Friday, April 1, 2011

Screen Scraping (XSS Hunting)

I was working with Damn Vulnerable Web App (DVWA) yesterday and the XSSMe plugin for Firefox and I wondered how hard it would be to write my own.  While this is a great plugin and very useful, I'm more of a command line person.  For those of you who haven't used the XSSMe plugin, it searches for all <input> tags on the current web page and then presents you with a list of pre-defined strings you can use to test for XSS.

I wrote up a quick demo of something similar on the command line which gives a little more info than the XSSMe plugin, but still accomplishes the same goal.  Here is the code:

# Python 2: HTMLParser and urllib2 are the Python 2 module names.
from HTMLParser import HTMLParser
from urllib2 import urlopen


class Spider(HTMLParser):
    """Fetch one page and report every <form> and every named <input> on it."""

    def __init__(self, url):
        HTMLParser.__init__(self)
        self.sites = []          # names of <input> elements seen so far
        req = urlopen(url)       # follows redirects; no timeout is set
        self.feed(req.read())
        self.close()             # flush anything still buffered in the parser

    def handle_starttag(self, tag, attrs):
        # attrs is a list of (name, value) pairs; value is None for a bare
        # attribute such as <form novalidate>
        if tag == 'form' and attrs:
            print ""
            print "---- Form Found ----"
            print "Num of attributes: " + str(len(attrs)) + "\n"
            for key, value in attrs:
                print "[" + str(key) + "] -> [" + str(value) + "]"

        if tag == 'input' and attrs:
            for key, value in attrs:
                if key == "name" and value:   # skip unnamed and empty names
                    self.sites.append(value)


print "Enter a URL (ie. http://example.com)"
start_url = raw_input()
print ""
print "***** Starting Scan *****\n"
print "URL: " + start_url + "\n"

spider = Spider(start_url)
print ""
print "There are " + str(len(spider.sites)) + " possible targets on this page:"
print spider.sites
print ""

When you launch this little python script it will prompt you for a URL.  The script connects to that URL and hunts for any <form> elements.  It prints the attributes of each one, so you can see which method is used and which action the form is submitted to.  As it goes it also records the name attribute of every <input> tag it meets.  Once the page has been parsed, all names found are displayed as "possible" targets.  Although this isn't a complete XSS automation tool, it is a good start for collecting possible targets on a web page.  Here is a sample run:


Enter a URL (ie. http://example.com)
http://new.babbaco.com

***** Starting Scan *****

URL: http://new.babbaco.com


---- Form Found ----
Num of attributes: 5

[id] -> [search]
[class] -> [search]
[action] -> [http://babbaco.com/SearchResults/tabid/37/Default.aspx]
[method] -> [get]
[role] -> [search]

---- Form Found ----
Num of attributes: 4

[name] -> [news]
[form] -> [None]
[action] -> [/thanks]
[method] -> [GET]

---- Form Found ----
Num of attributes: 2

[action] -> [/thanks]
[method] -> [GET]

There are 4 possible targets on this page:
['Search', 'email', 'enter', 'email']

From the output you can see that there are three forms on this page and four possible targets to examine.  Every form uses the GET method, so sending pre-defined XSS strings back to the server is just a matter of appending them to the action URL as query parameters and checking whether they come back unencoded in the response.  Two caveats: the target list is flat, so it does not record which form each input belongs to (which is why "email" appears twice), and it only covers inputs present in the server-rendered HTML, not fields added later by JavaScript.

You could further extend this script by letting it spider across the entire site recursively and/or save the output to a file.  You could also define some XSS strings to GET or POST back to the site using the "possible" targets list it generates; the form attributes shown by the screen scraping tell you which method and which action URL to use for each target.
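As an added example of the extension just described (and of the form-and-input collection the script above performs), here is a Python 3 sketch that is not part of the original post: it groups each <input> under its parent <form>, resolves the action against the page URL, builds one probe request per field using the form's own method, and classifies how a probe string comes back in a response.  It does no network I/O: SAMPLE_HTML, the example.com URLs and the two "responses" at the bottom are constructed for the example, and the PROBE string is an arbitrary marker chosen because it contains a quote, angle brackets and an apostrophe.

```python
# Python 3 (the post's script is Python 2).  Added example, not the post's code:
# group <input>s under their parent <form>, build one probe request per field,
# and classify how the probe string is reflected.  No network access: the page
# and the "responses" below are constructed strings.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin

# Constructed sample page (not a real site): a GET search form, a POST login
# form, and a stray <input> outside any form that must be ignored.
SAMPLE_HTML = """
<html><body>
<form id="search" action="/search" method="get">
  <input type="text" name="q">
  <input type="hidden" name="lang" value="en">
</form>
<form action="/login" method="POST">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Go">
</form>
<input type="text" name="orphan">
</body></html>
"""

# Probe string with a double quote, angle brackets and an apostrophe: if it
# comes back verbatim, the server is not encoding it for an HTML context.
PROBE = 'x"<xss>\''


class FormCollector(HTMLParser):
    """Collect every form as {'action', 'method', 'inputs': {name: default}}."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []
        self._current = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # bare attributes (e.g. <form novalidate>) map to None
        if tag == "form":
            self._current = {
                # relative actions are resolved against the page URL
                "action": urljoin(self.base_url, a.get("action") or ""),
                "method": (a.get("method") or "get").lower(),
                "inputs": {},
            }
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = a.get("name")
            if name:  # unnamed fields (e.g. submit buttons) are never sent
                self._current["inputs"][name] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def collect_forms(page_html, base_url):
    parser = FormCollector(base_url)
    parser.feed(page_html)
    parser.close()
    return parser.forms


def build_probes(form, payload=PROBE):
    """One request per field: payload in that field, defaults in the rest."""
    probes = []
    for target in form["inputs"]:
        data = dict(form["inputs"])
        data[target] = payload
        if form["method"] == "get":
            probes.append({"target": target, "method": "GET",
                           "url": form["action"] + "?" + urlencode(data),
                           "body": None})
        else:
            probes.append({"target": target, "method": "POST",
                           "url": form["action"], "body": urlencode(data)})
    return probes


def classify_reflection(response_html, payload=PROBE):
    """'raw' if the payload is echoed unencoded, 'escaped' if only its
    HTML-encoded form appears, 'none' if it is not reflected at all."""
    if payload in response_html:
        return "raw"
    if escape(payload, quote=True) in response_html:
        return "escaped"
    return "none"


if __name__ == "__main__":
    for form in collect_forms(SAMPLE_HTML, "http://example.com/index.html"):
        print(form["method"].upper(), form["action"], list(form["inputs"]))
        for probe in build_probes(form):
            print("  ", probe["target"], "->", probe["url"], probe["body"])
    # Two constructed responses to the same probe: one echoes it raw, one encoded.
    print(classify_reflection('<p>Results for x"<xss>\'</p>'))
    print(classify_reflection('<p>Results for x&quot;&lt;xss&gt;&#x27;</p>'))
```

Each probe carries the marker in exactly one field with the form's defaults everywhere else, so a "raw" result points at a specific parameter rather than at the form as a whole.  "escaped" only says the output was HTML-encoded; a value landing inside a script block or an attribute would still need its own context-specific check.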
