XSSDB Elite
It took me 3 hours to put together the newest version of XSSDB, an award-winning GNUCITIZEN application. I would like to call this version XSSDB Elite, since it is lighter, smaller, better, and a lot more feature-rich.
XSSDB started as a simple interface to RSnake’s Cross-site Scripting Cheat Sheet, which is still one of the most accurate resources on Cross-site Scripting attacks to date. This status, however, may change.
Soon after I published the first version of XSSDB, I realized that we need to give the power back to the community in order to keep up with the latest Cross-site Scripting attack vectors. At that time RSnake alone was handling all changes to his cheat sheet, which is why updates were coming rather slowly. There were (and still are) tons of attack vectors that were not properly documented. The cheat sheet, although the best available, was just not enough. How do you expect developers to come up with good enough anti-XSS solutions when there is no single entry point covering the vast topic of Cross-site Scripting attacks?
There was a problem and no one was around to handle it. I was planning to integrate a simple database backend into XSSDB based on WordPress. However, due to resource limitations, I had to leave the project for later.
Meanwhile, another organization, XSSED.com, took the initiative to collect Cross-site Scripting holes found in real websites. IMHO, the idea was interesting but not very well implemented. The purpose of XSSED.com should have been to protect website owners by providing an early warning system. Instead, a public list of live, unfixed holes is in effect a machine-readable target list. This is the reason why I targeted this website in particular in my research on hacking Web2.0 services/applications (Advanced Web Hacking Revealed), presented at OWASP, Italy 2007. During the conference, I discussed how attackers can use Dapper in combination with Yahoo Pipes to dynamically fetch entries from XSSED.com and exploit the affected sites. An XSS worm that implements similar functionality has the potential to propagate across the entire Web. Obviously, this is quite dangerous.
After OWASP, I promised myself to come back and work on XSSDB to provide the best possible community-driven XSS database service. I was planning to use all my skills and knowledge in client-side hacking to implement this system. The main goal was to keep the database decentralized so that no one is in charge. This is how XSSDB Elite was born.
The current version of XSSDB is entirely client-side (i.e. it is a mashup). The database is handled by Zoho Creator, and anyone who is willing to become a maintainer/moderator is welcome to drop us an email over here. At the moment XSSDB allows you to add new XSS exploits and site-specific exploits. The GNUCITIZEN group is currently working on the warning system, which will be implemented soon. The database is backed up on a regular basis by several aggregators, including Securls.com, Google Reader and FeedBurner. We encourage users to subscribe to both XSSDB feeds so that the community can recover the data if the database fails at some point in the future.
So, this is it. XSSDB is a pretty good proof of concept of what can be achieved with minimal effort and a good understanding of Web2.0 engineering. Drop us an email or leave a comment below this post to tell us what you think.

comments
Off-topic somewhat, but it appears that this “underground” site is listing AttackAPI along with crimeware. Note how they don’t link to your site - I wonder if the original code is modified.
It is my suggestion to readers of this post that they make sure HTTP referers are off and that they are using an adequately anonymous proxy before copying, pasting, and properly modifying this URL (there are extra dots in the domain name):
http://www..v.e.n.o.m.-.i.n.c......showuser=1
I am Charles from Zoho Creator Team.
Thanks for choosing Zoho Creator as the database for maintaining the DB for XSS. We will make sure Zoho Creator is foolproof against all the XSS vulnerabilities. We assure you that you will have the best and most secure service from Zoho Creator.
Regards,
Charles
Zoho Creator
If people want to ‘try’ some of these vectors, http://h4k.in/xssinexcess can be one of the choices.
You need to enable JavaScript, of course, and popups in order to be able to use the UI.
Mario has his XML version of XSS vectors at http://mario.heideri.ch/xss.xml
ntp, it is funny that AttackAPI is considered crimeware. I mean, the library does not provide any specific facilities to steal credit cards, etc. It is a research project and so far, I haven’t seen anyone using it to compromise browsers or vulnerable web applications.
Charles, thanks for that. Shortly after this response, I will email you guys the details of the XSS vulnerability I stumbled across while developing for your platform. I hope that you find the XSSDB project as noble as we do. Zoho Creator is a great service. Good job!
Kishor, yes I’ve seen your page, but single-page cheat sheets are quite hard to work with. This is exactly the same problem I had with RSnake’s cheat sheet as well. Moreover, how do we contribute new attack vectors? How can we inform website owners that their applications are vulnerable to whatever XSS attacks? This is the reason why we work so hard on XSSDB at the moment. By mashing up Zoho Creator with several other online tools we are planning to produce a decentralized Cross-site Scripting warning system that everyone can use. Security researchers will benefit from the system, which will help them perform better tests and design more accurate XSS scanners. Website owners will benefit from the instant feedback. It is open and it is free. Everyone is welcome to mash up this service with their data. In fact, we encourage it.
Hi!
Nice one - but I am not sure if it makes sense to allow user generated content for the XSSDB (or are new vectors moderated?).
I would very much like to add my vectors, Kishor’s solutions and the stuff that came up during pentesting the PHPIDS. Is there another interface that I can access?
Greetings,
.mario
pdp, the XSSDB doesn’t render correctly in Safari 2 :(
I’ll have a dig later why, but right now i have a report to do!
Daniel, yes, the application was developed primarily for Firefox, which is the only browser that follows the W3C standards at the moment. Why are other browsers not like Firefox? The world would have been a much better place.
.mario, yes. The database is moderated and I was thinking of adding you and Kishor as top moderators. So, you guys will be in charge of the entire XSSDB machina. We can use the database for the PHPIDS project as well. We can easily add another field to the database to provide a facility for users to supply a regex which can be used to match the discussed exploit. Or maybe we can create another mashup just for PHPIDS. I can help you out with these types of projects, since I have a large portion of the work already done, and now with the help of securls.com, the entire process will be even easier.
Let me know what you think!
Charles,
when do you think the XSS bugs will be fixed?
Charles (from Zoho),
Since the XSSDB project will largely utilise Zoho, it’ll be great for you guys to get some free security testing :)
pdp,
We had a minor update today. It is a mere coincidence to have a captcha field in today’s update. You can specify it in the “Form Properties” under “More Actions” in the Form Editor. So there you go.
And regarding the other XSS vulnerabilities, we are yet to assess the amount of effort involved (though it seems to be small). I will update you tomorrow on this.
BTW, Thanks for sharing your tips in our forums. I will share my views at the earliest.
David,
I couldn’t agree more on that. It will be of immense value for Zoho to be served as the database. We are really excited to be part of your community.
Charles
Charles,
great. thanks for that.
Dear pdp,
We need to handle this in more than one place in Zoho Creator. We might have to replace those characters in Form Input, Deluge scripting, and in View Search. And we will have to test it in a lot of places. So to get this done at the earliest, it might take until next weekend for us.
Thanks,
Charles
Charles,
JSON feeds are also affected :). Also, if you provide a callback parameter for each feed, it will be great. For now, we have to abandon JSON and use Yahoo Pipes to fetch XML from the database, since it is the only safe option at the moment. Is there a way to filter database entries on the fly by using a REST-like interface or something? I also wonder how to fetch more than one JSON page at a time, since the maximum we can get at the moment is 100 entries. There are some tricks that we can use to get more, but we are looking for a clean solution that is compatible with your application.
thanks
Yes, JSON, RSS and others were the ones that I meant for testing. Right now we have not handled them properly. They will also be fixed and thoroughly tested in the update.
For the normal json feed, you get all the data by default and not the first 100 entries alone. We do have the REST API and the callback function already but they are not yet documented.
I will explain here in detail
Consider this JSON feed http://creator.zoho.com/charles/json/266/ , of the view http://creator.zoho.com/charle...../view/266/
1. For Getting the raw data without any JavaScript variable,
http://creator.zoho.com/charles/json/266/raw=true
2. For call back functionality in javascript, you need to add an extra parameter callback=fnToCall where fnToCall is the callback function
http://creator.zoho.com/charle.....myfunction
3. As far as the REST API for filtering is concerned, it is kind of not human readable right now. But you can get the filtered JSON url by doing the following steps.
a) Filter the data in the List view by using Search feature.
b) After getting the results in the view, click “Export Data”
c) In the pop up dialog, copy the JSON feed link in the “Filtered Records” tab. This will give the filtered data of the view as JSON feed.
We will make the URL human-readable and writable in the near future so that it can be used more widely.
Hope this helps.
Thanks,
Charles
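Editor's note on the exchange above. pdp reports that the JSON feeds reflect the stored XSS vectors unescaped and asks for a callback parameter; Charles describes a feed that can be served raw, wrapped in a callback, or as a JavaScript variable. The following is an added example, not Zoho Creator's or GNUCITIZEN's code, of how such a feed has to be built so that a database whose whole content is attack payloads does not become a stored-XSS source for every page that loads it. The function names, the record shape, the "raw" and "callback" parameter handling and the sample records are all constructed here for illustration.

```javascript
// Added example, not Zoho Creator's or GNUCITIZEN's code: a JSON/JSONP feed
// for a database of XSS vectors. Function names, the record shape and the
// sample records are constructed for illustration; the "callback" and "raw"
// parameters mirror the ones mentioned in the thread.

// Only a JavaScript identifier path such as "myfunction" or "xssdb.load"
// may be used as the JSONP wrapper; anything else is refused, so the
// callback parameter itself cannot inject script.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Constructed sample records, the kind of entries an XSS database holds.
// Entry 3 contains a closing script tag and a U+2028 line separator.
const SAMPLE_ENTRIES = [
  { id: 1, vector: '<script>alert(1)</script>', author: 'pdp' },
  { id: 2, vector: '"><img src=x onerror=alert(document.cookie)>', author: 'ntp' },
  { id: 3, vector: '</script><script>alert(2)</script>\u2028', author: 'kishor' },
];

// JSON.stringify leaves "<", ">", U+2028 and U+2029 untouched. Embedded in a
// <script> element or a JSONP response, "</script>" ends the element and the
// line separators are line terminators in older engines, so a stored vector
// would run in every page that loads the feed. Replacing those characters
// with \uXXXX escapes keeps the output valid JSON and inert as script text.
function serializeForScript(value) {
  return JSON.stringify(value).replace(/[<>\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Builds the response for the three feed modes discussed in the thread:
// raw JSON, JSONP with a validated callback, or a plain JavaScript variable.
function buildFeed(entries, { callback, raw } = {}) {
  const body = serializeForScript({ count: entries.length, records: entries });
  if (raw) {
    return { status: 200, contentType: 'application/json', body };
  }
  if (callback !== undefined) {
    if (!CALLBACK_RE.test(callback)) {
      return { status: 400, contentType: 'text/plain', body: 'invalid callback' };
    }
    return { status: 200, contentType: 'application/javascript', body: `${callback}(${body});` };
  }
  return { status: 200, contentType: 'application/javascript', body: `var xssdb = ${body};` };
}

// Consumers still get the original vectors back: the escapes are plain JSON.
function decodeFeed(rawBody) {
  return JSON.parse(rawBody).records.map((r) => r.vector);
}

console.log(buildFeed(SAMPLE_ENTRIES, { callback: 'myfunction' }).body);
console.log(buildFeed(SAMPLE_ENTRIES, { callback: 'alert(1);//' }));
```

The two checks matter independently: escaping the payload characters protects the page that embeds the feed, and whitelisting the callback name protects against the wrapper parameter being used as the injection point, which is the usual JSONP mistake even when the data itself is clean.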
Thanks Charles,
yes, this helps a lot. We are looking forward to getting our hands on Zoho Creator as soon as you fix the bugs. Keep us informed about any updates. Meanwhile, we are going to come up with a temporary solution for the application on our side.
cheers
Sure, We will update you once it is in place. Thanks once again.
Charles
Charles,
Keep up the great work, Zoho is a great service.