1. Cross-Site Scripting
One of the major vulnerabilities you will come across is Cross-Site Scripting, or XSS. This type of flaw occurs when an application takes untrusted data and sends it to the browser without proper validation or encoding. It can allow attackers to inject scripts into the victim's browser, leading to web defacement, session hijacking and so on. As you can imagine, checking a hundred or more candidate XSS flaws manually is not much fun.
In order to reduce the number of false positives during automated scanning, the team at nVisium created the xssValidator extension. Along with the extension they also created a custom PhantomJS server. PhantomJS is a headless (no browser window required) WebKit that is scriptable with a JavaScript API. The purpose of the server is to process each HTTP response and build a DOM from it. The DOM is then used to check whether the injected JavaScript has actually executed, rather than merely being reflected in the response body.
2. Requirements
There are three requirements for using xssValidator:
- Java 7.0 or higher installed
- PhantomJS
- BurpSuite - Pro or Free (I used the free version and it worked fine)
3. Installing The Extension
The first thing we need to do is download the extension here. Next we need to install it in Burp:
Navigate to the Extender tab at the top. Click the Add button, ensure the extension type is Java, and select the location of the JAR file:
When you click Next you should see the screen below. If it has installed correctly there should be no errors in the Output pane.
4. Setting Up Our Target And BurpSuite Intruder
The next thing to do is set up Intruder and our target. For our target we will be using the bWAPP vulnerable web application. It has a number of XSS vulnerabilities; for this demo we will use the vulnerable POST page.
You need to configure your browser so that it proxies through BurpSuite. You should then see a request like the one below:
If you right-click on the request a number of options will appear. Select 'Send to Intruder'. We need to configure a few options in the Intruder tab. Under Payload Sets select Payload Type: Extension-generated. Then click Select Generator, choose XSS Validator Payloads and click OK.
Click the Add button under Payload Processing, and select Invoke Burp Extension from the dropdown menu. Select the XSS Validator processor, and click OK.
Now under the Positions tab select the payload positions using the Add button. We are focusing on the firstname and lastname parameters.
Under the Options tab, scroll down to the Grep - Match section, and enter the string "fy7sdufsuidfhuisdf". This string is returned by the Burp extension if the payload successfully triggers an XSS, so any request whose response matches it is flagged in the Intruder results.
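To make the false-positive point from the introduction concrete, here is an added Python example (not part of the original post or of the xssValidator project). It models three hypothetical handlers for a form with the same firstname and lastname fields as the bWAPP POST page, and a constructed probe that carries the page's marker string: plain string matching flags both the genuinely vulnerable handler and one that only echoes input inside an HTML comment, which is exactly the gap the PhantomJS execution check closes. The handler names, the probe and the form body are all assumptions for illustration.

```python
import html
from urllib.parse import parse_qs, urlencode

# Marker string from the Grep - Match step: a payload that executes surfaces it,
# so Burp can flag the request. The probe wrapping it is constructed for this example.
MARKER = "fy7sdufsuidfhuisdf"
PROBE = f'<script>alert("{MARKER}")</script>'


def build_body(first, last):
    """Encode the two POST fields the way a browser form submission would."""
    return urlencode({"firstname": first, "lastname": last})


def _fields(form_body):
    """Decode the form body back into the (firstname, lastname) pair."""
    fields = parse_qs(form_body, keep_blank_values=True)
    return fields.get("firstname", [""])[0], fields.get("lastname", [""])[0]


def render_vulnerable(form_body):
    """Hypothetical handler that reflects both fields unencoded (the bug class)."""
    first, last = _fields(form_body)
    return f"<p>Welcome {first} {last}</p>"


def render_fixed(form_body):
    """Same handler with HTML entity encoding for the text-node context."""
    first, last = _fields(form_body)
    return f"<p>Welcome {html.escape(first)} {html.escape(last)}</p>"


def render_commented(form_body):
    """Hypothetical handler that echoes input only inside an HTML comment:
    a plain string match flags it, but the script never runs in a browser."""
    first, last = _fields(form_body)
    return f"<!-- debug: {first} {last} -->\n<p>Welcome</p>"


def reflects_probe(response_html):
    """Static triage: is the probe returned unchanged? It cannot tell an executing
    reflection from an inert one, which is why the extension hands the response
    to PhantomJS to build the DOM and observe whether the script really ran."""
    return PROBE in response_html


if __name__ == "__main__":
    body = build_body(PROBE, "Smith")
    for name, handler in (("vulnerable", render_vulnerable),
                          ("fixed", render_fixed),
                          ("commented", render_commented)):
        print(f"{name:10s} probe reflected verbatim: {reflects_probe(handler(body))}")
```

Running it shows the string match returning True for both the vulnerable and the commented handler and False for the encoded one; only DOM execution separates the first two.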
5. Installing And Starting PhantomJS Server
We also need to install PhantomJS. This link will take you through the steps if you are using Windows. You can run phantomjs --version to confirm it is working. Before running the Intruder attack you need to start phantomjs with the xss.js script (from wherever you have placed it), so that the server is listening when the extension sends responses to it.
6. Start The Attack
Start the attack in Intruder. If you check the PhantomJS server console you should see the alerts displayed as the payloads execute:
7. Verify The Findings
If you want to verify an XSS finding, simply right-click the specific payload and select Request in browser -> In original session.