XSS Rays extension

You might remember the XSS Rays bookmarklet I developed a while ago; a few of you nagged me to fix some things in it. Well, it was crappy because it was bookmarklet based, so I didn't bother. Instead I decided to create a Chrome extension and revamp the features. So here it is, the awesome XSS Rays!

XSS Rays

Features

Scan

Performs a scan of all forms and links and even crawls each one to a depth you specify (this will open a lot of tabs while it does this). At the moment it only supports GET requests and path injection. You press the extract links button, then select the links you want to inject with the multi-context XSS vector, then click run XSS injector and it will attempt to inject all the links and give you the URLs. You can also download them and save the file.

Reverse

This is super awesome: it will attempt to blackbox reverse an XSS filter. Again only GET is supported at the minute (mainly for speed and the fact that most XSS attacks use GET). You choose the site you want to scan by visiting it; a quick shortcut is to already have the param filled in, that way XSS Rays automatically enters it for you. To see how it works:-

1. Visit Mario’s challenge
2. Open XSS Rays and click reverse
3. Click reverse filter and watch the magic happen.

It will give you a report of which characters are allowed, an estimated length guess (pretty accurate unless a site drops a request that exceeds the limit; I estimate rather than test every length to save HTTP requests), which tags and attributes are allowed 🙂 and finally the characters it converts.

Search

Ever wanted to regex search the DOM and event handlers? Well I did that, but on steroids. You enter the regex string to search for and a highlight regex that highlights matches within the results, for example if I wanted to see where “location” appeared in the search results. It will search inline and external scripts and also give you the ability to click the file and edit it in real time.

Source

Will highlight events, charsets etc of the current source code of the page. Useful for quickly viewing the source and events. I have to improve this section and display headers etc.

Inspect window

Here you can traverse user defined objects. This was tricky because in Chrome hasOwnProperty is broken and isolated worlds in Chrome extensions make it difficult to edit the current window object. You click the object on the left and traverse it if there are any objects inside, then you can click any function defined inside an object and it will be de-obfuscated and you can edit it in real time.

Inspect user defined functions

How on earth do you inspect user defined functions on window? Think about it: if they are not assigned to window like window.x=function(){} then they will not be available inside for..in loops. That didn't stop me 🙂 I grabbed the source code for each script, scanned for functions defined inside the script, gathered a list of the names, then sent each name to the Function constructor like so:-

// funcs holds the function names scraped from the page's script sources
for (var i = 0; i < funcs.length; i++) {
    var funcName = funcs[i];
    var val = '';
    try {
        // Resolve the name in global scope; a non-global name throws a ReferenceError
        val = new Function("return " + funcName)();
        // Drop natives that happen to share a name, e.g. close(). Chrome prints natives
        // as "function close() { [native code] }", so the name is optional in the regex
        if (/^function\s*\w*\s*\(\)\s*\{\s*\[native code\]\s*\}/.test(val.toString())) {
            val = false;
        }
    } catch (e) {}
}

So the new function returns the value if it is global, and I do one last check to make sure it isn't native, for example if there is a function called close.
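Here is an added example of the whole flow described above, not taken from the XSS Rays source: scrape candidate names from script text, resolve each one through the Function constructor, and drop anything that is not a global, not a function, or native. The sample script, the scraping regexes and the helper names are constructed for the illustration.

```javascript
// Constructed sample "page script": two user functions plus a plain variable.
const SAMPLE_SCRIPT = [
  'function showBanner(msg) { return "<b>" + msg + "</b>"; }',
  'var renderCount = 0;',
  'var helper = function () { return renderCount; };',
].join('\n');

// Indirect eval runs the script in global scope, the way a <script> tag would,
// so its top-level declarations become globals that new Function() can reach.
(0, eval)(SAMPLE_SCRIPT);

// Step 1: scrape candidate names from script source. Covers declarations
// ("function name(") and assignments ("name = function").
function extractFunctionNames(src) {
  const names = [];
  const patterns = [
    /\bfunction\s+([A-Za-z_$][\w$]*)\s*\(/g,
    /\b([A-Za-z_$][\w$]*)\s*=\s*function\b/g,
  ];
  for (const re of patterns) {
    for (const m of src.matchAll(re)) {
      if (!names.includes(m[1])) names.push(m[1]);
    }
  }
  return names;
}

// Step 2: resolve a name via the Function constructor. Returns null when the
// name is not global (ReferenceError), not a function, or a native built-in.
function resolveUserFunction(name) {
  try {
    const val = new Function('return ' + name)();
    if (typeof val !== 'function') return null;
    // Natives stringify as "function name() { [native code] }"
    if (/\[native code\]/.test(Function.prototype.toString.call(val))) return null;
    return val;
  } catch (e) {
    return null;
  }
}

// Map of name -> function for every candidate that is a real user function.
function inspectUserFunctions(candidates) {
  const found = {};
  for (const name of candidates) {
    const fn = resolveUserFunction(name);
    if (fn) found[name] = fn;
  }
  return found;
}

// Extra constructed candidates: a native, a non-global, a non-function global.
const candidates = extractFunctionNames(SAMPLE_SCRIPT).concat(['parseInt', 'noSuchFunction', 'renderCount']);
console.log(Object.keys(inspectUserFunctions(candidates))); // ["showBanner", "helper"]
```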

Inject forms

Inject forms does exactly what it says on the tin: it will loop through all the forms on the page and inject a multi-context XSS vector.

Edit forms

Edit forms is cool because it allows you to alter a site's forms without altering their type. Let's say you have a checkbox: the elements are linked together and you can alter the value, so if the site logic expects a checkbox it still works.

Extract forms

Will extract all forms and fields on the page and return a url for each.

DOM Input/Output filter

Here you give it a URL and param, then some input; it will then inject your input onto the page and scan the DOM for the results, showing you the output. This is useful for creating an interface for testing a client side filtering system.

4 Responses to “XSS Rays extension”

  1. Gareth Heyes writes:

    Please enter any feature requests here:-
    http://code.google.com/p/xssrays/issues/list

  2. Ryan C writes:

    Hey Gareth. Awesome tool!

    The only problem I’ve had with it is that when you tab away from the window it halts and resets all progress in the extension. This means that, if the scanner finds some XSS and you go to analyze one, the rest are removed from the list.

  3. Gareth Heyes writes:

    Hey Ryan

    Glad you like it 🙂
    The focus problem is how popups work in Chrome and there’s no way around it 🙁 You can export the results using the button. As a fix I’m gonna store the results of the scan so you don’t lose them; then the next time it will remember the state.

  4. John Barrett writes:

    Yeap, this tool is amazing. I don’t have Chrome installed, I use only Opera, but I will install Chrome just to test this extension; it is very promising. I like Inspect window, I will report here how it works.