It has been quite a while since you’ve heard anything new about xssValidator, but today we bring good news! Version 1.2.0 has been released with some significant modifications.
onmouseover, which can be used within any HTML element attribute. As an attacker, this will allow us to avoid using <script> tags that may very well get caught by a WAF.
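The defensive side of that point, as an added example (JavaScript, not code from xssValidator or its authors): a check that only rejects script tags lets an event-handler payload through, while a scan of start-tag attributes for any on* name catches it, generalizing from onmouseover to every inline handler. The sample markup and the function names are constructed for this example, and the regex tokenizer is only an illustration; production sanitization belongs in a real HTML parser or sanitizer library.

```javascript
// Added example, not xssValidator code: why a "<script>" check is not enough.
// Sample markup below is constructed for the demonstration.

// The weak check: a rule that stops at script tags, as many simple WAF
// signatures do. Event-handler payloads never trip it.
function hasScriptTag(html) {
  return /<\s*script\b/i.test(html);
}

// Start tag: captures the tag name and the raw attribute string.
// Illustrative only: a value containing ">" would confuse this regex.
const TAG_RE = /<\s*([a-zA-Z][\w:-]*)((?:\s+[^>]*)?)>/g;
// One attribute: name, optionally followed by a quoted or bare value.
const ATTR_RE = /([^\s=\/"'<>]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/g;

// Returns every inline event handler as {tag, attr, value}, case-insensitive,
// so ONMOUSEOVER and an unquoted value are reported just like the quoted form.
function findInlineEventHandlers(html) {
  const found = [];
  for (const tagMatch of html.matchAll(TAG_RE)) {
    const [, tagName, attrString] = tagMatch;
    for (const attrMatch of attrString.matchAll(ATTR_RE)) {
      const [, name, rawValue = ''] = attrMatch;
      if (/^on[a-z]+$/i.test(name)) {
        found.push({
          tag: tagName.toLowerCase(),
          attr: name.toLowerCase(),
          value: rawValue.replace(/^["']|["']$/g, ''),
        });
      }
    }
  }
  return found;
}

// Combined check: flag markup with either a script tag or an inline handler.
function isSuspicious(html) {
  return hasScriptTag(html) || findInlineEventHandlers(html).length > 0;
}

// Constructed samples: one script-tag payload, two handler payloads in the
// style the release notes describe, and a benign anchor for a false-positive check.
const SAMPLES = {
  scriptTag: '<script>alert(1)</script>',
  mouseover: '<div onmouseover="alert(1)">hover me</div>',
  imgUpperBare: '<IMG SRC=x ONERROR=alert(1)>',
  benign: '<a href="/docs" title="on-boarding">docs</a>',
};
```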
Within the payload definition panel (yes, that’s new, too!), we provide instructions for creating payloads with event handlers, but it’s as simple as this:
The Phantom.JS xss-detector script has been modified to support testing of event handling. When the detector is evaluating a page, it will now simulate hovering over each element of the page in an attempt to trigger events.
Currently the Slimer.JS xss-detector does not support this functionality; however, it is on the roadmap for version 1.2.1.
In this release we also spent some time (more than 30 minutes ;)) building a more useful GUI for the xssValidator tab. It’s still not where we want it to be in terms of design and functionality, but it’s definitely a step in the right direction.
We’ve added the ability to view, modify, and create new payloads dynamically, right through the interface. Previously, if our users wanted to modify payloads, they would have to actually modify and recompile the source code, which isn’t very friendly. Most of our users install the plugin through the BApp store and don’t have the source readily available to them.
And most importantly, we added instructions! Because this extender requires external services (Phantom.JS / Slimer.JS), it’s important for the users to have instructions. Please note, the extender will run without the services, but that’s the same as running Burp Intruder with an XSS payload list.
As always, please let me know if you have any questions or concerns. This update was submitted to the BApp store and should be live within a few days. For the time being, please download the v1.2.0 release from our repository.
John Poulin is an application security consultant for nVisium who specializes in web application security. He worked previously as a web developer and software engineer who focused on building multi-tier web applications. When he’s not hacking on web apps, John spends his time building tools to help him hack on web apps! You can find him on Twitter: @forced_request and on myspace: REDACTED.