@claudijd
Created September 16, 2014 21:29
An adaptation of NVisium's xssValidator Burp Extension to support an offline mode
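// Set to true for progress output on stdout while a page is parsed.
var DEBUG = false;
// Shared XSS record. `value` becomes 1 as soon as any page callback
// (alert/confirm/prompt/console) fires and `msg` accumulates one
// "XSS found: ..." entry per firing; reInitializeWebPage() resets it.
// (ES5/PhantomJS script, so `var` rather than const/let.)
var xss = { value: 0, msg: "" };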
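/**
 * Parse one HTTP response in offline mode.
 *
 * The raw response text is assigned to the module-level `wp` WebPage as its
 * content, so PhantomJS renders it and runs whatever script it contains. The
 * alert/confirm/prompt/console callbacks installed by reInitializeWebPage()
 * record a hit in the module-level `xss` record. After rendering, synthetic
 * mouse events are dispatched on every element inside the page so that
 * payloads living in event-handler attributes are exercised as well.
 *
 * NOTE(review): nothing here base64-decodes `data`; the caller passes plain
 * text (see the hard-coded `response` at the bottom of this script).
 *
 * @param {string} data - Raw HTTP response text (headers included) to render.
 * @returns {Object|boolean} The `xss` record ({value, msg}) when a callback
 *   fired, otherwise false.
 */
function parsePage(data) {
  if (DEBUG) {
    console.log("Beginning to parse page");
  }
  wp.content = data;
  // Drive mouse events through the rendered page. The callback executes in
  // the page context and cannot see this script's variables, so nothing is
  // passed in and nothing useful could be returned; detection happens purely
  // through the wp.on* callbacks.
  wp.evaluate(function () {
    var tags = ["a", "abbr", "acronym", "address", "applet", "area", "article", "aside", "audio", "audioscope", "b", "base", "basefont", "bdi", "bdo", "bgsound", "big", "blackface", "blink", "blockquote", "body", "bq", "br", "button", "canvas", "caption", "center", "cite", "code", "col", "colgroup", "command", "comment", "datalist", "dd", "del", "details", "dfn", "dir", "div", "dl", "dt", "em", "embed", "fieldset", "figcaption", "figure", "fn", "font", "footer", "form", "frame", "frameset", "h1", "h2", "h3", "h4", "h5", "h6", "head", "header", "hgroup", "hr", "html", "i", "iframe", "ilayer", "img", "input", "ins", "isindex", "kbd", "keygen", "label", "layer", "legend", "li", "limittext", "link", "listing", "map", "mark", "marquee", "menu", "meta", "meter", "multicol", "nav", "nobr", "noembed", "noframes", "noscript", "nosmartquotes", "object", "ol", "optgroup", "option", "output", "p", "param", "plaintext", "pre", "progress", "q", "rp", "rt", "ruby", "s", "samp", "script", "section", "select", "server", "shadow", "sidebar", "small", "source", "spacer", "span", "strike", "strong", "style", "sub", "sup", "table", "tbody", "td", "textarea", "tfoot", "th", "thead", "time", "title", "tr", "tt", "u", "ul", "var", "video", "wbr", "xml", "xmp"];
    var eventHandler = ["mousemove", "mouseout", "mouseover"];
    tags.forEach(function (tag) {
      // querySelectorAll rather than querySelector: every matching element
      // receives the events, not only the first one, so a payload placed in
      // a later element of the same tag is exercised too.
      var elements = document.querySelectorAll(tag);
      for (var i = 0; i < elements.length; i++) {
        var target = elements[i];
        eventHandler.forEach(function (currentEvent) {
          var ev = document.createEvent("MouseEvents");
          ev.initEvent(currentEvent, true, true);
          target.dispatchEvent(ev);
        });
      }
    });
  });
  // Only a recorded hit counts. `xss` itself is always an object, so testing
  // its truthiness would report XSS for every page.
  if (xss.value !== 0) {
    return xss;
  }
  return false;
}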
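/**
 * Create a fresh WebPage and reset the shared XSS record.
 *
 * A WebPage that has rendered one response keeps that content, so a new one
 * is built before every response; otherwise a hit recorded for the previous
 * page would be reported again for the next one. Both module-level `wp` and
 * `xss` are reassigned here and the new page is also returned.
 *
 * @returns {WebPage} The newly configured page (the same object stored in `wp`).
 */
function reInitializeWebPage() {
  wp = new WebPage();
  xss = { value: 0, msg: "" };
  // Page settings needed for detection: scripts must run, local-to-remote
  // and cross-origin loads must not be blocked, and WebKit's built-in XSS
  // auditor is switched off so it does not neutralise a payload before the
  // callbacks below get to see it. Web security is off for the rendered
  // page only; in offline mode the content never comes from the network.
  wp.settings = {
    loadImages: true,
    localToRemoteUrlAccessEnabled: true,
    javascriptEnabled: true,
    webSecurityEnabled: false,
    XSSAuditingEnabled: false
  };
  // One recorder for all page callbacks: log the call and mark a hit.
  // `label` is the prefix in the log line, `fnName` the function named in
  // the xss.msg entry (identical output to the former per-callback copies).
  var markHit = function (label, fnName) {
    return function (msg) {
      console.log("On " + label + ": " + msg);
      xss.value = 1;
      xss.msg += 'XSS found: ' + fnName + '(' + msg + ')';
    };
  };
  wp.onAlert = markHit("alert", "alert");
  // Any console output from the rendered page counts as a hit, including
  // logging the application does on its own, so expect false positives here.
  wp.onConsoleMessage = markHit("console.log", "console.log");
  wp.onConfirm = markHit("confirm", "confirm");
  wp.onPrompt = markHit("prompt", "prompt");
  return wp;
}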
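// Build the first page so every shared variable exists before parsing.
var wp = reInitializeWebPage();
// Offline mode: the response is hard-coded instead of being received from
// Burp. Note that the whole raw HTTP response, headers included, is handed
// to parsePage(), which loads that text verbatim as page content.
var response = "HTTP/1.1 200 OK\nContent-Type: text/xml; charset=utf-8\nContent-Length: length\n\n<HTML>\n <BODY>\n <SCRIPT>alert('Carrier Rocks!')</SCRIPT>\n </BODY>\n</HTML>\n\n";
var xssResults = parsePage(response);
// parsePage() hands back the shared xss record; only a recorded hit
// (value !== 0) means one of the page callbacks actually fired, so do not
// rely on the record's truthiness alone.
if (xssResults && xssResults.value !== 0) {
  console.log("We discovered XSS on the page!!!");
  console.log(xssResults.msg);
  phantom.exit();
}
// Re-initialize the page after parsing so nothing leaks into a later run.
wp = reInitializeWebPage();
xssResults = null;
phantom.exit();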