Sla.ckers.org
Current Page: 2 of 3
Re: Greasemonkey XSS assistant
Posted by: rdivilbiss
Date: November 03, 2006 10:09AM

WhiteAcid Wrote:
-------------------------------------------------------
> I have no idea why that form won't submit. It's
> the only form on the page, so document.forms[0]
> refers to it. alert(document.forms[0]) shows the
> correct form yet document.forms[0].submit()
> gives:
> document.forms[0].submit is not a function
> Argh, the problems are mounting on this one and
> yet the free time I have to solve those problems
> just isn't there.

Strange. I appreciate your looking. I did not intentionally do anything to mess with the DOM on that page. I'll look at it.

I had a similar problem with form fields once, where document.forms[0].field returned the correct reference but document.forms[0].field.focus() returned "not a function".

I was able to work around that with:

tmp = document.forms[0].field;
tmp.focus();

I still to this day don't know why I had to do that but it worked.

Maybe

tmp = document.forms[0];
tmp.submit();

would work?

Re: Greasemonkey XSS assistant
Posted by: WhiteAcid
Date: November 03, 2006 01:02PM

OK, I've fixed stuff, I know there are still things to fix, but what are your opinions so far?

1. If the form is far to the left, the box will no longer appear off screen
2. There may be a yellow bar at the top centre of the screen, that "XSS form" image represents XSSing the current page's querystrings. The bar is only visible if there are any querystrings.
3. As rdivilbiss just suggested, I've edited the submitForm function so it'll hopefully work better.
4. Even though I couldn't reproduce the bug I've hopefully prevented the command being added to the tools menu multiple times per page.
5. You can now apply XSS vectors globally (within a form) or to only a specific field in that form.

Still to do:
1. Escape the vector, especially when XSSing the querystring
2. Move the menu upwards if it was created off the bottom of the screen.
3. Fix issue when using more than one XML file which can result in the vectors and their source not matching up.
4. Make the yellow bar look nicer.
5. Figure out why the button isn't visible for all forms on all pages.

Edit: so you don't need to load the previous page, the script is here: http://www.whiteacid.org/misc/XSS_assistant.user.js

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 1 time(s). Last edit at 11/03/2006 01:04PM by WhiteAcid.

Re: Greasemonkey XSS assistant
Posted by: noobreally
Date: November 05, 2006 07:27AM

OK, this script stopped working now. It won't load any vectors from the XML file.

Re: Greasemonkey XSS assistant
Posted by: WhiteAcid
Date: November 05, 2006 09:10AM

Thanks for that. The XML file is malformed. It's up to RSnake to fix this.

I have uploaded a new, very slightly changed, version though. I've set the xss image's url to:
data:image/gif,GIF89aP%00%0F%00%91%00%00%00%00%00%FFf%00%FF%FF%FF%00%00%00!%F9%04%00%00%00%00%00%2C%00%00%00%00P%00%0F%00%40%02%86%84%8F%A9%CB%ED%0F%8F%084%CCY%B3%D5%14%5B%01%86!%20%0A%A4)%92%E7%C8%96%AE%E1q%F2%9C%B9%F6%8D%E78L%F7%B4%0E%0C%06y%BEbM%88L%8EH%B5%8D%26V%81~n%2B%D0%A9zM%A9%AAT%A6%F1%AB%0C%0B%23%E4%B2%F9%BC%10%AB%D7a%E2%B7%C8%8Ek%3DtN%E8%09%8A%EE%60%CB%92%24%D5%92%E3%D61%93%87w%D4%B5%92%B5%C4%A5%82%A2%E3V%87%88%17%23%F8%D2h%05%98%09%E9%F5%E6%23%07%CA%07%3A%1AZ%00%00%3B

This means that it's not creating all those requests to my server.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 1 time(s). Last edit at 11/05/2006 09:18AM by WhiteAcid.
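The point of the inline image above is that the script no longer fetches its icon from the author's server on every page it runs on, so the server never sees which sites the user is testing. As an added example (not code from the XSS assistant script), the block below decodes that exact data: URI into raw bytes and reads the GIF header, which is how a reviewer can confirm that the embedded payload is a plain 80x15 image and nothing else. The parseDataUri, inspectGif and inspectDataUriImage names are this example's own.

```javascript
// Added example, not part of the XSS assistant script: decode the inline
// data: URI from the post and check that it really is a small GIF.

// The percent-encoded GIF exactly as posted, joined into one string.
const XSS_ICON_DATA_URI =
  'data:image/gif,GIF89aP%00%0F%00%91%00%00%00%00%00%FFf%00%FF%FF%FF%00%00%00!%F9%04%00%00%00%00%00%2C%00%00%00%00P%00%0F%00%40%02' +
  '%86%84%8F%A9%CB%ED%0F%8F%084%CCY%B3%D5%14%5B%01%86!%20%0A%A4)%92%E7%C8%96%AE%E1q%F2%9C%B9%F6%8D%E78L%F7%B4%0E%0C%06y%BEbM%88L%8EH%B5' +
  '%8D%26V%81~n%2B%D0%A9zM%A9%AAT%A6%F1%AB%0C%0B%23%E4%B2%F9%BC%10%AB%D7a%E2%B7%C8%8Ek%3DtN%E8%09%8A%EE%60%CB%92%24%D5%92%E3%D61%93%87w' +
  '%D4%B5%92%B5%C4%A5%82%A2%E3V%87%88%17%23%F8%D2h%05%98%09%E9%F5%E6%23%07%CA%07%3A%1AZ%00%00%3B';

// Split a data: URI into media type and raw bytes. decodeURIComponent is
// unsuitable for the non-base64 form because the payload is binary, not
// UTF-8, so the percent escapes are decoded byte by byte here.
function parseDataUri(uri) {
  const m = /^data:([^,;]*)(;base64)?,([\s\S]*)$/.exec(uri);
  if (!m) throw new Error('not a data: URI');
  const [, mediaType, isBase64, body] = m;
  let bytes;
  if (isBase64) {
    bytes = Uint8Array.from(Buffer.from(body, 'base64'));
  } else {
    const out = [];
    for (let i = 0; i < body.length; i++) {
      if (body[i] === '%') {
        const hex = body.slice(i + 1, i + 3);
        if (!/^[0-9a-fA-F]{2}$/.test(hex)) throw new Error('bad percent escape at offset ' + i);
        out.push(parseInt(hex, 16));
        i += 2;
      } else {
        out.push(body.charCodeAt(i) & 0xff);
      }
    }
    bytes = Uint8Array.from(out);
  }
  return { mediaType: mediaType || 'text/plain', bytes };
}

// Read the GIF header: 6-byte signature, little-endian width and height,
// then the packed byte that says whether a global colour table follows.
function inspectGif(bytes) {
  const sig = String.fromCharCode(...bytes.subarray(0, 6));
  if (sig !== 'GIF87a' && sig !== 'GIF89a') throw new Error('not a GIF: ' + sig);
  const width = bytes[6] | (bytes[7] << 8);
  const height = bytes[8] | (bytes[9] << 8);
  const packed = bytes[10];
  const hasGlobalColourTable = (packed & 0x80) !== 0;
  const colourTableSize = hasGlobalColourTable ? 1 << ((packed & 0x07) + 1) : 0;
  // A well-formed GIF ends with the 0x3B trailer byte.
  const endsWithTrailer = bytes[bytes.length - 1] === 0x3b;
  return { version: sig, width, height, colourTableSize, endsWithTrailer, byteLength: bytes.length };
}

function inspectDataUriImage(uri) {
  const { mediaType, bytes } = parseDataUri(uri);
  return { mediaType, ...inspectGif(bytes) };
}

console.log(inspectDataUriImage(XSS_ICON_DATA_URI));
```

The decoder accepts both the percent-encoded and the base64 form of a data: URI, so the same check can be run over any inline image a user script ships; a media type or signature mismatch throws rather than silently reporting nonsense.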

Re: Greasemonkey XSS assistant
Posted by: rdivilbiss
Date: November 05, 2006 06:03PM

WhiteAcid Wrote:
-------------------------------------------------------
> OK, I've fixed stuff, I know there are still
> things to fix, but what are your opinions so far?

Much easier to use and I like that I can skip nonce fields. Even found a leftover debug line in one of my forms, which I would have missed otherwise... so thank you.


> 3. As rdivilbiss just suggested, I've edited the
> submitForm function so it'll hopefully work
> better.

Still didn't submit the problem form I PM'ed you about, but since I didn't hose the submit button, it was easy enough to work around.

> 4. Even though I couldn't reproduce the bug I've
> hopefully prevented the command being added to the
> tools menu multiple times per page.

Sorry...still there, at least for me.

> 5. You can now apply XSS vectors globally (within
> a form) or to only a specific field in that form.

If that was a select multiple textbox this would be so much nicer, not that it isn't very good already.

Very good work so far!

Re: Greasemonkey XSS assistant
Posted by: rsnake
Date: November 05, 2006 06:35PM

Yah, sorry again about breaking the XML file. And btw, thanks for making it not download from your server. That was actually one of the few reasons I surfed with it turned off by default.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Greasemonkey XSS assistant
Posted by: WhiteAcid
Date: November 05, 2006 07:04PM

Thanks a million to virus from CriticalSecurity for fixing the bug with the vector select box.

Quote

It's because of the dragging code in the menu, if you remove the onmousedown from the menu father it'll work normally but then you can't drag it anymore. You can get it fixed by changing
	father.setAttribute("style","display: none; position: absolute; z-index: 10; top: 0px; left: 0px; style; cursor: move;")
	father.setAttribute("onmousedown","dragStart(event)")
	
	//the title bar (empty but allows the box to be dragged)
	title = document.createElement('span')
	father.appendChild(title)
	father.appendChild(document.createElement('br'))
To
	father.setAttribute("style","display: none; position: absolute; z-index: 10; top: 0px; left: 0px; style;")

	//the title bar (empty but allows the box to be dragged)
	title = document.createElement('div')
	title.setAttribute("onmousedown","dragStart(event,'menu_father')")
	title.appendChild(document.createElement('br'))
	title.setAttribute("style", "cursor: move; border: none;")
	father.appendChild(title)
Of course that'll limit the dragging to the top of the menu but that's acceptable for me :).

Also currently there doesn't seem to be a way around the multiple menu entries some users might have; what I found much easier was to remove them altogether and just make the script do its thing if it's activated. It's much faster to disable it from the GM bottom menu too :P

I've changed the online copy so that you can actually use any of the options in the select box. If you want to do what virus does and simply disable the whole menu thing, just comment out the lines
if (location.href == top.location)
{
	GM_registerMenuCommand("Start XSSing forms", start)
	GM_registerMenuCommand("Stop XSSing forms", stop)
}

Edit: I'm talking to him on IRC and we've (mainly he) figured out why the image doesn't always show. Essentially it's due to people being unable to code correct (X)HTML.

He's also made it so that if the form only has one input, then it doesn't add the #GLOBAL# option to the select box, something I hadn't thought of. He also fiddled with some CSS so the menu doesn't inherit some formatting from the form. I'll edit the online copy later; at least you know it's coming.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 1 time(s). Last edit at 11/05/2006 07:24PM by WhiteAcid.

Re: Greasemonkey XSS assistant
Posted by: rsnake
Date: November 05, 2006 11:54PM

Very cool! Yah, let us know. Or get him on here. Or both!

- RSnake
Gotta love it. http://ha.ckers.org

Re: Greasemonkey XSS assistant
Posted by: WhiteAcid
Date: November 06, 2006 06:24AM

I was tired last night, if you want to enable/disable the script like virus described, remove the following code (this is all near the end of the file)
//If this is the main page (not an iframe), add the buttons to the toolbar allowing user to start/stop
if (location.href == top.location)
{
	GM_registerMenuCommand("Start XSSing forms", start)
	GM_registerMenuCommand("Stop XSSing forms", stop)
}

//Create functions those buttons call
function start() { GM_setValue("live", true) }
function stop() { GM_setValue("live", false) }
and change:
//Start the whole thing off, if we're live
if (GM_getValue('live', false) == true)
{
	getRemoteXMLFiles()
	
	//If there is a querystring, add the bar
	if (location.href.indexOf("?") > 0)
	{
		try
		{
			x = v_GET_init()
		}
		catch (err) {x = 'ERROR'}
		createGETBar(x)
	}
	findForms()
	createMenu()
}
to:
//Start the whole thing off
getRemoteXMLFiles()

//If there is a querystring, add the bar
if (location.href.indexOf("?") > 0)
{
	try
	{
		x = v_GET_init()
	}
	catch (err) {x = 'ERROR'}
	createGETBar(x)
}
findForms()
createMenu()

Anyway... virus was up late fixing bugs. I'll test them, upload the changes and edit this post in a sec.

Edit: I've updated the online copy. The menu will now move back onto the screen if the button is so low down or so far to the right that the menu would appear off screen. Also, and more importantly, the image should now be visible for all forms.
It will quite seriously mess up the form, but that's better than the image not even being there. If you want to see what virus did, read his post here

Another edit: I've uploaded yet another copy which changes type="hidden" to type="text" when you apply the vector to a single element as opposed to globally.

And another: Now if there is only one element in the form the #GLOBAL# option won't be there. Also there was some small tidying up of the code, found one duplicate line, small stuff like that.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 3 time(s). Last edit at 11/06/2006 12:50PM by WhiteAcid.

Re: Greasemonkey XSS assistant
Posted by: dyz-lektik
Date: November 07, 2006 05:29PM

Thanks for your inventiveness in making an automated script to run XSS. I use about 3-5 basic scripts and about 10 at the most. Do you plan to add this as a FF extension?

Sign me, too dyz-lektik to code worth a dman.

Re: Greasemonkey XSS assistant
Posted by: WhiteAcid
Date: November 08, 2006 01:12PM

No, but you can do that yourself if you want. There is something out there to convert greasemonkey scripts to extensions. I don't want to do that, as having it as a greasemonkey script means it uses fewer resources than having each of my own scripts as extensions. Also keeping them as .user.js files means they are simpler to edit.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Greasemonkey XSS assistant
Posted by: Anonymous User
Date: February 18, 2007 07:31PM

Hi!

I created another xml file which carries some more (mostly reflective) xss vectors. I use XSS assistant on a daily basis for my job because I think of it as an awesome time saver and I think it could be improved by giving it more vectors to use..

File lies here:
http://mario.heideri.ch/xss.xml

Installation via:
vectorsURL = new Array("http://ha.ckers.org/xssAttacks.xml","http://mario.heideri.ch/xss.xml")

Greetings,
.mario

Re: Greasemonkey XSS assistant
Posted by: WhiteAcid
Date: February 19, 2007 01:09PM

Nice one. I've been thinking about making an SQL injection one but never really got around to it.

BTW, for purposes of PoCs there's not much point in using String.fromCharCode(..), instead just alert a number. Now my script looks better with more than one source.

I'll probably release another version in a few weeks with a few minor improvements, now included in those improvements is having this as one of the default sources :)

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Greasemonkey XSS assistant
Posted by: Anonymous User
Date: February 20, 2007 01:18AM

Hi WhiteAcid - thanks a lot! I will add some more vectors over the next few days, I guess - especially the fragmented XSS section still lacks some material.

I am looking forward to the coming version.

Greetings,
.mario

Re: Greasemonkey XSS assistant
Posted by: WhiteAcid
Date: May 15, 2007 04:46PM

It's taken way too long, but I finally got around to making the new version.
1. Works with xssed.com, allowing you to report PoCs straight to their DB
2. Uses .mario's XML file too
3. Cleaned code just a little

The new version still hasn't been tested by anyone but me and Kevin, the owner of xssed.com, so I would greatly appreciate testing. Note though that Kevin would not appreciate spamming his DB.

As always the script is located here: http://www.whiteacid.org/greasemonkey/#xss_assistant

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Greasemonkey XSS assistant
Posted by: Kyran
Date: May 15, 2007 08:55PM

Glad you got the thing with XSSed.com setup. :D

- Kyran

Re: Greasemonkey XSS assistant
Posted by: ntp
Date: May 15, 2007 09:42PM

WhiteAcid Wrote:
-------------------------------------------------------
> It's taken way too long, but I finally got around
> to making the new version.

I've used this tool since you first released it (on real, very serious web application vulnerability assessments). Can't wait to try out the new version. The plug for XSS Assistant in "XSS Attacks" is great.

However, in "XSS Attacks", they [probably pdp] seem to promote using Technika to autoload bookmarklets over the Greasemonkey [autoload] approach, citing bookmarklets as portable and Greasemonkey as Firefox only. However, I know otherwise that Greasemonkey scripts work in Opera and can also be made to work in other browsers. I haven't tried XSS Assistant in Opera, although that would be interesting.

> 2. Uses .mario's XML file too

Oh how I wish that CAL9000 also used .mario's XSS XML file as well (it should be easy to import). Speaking to Opera above, CAL9000 seems to work best in Opera (although I do use multiple versions of IE, FF, and Opera when testing for XSS). The autoattack features in CAL9000 are great, but the reporting and use is kind of weak.

With the new version of your tool, WhiteAcid, I really think you have the best tool for testing for XSS out there (having tried a huge number myself), although writeups on Greasemonkey automation and integration with other tools would be nice. I found myself copying from XSS Assistant and into Burp a lot way back when - so I'll have to come up with a faster method, probably based off of other ideas from the book, "XSS Attacks".

Re: Greasemonkey XSS assistant
Posted by: WhiteAcid
Date: May 15, 2007 11:09PM

Thanks for those comments ntp.
I do know that some greasemonkey scripts can be imported straight into Opera, but to do so with this script would mean losing functionality, if it's even possible. I use functions specific to GM that allow for cross domain AJAX. I use this to load the XML files and to submit stuff to XSSed.com. Besides that, the way you start or stop activation of this tool is GM specific, but that part could of course just be re-written.

Perhaps it could be made without GM specific functions if it had the XML files inside itself and instead of automated submission to XSSed it'd just redirect you to the form and pre-fill all the values by adding the variables to the querystring (we'd need to get the folks who run XSSed to set that functionality up for us).

You have the book XSS Attacks? I pre-ordered that thing back in February and it's still not here. Due date for amazon.co.uk is 1 Jun 2007 *sigh*.

What specifically do you mean by "writeups on Greasemonkey automation"?

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Greasemonkey XSS assistant
Posted by: Anonymous User
Date: May 16, 2007 02:54AM

Hi WhiteAcid!

Great new release and thanks for embedding my xml ;)

@ntp: I use cal9000 only for encoding issues - never tried the auto attack feature. Unfortunately the project seems stalled since the end of 2006. The Wiki page seems to wait for user feedback though...

http://www.owasp.org/index.php/OWASP_CAL9000_Project_Roadmap

Greetings,
.mario

Re: Greasemonkey XSS assistant
Posted by: kirke
Date: May 16, 2007 02:58PM

CAL9000 will not be continued, unfortunately.
The major problem is that modern browsers are too restrictive in using XMLHttpRequest. My experience is that the latest mozilla (1.7.x) works fine.
Besides the XSS cheat sheet, the En-/Decoder is one of its best features; AFAIK someone is building a new tool for that. Input welcome.



Edited 1 time(s). Last edit at 05/16/2007 03:11PM by kirke.

Re: Greasemonkey XSS assistant
Posted by: ntp
Date: May 16, 2007 02:59PM

.mario Wrote:
-------------------------------------------------------
> @ntp: I use cal9000 only for encoding issues -
> never tried the auto attack feature. Unfortunately
> the project seems stalled since end of 2006. The
> Wiki page seems to wait for user feedback
> though...

I don't think any more work is planned, so it looks DOA. The owasp spring of code allotments were already announced and I don't see anything about CAL9000 or any of the project leaders named. I'll try to find out more.

WhiteAcid Wrote:
-------------------------------------------------------
> What specifically do you mean by "writeups on
> Greasemonkey automation"?

It would be nice if your scripts (or similar ones) were able to detect parameters/forms, add the xss tests, submit the request, watch the response (and/or crawl the site for responses showing the xss, etc), et al. IOW: do all the work for me.

Re: Greasemonkey XSS assistant
Posted by: WhiteAcid
Date: May 16, 2007 03:10PM

Ah. I had actually thought about that myself. I figured I could have a GM function such as xss_test() { alert('xss works') }, write that into the page using GM (before even the onload event would fire). Then it'd have an edited version of the XSS location in rsnake's XML file which instead of running an alert() tries to run that function. It'd then inject this into a form (inside a hidden iframe). It is probably very possible.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Greasemonkey XSS assistant
Posted by: WhiteAcid
Date: May 16, 2007 09:31PM

Due to crappy testing the reportPoC() didn't actually work properly. I just had to escape() some values, I've reuploaded. Please update the script.

Edit: slightly later I made another fix. I really should implement something in this so it calls home to check for new versions, but I know you guys don't want me to be able to track what sites you use this on.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 1 time(s). Last edit at 05/16/2007 11:01PM by WhiteAcid.

Re: Greasemonkey XSS assistant
Posted by: WhiteAcid
Date: June 04, 2007 06:34PM

Truly the peak of irony; this tool was vulnerable to XSS itself. It was possible for a web admin (who is able to create forms) to create one which runs JS when you try to XSS his forms. Create a page with the following form on it:
<form name="asd<img src=fail onerror=alert(1)>">a</form>
Then hit the little icon to bring up the window for this tool and you'll be XSSed. This same bug existed in more than one place, also in the form's action attribute, which executes when you hit "Show form information". It'd also work in the form's children's name attributes, as it uses those to build the select box.

I've now used the JS function escape() to protect you. Please update the script.

Yes this was bad, yes, I shouldn't have done this. I do apologize. At least to my knowledge this hasn't been abused and if it has at least the attacker didn't get access to the GM API allowing cross domain requests.

Edit: It's here (to save you scrolling up)

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 1 time(s). Last edit at 06/04/2007 06:37PM by WhiteAcid.
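The bug described above is the classic case of a tool trusting the page it inspects: form and field names are page-author data, and copying them into the tool's own menu as markup lets the page run script inside the tool. As an added example (not code from the XSS assistant script), the block below puts a menu builder that concatenates those names straight into markup beside one that HTML-escapes them first, and adds a small review check that lists any tag the builder did not emit itself. The sampleForm object, its action and field names, and the escapeHtml/foreignTags helpers are constructed for this demonstration; the form name is the one quoted in the post.

```javascript
// Added example (not code from the XSS assistant script). A constructed
// form whose page-controlled names carry markup; the name is the one quoted
// in the post, the action and field names are made up for this demonstration.
const sampleForm = {
  name: 'asd<img src=fail onerror=alert(1)>',
  action: '/submit" onmouseover="alert(2)',
  fields: ['user', 'comment<script>alert(3)</script>', 'nonce'],
};

// Vulnerable pattern: page-controlled strings concatenated into the tool's
// own UI markup, so the tool renders whatever markup the page author chose.
function buildMenuUnsafe(form) {
  let html = '<b>' + form.name + '</b>';
  html += '<span title="' + form.action + '">action</span>';
  html += '<select>';
  for (const f of form.fields) {
    html += '<option value="' + f + '">' + f + '</option>';
  }
  return html + '</select>';
}

// Replace the five characters that change meaning in HTML text and in
// double- or single-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: every page-controlled string is escaped before it is
// placed in text or attribute context, so it is displayed, never parsed.
function buildMenuSafe(form) {
  let html = '<b>' + escapeHtml(form.name) + '</b>';
  html += '<span title="' + escapeHtml(form.action) + '">action</span>';
  html += '<select>';
  for (const f of form.fields) {
    const e = escapeHtml(f);
    html += '<option value="' + e + '">' + e + '</option>';
  }
  return html + '</select>';
}

// Review check: list any tag in the output that the builder itself did not
// emit. A non-empty list means page data was parsed as markup.
function foreignTags(html) {
  const own = new Set(['b', '/b', 'span', '/span', 'select', '/select', 'option', '/option']);
  const found = [];
  for (const m of html.matchAll(/<\s*(\/?[a-zA-Z]+)/g)) {
    if (!own.has(m[1].toLowerCase())) found.push(m[1]);
  }
  return found;
}

console.log('unsafe:', foreignTags(buildMenuUnsafe(sampleForm)));
console.log('safe:  ', foreignTags(buildMenuSafe(sampleForm)));
```

Inside a real user script the cleaner route is to skip string building altogether and create the menu with document.createElement, assigning names through textContent and the value property, which never passes them through the HTML parser; the string version above is used only so the comparison runs outside a browser. Note that the entity escaping shown here is the HTML-context counterpart of the URL-encoding the post applies, and it is the one to use wherever page data ends up in markup.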

Re: Greasemonkey XSS assistant
Posted by: Anonymous User
Date: June 05, 2007 01:37AM

http://127.0.0.1/xssAttacks.xml ???
http://sid.selfip.org/xss.xml ???

;)

Re: Greasemonkey XSS assistant
Posted by: WhiteAcid
Date: June 05, 2007 07:37AM

Oops. I've re-uploaded.
I have copies of the .xml files at those locations to speed up the loading times and so that you guys don't see the requests from the sites I browse :p.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Greasemonkey XSS assistant
Posted by: Anonymous User
Date: June 05, 2007 07:46AM

K - works fine now!

Thx!

Re: Greasemonkey XSS assistant
Posted by: Anonymous User
Date: June 19, 2007 11:44AM

Hi!

I added new vectors - precisely Kishor's solutions - to the xss.xml - give it a try!

Greetings,
.mario

Re: Greasemonkey XSS assistant
Posted by: WhiteAcid
Date: June 19, 2007 02:52PM

Which are the new ones? I really should know this, unfortunately I didn't memorise the vectors :p

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Greasemonkey XSS assistant
Posted by: WhiteAcid
Date: June 19, 2007 03:00PM

Which are the new ones? I really should know this, unfortunately I didn't memorise the vectors :p
There's a really bad storm here atm cutting my Internet off every few minutes, for once I'm happy this forum doesn't bind my session to an IP or I'd have to keep logging back in all the time.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer
