- Jun. 14th, 2006
- 2 comments
I was reading SEO Black Hat during my lunch break, and it pointed me to RSnake's article on using GreaseMonkey to sniff out XSS attack vulnerabilities. Since I'm a white hat SEO, I'll pretend I'm only interested in this stuff to the extent of attack prevention, so I added a few things to his proof of concept to make it more usable for that purpose (or any purpose, really).
First, we create a script that uses the last code snippet I posted here, LinkChecker.php, which parses the response code out of an HTTP response header.
<?php
// xss_detect.php: fetch the headers of the URL passed in ?text=, pull out the
// HTTP status code, and send the browser to an image named after that code
// (HTTP_301.gif, HTTP_200.gif, ...), so the code shows up inline next to the link.
// The script fetches whatever URL it is handed, so host it somewhere only you use.
include('LinkChecker.php');
$header_result = LinkChecker::getHeader($_REQUEST['text']);
$code = (int) LinkChecker::parseResponseCode($header_result);
if (!$code) {
    $code = 'UNKNOWN';
}
header("Location: http://www.seoegghead.com/HTTP_codes/HTTP_$code.gif");
exit;
?>
We name the file "xss_detect.php." Then we modify RSnake's script with a few small features that make it much more usable casually: next to every link that looks like a redirect, it inserts an image showing the HTTP response code, with a bright yellow one for a 301. If you see a 301, you know it's an oppor … nerability. The 3xx code tells you the page is a server-side redirector; what makes it abusable is that the destination comes from the URL itself, so anyone can point it wherever they like.
Here is the modified script:
// ==UserScript==
// @name redirect_seo_egghead
// @namespace http://www.seoegghead.com/
// @description Looks for things in the page that look like redirects and reports them - By RSnake, SEO Egghead
// @include *
// ==/UserScript==
(function() {
window.addEventListener("load", function(e) {
    // Walk every link on the page. document.links is zero-based, so the
    // original "<=" read one past the end; stop at length - 1.
    for (var i = 0; i < document.links.length; i++) {
        var href = document.links[i].href;
        // A link whose URL carries a second "http://" (plain or %-encoded) is
        // a redirect candidate, e.g. out.php?url=http://other.site/
        if (href.match(/http:\/\/.*http(:|%3A)(\/|%2F)(\/|%2F)/i)) {
            // Load xss_detect.php as an image; it answers with a redirect to
            // the icon for the status code the candidate URL returns. Encode
            // the href so any & or # inside it stays part of the text= value.
            var red_xss = new Image();
            red_xss.src = "http://YOUR_PHP_WEB_SITE_HERE.com/xss_detect.php?text=" + encodeURIComponent(href);
            //alert(href);
            document.links[i].appendChild(red_xss);
        }
    }
}, false);
})();
Here's one example of a big fat vulnerability:

Here's a link to my site from theirs:
http://www.iol.co.za/outgoing.php3?URL_to=http://www.seoegghead.com
I left this script activated in greasemonkey, and I will be auditing all my sites this way.
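As an added example, not code from the original post or from RSnake's script, here is the same link filter reworked for Node.js so it can run offline against a plain list of hrefs instead of document.links. It goes a step beyond the userscript's regex: it resolves relative hrefs, accepts https as well as http, reads the target out of the query string (decoding http%3A%2F%2F once or twice), reports which parameter carries it, and adds a classifier for what the probe (the role xss_detect.php plays above) gets back, since a 3xx only matters if its Location is the address we supplied. It assumes a Node.js release with the WHATWG URL class; the sample hrefs are constructed, apart from the iol.co.za link from this post.

```javascript
// Added example (not from the original post or RSnake's script).
// Assumes Node.js with the global WHATWG URL / URLSearchParams classes.

// Return the decoded absolute URL held in `value`, or null if it is not one.
// URLSearchParams already decoded once; this handles double encoding.
function embeddedUrl(value) {
  let v = value;
  for (let pass = 0; pass < 3; pass++) {
    if (/^https?:\/\//i.test(v)) return v;
    let decoded;
    try {
      decoded = decodeURIComponent(v);
    } catch (e) {
      return null;
    }
    if (decoded === v) return null; // nothing left to decode
    v = decoded;
  }
  return null;
}

// Find links whose query string carries a full URL: the open-redirect shape
// the userscript's regex is after (out.php?url=http://other.site/).
function findRedirectCandidates(hrefs, pageBase) {
  const hits = [];
  for (const href of hrefs) {
    let u;
    try {
      u = new URL(href, pageBase); // resolves relative hrefs against the page
    } catch (e) {
      continue;
    }
    if (u.protocol !== "http:" && u.protocol !== "https:") continue;
    for (const [name, value] of u.searchParams) {
      const raw = embeddedUrl(value);
      if (raw === null) continue;
      let target;
      try {
        target = new URL(raw);
      } catch (e) {
        continue;
      }
      hits.push({
        href: u.href,
        param: name,
        target: target.href,
        offsite: target.host !== u.host,
      });
    }
  }
  return hits;
}

// Decide what a candidate actually does, from the status and Location header
// the probe gets back. A 3xx whose Location is the URL we supplied is an open
// redirect; a 3xx somewhere else is a fixed redirect; anything else (a 200
// with a meta refresh, a 404, ...) needs a look by hand.
function classifyProbe(candidate, status, location) {
  if (status < 300 || status >= 400) return "no-redirect";
  if (!location) return "redirect-no-location";
  let loc;
  try {
    loc = new URL(location, candidate.href);
  } catch (e) {
    return "redirect-unparseable";
  }
  return loc.href === candidate.target ? "open-redirect" : "redirect-elsewhere";
}

// Constructed sample: what document.links might hold on a page at example.com.
const SAMPLE_HREFS = [
  "http://www.iol.co.za/outgoing.php3?URL_to=http://www.seoegghead.com",
  "http://example.com/go?to=http%3A%2F%2Fwww.seoegghead.com%2Fpage%3Fx%3D1%26y%3D2",
  "http://example.com/about.html",
  "/login?next=https://example.com/account",
  "mailto:someone@example.com",
];

const candidates = findRedirectCandidates(SAMPLE_HREFS, "http://example.com/");
for (const c of candidates) {
  console.log(`${c.param}= in ${c.href} -> ${c.target}${c.offsite ? " (off-site)" : ""}`);
}
// Constructed probe result for the first candidate, as a 301 redirector would answer it.
console.log(classifyProbe(candidates[0], 301, "http://www.seoegghead.com/"));
```

The userscript only flags a link when the page's own regex sees a second `http://`; the version here also catches a same-host `login?next=` parameter, which is the shape most open redirects on login pages take, so the `offsite` flag is there to sort those from links that simply bounce through a third-party counter.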
"2 Wise Comments Banged Out Somewhere On The Internet ..."
hi jamie,

ha.ckers.org security lab - Archive » SEO redirects continued
[...] Jaimie Sirovich just posted an amendment to my post about SEO redirection on his blog. His post expounds on my crappy SEO redirection explanation by adding in the logging script, making it more customizable and in general less lame. His is better, check it out. I think this really is a huge problem that will stay around for quite a while. I started finding these in Google a while back, and then they came fast and furious. [...]