I was reading SEO Black Hat during my lunch break, and it pointed me to RSnake's article on using GreaseMonkey to sniff out XSS attack vulnerabilities.  Since I'm a white hat SEO, I'll pretend I'm only interested in this stuff to the extent of attack prevention, so I added a few things to his proof of concept to make it more usable for that purpose (or any purpose, really).

First, we create a script that uses the last code snippet I posted here, the one that parses the response code out of an HTTP response (LinkChecker.php), located here.

<?php
// Fetch the headers for the URL passed in ?text=, read its HTTP response code
// and redirect the browser to a status-code image for the userscript to show.
include('LinkChecker.php');

$header_result = LinkChecker::getHeader($_REQUEST['text']);

$code = (int) LinkChecker::parseResponseCode($header_result);

// No parseable status line: fall back to the UNKNOWN image.
if (!$code) {
    $code = 'UNKNOWN';
}

header("Location: http://www.seoegghead.com/HTTP_codes/HTTP_$code.gif");
?>

We name the file "xss_detect.php."  Then we modify RSnake's script with a few little features that make it much more usable casually.  We insert an image for various response codes, and a bright yellow one for a 301.  If you see a 301, you know it's an oppor … nerability.

Here is the modified script:

// ==UserScript==
// @name    redirect_seo_egghead
// @namespace    http://www.seoegghead.com/
// @description    Looks for things in the page that look like redirects and reports them - By RSnake, SEO Egghead
// @include    *
// ==/UserScript==

(function() {
  window.addEventListener("load", function(e) {
    // Walk every link on the page; '<' rather than '<=' so the loop stops at
    // the last link instead of reading one past the end of the collection.
    for (var i = 0; i < document.links.length; i++) {
      // Flag links whose href carries a second absolute URL, plain or %-encoded.
      if (document.links[i].href.match(/http:\/\/.*http(:|%3A)(\/|%2F)(\/|%2F)/i)) {
        // Loading the image makes xss_detect.php fetch the link and answer with
        // a status-code graphic, which is appended next to the suspect link.
        // The href is encoded so its own query string survives the round trip.
        var red_xss = new Image();
        red_xss.src = "http://YOUR_PHP_WEB_SITE_HERE.com/xss_detect.php?text=" + encodeURIComponent(document.links[i].href);
        //alert(document.links[i]);
        document.links[i].appendChild(red_xss);
      }
    }
    return;
  }, false);
})();

Here's one example of a big fat vulnerability:

Here's a link to my site from theirs:
http://www.iol.co.za/outgoing.php3?URL_to=http://www.seoegghead.com
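The userscript's regex fires on any link that contains "http://" twice, which also catches same-host redirects and misses https targets. The following is an added example (not RSnake's or SEO Egghead's code) that does the same spotting more carefully: it reads each query parameter, percent-decodes it once more to catch double-encoding, and reports only links whose embedded URL points at a different host. It assumes the WHATWG URL class (browsers, Node.js 10+); the sample links, including the outgoing.php3 link above, are constructed.

```javascript
// Return a URL object if the value, after one extra percent-decode, is an
// absolute http(s) URL; otherwise null.
function decodeIfUrl(value) {
  let s = value;
  try { s = decodeURIComponent(value); } catch (e) { /* keep the raw value */ }
  if (!/^https?:\/\//i.test(s)) return null;
  try { return new URL(s); } catch (e) { return null; }
}

// Inspect one href. Returns null when no parameter looks like a redirect
// target, otherwise {href, param, target, crossHost}.
function inspectLink(href) {
  let link;
  try { link = new URL(href); } catch (e) { return null; }
  for (const [name, value] of link.searchParams) {
    const target = decodeIfUrl(value);
    if (target) {
      return {
        href: href,
        param: name,
        target: target.href,
        crossHost: target.hostname !== link.hostname,
      };
    }
  }
  return null;
}

// Run over a list of hrefs (document.links in the userscript) and keep only
// the links that would send a visitor to another host.
function findCrossHostRedirects(hrefs) {
  return hrefs.map(inspectLink).filter(r => r && r.crossHost);
}

// Constructed sample links: the post's outgoing.php3 example, an encoded
// https target, a same-host redirect and a plain link.
const SAMPLE_LINKS = [
  "http://www.iol.co.za/outgoing.php3?URL_to=http://www.seoegghead.com",
  "http://example.test/go?next=https%3A%2F%2Fother-host.test%2Flogin",
  "http://example.test/go?next=http://example.test/home",
  "http://example.test/about.html",
];

console.log(JSON.stringify(findCrossHostRedirects(SAMPLE_LINKS), null, 2));
```

Only the first two sample links are reported; the same-host redirect is inspected but left out, and the plain link yields null.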

I left this script activated in GreaseMonkey, and I will be auditing all my sites this way.
