causing that.


rdivilbiss: Can you post a link to the page with the form on it that can't be submitted, or provide the HTML outline for the form? The script merely called the submit() method for the form, should work. Does the forms normal submit button still work?

As for the script changing all the form fields and therefore ruining the session values, that is something I aim to fix, when I find time.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Maybe it has something to do with multiple frames/iframes on a page or something?

- RSnake
Gotta love it. http://ha.ckers.org

Great idea but when I tested that it still didn't create multiple options in the menu. Still.. I'll do something like

if (location.href == top.location)
    //add menu options

That should solve it.

I've got a bad cold at the moment and can't leave the house, perfect for working on this script.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

> rdivilbiss: Can you post a link to the page with
> the form on it that can't be submitted, (PM)

>The script merely called the submit() method for
>the form, should work. Does the forms normal
>submit button still work?

Yes the form's submit button, (albeit changed,) does submit the form. Since the form has both a nonce and a form state field being checked in the action page, the tool isn't going to help ferret out XSS unless those fields are excluded. But I can not see any reason why the form.submit() wouldn't submit the page.

BTW: I noticed the repeated start-stop menu choices after attacking a contact form repeatedly on another site than the one I PM'ed you. On that form I could submit using your script's menu.

I have no idea why that form won't submit. It's the only form on the page, so document.forms[0] refers to it. alert(document.forms[0]) shows the correct form yet document.forms[0].submit() gives:
document.forms[0].submit is not a function
Argh, the problems are mounting on this one and yet the free time I have to solve those problems just isn't there.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

how come i can only pick the xss vectors that are in intial dropdown menu without strolling down from "select a vector" to "IMG Lowsrc". if i pick any vector that is below IMG LowSrc it will skip it and go to the top of the list. any one experince this yet.

uhm.... I didn't test that all that much. Oh man, this code is so damn buggy and I just keep having to do things that pull me away from the PC.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer