XSS vulnerability scanner

As I wrote in one of my last posts, here is the post about the XSS vulnerability scanner I presented at 0sec.

What is it and what can you do with it?
As the name says, it's an XSS vulnerability scanner. I wrote it during my research on XSS and as part of my talk at the 0sec security conference. At the moment it's only a proof of concept, written in PHP, with only about 200 lines of code including the variable validation, but I think it shows how a simple XSS scanner could work, and I have to say the POC is working fine for me :)

How does it work:
As I said, there are only about 200 lines of code, so it's very simple. First it uploads the local file containing the variables we want to scan for to the server, then it extracts the variables and puts them in an array. After that, the scanner opens a socket and sends a request of the scan type you set before. The request includes the variable with a simple XSS string (<script>alert(123);</script>) as its value. When the server answers, the scanner checks whether the response includes our XSS string: if it does, the variable is vulnerable, otherwise it's not, and the scanner moves on to the next variable. Now many of you will ask: "and what if it's not vulnerable to this stupid basic XSS string?" The answer is very simple: of course, most of the time we have to put something before the XSS string, like “>, so it won't be executed this way. Surprise, surprise! It doesn't matter :P The scanner can still tell whether it's vulnerable. How? Also very simple: even if the really dumb XSS string won't be executed, it will still be included unfiltered in the HTML content if the variable is vulnerable. If we try this in our web browser nothing will happen, but once you see that a variable is vulnerable you can look at where it ends up in the HTML and what you have to put before the XSS string to get it executed :)
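To make the reflection check concrete, here is a small added example (not the scanner's own code) that runs the post's test offline against two constructed page handlers: one that echoes the value raw into an attribute, and one that entity-encodes it with htmlspecialchars. The handler and function names are assumptions for the example. It shows the point made above: the probe landing inside a value="" attribute would not execute in a browser, yet it is still reflected verbatim, so the check flags it; the encoded version is not flagged.

```php
<?php
// Added example, not part of the original post or the scanner.
// The probe string is the one used in the post.
const PROBE = '<script>alert(123);</script>';

// Constructed handler standing in for a scanned page: the untrusted value is
// written raw into an attribute context, so it is reflected unfiltered.
function render_vulnerable(string $q): string {
    return '<input type="text" name="q" value="' . $q . '">';
}

// Hardened form of the same handler: ENT_QUOTES encodes both quote styles and
// the angle brackets, so the value stays inert in the attribute.
function render_fixed(string $q): string {
    return '<input type="text" name="q" value="'
        . htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';
}

// The check described in the post: is the probe present verbatim in the body?
function reflects_probe(string $body): bool {
    return strpos($body, PROBE) !== false;
}

foreach (['render_vulnerable', 'render_fixed'] as $handler) {
    $body = $handler(PROBE);
    printf("%-17s reflected=%s\n  %s\n",
        $handler, reflects_probe($body) ? 'yes' : 'no', $body);
}
```

The vulnerable handler returns the probe unchanged inside the attribute, so reflects_probe() is true even though no script runs there; the fixed handler returns `&lt;script&gt;alert(123);&lt;/script&gt;` and is not flagged. A substring check like this is a reflection test, not an execution test, which is exactly why the post says the trivial probe is enough to spot the bug while the context decides what a real payload would need.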

Things to be added:
At the moment the scanner can only test for variables in PHP code, not, for example, in ASP or other languages.
The scanner can only handle variables of the form $var_name. This means it can't scan for variables like $_GET['var'], but feel free to add this functionality to the code ;)
Sorry, shame on me, but I haven't had the time yet to really test the security of my POC code :(
And to say it once more: it's only a POC. If it is to become a good working scanner I have to implement filter detection, a better analyzer and much more.

So now I'm sure you'll want to have a look at the code :)

Here it is:
XSS vulnerability scanner

I'm looking forward to hearing your comments about it, and of course if I have some time I'll work on the things on the TODO list.
