Firstly, if you have no idea what xss is all about , please read xss injection tutorial to understand the way xss works. In this post I’ll list some xss scanners which are available to be used to pentest your own webs. Instead of online xss scanner that I mentioned on my previous post , I’ll introduce you to some other scanner xss.

Acunetix

* Acunetix WVS automatically checks your web applications for XSS, SQL Injection & other vulnerabilities.
* Firewalls, SSL and locked-down servers are futile against web application hacking.
* Acunetix checks your web applications for coding errors that result in Cross Site Scripting vulnerabilities.
* Acunetix also checks for other vulnerabilities in popular web applications such as Joomla, PHPbb.
* Acunetix identifies files with XSS vulnerabilities allowing you to fix them BEFORE the hacker finds them!

URL : http://www.acunetix.com/cross-site-scripting/scanner.htm

Pixy

Pixy is a Java program that performs automatic scans of PHP 4 source code, aimed at the detection of XSS and SQL injection vulnerabilities. Pixy takes a PHP program as input, and creates a report that lists possible vulnerable points in the program, together with additional information for understanding the vulnerability.

URL : http://pixybox.seclab.tuwien.ac.at/pixy/download.php

GNUCITIZEN Javascript xss scanner

Once you open the POC application there are two options that are given to you. The first one is to use the XSS scanner together with the Yahoo Site Explorer Spider. The spider is restricted in terms of depth and number of results per page. You can spider only the top 50 results. Again, this is done on purpose. Concurrently with the spider, the scanner will test for the XSS issues and deliver the result via a callback mechanism.

URL : http://www.gnucitizen.org/blog/javascript-xss-scanner/

D3hydr8 Google XSS scanner

XSS Scanner that can find hosts using a google query or search one site.

URL : http://darkcode.ath.cx/scanners/XSSscan.py

Related articles :

• PHP Security: Fortifying Your Website- Power Tips, Tools & How to’s (noupe.com)
• Retrieving Data on a SQL Anywhere Server Using AJAX (java.sys-con.com)
• Php & Web Security – PHPXperts 2009 (slideshare.net)

Milw0rm is finally back with some new interesting informations and exploits , one of then is Firefox 3.5 Zero Day exploit! the exploit has been published on milw0rm yesterday. The firefox 3.5 zero day exploit itself simply demonstrates a security vulnerability that existed on firefox 3.5 by loading windows calculator. The most preventive way to take is by disabling javascript on firefox 3.5 , otherwise your pcs might get infected!

Excerpt :

The exploit portal Milw0rm has published an exploit for Firefox 3.5. The exploit demonstrates a security vulnerability by starting the Windows calculator. In testing by heise Security, the exploit crashed Firefox under Vista, but security service providers Secunia and VUPEN confirmed that attackers using prepared websites can infect PCs. The cause of the problem is a buffer overflow when processing specially prepared Font tags.

The Mozilla Foundation has been informed about the problem, but so far has not responded to queries by heise Security. An update does not currently exist. So far there are no reports of sites on the internet being first to use the hole for active infections and exploitation of Windows PCs. Since the published exploit uses PC heap spraying under JavaScript, disabling JavaScript should act as a stop gap. When the exploit was tested with Windows 7 RC1, after a short time, the browser displayed a dialogue offering to abort the script.

Download firefox 3.5 zero day Exploit : http://www.milw0rm.com/exploits/9137

Related articles :

• Highly Critical Security Vulnerability Found in Firefox 3. (mashable.com)
• Firefox 3.5 vulnerable to critical Javascript attack (macworld.com)
• Firefox users: critical security vulnerability (consumingexperience.com)

* See what users on your network are requesting online
* Check for proper server configuration (or improper, as the case may be)
* Research patterns in HTTP usage
* Watch for dangerous downloaded files
* Verify the enforcement of HTTP policy on your network
* Extract HTTP statistics out of saved capture files
* It’s just plain fun to watch in realtime

Quick excerpt from the official site of httypry:

httpry is a specialized packet sniffer designed for displaying and logging HTTP traffic. It is not intended to perform analysis itself, but to capture, parse, and log the traffic for later analysis. It can be run in real-time displaying the traffic as it is parsed, or as a daemon process that logs to an output file. It is written to be as lightweight and flexible as possible, so that it can be easily adaptable to different applications.

Download httpry 0.1.5 :
http://dumpsterventures.com/jason/httpry/httpry-0.1.5.tar.gz

Related articles :

• How to monitor site resources and stats in PLESK (5min.com)
• Gathering queries from a server with Maatkit and tcpdump (mysqlperformanceblog.com)
• S3Stat – Log Analysis for Amazon CloudFront and Amazon S3 (aws.typepad.com)

If you’ve read my previous post about hacking myspace account using keylogger on ‘myspace account hacking – does your wife cheat on you?’ , the same thing can also be implemented in hacking into facebook account by using more advanced keylogging method like javascript keylogger. Hack Password Facebook with javascript keylogger can be achieved by combining those both XSS vulnerabilities and Javascript Keylogger itself. Facebook was vulnerable to some XSS back then , this hole can be a good opportunity for intruders to infect a lot of facebook members with their web malware , including javascript keylogger ! And of course by keylogging , intruders can retrieve those facebook users ’s password easily , and then extend their hack into hack facebook profiles , etc

A good implementation of javascript keylogger can be found on http://www.xssed.com/article/25/Paper_Smashing_the_Web_for_fun_&_profit_using_XSS/. Exceprts :

Introduction

This article is dedicated to all this people that believe XSS is not a serious Web application vulnerability. Using XSS vulnerabilities someone can actually make lots of money. I don’t have any responsibility how this knowledge is going to be used, this article was created at of love of hacking and not to hack other people sites. Recently I became very interested to XSS and decided to write an article that fully explains how to inject a JavaScript key logger, and by saying fully explain I mean describe in full detail how can someone perform XSS filter invasion and run my JavaScript key logger in order to steal user names, passwords and user credentials. The scary part is that you don’t have to be a JavaScript expert to write effective JavaScript malicious code, you just have to have a good understanding of the Web. In the following article I provide the reader with two flavors of practically the same JavaScript key logger.

In order to understand this article you have to know:

1. How to write Html web forms (look at [4]).
2. How to write Javascript DOM objects (look at [3]).
3. Basic functionality of Http protocol (look at [1]).
4. Understand JavaScript what obfuscation is (have a look at [5]).
5. Understand how to use Burp Suite1.1 (look at [6]).

The functionality of your XSS

Before you exploit an XSS someone has to understand what is the functionality a XSS exploit should have. By saying functionality I mean what is the reason of your XSS, e.g. to deface a website, to cause a redirect or to steal user credentials (something that is the most interesting!!). In our situation we have to think about writing a key logger XSS. So that is why we have to make some thoughts about what is a log-in page form, from the user perspective, for example what is the average user name and password length? And how fast the an average user is typing? We are going to use this information to build up two flavors of JavaScript key loggers that run in IE, Firefox, Opera and Netscape. So our program is going to steal the user credential based only on time (e.g. auto execute after certain amount of time) or based only on password length (e.g. auto execute after the user types 5 characters) or based on both time and password length (e.g. maybe perform some character mapping, like check if Enter or Tab buttons have been pressed).

You can also read insanesecurity’s article to extend your understanding of userscript keylogger.

Random articles :

• Thwart password-hungry keyloggers with a Greasemonkey script
• Harmful Spyware and their stealthier means
• Keyboard “eavesdropping” just got way easier, thanks to electromagnetic emanations

It’s a bit late to introduce this tool anyway , but it’s still interesting to talk about this tool! The tool is called Browser Fuzzer 2 , developed by Jeremy Brown @ Krakow Labs. This tool allows you to fuzz any browsers you’d like to fuzz by fuzzing CSS,DOM,HTML and JavaScript. The main purpose of this tool is to fuzz web browsers as they process data and render content.

How to use Browser Fuzzer 2 :

1) Set up a place for output and pick a fuzzing phase.

rush@linux:~$ mkdir fuzz
rush@linux:~$ perl bf2.pl -o /home/rush/fuzz -p 4

Krakow Labs Development [krakowlabs.com] -> bf2
“Browser Fuzzer 2 — The bugs cannot hide anymore”
rush@KL (Jeremy Brown) [rush@krakowlabs.com]

bf2[phase four] JS Process Engaged. This could take some time (and disc space)!

[STAGE-> 1] Writing fuzz data to /home/rush/Desktop/fuzz
[STAGE-> 2] Writing fuzz data to /home/rush/Desktop/fuzz
[STAGE-> 3] Writing fuzz data to /home/rush/Desktop/fuzz
[STAGE-> 4] Writing fuzz data to /home/rush/Desktop/fuzz
[STAGE-> 5] Writing fuzz data to /home/rush/Desktop/fuzz

bf2[phase four] JS Process Complete (Final Count: 8004). Point your browser to /home/rush/fuzz/js1.html and monitor for exceptions

rush@linux:~$

2) Open the browser you wish to fuzz (in a debugger or with one attached if you like) and send it to the address of
xxxx1.html, where xxxx is the name of the phase you selected to fuzz.

Download Browser Fuzzer 2 : http://www.krakowlabs.com/dev/fuz/bf2/bf2.tar.gz

Related articles :

• Internet Explorer? Tuibguy says “No, Thanks!”
• TV Repair Update
• Internet Explorer security alert: Your questions answered

Image via Wikipedia

Just stumbled across to packet storm security’s tools collection , and I’ve just found an interesting tool to be discussed here , especially if you’re interested in Browser exploitation. The tool itself is called Browser Rider. It’s a hacking framework to build payloads that exploit your browser. Sounds similar to bEEF ? Well , yes it does! the developer’s purpose of developing this tool is to provide you with the more reliable browser hacking framework than just those other unmaintained tools out there nice..

However , here’s the excerpt from their official project site :

Browser Rider is not a new concept. Similar tools such as BeEF or Backframe exploited the same concept. However most of the other existing tools out there are unmainted, not updated and not documented. Browser Rider wants to fill those gaps by providing a better alternative.
What are the features?

^ Easily create powerful payloads and plugins
^ Manage payloads automatically with plugins
^ All data can be saved in a database
^ Obfuscation
^ Polymorphisme
^ Control more than one zombie at a time
^ Simple administration panel
Why create Browser Rider?

› Fun
› The challenge of creating something better than what is already existing
› Browser Rider can be used as a better XSS tunnel than the other tools during a pentest
› General hacking
Technical requirements

› PHP 5, with json installed
› Mysql
› Apache with url_rewrite on
› Targets must have Javascript turned on

You can also try the online demo of Browser Rider by following these steps :
- Open http://ultratopcool.free.fr/xss_remotedomain.html , and do not close it.
- Then go to http://www.engineeringforfun.com/BrowserRiderDemo/ , and you should see your ip in the zombie list

Watch the video & Read more about this project here !

Related article :

• WordPress update kyboshes XSS flaw