Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
XSS Testing Tool
Posted by: jake.reynolds
Date: December 04, 2006 10:10AM

I've been working on a tool intended to aid in the testing of web applications for input validation/output encoding vulnerabilities (that allow XSS). This being my first attempt at development, I've gotten to a point where some additional programmatic assistance would help my progress exponentially.

Right now the tool is a .NET Windows Forms GUI that you can use to inject various attack vectors with. It just combines a lot of the different vectors and encoding options on RSnake's Cheat Sheet. Right now it's totally manual and can only create stand-alone HTTP requests. I would like to add proxy functionality so that the tool can be used more easily during testing (especially for persistent XSS). I would also like to add automation eventually as well.

Anyway, if there are any skilled developers out there that think they can contribute, drop me a line and we can talk more about it. I plan on releasing this as an open source tool eventually. Credit will be given where due obviously.

Thanks,
Jake

Re: XSS Testing Tool
Posted by: rsnake
Date: December 04, 2006 12:51PM

Jake is being way too modest. I've seen his tool. It is _very_ cool:



- RSnake
Gotta love it. http://ha.ckers.org

Re: XSS Testing Tool
Posted by: Kyran
Date: December 04, 2006 01:45PM

Cool! I was thinking of writing a similar tool in C#, but it seems you beat me to it. When it goes open source and I have more time I'll be sure to contribute.

- Kyran

Re: XSS Testing Tool
Posted by: jungsonn
Date: December 04, 2006 03:36PM

I've seen something like it a few months ago, built in Java (I can't remember its name anymore), also with a built-in hex editor for them pesky null bytes. It connected through a proxy for privacy.

So it's already beta? Anyone got a download link? I would love to test it.

Re: XSS Testing Tool
Posted by: jungsonn
Date: December 04, 2006 03:51PM

Maybe offtopic:

I was planning to build a Firefox extension for this, could be cool 'cause u can use it in combination with Tor. But I already found such an extension: https://addons.mozilla.org/firefox/3899/

But I'm not satisfied with this "hackbar";
it has fewer options, and no pre-built XSS vectors in it.

Anyone interested in building a "better" one together? Would be great to combine the XSS knowledge you guys have into an extension.
I already have experience with building a Firefox extension,
so that would be no problem.

see: https://addons.mozilla.org/firefox/3208/

Lemme know if you are interested in building this together.

Re: XSS Testing Tool
Posted by: jake.reynolds
Date: December 04, 2006 04:57PM

It isn't released yet. I was hoping to add some more features and implement some proxy functionality before I release. That's where this thread comes in.

Thanks,
Jake

Re: XSS Testing Tool
Posted by: rsnake
Date: December 05, 2006 10:31AM

Jungsonn, honestly, I'd rather have this as a stand alone tool than something built into Firefox for one simple reason - I need it for more than Firefox. I do lots of testing in Internet Explorer, Netscape and Opera too. I'd rather have a standalone proxy that works with any modern browser than a completely integrated tool that only works in one browser. Not to say I wouldn't use something like a Firefox version of Jake's tool, but if I had to have one or the other, I'd much rather have Burp Proxy + HTMangle built together.

- RSnake
Gotta love it. http://ha.ckers.org

Re: XSS Testing Tool
Posted by: jungsonn
Date: December 05, 2006 12:12PM

Yes, I agree, it's pretty limited.

However, I think I'm going to build one as an extension. I'm running FF only on my Linux box for testing 'cause it gives me much info, like the error console, server info, Tor, and other useful ext.

I had some ideas:

Like switching the extension on will highlight all forms and submit objects in the document for direct insertion (dropdown). Should save some amounts of time by looking in the source etc.

Pretty busy now so don't expect much soon though.

Re: XSS Testing Tool
Posted by: vandread
Date: December 14, 2006 04:36PM

Personally I'd like an XSS testing tool to be able to do some smart guesses about how it should `escape' the tags and stuff, so basically it should check where the strings submitted to the page end up, and see whether they're in text, attributes, javascript or anything else and construct the attack vector accordingly. Of course you'd need HTML parsing for this, and yes, you want to mimic the browser's behaviour, so it won't be perfect, but at least it'll be a good guess.

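The placement check described in the post above, turned to the defender's side, as an added example that is not code from this thread: it parses a response, records every context in which a harmless marker comes back (text, attribute, script, comment) and names the output encoding that context needs. The marker `zqx7canary`, the sample page and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
# Output encoding each reflection context calls for (defender's view).
ENCODER_FOR = {
    "text": "HTML-entity encode",
    "attribute": "attribute encode and keep the value quoted",
    "url-attribute": "allowlist the URL scheme, then attribute encode",
    "event-handler": "keep untrusted data out of inline handlers",
    "script": "JavaScript-string encode",
    "style": "CSS encode",
    "comment": "keep untrusted data out of comments",
}
URL_ATTRS = {"href", "src", "action", "formaction"}

class ReflectionFinder(HTMLParser):
    """Records each context in which a harmless marker string comes back."""
    def __init__(self, marker):
        super().__init__(convert_charrefs=True)
        self.marker, self.raw, self.hits = marker, None, []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and self.marker in value:
                ctx = ("event-handler" if name.startswith("on") else
                       "url-attribute" if name in URL_ATTRS else "attribute")
                self.hits.append((ctx, f"{tag}[{name}]"))
        if tag in ("script", "style"):
            self.raw = tag  # data that follows is raw script/style text

    def handle_endtag(self, tag):
        self.raw = None if tag == self.raw else self.raw

    def handle_data(self, data):
        if self.marker in data:
            self.hits.append((self.raw or "text", "element content"))

    def handle_comment(self, data):
        if self.marker in data:
            self.hits.append(("comment", "<!-- -->"))

def classify(page, marker):
    finder = ReflectionFinder(marker)
    finder.feed(page)
    finder.close()
    return [(ctx, where, ENCODER_FOR[ctx]) for ctx, where in finder.hits]

MARKER = "zqx7canary"  # arbitrary harmless marker; SAMPLE is a constructed response
SAMPLE = ('<p>Results for zqx7canary</p><input name="q" value="zqx7canary">'
          '<a href="/s?q=zqx7canary">again</a>'
          '<script>var q = "zqx7canary";</script><!-- q=zqx7canary -->')
```

`classify(SAMPLE, MARKER)` returns one tuple per reflection, so a single parameter that lands in several contexts shows up once for each encoder it needs.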
Re: XSS Testing Tool
Posted by: rsnake
Date: December 14, 2006 06:00PM

Those feedback loops are interesting. I know more than one company is working on that concept. It's just really really difficult to know how one input parameter affects another. Especially when you may be talking about hundreds of variants on a single page. The logic gets really complex really fast. Take Hong's onmouseover XSS fragmentation attack against Microsoft. Eesh! Show me the program that can find that!

- RSnake
Gotta love it. http://ha.ckers.org

Re: XSS Testing Tool
Posted by: Anonymous User
Date: December 18, 2006 11:10AM

This tool definitely looks very promising. Unfortunately there seems to be no way for getting valuable debug output - also the requests don't work already.

I especially like the possibility to choose the payload and watch the query string for that - just like cal9000 but more powerful. I will check out the tool more intensively when back at home...

Greetings,
.mario

Re: XSS Testing Tool
Posted by: rsnake
Date: March 14, 2007 10:47AM

I'd love to see this project come back to life. Jakkkkkeeeee!

- RSnake
Gotta love it. http://ha.ckers.org

Re: XSS Testing Tool
Posted by: hackathology
Date: March 16, 2007 09:30AM

I am so so so jealous. Most of you can code here and I can't. :(

http://hackathology.blogspot.com

Re: XSS Testing Tool
Posted by: SW
Date: March 17, 2007 02:09AM

vandread Wrote:
-------------------------------------------------------
> Personally I'd like an XSS testing tool to be able
> to do some smart guesses about how it
> should `escape' the tags and stuff, so basically
> it should check where the strings submitted to the
> page end up, and see whether they're in text,
> attributes, javascript or anything else and
> construct the attack vector accordingly. Of course
> you'd need HTML parsing for this, and yes, you
> want to mimic the browser's behaviour, so it won't
> be perfect, but at least it'll be a good guess.

I agree. One that tries to cause an error and analyzes the results, then tries to close in on the error based on what is escaped, etc, etc. It would spider the site and identify forms and PHP variables and try to inject them each individually. Would take a few minutes probably to run and then output all detected XSS holes with working strings as well as any that caused errors but it was unable to get to XSS.

:)

Re: XSS Testing Tool
Posted by: kogir
Date: March 17, 2007 02:33AM

I'd be interested in helping if the project is still alive. I'm familiar with .NET and HTTP. I'd also love to make it proxy SSL as well, as I could use such a tool.

PM me if interested.

-kogir

Re: XSS Testing Tool
Posted by: jake.reynolds
Date: March 26, 2007 04:45PM

> I'd love to see this project come back to life. Jakkkkkeeeee!

Thanks to Kogir the project has gotten revived again and hopefully we'll have something more useful out in the future.

Jake



Edited 1 time(s). Last edit at 03/26/2007 04:47PM by jake.reynolds.

Re: XSS Testing Tool
Posted by: hackathology
Date: March 27, 2007 04:53AM

Cool, I am looking forward to seeing the final tool when it comes out.

http://hackathology.blogspot.com

Re: XSS Testing Tool
Posted by: rsnake
Date: March 27, 2007 11:37AM

Ditto! This tool has been long awaited!

- RSnake
Gotta love it. http://ha.ckers.org

Re: XSS Testing Tool
Posted by: hackathology
Date: March 27, 2007 11:40AM

Today rsnake posted a topic about iterative scanning, how about this, implement smart scanning options with this tool?

http://hackathology.blogspot.com

Re: XSS Testing Tool
Date: March 30, 2007 02:15AM

I too have decided to begin work on a standalone XSS tool mostly based off of rsnake's cheatsheet, but mostly because any other program I'd write would more than likely just become a DoS aid.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: XSS Testing Tool
Posted by: hackathology
Date: March 30, 2007 03:40AM

Nice one Awesome, I am so so so eager to see the finished product..:)

http://hackathology.blogspot.com

Re: XSS Testing Tool
Date: March 31, 2007 01:12AM

I don't use .Net but I know that it allows for Visual Basic 6 events using some procedural call, and I'm currently writing an obfuscation and deobfuscation module in Visual Studio for character and IP address encoding (based off of rsnake's XSS cheat sheet, but coded by hand) that might aid you in your work if that's what you're going to add to your project. So far I've written an assortment of error-proof functions allowing for conversions from ASCII to decimal, HTML entities, hexadecimal HTML entities, obfuscated URL form, and back (a little more than available on the XSS cheat sheet), but no Base64 as I haven't quite read up on the algorithm, and refuse to use anything but code I've personally written. It also allows for IPs to be converted from and to decimal form, but not currently using DWORD only because I didn't place it on the Form. Should I?


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

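The encodings listed in the post above (decimal and hexadecimal HTML entities, URL encoding, integer IP addresses), seen from the filtering side: an added example, not the poster's module, that peels nested encodings back to one canonical value before any comparison is made. Function names and sample strings are constructed for illustration.

```python
import html
import ipaddress
from urllib.parse import unquote


def peel(value, max_layers=8):
    """Undo URL and HTML-entity encoding until the value stops changing.

    Returns (canonical, layers); layers lists each decoding in the order applied.
    """
    layers = []
    for _ in range(max_layers):
        for name, decode in (("url", unquote), ("html-entity", html.unescape)):
            decoded = decode(value)
            if decoded != value:
                value = decoded
                layers.append(name)
                break
        else:
            break  # neither decoder changed the value: canonical form reached
    return value, layers


def canonical_host(host):
    """Map dotted-quad and single-integer (DWORD) IPv4 spellings to one form."""
    try:
        if host.isascii() and host.isdigit():
            return str(ipaddress.IPv4Address(int(host)))
        return str(ipaddress.IPv4Address(host))
    except ValueError:
        return host.lower()  # not an IPv4 literal: treat as a hostname


def filter_sees(raw, needle):
    """True when needle is present once every encoding layer is removed."""
    return needle in peel(raw)[0]


# Constructed samples: the same harmless "<b>" in three spellings.
SAMPLES = ["%26%2360%3Bb%26%2362%3B", "&#x3C;b&#x3E;", "%253Cb%253E"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", peel(sample))
    print(canonical_host("3232235777"))
```

A filter that compares against the raw string matches none of the three samples; comparing against `peel(...)[0]` matches all of them.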
Re: XSS Testing Tool
Posted by: kogir
Date: March 31, 2007 10:10PM

This test post was routed through the proxy. It may yet work.

-kogir
