Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Injecting javascript into a page
Posted by: trix
Date: August 23, 2006 02:50PM

Does anyone have a program that can do that for you? I just need it to test the effects of javascript variables on a page etc. and run scripts on a certain page =p

uhh i found greasemonkey :p i knew there was a reason why everyone had it.

trix



Edited 1 time(s). Last edit at 08/23/2006 03:06PM by trix.

Re: Injecting javascript into a page
Posted by: rsnake
Date: August 23, 2006 04:40PM

I actually prefer the WebDeveloper plugin (Under Miscellaneous click Edit HTML) for that kind of thing (or burpproxy since it lets you edit the actual request itself, which is often handy).

- RSnake
Gotta love it. http://ha.ckers.org

Re: Injecting javascript into a page
Posted by: trix
Date: August 23, 2006 05:19PM

yea i used burp proxy to intercept, it worked like a charm :p

trix

Re: Injecting javascript into a page
Posted by: rsnake
Date: August 23, 2006 09:46PM

Personally, I love burp proxy. I've been recommending it for some time. It's particularly good for newbie users I think because they generally don't even really understand HTTP which can really help their thinking. It's really fun to watch someone work on it for the first time. For pro users writing your own tools is really the best way to go, but not many people have the time for that.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Injecting javascript into a page
Posted by: trix
Date: August 24, 2006 08:09AM

well you can develop plugins for burp proxy and you could basically decompile the program and get a gist of how it works anyhow -- not sure about the disclaimers or what not SO I'm not advising you to take it apart but it should be interesting.

trix

Re: Injecting javascript into a page
Posted by: rsnake
Date: August 24, 2006 10:12AM

I've been thinking about that exact idea for a while. There actually is a project underway as we speak to build most of my cheatsheet into a tool that could eventually work its way into a proxy. I'm dying for it to be built! I've seen the early prototypes and it works really well. I really shouldn't spill the beans until it gets closer to being done, but thus far it's really powerful.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Injecting javascript into a page
Posted by: trix
Date: August 24, 2006 10:32AM

Is it the current one being built at OWASP or is it in the works with someone else? If you need help developing it I'm down.

trix

Re: Injecting javascript into a page
Posted by: rsnake
Date: August 24, 2006 10:55AM

It's a private thing outside of OWASP. I'll let the guy know and see if he wants to post about it. It's his gig, not mine, so I don't want to speak for him.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Injecting javascript into a page
Posted by: jake.reynolds
Date: August 24, 2006 08:01PM

Yeah so currently I've got a .NET Windows forms application that implements RSnake's cheatsheet (well most of the basics at least right now). It's got GUI options for most of the encoding obfuscation techniques, tags, and other tricks you'll find on the cheatsheet. The cool thing is that you can just select a tag, select options related to the tag, then select whatever script payload you want and select options related to the payload.

Right now it only uses a .NET browser (IE) object so it's kind of target browser dependent. You can copy/paste the attacks into whatever browser you want to attack but that's not as slick.

Eventually I will have it function as a proxy so it will work with any browser. I'd also like to automate it as well. Anyway I'm working on digging up a resource here at FishNet Security to help take it to where I want it to be. Anyways I look forward to releasing it hopefully by the end of the year.

Jake

Re: Injecting javascript into a page
Posted by: rsnake
Date: August 24, 2006 10:33PM

Having seen the preliminary version, I think it has a lot of what the community needs built into it, as far as taking a lot of the guesswork out of it. For those who already know everything about the task it's still helpful because it takes some of the error prone work out of the mix. Thus far I am really happy with the output, and very much looking forward to the future versions.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Injecting javascript into a page
Posted by: trix
Date: August 25, 2006 09:51AM

that's pretty neat, I was thinking more along the lines of writing one in java so i could port it to a different OS, but in the case for it being browser dependent, I would say it is a good idea for testing IE apps. Will this become open source after you finish developing it?

trix

Re: Injecting javascript into a page
Posted by: jake.reynolds
Date: August 29, 2006 01:01PM

That's the plan as of now, to release as open source.

Re: Injecting javascript into a page
Posted by: rsnake
Date: August 29, 2006 01:47PM

Do you know what you're going to attach it to or are you going to write your own proxy?

- RSnake
Gotta love it. http://ha.ckers.org
