How to turn firekeeper into an XSS testing tool

luntrus · Post by **luntrus** » Mon Jun 21, 2010 6:20 pm

Hi my good forum friends,

You have the firekeeper extension installed inside Fx or flock browser, open and add the following rules;
alert (msg:”Possible HTML Injection detected!”; body_content:”<xss>“;)
alert (msg:”Possible XSS detected!”; body_content:”>alert(”;)
alert (msg:”Possible XSS detected!”; body_content:”>document.write(”;)
alert (msg:”Possible XSS detected!”; body_content:”>document.body.innerHTML =”;)
Start online testing here: http://www.zubrag.com/tools/sql-injection-test.php
Other online tools for XSS-vulnerability testing: http://www.zubrag.com/tools/
Begin automated testing here from this site:
http://alcazar.sisl.rites.uic.edu/~mike ... tomate.php (these simulated test attacks here will not perform any malicious actions,my good forum friends)It is also good to test the protection of NS only the test site should be allowed, else the tests won't run...

I get an alert box here now and for instance a link report like:
({status: 'recorded', goto: 'http://alcazar.sisl.rites.uic.edu/~mike ... o=a&auto=1'});

Happy hunt,

pol

P.S. for tags checking: http://www.zubrag.com/tools/html-tags-stripper.php
combined with possible exploit: http://www.securiteam.com/securitynews/5HP031PAKY.html
just use your imagination to pen-test...
Example:
Not found there but an obfuscation url exploit test: === Triggered rule ===
alert(url_content:"%3CSCRIPT"; nocase; msg:"<script> tags GET request cross site scripting attempt"; url_re:"/%3Cscript.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

=== Request URL ===
http://pmw90687.surfcanyon.com/queryRef ... fscript%3e

Source of above example adopted from: http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html

luntrus