An adaptation of NVisium's xssValidator Burp Extension to support an offline mode
// Flip to true to get progress messages on the console while parsing.
var DEBUG = false;
// Global finding record: `value` becomes 1 once a page handler fires,
// `msg` accumulates one "XSS found: ..." entry per trigger.
var xss = {
  value: 0,
  msg: ""
};
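/**
 * Parse one HTTP response by loading it into the PhantomJS WebPage `wp`.
 *
 * Assigning the response to `wp.content` renders it and runs its scripts; the
 * handlers installed by reInitializeWebPage() (onAlert, onConfirm, onPrompt,
 * onConsoleMessage) mark any trigger in the global `xss` record. To also reach
 * handlers that need interaction, the first element of each listed tag name
 * is sent the mouse events in `eventHandler`.
 *
 * In the Burp-driven version the response arrives base64-encoded; here it is
 * used as-is, so the caller passes plain response text.
 *
 * @param {string} data - response text assigned to `wp.content` unchanged.
 * @returns {Object|boolean} the global `xss` record when a handler fired
 *   (`xss.value === 1`), otherwise `false`.
 */
function parsePage(data) {
  if (DEBUG) {
    console.log("Beginning to parse page");
  }
  // Loading the document is what executes its scripts.
  wp.content = data;
  // This function is serialised and run inside the page, so it may only use
  // ES5 and DOM APIs and must not close over variables of this script.
  wp.evaluate(function () {
    var tags = ["a", "abbr", "acronym", "address", "applet", "area", "article", "aside", "audio", "audioscope", "b", "base", "basefont", "bdi", "bdo", "bgsound", "big", "blackface", "blink", "blockquote", "body", "bq", "br", "button", "canvas", "caption", "center", "cite", "code", "col", "colgroup", "command", "comment", "datalist", "dd", "del", "details", "dfn", "dir", "div", "dl", "dt", "em", "embed", "fieldset", "figcaption", "figure", "fn", "font", "footer", "form", "frame", "frameset", "h1", "h2", "h3", "h4", "h5", "h6", "head", "header", "hgroup", "hr", "html", "i", "iframe", "ilayer", "img", "input", "ins", "isindex", "kbd", "keygen", "label", "layer", "legend", "li", "limittext", "link", "listing", "map", "mark", "marquee", "menu", "meta", "meter", "multicol", "nav", "nobr", "noembed", "noframes", "noscript", "nosmartquotes", "object", "ol", "optgroup", "option", "output", "p", "param", "plaintext", "pre", "progress", "q", "rp", "rt", "ruby", "s", "samp", "script", "section", "select", "server", "shadow", "sidebar", "small", "source", "spacer", "span", "strike", "strong", "style", "sub", "sup", "table", "tbody", "td", "textarea", "tfoot", "th", "thead", "time", "title", "tr", "tt", "u", "ul", "var", "video", "wbr", "xml", "xmp"];
    var eventHandler = ["mousemove","mouseout","mouseover"];
    tags.forEach(function (tag) {
      // querySelector returns only the first match, so one element per tag
      // name is exercised.
      var target = document.querySelector(tag);
      if (target === null) {
        return;
      }
      eventHandler.forEach(function (currentEvent) {
        var ev = document.createEvent("MouseEvents");
        ev.initEvent(currentEvent, true, true);
        target.dispatchEvent(ev);
      });
    });
  });
  // The record object itself is always truthy; only the flag set by a fired
  // handler says whether something was found, so test that, not the object.
  if (xss.value) {
    return xss;
  }
  return false;
}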
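/**
 * Create a fresh PhantomJS WebPage and reset the global finding record.
 *
 * A WebPage keeps state from the last response it loaded, so reusing one
 * across responses can report a trigger that belonged to an earlier page.
 * Each call stores a new page in the global `wp`, resets the global `xss` to
 * {value: 0, msg: ""}, applies the page settings and installs the dialog and
 * console handlers that mark a finding.
 *
 * @returns {WebPage} the new page (the same object is stored in the global `wp`).
 */
function reInitializeWebPage() {
  wp = new WebPage();
  xss = { value: 0, msg: "" };
  // Page settings the script relies on so injected scripts can run:
  // presumably the XSS auditor and same-origin restrictions would otherwise
  // suppress the very behaviour being detected — keep them as they are.
  wp.settings = {
    loadImages: true,
    localToRemoteUrlAccessEnabled: true,
    javascriptEnabled: true,
    webSecurityEnabled: false,
    XSSAuditingEnabled: false
  };
  // Every intercepted call is handled the same way; only the name differs.
  wp.onAlert = makeTriggerHandler("alert");
  wp.onConsoleMessage = makeTriggerHandler("console.log");
  wp.onConfirm = makeTriggerHandler("confirm");
  wp.onPrompt = makeTriggerHandler("prompt");
  return wp;
}

/**
 * Build a WebPage callback that logs the intercepted call and records it in
 * the global `xss` record as "XSS found: <name>(<msg>)".
 *
 * The handler reads the global `xss` at call time, so it always updates the
 * record belonging to the most recent reInitializeWebPage() call.
 *
 * @param {string} name - name of the intercepted function, used in both messages.
 * @returns {function(string): undefined} handler taking the dialog/console text.
 */
function makeTriggerHandler(name) {
  return function (msg) {
    console.log("On " + name + ": " + msg);
    xss.value = 1;
    xss.msg += "XSS found: " + name + "(" + msg + ")";
  };
}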
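// Create the page (and reset the finding record) so every global is set up
// before the first response is parsed.
var wp = reInitializeWebPage();
// Offline mode: the response is hard-coded instead of arriving from Burp.
var response = "HTTP/1.1 200 OK\nContent-Type: text/xml; charset=utf-8\nContent-Length: length\n\n<HTML>\n <BODY>\n <SCRIPT>alert('Carrier Rocks!')</SCRIPT>\n </BODY>\n</HTML>\n\n";
// Declared with `var` so no implicit global is created (strict mode would throw).
var xssResults = parsePage(response);
if (xssResults) {
  console.log("We discovered XSS on the page!!!");
  phantom.exit();
}
// Re-initialise the page after parsing so no state leaks into a later run.
wp = reInitializeWebPage();
xssResults = null;
phantom.exit();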