JavaScript XSS Scanner
On this page you will find a POC of a JavaScript XSS (Cross-site Scripting) scanner, which I promised to build after publishing the Yahoo Site Explorer Spider discussed in detail over here. Before going any further, I must say a few words about the legal side of using this tool. Basically:
If you notice, the scanner is a bit restricted. It is not exhaustive and it can definitely be improved in a number of areas. However, all restrictions were introduced on purpose, for a number of reasons. The first reason is that this tool is just a Proof of Concept - it is not intended to be part of any XSS/AJAX worm, attack toolkit or other type of malicious software. Also, the tool should be used for educational purposes only. Learn from it and come up with creative solutions that solve interesting problems. Don’t be evil. Last but not least, this tool is written just to prove that AJAX worms can propagate across several domains by scanning for new vulnerabilities on their own. That used to be considered a theoretical attack vector. With this example we put the theory into practice.
The XSS Scanner relies on an external proxy server to locate the XSS holes. The proxy in use is called Palary and you can find more information about it over here. Here is what the developers of Palary have to say about their product:
The Palary Browser is a cutting-edge, web application that delivers a secure, personalized surfing experience. The main advantages of the Browser over classical technologies are as follows:
Security - The Palary Browser by default disables Javascript in webpages. Javascript is a useful technology in many circumstances, but is also insecure and opens your computer up to innumerable web based attacks. These attacks are impossible when using the Palary Browser.
Privacy - The Palary Browser increases your privacy on multiple fronts. On a wide front, the Browser prevents your ISP, your government, or another body from tapping your web-surfing. All data is routed through the Browser’s servers so that it is impossible for these bodies to see what information you are accessing or sending. (The above assumes that you have media disabled on webpages.)
On a more local front, the Browser prevents history files, cache files, and cookie files from being saved to your computer. This means that no one with access to your computer will be able to see where you have been surfing.
Once you open the POC application there are two options given to you. The first one is to use the XSS scanner together with the Yahoo Site Explorer Spider. The spider is restricted in terms of depth and number of results per page. You can spider only the top 50 results. Again, this is done on purpose. Concurrently with the spider, the scanner will test for XSS issues and deliver the results via a callback.
The second option scans only one URL. The scanner will grab your input and mutate it into various XSS vectors. Then it will try each one of them. On success the scanner fires a callback and displays the results on the screen. If for any reason there are no results on the page, this means that no XSS was found. Again, keep in mind that the scanner was crippled on purpose.
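As an added example (not the scanner's code and not part of the original post), here is how the probing described above looks from the defender's side of the wire: a small script that reads web server access-log lines and flags requests whose query parameters carry the kind of mutated XSS vectors such a scanner sends, so that scanning activity shows up in monitoring. The pattern list, the Combined Log Format parser and the sample log lines (including the IP addresses) are constructed for this example.

```javascript
// Added example, not from the original post: flag access-log requests whose
// query parameters carry the kind of mutated XSS vectors the scanner sends.
// Patterns and log lines are constructed for illustration.
const PROBE_PATTERNS = [
  /<\s*script\b/i,                               // opening <script> tag
  /javascript\s*:/i,                             // javascript: URL scheme
  /\bon(load|error|click|mouseover|focus)\s*=/i, // inline event handler
  /<\s*(img|iframe|svg)\b/i                      // tags often used for injection
];
// Decode a query value, tolerating '+' spaces and malformed percent-encoding.
function decodeParam(value) {
  try { return decodeURIComponent(value.replace(/\+/g, ' ')); }
  catch (e) { return value; } // keep undecodable input instead of dropping it
}
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /; // Combined Log Format
function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  return m ? { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) } : null;
}
// Names of query parameters whose decoded value matches a probe pattern.
function findProbeParams(path) {
  const q = path.indexOf('?');
  if (q < 0) return [];
  const hits = [];
  for (const pair of path.slice(q + 1).split('&')) {
    const eq = pair.indexOf('=');
    const name = eq < 0 ? pair : pair.slice(0, eq);
    const value = decodeParam(eq < 0 ? '' : pair.slice(eq + 1));
    if (PROBE_PATTERNS.some((re) => re.test(value))) hits.push(name);
  }
  return hits;
}
// Scan log lines and return one finding per request that carries a probe.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (!entry) continue;
    const params = findProbeParams(entry.path);
    if (params.length) findings.push({ ip: entry.ip, path: entry.path, params, status: entry.status });
  }
  return findings;
}
const SAMPLE_LOG = [ // constructed sample lines, not from a real server
  '203.0.113.5 - - [10/Oct/2006:13:55:36 +0000] "GET /search?q=hello+world HTTP/1.1" 200 512',
  '203.0.113.5 - - [10/Oct/2006:13:55:37 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
  '203.0.113.5 - - [10/Oct/2006:13:55:38 +0000] "GET /page?id=1&ref=javascript%3Aalert(1) HTTP/1.1" 200 300',
  '198.51.100.7 - - [10/Oct/2006:13:56:01 +0000] "GET /search?q=onion+rings HTTP/1.1" 200 512'
];
console.log(scanLog(SAMPLE_LOG)); // two findings: q on /search, ref on /page
```

A burst of such findings from one source against many parameters in a short window is the signature of an automated scanner rather than a single curious user, which is the pattern worth alerting on.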
For the curious ones, here is the scanner source code:
scanner.js
and this is how I use it:
scanner.js
I hope that this was helpful and quite educational. If you are interested in this subject, I highly recommend subscribing to this blog and checking out some of the previous articles. You can also have a look at Billy Hoffman’s Jikto.
comments
Nice POC mate. I really like the XSS mutate functions, simple and effective.