Introduction
XSS attacks are becoming more and more sophisticated these days and are being used together with spear phishing, social engineering and drive-by attacks.
- According to the OWASP Top 10, XSS is in the top 3 (A3)
- 80% of all security incidents in the financial sector have been attributed to cross-site scripting
So what is XSS?
XSS attacks are a type of injection in which malicious scripts are injected into a website. They occur when a web application uses input from a user within the output it generates without validating or encoding it.
Penetration Testers & Bug Hunters: Freaky Time!
When you start penetration testing a certain domain you use automated scanners to see how vulnerable the domain is, especially when you are looking for XSS. One of the challenges you face is false positives: a scanner reports that a specific vulnerability exists in the domain when it does not. This usually happens because of the weak static checks the scanner relies on. To detect a vulnerability, a scanner may use an algorithm that looks for one or more predefined signature patterns within an HTTP response, and when that matching goes wrong the scanner deduces that the vulnerability exists (when in reality it does not).
XSS Here – XSS There – XSS Everywhere
In this research we will talk about XSSYA, a tool I wrote in Python to confirm XSS (cross-site scripting) vulnerabilities reported by scanners without using the browser. But let's start from the beginning: how do you confirm XSS the normal way? When you scan a website with a scanner it reports a lot of XSS in the domain, so you start confirming each vulnerability with the following steps:
- You open your browser and inject the payload in the given URL to see whether an alert box pops up or not
- No pop-up box! Does that mean it is not vulnerable? Maybe. A WAF (web application firewall) may exist, so you view the source code of the page after executing the payload to see if the HTML characters are escaped, in which case you need to change your payload or encode it
- Imagine this happening on a huge domain where the scanner reports 200 XSS in 40 different inputs: it takes a looooooooooooooooooooot of time to confirm them one by one
XSSYA – XSS Confirmation
I decided to make XSSYA do many steps at once, but its main function is XSS vulnerability confirmation without using the browser and without using other tools. Its other functions, for example URL shortening and web application firewall identification, will be discussed in the next pages.
XSSYA – V 1.0 – How It Works?
Scanners give you a vulnerable URL with XSS like this: http://demo.testfire.net/search.aspx?txtSearch= Now XSSYA comes in. Take that URL and give it as input to XSSYA. First it shows you server response information, then you choose your timeout or delay between requests (in seconds); this is useful to avoid being banned, and 6 to 10 seconds is a good choice.
Start ATTACK …..
Now XSSYA sends a library of 28 different encoded payloads to the same URL to bypass different types of WAFs (web application firewalls).
All in One (2 Methods - 4 Steps)
Confirmation is done with two methods. First XSSYA executes the encoded payload; if the response returns (200) it starts method 2, which searches for the same payload, decoded, in the page HTML source. If it is found, XSSYA shortens the URL with the encoded payload and finally executes the cookie payload to get the cookies (for LAN networks).
- Executes its library of different encoded payloads to bypass the WAF (Method 1: request & response)
- Searches for the same payload, decoded, in the web page HTML code if Method 1 returned 200 (Method 2)
- If the 2 previous methods succeed, gives a shortened URL (link + payload)
- Last step: executes document.cookie to get the cookies (local network)
- Supports GET requests
XSSYA V 1.0 – Detect WAF How?
XSSYA identifies a WAF (web application firewall) through the response: it sends payloads and checks the response for any WAF signature. It identifies 3 types of WAF (Mod_Security, WebKnight & F5 BIG IP).
Mod_Security: if you send a malicious request to an application running behind mod_security, it returns a "406 Not Acceptable" error, with the same text inside the response body.
WebKnight: very easy to fingerprint; a malicious request returns a "999 No Hacking" response.
F5 BIG IP: returns a response of "419 Unknown". This can also be used to fingerprint F5 in case the cookie values have been hidden from the request.
XSSYA V 1.0 - Features
XSSYA supports HTTPS, can be run on Windows and Linux, and can show the HTML code of the URL in the terminal before executing the payload and save it to the hard disk.
- Supports HTTP – HTTPS
- Can be run on (Windows – Linux)
- Supports saving the web HTML code before executing the payload, and viewing the web HTML code on the screen or terminal
Available for Download https://github.com/yehia-mamdouh/XSSYA
XSSYA – V 2.0
What has been changed?
- XSSYA v 2.0 has more payloads; the library contains 41 payloads to enhance the detection level
- The XSS scanner has been removed from XSSYA to reduce false positives
- URLs to be tested previously could not end in any character except (/ – = – ?), but this limitation has now been removed
What’s new in XSSYA V2.0 ?
1 – You have the ability to choose your own custom payload, and you can encode your custom payload with different types of encodings:
(B64 – HEX – URL_Encode – HEX with semicolons)
(HTML Entities: single & double quotes only – brackets – and/or – or encode the whole payload with HTML entities)
This feature also supports the XSS vulnerability confirmation method: you choose your custom payload and custom encoding, execute it, and if the response is 200 XSSYA checks for the same payload decoded in the page HTML code.
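The two-method confirmation (HTTP 200, then the decoded payload found in the page source) is the part of XSSYA that turns a scanner's signature match into a real finding, and it is also what the custom-payload option above reuses. The example below is added here to illustrate that logic; it is not XSSYA's code. It works entirely offline on constructed response bodies, uses a harmless probe string instead of a script payload (the hypothetical name PROBE is an assumption), and classifies the reflection as raw, HTML-escaped, URL-encoded or absent, so that the "escaped by the application" and "not reflected at all" cases that cause false positives are told apart from a genuine raw reflection. The constructed search page is shown in a vulnerable and a fixed variant to make that difference concrete.

```python
import html
import urllib.parse
from typing import Tuple

# Constructed probe: not one of XSSYA's payloads, just the four characters whose
# verbatim reflection matters for XSS, wrapped in a recognisable tag name.
PROBE = '<probe"\'>'


def classify_reflection(body: str, probe: str = PROBE) -> str:
    """Say how the probe comes back in a response body (the page's "method 2").

    'raw'          probe reflected unchanged: candidate XSS, still needs context review
    'html-escaped' < > " ' came back as entities: output encoding is in place
    'url-encoded'  came back percent-encoded, e.g. inside an href built from the query
    'absent'       not reflected: the scanner's signature match was a false positive
    """
    if probe in body:
        return "raw"
    escaped = html.escape(probe, quote=True)            # the apostrophe becomes &#x27;
    if escaped in body or escaped.replace("&#x27;", "&#39;") in body:
        return "html-escaped"
    if urllib.parse.quote(probe, safe="") in body:
        return "url-encoded"
    return "absent"


def confirm_xss(status: int, body: str, probe: str = PROBE) -> Tuple[bool, str]:
    """Chain the page's two methods: method 1 needs HTTP 200, method 2 a raw reflection."""
    if status != 200:
        return False, f"method 1 failed: HTTP {status} (WAF or error page?)"
    verdict = classify_reflection(body, probe)
    if verdict == "raw":
        return True, "reflected unescaped; confirm the HTML context before reporting"
    return False, f"method 2 failed: probe {verdict}"


def render_search_page(term: str, escape_output: bool) -> str:
    """Constructed search page: the vulnerable variant echoes the term as-is,
    the fixed variant applies HTML entity encoding to the output."""
    shown = html.escape(term, quote=True) if escape_output else term
    return f"<html><body><p>Results for {shown}</p></body></html>"


# Constructed responses standing in for what a scan target might return.
VULNERABLE_BODY = render_search_page(PROBE, escape_output=False)
FIXED_BODY = render_search_page(PROBE, escape_output=True)
WAF_STATUS = 406   # the Mod_Security rejection code mentioned earlier on the page

if __name__ == "__main__":
    for label, status, body in [("vulnerable", 200, VULNERABLE_BODY),
                                ("fixed", 200, FIXED_BODY),
                                ("blocked", WAF_STATUS, VULNERABLE_BODY)]:
        print(f"{label:>10}: {confirm_xss(status, body)}")
```

A raw reflection is still only a candidate: whether it executes depends on where it lands (text node, attribute value, script block, comment) and on any Content-Security-Policy the page sends, which is why the verdict above asks for a context review rather than calling the finding confirmed.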
What’s new in XSSYA V2.0? HTML5 Payloads
XSSYA V2.0 contains a library of 44 HTML5 payloads
What’s New in XSSYA V 2.0?
XSSYA has a library of the applications most affected by XSS (cross-site scripting); this library covers (Apache – WordPress – phpMyAdmin)
If you choose the Apache application it gives the CVE number, the Apache version that is affected and the link to the CVE for more details, so it is easy to search for a certain version that is affected by XSS
XSSYA has a feature to convert the attacker's IP address to (Hex, Dword, Octal) to bypass any security mechanism or IPS that may exist on the target domain
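The reason the hex, dword and octal spellings get past string-matching filters is that browsers and the C inet_aton parser all accept them as the same address. The defensive counterpart is to normalise any IPv4 literal to its canonical dotted-quad before comparing it with an allow- or block-list or searching logs. The example below is added for that purpose; it is not XSSYA's code. It assumes inet_aton's parsing rules (0x prefix is hex, a leading 0 is octal, the last component fills the remaining bytes) and goes slightly beyond the three forms on the page by also handling the dotted and short (a.b, a.b.c) variants; the function names are my own.

```python
import ipaddress
import re
from typing import Optional

_HEX = re.compile(r"0x[0-9a-f]+")
_OCT = re.compile(r"0[0-7]+")
_DEC = re.compile(r"[0-9]+")


def _parse_part(token: str) -> int:
    """Parse one dot-separated component: 0x = hex, leading 0 = octal, else decimal."""
    t = token.lower()
    if _HEX.fullmatch(t):
        return int(t, 16)
    if len(t) > 1 and t.startswith("0"):
        if _OCT.fullmatch(t):
            return int(t, 8)
        raise ValueError(f"leading zero but not octal: {token!r}")
    if _DEC.fullmatch(t):
        return int(t, 10)
    raise ValueError(f"not a numeric component: {token!r}")


def normalize_ipv4_literal(host: str) -> Optional[str]:
    """Return the canonical dotted-quad for an inet_aton-style IPv4 literal, else None.

    Accepts the forms the page lists (hex, dword, octal) plus their dotted and
    short (a.b, a.b.c) variants.  Host names and out-of-range values give None.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    # inet_aton rule: every part but the last is one byte; the last fills the rest.
    widths = [8] * (len(parts) - 1) + [8 * (5 - len(parts))]
    number = 0
    for value, width in zip(values, widths):
        if value >= 1 << width:
            return None
        number = (number << width) | value
    return str(ipaddress.IPv4Address(number))


def host_matches(observed: str, listed: str) -> bool:
    """Compare two host literals after normalisation, so an obfuscated spelling
    of a listed address cannot slip past a plain string comparison."""
    a, b = normalize_ipv4_literal(observed), normalize_ipv4_literal(listed)
    return a is not None and a == b


if __name__ == "__main__":
    # Constructed spellings of one private address, as they might appear in a URL log.
    for spelling in ["192.168.0.1", "3232235521", "0xC0A80001", "030052000001",
                     "0300.0250.0.01", "0xc0.0xa8.0x0.0x1", "192.11010049"]:
        print(f"{spelling:>18} -> {normalize_ipv4_literal(spelling)}")
```

Run as a script it prints the same dotted-quad for every spelling. In a filter or a log pipeline the useful call is host_matches, which returns False for host names and malformed literals rather than raising, so a non-IP host never accidentally matches.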
What Has Been Added Now?
XSSYA checks whether the target is vulnerable to XST (Cross Site Tracing): it sends a custom TRACE request and checks whether the target domain echoes it back. The request looks like this:
TRACE / HTTP/1.0
Header1: < script >alert(document.cookie);
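What makes a host vulnerable to XST is that a server with TRACE enabled answers with a message/http body that repeats the request, headers included. The example below is added to show how such a response is recognised and how a hardened server's answer differs; it is not XSSYA's code. It uses a harmless canary header value (CANARY, an assumption) in place of the script header shown on the page, because the only question is whether the server echoes request headers, and it parses two constructed responses instead of sending anything.

```python
from typing import Dict, Tuple

# Constructed canary: a harmless header value, used in place of the script payload
# on the page, because the only question is whether the server echoes request headers.
CANARY = "xst-canary-7f3a"

TRACE_REQUEST = (
    "TRACE / HTTP/1.0\r\n"
    "Host: target.example\r\n"
    f"X-Probe: {CANARY}\r\n"
    "\r\n"
)

# Constructed response of a server that still has TRACE enabled: it echoes the request.
ECHOING_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: message/http\r\n"
    "\r\n"
    + TRACE_REQUEST
)

# Constructed response of a server with TRACE turned off (Apache: TraceEnable off).
HARDENED_RESPONSE = (
    "HTTP/1.1 405 Method Not Allowed\r\n"
    "Allow: GET, HEAD, POST\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_http_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def trace_echoes_request(raw_response: str, canary: str = CANARY) -> Tuple[bool, str]:
    """Decide whether a TRACE response reflects our header (the XST condition).

    Three things must hold: a 200 status, a message/http content type, and the
    canary present in the body.  Anything else means TRACE is disabled or the
    request was answered by something other than the TRACE handler.
    """
    status, headers, body = parse_http_response(raw_response)
    if status != 200:
        return False, f"TRACE refused with HTTP {status}"
    if not headers.get("content-type", "").startswith("message/http"):
        return False, "200 but not a TRACE echo (content-type is not message/http)"
    if canary not in body:
        return False, "echo body does not contain our header"
    return True, "request headers echoed: TRACE enabled, XST possible"


if __name__ == "__main__":
    print(trace_echoes_request(ECHOING_RESPONSE))
    print(trace_echoes_request(HARDENED_RESPONSE))
```

The fix on the server side is simply to disable the method (TraceEnable off in Apache, or refusing it at the reverse proxy), after which the 405 branch above is what a check sees. Browsers also refuse to issue TRACE from fetch and XMLHttpRequest, which limits how far an echoed header can be turned into cookie theft, but an enabled TRACE is still worth reporting as unnecessary exposure.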
Others will be added
XSSYA V2.0 Available for Download https://github.com/yehia-mamdouh/XSSYA-V-2.0
Happy Hunting :-)