Using XSScrapy to Scan for XSS Vulnerabilities

XSScrapy is an amazing tool for the aspiring cyber security researcher. Entering the cyber security field used to be challenging and full of hours of wasted research with nothing to show for it. With XSScrapy, that is no longer true.

So what is an XSS Vulnerability

An XSS vulnerability is what happens when a website displays user input without escaping it. If this makes sense to you, continue to the next section.

A common example of when this would happen is if the website returned the following HTML:

<a href="[Link to the current page]">

So on example.com, this would display:

<a href="http://example.com/">

By loading example.com/"><script>alert(0)</script><", the HTML becomes:

<a href="example.com/"><script>alert(0)</script><"">

Which when indented properly looks like:

<a href="example.com/">
<script>
    alert(0)
</script>
<"">

All of which is valid HTML and will run properly. In this case, we have injected JavaScript code to display a popup box. While a popup box is not dangerous, the JavaScript can be used to do a number of other malicious things. For example, the injected JavaScript could automatically exfiltrate cookies back to an attacker-owned server (thus giving the attacker access to the victim's account).

So what is XSScrapy?

XSScrapy is an XSS scanner written by Dan McInerney in Python. XSScrapy works by using scrapy to create a web spider to download the HTML of all pages on a given domain name. Scrapy finds URLs by automatically following all of the links on the website until it has scanned every single URL. Once the HTML for a page is downloaded, XSScrapy automatically searches the page for XSS vulnerabilities.

This is done by looking for a number of common injection points and injecting the string 9zqjxel'"(){}<x>:9zqjxel;9. The important part of this string is '"(){}<x>:;. This string contains pretty much every possible "dangerous" character. So if the HTML is rendered without those characters being escaped, it is likely that there is an XSS vulnerability.
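As an added example (not part of the original post and not XSScrapy's own code), here is a small Python demonstration of both ideas above: the vulnerable href reflection from the earlier section next to an escaped version of it, and a detector that injects a probe shaped like XSScrapy's and reports which of the dangerous characters came back verbatim. The marker value, the function names, the hypothetical renderers and the example.com URL are assumptions made for the demo.

```python
import html
import re
from typing import Optional

# Probe in the shape of the string XSScrapy injects (see above): a marker on each
# side of the dangerous characters so the reflection can be located in the HTML.
# The marker value is constructed for this demo, not taken from XSScrapy.
MARKER = "9zqjxel"
DANGEROUS = "'\"(){}<x>:"
PROBE = f"{MARKER}{DANGEROUS}{MARKER};9"
# Characters whose verbatim survival we report; the "x" is only a tag name.
CHECKED = "'\"(){}<>:"


def render_link_vulnerable(current_url: str) -> str:
    """Hypothetical page that echoes the current URL into an href unescaped.
    This is the broken pattern described in the text, kept broken on purpose."""
    return f'<a href="{current_url}">'


def render_link_safe(current_url: str) -> str:
    """Same page, but escaped for an attribute context. quote=True turns both
    " and ' into entities, so the value cannot close the attribute, and < and >
    become &lt; and &gt;, so no tag can start inside it."""
    return f'<a href="{html.escape(current_url, quote=True)}">'


def reflected_between_markers(response_html: str, marker: str = MARKER) -> Optional[str]:
    """Return the text the page reflected between the two probe markers,
    or None when the probe was not reflected at all."""
    pattern = re.escape(marker) + r"(.*?)" + re.escape(marker)
    m = re.search(pattern, response_html, re.S)
    return m.group(1) if m else None


def unfiltered_chars(response_html: str) -> str:
    """Which of the probe's dangerous characters came back unchanged.
    This mirrors the 'Unfiltered:' field of an XSScrapy report entry."""
    reflected = reflected_between_markers(response_html)
    if reflected is None:
        return ""
    return "".join(c for c in CHECKED if c in reflected)


def breaks_attribute_context(response_html: str) -> bool:
    """For a reflection inside a double-quoted attribute, the walkthrough in
    this post relies on a surviving " (to leave the attribute) and on < and >
    (to start a tag). If all three survive, the page is reflecting unsafely."""
    survived = unfiltered_chars(response_html)
    return all(c in survived for c in '"<>')


def scan(render) -> dict:
    """Run the probe through a page renderer and summarise what came back."""
    page = render(f"http://example.com/?q={PROBE}")  # constructed base URL
    return {
        "unfiltered": unfiltered_chars(page),
        "breaks_context": breaks_attribute_context(page),
    }


if __name__ == "__main__":
    print("vulnerable:", scan(render_link_vulnerable))
    print("safe:      ", scan(render_link_safe))
```

The safe renderer still reflects the parentheses, braces and colon, which is why a report field like "Unfiltered" has to be read against the context the reflection lands in: inside a quoted attribute, those characters on their own do not let anything escape, whereas a surviving quote and angle brackets do.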

Ok, let's start scanning!

First, follow the installation instructions here. Once you have done that, let's find a website to scan.

Never run XSScrapy against a domain that you do not own or have permission to penetration test. So if you are looking for a website to practice your newfound skills on, try any website that offers a bug bounty. Look on websites like Bug Crowd, Hacker One, or CrowdCurity to find websites that allow for automated scanning.

Once you have found one, run:

xsscrapy.py -u http://example.com

Once the scan is finished, look through the xsscrapy-vulns.txt file by running cat xsscrapy-vulns.txt. Assuming the program found some potential vulnerabilities, this should give you a nice list of entries in the form of:

<pre>
URL: [URL of the Vulnerability]
response URL: [URL of the Vulnerability]
Unfiltered: [The code causing the problem]
Payload: [What was injected to trigger the problem]
Type: [Type of Vulnerability]
Injection point: [Where the payload was injected]
Possible payloads: [A suggested payload to exploit. Note: this is often incorrect]
Line: [The problematic line of HTML code]
</pre>

So now let's go through an example vulnerability report line by line.

<pre>
URL: www.example.com/?q=9zqjxxe'"(){}<x>:9zqjxxe;9
response URL: www.example.com/?q=9zqjxxe'"(){}<x>:9zqjxxe;9
Unfiltered: '"(){}<x>
Payload: 9zqjxxe'"(){}<x>:9zqjxxe;9
Type: form
Injection point: q
Possible payloads: x"/onmouseover=prompt(9)/", x"x><svG/onLoad=prompt(9)>, x" onmouseover=prompt(9) "
Line:  <input type="hidden" name="q" value="9zqjxgm'"(){}<x>:9zqjxgm;9
</pre>
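When a scan produces more than a handful of entries, it helps to read xsscrapy-vulns.txt programmatically rather than by eye. The following Python parser is an added example, not part of the original post or of XSScrapy: it turns the report format shown above into dictionaries and groups entries by type and injection point, flagging the ones that reflected the quote and angle brackets unfiltered as the ones to verify by hand first. The sample report text is constructed (the first entry is the one from this post, the second is made up in the same shape), and the assumptions that entries are separated by a blank line and that "Possible payloads" is a comma-separated list are mine.

```python
from collections import defaultdict

# Constructed xsscrapy-vulns.txt contents for the demo. The first entry is the
# one shown in the post; the second is made up in the same shape so that the
# grouping below has something to group.
SAMPLE_REPORT = """URL: www.example.com/?q=9zqjxxe'"(){}<x>:9zqjxxe;9
response URL: www.example.com/?q=9zqjxxe'"(){}<x>:9zqjxxe;9
Unfiltered: '"(){}<x>
Payload: 9zqjxxe'"(){}<x>:9zqjxxe;9
Type: form
Injection point: q
Possible payloads: x"/onmouseover=prompt(9)/", x"x><svG/onLoad=prompt(9)>, x" onmouseover=prompt(9) "
Line:  <input type="hidden" name="q" value="9zqjxgm'"(){}<x>:9zqjxgm;9

URL: www.example.com/search?term=9zqjxxe'"(){}<x>:9zqjxxe;9
response URL: www.example.com/search?term=9zqjxxe'"(){}<x>:9zqjxxe;9
Unfiltered: '"(){}<x>
Payload: 9zqjxxe'"(){}<x>:9zqjxxe;9
Type: form
Injection point: term
Possible payloads: x" onmouseover=prompt(9) "
Line:  <input type="text" name="term" value="9zqjxgm'"(){}<x>:9zqjxgm;9
"""

# Fields assumed to hold a comma-separated list rather than a single value.
LIST_FIELDS = {"Possible payloads"}


def parse_report(text: str) -> list:
    """Parse report text into one dict per entry.

    Assumptions: entries are separated by a blank line and every field is a
    single 'Key: value' line. Only the first colon is used as the separator,
    because URLs and the 'Line' field routinely contain colons themselves."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a stray line that is not a field
        key, value = key.strip(), value.strip()
        if key in LIST_FIELDS:
            value = [p.strip() for p in value.split(", ") if p.strip()]
        current[key] = value
    if current:
        entries.append(current)
    return entries


def triage(entries: list) -> dict:
    """Group entries by (Type, Injection point) and mark those whose
    'Unfiltered' field shows the quote and both angle brackets surviving.
    Those are worth confirming by hand first; the report's own suggested
    payloads are, as the post notes, often incorrect."""
    groups = defaultdict(list)
    for e in entries:
        unfiltered = e.get("Unfiltered", "")
        groups[(e.get("Type"), e.get("Injection point"))].append({
            "url": e.get("URL"),
            "quote_and_brackets": all(c in unfiltered for c in '"<>'),
        })
    return dict(groups)


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for key, hits in triage(parsed).items():
        print(key, hits)
```

To use it on a real scan, replace SAMPLE_REPORT with the contents of xsscrapy-vulns.txt, for example via open("xsscrapy-vulns.txt").read().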

### Developing the Exploit (if Type == form)

Take the URL from the first line and load it in your browser `www.example.com/?q=9zqjxxe'"(){}<x>:9zqjxxe;9`

Now modify the URL to `www.example.com/?q=`

Then look at the last line of XSScrapy's vulnerability report:

<pre>Line:  <input type="hidden" name="q" value="9zqjxgm'"(){}<x>:9zqjxgm;9</pre>

So based on the above excerpt from the HTML, we can tell that we want to first add a " to escape from the value attribute, followed by a > to close the input tag and escape out into the HTML. Together, these two characters cause all following text to be interpreted as HTML. Now that we have that done, we simply tack a standard <script>alert(0)</script> onto the end of ">, making our final input "><script>alert(0)</script>. So now we have our payload.

Take that payload and add it on to the URL we got earlier (www.example.com/?q=) to make www.example.com/?q="><script>alert(0)</script>. Then load that URL, and you should get a pop up box displaying 0!

Now that you have gotten this far, the final step is to report the vulnerability to the website. Create an account on whatever bug bounty website they use and submit it. If you've gotten this far, then congratulations! You've reported your first vulnerability.
