XSS for Lunch - Yum!

Jun.14th,2006

I was reading SEO Black Hat during my lunch break, and it pointed me to RSnake's article on using GreaseMonkey to sniff out XSS attack vulnerabilities.  Since I'm a white hat SEO, I'll pretend I'm only interested in this stuff to the extent of attack prevention, so I added a few things to his proof of concept to make it more usable for that purpose (or any purpose, really).

First, we create a script that uses the code snippet I posted last time (LinkChecker.php, located here), which parses the response code out of an HTTP response header.

<?php
include('LinkChecker.php');

// Fetch the response headers for the URL the user script passed in.
$header_result = LinkChecker::getHeader($_REQUEST['text']);

// Pull the numeric response code out of the headers; 0 means none was found.
$code = (int) LinkChecker::parseResponseCode($header_result);

if (!$code) {
    $code = 'UNKNOWN';
}

// Send the browser to the image that corresponds to the response code.
header("Location: http://www.seoegghead.com/HTTP_codes/HTTP_$code.gif");
?>

We name the file "xss_detect.php". Then we modify RSnake's script with a few small features that make it much more usable casually. An image is inserted next to each suspicious link, one per response code, with a bright yellow one for a 301. If you see a 301, you know it's an oppor … nerability.

Here is the modified script:

// ==UserScript==
// @name    redirect_seo_egghead
// @namespace    http://www.seoegghead.com/
// @description    Looks for things in the page that look like redirects and reports them - By RSnake, SEO Egghead
// @include    *
// ==/UserScript==

(function() {
  window.addEventListener("load", function(e) {
    // Walk every link on the page; note "<", not "<=", or the last
    // iteration reads past the end of document.links.
    for (var i = 0; i < document.links.length; i++) {
      var href = document.links[i].href;
      // A link carrying a second http:// (plain or percent-encoded)
      // inside it looks like an outbound redirector.
      if (href.match(/http:\/\/.*http(:|%3A)(\/|%2F)(\/|%2F)/i)) {
        // Ask xss_detect.php for the status image for this link's URL;
        // encode the URL so it survives as a single query parameter.
        var red_xss = new Image();
        red_xss.src = "http://YOUR_PHP_WEB_SITE_HERE.com/xss_detect.php?text="
          + encodeURIComponent(href);
        document.links[i].appendChild(red_xss);
      }
    }
  }, false);
})();

Here's one example of a big fat vulnerability:


Here's a link to my site from theirs:
http://www.iol.co.za/outgoing.php3?URL_to=http://www.seoegghead.com
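To see what the two scripts above actually decide, here is the link-classification step pulled out so it runs and can be tested outside the browser. This is an added example, not code from the post or from RSnake's script; the sample links are constructed, and `statusImage` only mirrors what xss_detect.php does with the parsed code.

```javascript
// Added example: the user script's link test plus the PHP side's code-to-image
// mapping, as plain functions. Sample hrefs are constructed, not real findings.
const REDIRECT_RE = /http:\/\/.*http(:|%3A)(\/|%2F)(\/|%2F)/i;

// Returns the URL embedded in an outbound-redirect style link (decoded),
// or null when the href does not carry a second http:// inside it.
function embeddedTarget(href) {
  const m = REDIRECT_RE.exec(href);
  if (!m) return null;
  // The greedy ".*" leaves the match end right after the embedded "http://"
  // (plain or percent-encoded); back up to where that "http" starts.
  const tailLen = 4 + m[1].length + m[2].length + m[3].length;
  const raw = href.slice(m.index + m[0].length - tailLen);
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return raw; // malformed percent-encoding: report it as-is
  }
}

// Scan a list of hrefs (what document.links yields in the browser) and keep
// only those that look like redirectors, together with their embedded targets.
function findRedirectLinks(hrefs) {
  const hits = [];
  for (const href of hrefs) {
    const target = embeddedTarget(href);
    if (target !== null) hits.push({ href: href, target: target });
  }
  return hits;
}

// Mirrors xss_detect.php: map a parsed response code to the image name,
// falling back to UNKNOWN when no positive integer code could be parsed.
function statusImage(code) {
  const n = parseInt(code, 10);
  return "HTTP_" + (n > 0 ? n : "UNKNOWN") + ".gif";
}

// Constructed sample page links; example.test hosts are placeholders.
const SAMPLE_LINKS = [
  "http://www.iol.co.za/outgoing.php3?URL_to=http://www.seoegghead.com",
  "http://example.test/go?u=http%3A%2F%2Fwww.seoegghead.com%2Fpage",
  "http://example.test/about.html",
];

const HITS = findRedirectLinks(SAMPLE_LINKS);
```

Only the first two sample links are reported, with the percent-encoded one decoded back to a readable target.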

I left this script activated in GreaseMonkey, and I will be auditing all my sites this way.


2 Responses to “XSS for Lunch - Yum!”

ha.ckers.org security lab - Archive » SEO redirects continued on

[...] Jaimie Sirovich just posted an amendment to my post about SEO redirection on his blog. His post expounds on my crappy SEO redirection explanation by adding in the logging script, making it more customizable and in general less lame. His is better, check it out. I think this really is a huge problem that will stay around for quite a while. I started finding these in Google a while back, and then they came fast and furious. [...]

itchy on

Hi Jaimie,
Been reading your blog all day, fantastic work bruv. Just wondered if you could give us the heads up on how to install this script and drop links when you find vulnerabilities.
Thanx, itchy
