XSS Rays
Wednesday, 25 March 2009
I’ve developed a new XSS scanner tool written in JavaScript, called XSS Rays, for Microsoft. They have given me permission to release the tool as open source, which is awesome because it can be used for other open source applications. I recommend you use it as part of the web development process to make sure you’ve filtered XSS correctly on your application.
It works as a bookmarklet and scans any links, paths or forms on the page being scanned (even cross domain). You can add vectors to it quite easily, and it includes some of the most common injections I’ve found on sites over the years. I’ve tested it on IE7/IE8 and Firefox, but it could work in other browsers.
The advantage of the bookmarklet is that vectors can be customised for each browser and are executed in the context of that browser: for example, in IE8 standards mode, where CSS expressions are disabled, that vector simply won’t execute.
Hopefully there should be no false positives either, because each vector is actually executed and is only reported back as successful if it ran; in fact, if there is a false positive it will be a bug in my code (let’s hope not).
Technical details
The code works by creating connections to the target links/paths using iframes; each iframe is assigned a name which is the URL to return to on successful execution (the originating URL). This allows cross domain links to be checked.
The vectors are stored in a simple object, and each vector has the following properties: input, name, browser, form, url, path (there’s an optional second input). Input is the XSS vector; the string “XSS” within it is replaced with a logger or a PoC URL and is required by all vectors.
Name is just a meaningful name applied to the vector. Browser supports ALL|FF|IE and helps to save time when testing browser-specific vectors, as XSS Rays will only target those browsers with the vector.
Form, url and path allow you to disable the vector for scanning forms, URLs or paths respectively, and support TRUE|FALSE.
There are a few configuration properties supported:-
1. externalLog – Sends every successful execution to an external logger, by default “http://127.0.0.1/XSS_Rays/logging/xss_logger.php”. The vector is encoded and sent in the GET variable xss, with each field tab separated, so the logger can easily be rewritten in another language.
2. excludeURLS – Allows you to exclude certain URLs from the scan. The variable is a regular expression, so remember to double escape special characters.
3. sameorigin – When enabled it should stay on the same site and not scan external links; this has not been tested fully yet.
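The following is an added example, not XSS Rays’ own code: a minimal model of the vector object described above (input with the “XSS” marker, name, browser, form/url/path flags) together with the three configuration properties. It shows how vectors are selected per browser and injection point, how the “XSS” marker is substituted with a callback URL, how a double-escaped excludeURLS pattern and sameorigin decide whether a link is scanned, and how the tab-separated fields are packed into the xss GET variable. The vector strings, the excluded paths and the log fields are constructed placeholders.

```javascript
// Added example modelling the XSS Rays vector/config structure (not the project's code).
// Vector strings below are deliberately inert placeholders; only the marker handling matters here.

const DEFAULT_LOGGER = "http://127.0.0.1/XSS_Rays/logging/xss_logger.php"; // page's default externalLog

// Each vector: input (must contain the literal marker "XSS"), name, browser (ALL|FF|IE)
// and three booleans enabling it for form, url and path injection points.
const vectors = [
  { input: "PLACEHOLDER_A(XSS)", name: "placeholder vector A", browser: "ALL", form: true, url: true, path: true },
  { input: "PLACEHOLDER_B(XSS)", name: "placeholder vector B (IE only)", browser: "IE", form: true, url: true, path: false },
  { input: "PLACEHOLDER_C(XSS)", name: "placeholder vector C (no forms)", browser: "FF", form: false, url: true, path: true },
];

const config = {
  externalLog: DEFAULT_LOGGER,
  // Regular expression kept as a string, hence the double escaping: the JS literal
  // "logout\\.php" becomes the pattern logout\.php, which matches a literal dot.
  excludeURLS: "logout\\.php|\\/admin\\/",
  sameorigin: true,
};

// Vectors applicable to one browser and one injection point ("form", "url" or "path").
function selectVectors(list, browser, point) {
  return list.filter(v => (v.browser === "ALL" || v.browser === browser) && v[point] === true);
}

// Replace every "XSS" marker with the proof-of-concept callback (typically the logger URL).
function instantiate(vector, callback) {
  if (vector.input.indexOf("XSS") === -1) {
    throw new Error("vector lacks the required XSS marker: " + vector.name);
  }
  return vector.input.split("XSS").join(callback);
}

// Decide whether a link is scanned: excluded patterns first, then the same-origin rule.
function shouldScan(href, origin, cfg) {
  if (cfg.excludeURLS && new RegExp(cfg.excludeURLS).test(href)) return false;
  if (cfg.sameorigin) {
    const m = /^([a-z][a-z0-9+.-]*:\/\/[^\/]+)/i.exec(href);
    if (!m) return true; // relative link: same origin by construction
    if (m[1].toLowerCase() !== origin.toLowerCase()) return false;
  }
  return true;
}

// Build the logger request: fields joined by tabs, URL-encoded into the single GET variable xss.
function loggerUrl(cfg, fields) {
  return cfg.externalLog + "?xss=" + encodeURIComponent(fields.join("\t"));
}

// Convenience: instantiate every applicable vector for a browser/point with the logger callback.
function buildPayloads(list, browser, point, cfg) {
  return selectVectors(list, browser, point).map(v => instantiate(v, cfg.externalLog));
}
```

When hosting the logger somewhere other than 127.0.0.1, externalLog is the single place the callback changes, which is why every vector carries the “XSS” marker rather than a hard-coded URL.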
There’s an interesting little hack for IE to enable the onload event of a dynamically created iframe. I use the following code to create a specific IE loader:-
    // Call back into this XSS Rays instance (looked up by its unique id) when the frame has loaded
    var ieLoader = "document.getElementById('"+'ray'+self.uniqueID+"').ieonload()";
    if(self.isIE()) {
        try {
            // IE only honours onload on a dynamic iframe when the attribute is part of the
            // markup string passed to createElement; the name carries the URL to return to
            var iframe = document.createElement('<iframe name="'+location + '#xss'+'" onload="'+ieLoader+'">');
        } catch (e) {
            // Browsers that reject markup in createElement fall back to a plain element
            var iframe = document.createElement('iframe');
        }
    } else {
        // Non-IE browsers attach onload normally on a standard iframe element
        var iframe = document.createElement('iframe');
    }
Download & Instructions
1. You need to install a local web server such as xampp:-
http://www.apachefriends.org/en/xampp.html
2. Once installed, copy the XSS_Rays directory to your web server root (the xampp root is C:\xampp\htdocs\).
3. Open the bookmarklet.html file in the helpers directory of XSS_Rays. Drag it to your bookmarks toolbar on Firefox, or on IE right click the link and click “Add to Favorites” (you might get a security warning in IE).
4. Find the web site you wish to scan and click your bookmarklet. Then press CTRL+SHIFT+X, which will run XSS Rays on the target site.
Thanks
Big thanks to David Ross, Manuel Caballero and you (you know who you are) for testing and feedback. Thanks to Microsoft for supporting the development of XSS Rays.
Updates….
The latest version of XSS Rays is now online (0.5.0); it contains some speed improvements and bug fixes.
1. Fixed conflicts with form elements named action or submit, which were causing form posts not to be submitted. Thanks Mike W
2. Removed unneeded cleanup code now the IE onload works.
3. Added the ability to exclude certain field types and names from being XSS’d.
4. Fixed name vector to specify window.name which was causing conflicts with image elements.
5. Fixed and checked same origin code. Thanks to Arshan who gave me a kick up the backside
6. Removed keyboard shortcut and added a button instead.
New update 0.5.5
1. Fixed Firefox bug with same origin
2. Fixed form Post to allow field names with submit. Thanks Kuza55 for the awesome form post hack
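The 0.5.0 and 0.5.5 notes above both concern form fields named action or submit: in the DOM, a control named submit becomes form.submit and shadows the submit() method, and a control named action shadows the action attribute, so any scanner that fills a form and calls form.submit() or reads form.action silently breaks. The check below is an added example, not XSS Rays’ own code; it pulls field names out of form markup with a plain regular expression (so it runs outside a browser) and reports the names that collide with HTMLFormElement members. The sample form is reconstructed from Mike W’s report in the comments.

```javascript
// Added example (not the project's code): spot form field names that shadow
// HTMLFormElement members and would break scanners relying on form.submit()/form.action.

// HTMLFormElement members commonly used by code that drives a form programmatically.
const SHADOWABLE_FORM_MEMBERS = ["action", "method", "submit", "reset", "elements", "target", "enctype", "length"];

// Return the distinct field names that collide with a form member, preserving first-seen order.
function findClobberingFieldNames(fieldNames) {
  const seen = new Set();
  return fieldNames.filter(name => {
    const hit = SHADOWABLE_FORM_MEMBERS.includes(name) && !seen.has(name);
    if (hit) seen.add(name);
    return hit;
  });
}

// Attribute-only extraction of control names from markup, sufficient for this check
// (inside the bookmarklet the live form.elements collection would be used instead).
function fieldNamesFromMarkup(html) {
  const names = [];
  const re = /<(?:input|select|textarea|button)\b[^>]*\bname\s*=\s*["']?([^"'\s>]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1]);
  return names;
}

// Constructed sample: the form from Mike W's comment, which stopped the scanner submitting.
const SAMPLE_FORM =
  '<form action="/somewhere" method="post">' +
  '<input type="text" name="first">' +
  '<input name="submit" type="submit">' +
  '</form>';

function clobberedInSample() {
  return findClobberingFieldNames(fieldNamesFromMarkup(SAMPLE_FORM));
}
```

The page does not say what the form post hack was; one widely used browser-side workaround for the submit case is to invoke the prototype method directly, HTMLFormElement.prototype.submit.call(form), which is unaffected by a child control named submit.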
No. 1 — March 25th, 2009 at 10:14 am
SO COOL !
No. 2 — March 25th, 2009 at 1:25 pm
4. Find your web site that you wish to scan, click your bookmarklet. Then press CTRL+ALT+X which will now run XSS Rays on the target site.
———————–
it should be ‘ctrl+shift+x’, not ‘ctrl+alt+x’?
No. 3 — March 25th, 2009 at 1:29 pm
@cosine
Thanks! I’ve corrected the article
No. 4 — March 25th, 2009 at 1:37 pm
unfortunately, some browsers use X as a menu shortcut, so ctrl+shift+x does not seem to work (tested it with IE8 & FF307)
No. 5 — March 25th, 2009 at 1:51 pm
@chris
I can change the shortcut, any suggestions?
* Don’t forget you must click the bookmarklet first to activate the shortcut
No. 6 — March 25th, 2009 at 2:17 pm
Marcin has pointed out if you wish to host XSS Rays at a different location other than 127.0.0.1 you need to do the following:-
1. Edit the bookmarklet file to point to the correct address in XSS_Rays/helpers/bookmarklet.html
2. Change the externalLog property in XSS_Rays.js to the new address.
You can also run a custom logging script which stores the vectors to a database if required.
No. 7 — March 25th, 2009 at 4:36 pm
Does the CTRL+SHIFT+X shortcut work on a mac? I tried this but nothing happened (the mouse cursor just disappears until I move it again)
No. 8 — March 25th, 2009 at 4:40 pm
@FBatista
Could be Apple+Shift+X, I’ll check it on the mac
No. 9 — March 25th, 2009 at 7:57 pm
I don’t get it. Say if I have a simple form of 3 inputs. Shouldn’t the tool simulate the form submission with the payloads? All the tool does is appending the payload to the target urls, which gets back 404s. Am I missing something here?
No. 10 — March 25th, 2009 at 8:38 pm
@Mike W
XSS Rays checks path injections and only works on certain web servers and configurations. If you don’t want it to check paths then switch it off in the js file. FYI XSS Rays scans paths, urls, forms and submits get/posts vectors.
No. 11 — March 25th, 2009 at 10:01 pm
This would seem to be a natural fit to work with php-ids (http://php-ids.org/). As they contain a great list of filters, and probably have a comprehensive list of attack vectors that could be simulated by this tool
No. 12 — March 26th, 2009 at 8:31 am
@RFS
Yes any vectors can be included within the vectors array, so that would be no problem.
No. 13 — March 26th, 2009 at 6:00 pm
@Gareth Heyes
I played around a little more. What I found is that a single
<input name="submit" type="submit">
will throw the tool off track. Here is the form I have
<form action="/somewhere" method="post">
<input type="text" name="first">
<input name="submit" type="submit">
</form>
It works if I delete the 2nd input.
I took a look at the js file, there is a function to scan the form. Not sure why it can’t handle a submission button.
No. 14 — March 26th, 2009 at 6:24 pm
@Mike W
Thanks I’ll look into that and have it fixed shortly. I suspect because the application is expecting a known value for the submit button it is failing to inject as all values are attack vectors.
No. 15 — March 26th, 2009 at 9:36 pm
the “same site” thing is important for professional testers who want to make sure not to send attacks against 3rd party partners who may not like it.
as soon as that’s tested and working let us know!
No. 16 — March 26th, 2009 at 11:05 pm
I’ll add graphs and reporting for all you professionals
Not.
No. 17 — March 27th, 2009 at 9:59 am
so does the javascript download have all the fixes?
No. 18 — March 27th, 2009 at 10:01 am
@miha pi
I’ve fixed the instructions and I’m currently working on some other fixes which should be released today thanks
No. 19 — March 27th, 2009 at 10:27 am
I like the idea, but installing some php onto a server does not sound good to me.
It would be really usable as e.g. app engine or something similar. Users just have to use the bookmarklet and do not have to install anything…
No. 20 — March 27th, 2009 at 10:40 am
@grosser
It doesn’t have to be a local server, you can install it anywhere and just modify the configuration. The logging can also be done in a database if you so wish.
No. 21 — March 27th, 2009 at 2:42 pm
XSS Rays has now been updated, thanks to everyone for the bug reports and suggestions.
No. 22 — March 27th, 2009 at 3:31 pm
Latest version is now 0.5.3
No. 23 — March 28th, 2009 at 6:01 pm
so nice.
No. 24 — March 30th, 2009 at 8:18 am
Latest version is now 0.5.5
No. 25 — September 17th, 2009 at 6:56 pm
Hi,
i liked your article very much,
and i would also like to point out another article on this blog ->
XSS Phishing
Thanks
No. 26 — December 9th, 2009 at 9:39 pm
isn’t the xss function call on Line 175 (scanLinks function) of XSS_RAYS.js missing the href parameter?
observed:
this.xss({pathname:location.pathname,search:location.search, type: 'url'});//scan originating url
expected:
this.xss({href:location.href,pathname:location.pathname,search:location.search, type: 'url'});//scan originating url
No. 27 — December 10th, 2009 at 7:08 am
@jagstyle
Nope this is intentional, I scan the path name of the url
No. 28 — December 10th, 2009 at 5:17 pm
without it my test hangs at that point with the linkStatus field displaying “url: undefined”
No. 29 — December 10th, 2009 at 6:32 pm
@jagstyle
Please can you tell me which browser you are using? It could be a bug in the way it gets the path
No. 30 — December 12th, 2009 at 1:44 am
Firefox 3.5.5
I sent an email with full details. Hopefully it’s helpful.
No. 31 — December 16th, 2009 at 11:40 am
Can you please send the details for me too,
it is not working for me
No. 32 — December 18th, 2009 at 10:04 am
Working on a fix for this, there is a bug on firefox but the vectors are intentionally duplicated as there are path injections. A temporary workaround is either comment out the path injections or disable the path option in the vectors.
I should have a fix soon when I get chance to look at the code.
No. 33 — October 3rd, 2010 at 7:53 am
I can’t scan anything except on 127.0.0.1, even though I changed the xss_rays.js and bookmarklet.php files. When scan start is clicked nothing happens.
No. 34 — October 31st, 2010 at 6:40 am
Hi, I tried to use this tool, but I’m not able to activate it. I clicked on the link in my favourites and then pressed the combination of keys as mentioned. Help me by giving detailed steps to start this.
No. 35 — November 1st, 2010 at 10:38 am
@jyoti @3p1C
I plan to update the XSS Rays code and release a new version which will hopefully make it more user friendly. In the meantime try editing the XSS_Rays.js file to execute automatically