Tag inspector

I’ve been trying to automate the things I normally do when XSS testing, so that I don’t have to write a custom script each time. This worked well for my fuzzing script, which embedded random characters into tags to find unusual combinations of characters. I’ve done the same again, but this time the script inspects HTML tags with JavaScript. I used RSnake’s cheat sheet to find the common HTML properties used for XSS injection, but if I’ve missed any please leave a comment and I shall expand the script.

The script has two modes, standard and random. Standard mode inspects a list of common tags; random mode tries to find obscure tags which aren’t documented or are very old by randomising the tag names. The advantage of this approach is that it automates the process of finding tags and uses the browser’s own JavaScript engine to do it, so the results reflect what that particular browser actually supports rather than what a cheat sheet says it should.

Check out the tag inspector here:
Tag inspector

8 Responses to “Tag inspector”

  1. Gareth Heyes writes:

    I’ve fixed a slight bug and added a mixed mode, which inserts a random letter before or after a standard tag. Increased the random tag amount to 200.

  2. thorin writes:

    OMG that really came out looking like EngRish 🙁 Please feel free to delete the previous comment.

    I meant to say:
    “I think I’m missing something here. What exactly are you “scanning”? There’s no target specification. Also I fired off all 3 options, but random and Mixed return nothing.”

  3. Gareth Heyes writes:

    At the moment it’s pretty basic, but it will look for HTML attributes that allow JavaScript execution, such as “SRC”, and list the ones it finds. The random and mixed modes are unlikely to return results because they are based on randomising tags.

    For example, let’s say the inspector finds the tag “image” and then finds it has an attribute “SRC”; then it’s likely that you’ve found a new XSS vector.

    My plan is to automate this further by allowing JavaScript execution testing, but it’s proving tricky because of the different combinations of executing it within a tag.

  4. Gareth Heyes writes:

    The script now also logs JavaScript execution, so it will automatically find which XSS is compatible across browsers 😀

  5. thorin writes:

    I still don’t understand the “target” of the scan (or inspection). Is it just searching the tag namespace (er, whatever you wanna call it) of my browser? Or is it just “inspecting” itself, i.e. the tagInspector URL?

  6. Gareth Heyes writes:

    It inspects the tags in a hidden div layer and finds whether they have JavaScript properties for things like src, href etc., so the script creates these tags in the browser itself.

    The goal of the script is not to scan any web site but to simply scan the browser’s HTML tags.

    The script will automatically be able to answer questions like “Does iframe onload work on Safari?” etc

  7. thorin writes:

    Ok perfect, now I’m on the same page. I did have a quick look at the source but I didn’t catch the div you’re talking about.

  8. Gareth Heyes writes:

    Sorry, I should have explained the code a bit more. I was going to use standard DOM functions to insert the code, but I thought using a hidden div this way would be faster.

    I’m currently struggling with inserting external files with src and href and logging the results. Hopefully it will work, but Opera’s high security model is proving tough to get around. Good work Opera 🙂
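Putting the post and the explanations in comments 4, 6 and 8 into code: the following is an added example written for this page, not the tag inspector’s own source. It generates candidate tag names in the three modes (standard, random, mixed), creates each tag inside a hidden div via innerHTML, records which URL-bearing properties the DOM exposes on the resulting element, and builds the execution probes that log which handlers the browser actually runs. The tag list, the attribute list, the `window.__tagHits` recorder, every function name and the constructed stand-in document (used only so the file also runs outside a browser) are this example’s own assumptions.

```javascript
// Added example for this page, not the original tag-inspector source.
// Candidate tags and URL-bearing properties are this example's own choices.
const STANDARD_TAGS = ['a', 'img', 'iframe', 'script', 'object', 'embed', 'link', 'form', 'input', 'body'];
const URL_ATTRS = ['src', 'href', 'data', 'action']; // take a URL, so can carry javascript:

// Small deterministic PRNG (LCG) so random/mixed runs can be reproduced from a seed.
function makeRng(seed) {
  let s = seed >>> 0;
  return () => {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    return s / 0x100000000;
  };
}
const LETTERS = 'abcdefghijklmnopqrstuvwxyz';
const pick = (rng) => LETTERS[Math.floor(rng() * LETTERS.length)];

// Candidate names for the three modes: standard (known tags), random (2-6 random
// letters) and mixed (one random letter before or after a standard tag).
function candidateNames(mode, count, seed) {
  if (mode === 'standard') return STANDARD_TAGS.slice();
  const rng = makeRng(seed);
  const names = [];
  for (let i = 0; i < count; i++) {
    if (mode === 'random') {
      const len = 2 + Math.floor(rng() * 5);
      names.push(Array.from({ length: len }, () => pick(rng)).join(''));
    } else {
      const base = STANDARD_TAGS[i % STANDARD_TAGS.length];
      names.push(rng() < 0.5 ? pick(rng) + base : base + pick(rng));
    }
  }
  return names;
}

// Create one tag via innerHTML inside the hidden holder and report which URL
// properties the DOM gives it. Tags the fragment parser drops (html, head, body)
// produce no element and come back as null: this probing method is blind to them.
function inspectTag(holder, tag) {
  holder.innerHTML = '<' + tag + '></' + tag + '>';
  const el = holder.firstChild;
  if (!el) return null;
  const attributes = URL_ATTRS.filter((a) => a in el);
  return attributes.length ? { tag, attributes } : null;
}

function hiddenHolder(doc) {
  const holder = doc.createElement('div');
  holder.style.display = 'none';
  doc.body.appendChild(holder);
  return holder;
}

function inspectTags(doc, mode, { count = 200, seed = 1 } = {}) {
  const holder = hiddenHolder(doc);
  const results = [];
  for (const tag of candidateNames(mode, count, seed)) {
    const r = inspectTag(holder, tag);
    if (r) results.push(r);
  }
  return results;
}

// Execution logging: each probe is a tag whose handler pushes its id onto
// window.__tagHits only if the browser really runs it. Handlers fire
// asynchronously, so read __tagHits after a setTimeout, not straight away.
function executionProbeMarkup(tag, handler, id) {
  return '<' + tag + ' src="x" ' + handler + '="window.__tagHits.push(' + id + ')"></' + tag + '>';
}

function injectExecutionProbes(doc, tags, handlers) {
  (typeof window !== 'undefined' ? window : globalThis).__tagHits = [];
  const holder = hiddenHolder(doc);
  const probes = [];
  for (const tag of tags) {
    for (const handler of handlers) {
      const id = probes.length;
      probes.push({ id, tag, handler });
      const slot = doc.createElement('span'); // one slot per probe, so earlier probes are not re-parsed
      slot.innerHTML = executionProbeMarkup(tag, handler, id);
      holder.appendChild(slot);
    }
  }
  return probes; // later, __tagHits holds the ids of the probes that fired
}

// Constructed stand-in for `document` so this file also runs under Node: it models only
// what the inspector touches, with a made-up tag->property table. In a browser pass the
// real `document` and the answers come from the real DOM.
const FAKE_PROPS = { a: ['href'], img: ['src'], iframe: ['src'], script: ['src'], object: ['data'], form: ['action'] };
function makeFakeDocument() {
  const makeEl = (tag) => {
    const el = { style: {}, firstChild: null, appendChild: () => el };
    for (const p of FAKE_PROPS[tag] || []) el[p] = '';
    Object.defineProperty(el, 'innerHTML', {
      set(html) {
        const m = /^<([a-z0-9]+)/i.exec(html);
        el.firstChild = m && !/^(html|head|body)$/i.test(m[1]) ? makeEl(m[1].toLowerCase()) : null;
      },
    });
    return el;
  };
  return { body: makeEl('body'), createElement: makeEl };
}

const demoDoc = typeof document !== 'undefined' ? document : makeFakeDocument();
console.log(inspectTags(demoDoc, 'standard'));
```

In a browser, run `inspectTags(document, 'mixed', { count: 200, seed: 42 })` for the mixed mode described in comment 1, and call `injectExecutionProbes(document, [...], ['onload', 'onerror'])` then inspect `window.__tagHits` after a `setTimeout`. Three caveats a practitioner should keep in mind with this approach: the innerHTML fragment parser silently drops html, head, body and frameset, so those tags cannot be inspected this way; a `<script>` element inserted through innerHTML never executes, so script-based probes need `document.createElement` instead; and in current browsers every HTMLElement exposes `onload`, `onerror` and the other event-handler properties through the GlobalEventHandlers mixin, so checking `'onload' in el` says nothing about whether the handler fires on that tag, which is exactly why the execution logging added in comment 4 is needed.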