Automatic XSS Enumeration

XSS has become a serious topic after the Samy Worm forced MySpace to close for maintenance temporary, and then XSS started to get the attention of the experts in the field. As of May 2007, “Hundreds of XSS vulnerabilities were being disclosed in major Web sites and criminals began combining in phishing scams for an effective fraud cocktail. Unsurprising since according to WhiteHat Security more than 70 percent of Web sites are currently vulnerable.” ( Cross site scripting attacks : Exploits and Defense ).

Now knowing that there are vulnerabilities in many places. It would be fun to start enumerating. It is just a little grunt work to start testing out every field to see if it breaks. Yet, the low hanging fruits are rather tedious as they are all regarding filling in attack vectors into the fields. The intuitive way is to automate this task.

The problem is sometimes you’ll be met with dynamically generated javascript or something that requires execution of javascript to proceed. Moreover, the rendering engine is different for each browser, which means there are attack vectors that are browser-specific. This makes just fetching the HTTP response body to get the text might miss some fruity results. The obvious way to do this is to simulate browser activity. This can be slow, but working.

Citing Thoughtwork Bret Pettichord’s terminology,

Web Protocol Drivers – These are components that simulate protocol interaction, HTTP and HTTPS.
Web Browser Drivers – These are components that simulate browser like a user clicking.

Since some hacks do depend on the particular browser rendering engine, it becomes obvious that Web Protocol Drivers will not be doing our job well, even with something like John J. Lee’s py-SpiderMonkey ( it executes JavaScript in Python with Mozilla ), and some platform specific methods as well, e.g. GreaseMonkey. The direction goes to Web Browser Drivers, or simply UI automation.

I found a tool call Selenium. It is a Java implementation in general but with client drivers implemented in Java, Ruby, Python, C#, PHP and Perl. It utilizes real browser rendering engine to run tasks. So what you get in Selenium will be the response doing the tasks manually. The problem is how does it bypass the same origin policy. The trick is that Selenium builds itself as a reverse proxy and injects the javascript code into the page before passing into the browser, effectively fooling the browser that the code is part of the real site. You can tailor a sequence of actions and start feeding in attack vectors. I coded a prototype by verifying the browser-specific attack vectors. What I do is I tried to captured a few HTTP requests of the sites I want to enumerate manually first, and then automated the HTTP requests and parses with the selenium automation.

As of now, it’s working. I can go on further to parse the input fields so I can automate further more. And even start spidering and enumerating.

You may find a tutorial on Selenium here.


0 Responses to “Automatic XSS Enumeration”

  1. Leave a Comment

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s


%d bloggers like this: