31 Dec, 2014

xssValidator v1.3.0 Released

by John Poulin

I’m proud to announce the release of xssValidator 1.3.0 with some exciting new improvements!

Active Scanner Support

One of the most exciting new features is the addition of active scanner capabilities. The active scanner will leverage the same payload list and same xss detectors as the intruder counterpart.  It’s worth mentioning that there’s no way to enable or disable the scans without disabling the extender.

DOM-based detection

Thanks to help from ewilded ( https://github.com/ewilded), xssValidator now supports basic DOM-based XSS detection, including injections into the URL hash.

Because the content stored in the URL hash is never sent to the server, Burp doesn’t capture it in the requests. But if you manually create the content in the payload position panel, the xss detectors will process it as a browser would.

Cookies, Host Headers, and More

In this release, we altered the extender and the xss.js detector to support the passthrough of HTTP cookies and host headers. This resolves issues with relative-linked libraries (such as jQuery) and cookie-dependent functionality.

Some Bugs, though

There appears to be a bug in the slimerjs implementation of the WebPage.evaluate() method ( https://github.com/laurentj/slimerjs/issues/284) that prevents the callbacks (onAlert, onConfirm, etc) from being called. As such, the xss.js detector will not work in slimerjs.

As always, please let me know if you have any questions or concerns. This update was submitted to the BApp store and should be live within a few days. For the time being, please download the v1.3.0 release from our repository.