By drd_
11/28/2018 12:34 am
Cross-site scripting is one of the most common vulnerabilities found on the web today, with
repercussions of this type of flaw ranging from harmless defacement to sensitive data exposure.
Probing for XSS can be tedious and time-consuming for an attacker, but luckily there are tools
available to make things a little easier, including Burp Suite, Wfuzz, and XSStrike.
Fuzzing Overview
Fuzzing is a technique used to test applications for security flaws in an automated fashion. The
fuzzer, a piece of software designed to test for these flaws, provides malformed or random data as
input to a program in order to find bugs, usually leading to vulnerabilities in the context of security.
Generated input can be static, such as values loaded from a list, or random, and newer fuzzers even use
algorithms to generate input dynamically.
We will be using Mutillidae, a vulnerable web application, to test for XSS flaws. To get started, open
up Mutillidae, and on the left, browse to "OWASP Top 10," then "Cross Site Scripting," followed by
"Reflected," and finally "DNS Lookup." This will be our entry point for XSS fuzzing.
Burp Suite is a powerful tool used to test web applications for vulnerabilities. The free Community
Edition is included in Kali Linux. In its most common utilization, Burp is used as a proxy to intercept
and modify requests.
We need to configure our browser to work with Burp. In Firefox, go to "Preferences," and scroll all
the way down to the section titled Network Proxy. Click on the "Settings" button, select "Manual
proxy configuration," and enter 127.0.0.1 as the HTTP Proxy and 8080 as the Port. Now, check "Use
this proxy server for all protocols," and make sure it is blank under No Proxy for.
Finally, click "OK," and everything should be configured correctly. You can then fire up Burp Suite and
start a new project. Navigate to the "Proxy" tab and ensure the "Intercept is on" button is pressed.
This will allow us to modify the request and fuzz for XSS.
Next, back in Mutillidae, enter a value in the Hostname/IP text box, and hit "Lookup DNS" to submit
the request (I just used 127.0.0.1 – it doesn't really matter here). The request should show up in Burp
now.
Right-click anywhere in the request window, and select "Send to Intruder," then navigate to the
"Intruder" tab. We will use the "Sniper" attack type to iterate through a list of payloads. Burp will
automatically select positions to use, which are the parameters to test, but for now, we only need
one. Hit the "Clear" button on the right, highlight the target host we entered earlier, and hit the
"Add" button.
Next, go to the "Payloads" tab, and under Payload Options, press "Load." There is a useful wordlist
located at /usr/share/wfuzz/wordlist/Injections/XSS.txt — browse to it and we are ready to launch
the attack.
Press "Start attack," and a new window will pop up. Once the attack has iterated through all the
payloads in our wordlist, the attack is finished and we can see all the requests and their status codes.
To demonstrate, let's take a look at request number 3. If we paste this payload into the DNS Lookup
utility, an alert box will pop up proving that this page is indeed vulnerable to XSS.
Before we move on to other tools, make sure your browser's proxy configuration is changed back to
use system settings.
App 2: Wfuzz
Wfuzz is another popular tool used to fuzz applications not only for XSS vulnerabilities, but also SQL
injections, hidden directories, form parameters, and more. It is included in Kali by default.
wfuzz -h
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL
sites. Check Wfuzz's documentation for more information.
FUZZ, ..., FUZnZ wherever you put these keywords wfuzz will replace them with the values of
the specified payload.
Options:
-h : This help
-v : Verbose information.
--interact : (beta) If selected,all key presses are captured. This allows you to
interact with the program.
-p addr : Use Proxy in format ip:port:type. Repeat option for using various
proxies.
...
We will be testing the same page in Mutillidae for XSS vulnerabilities. Basic usage of Wfuzz includes
specifying a wordlist file including the payloads to use with the -z flag, and the URL to test, replacing
the parameter in question with FUZZ. We can also set the -c flag to get color output.
wfuzz -c -z file,/usr/share/wfuzz/wordlist/Injections/XSS.txt http://172.16.1.102/mutillidae/index.php?page=FUZZ
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL
sites. Check Wfuzz's documentation for more information.
Target: http://172.16.1.102/mutillidae/index.php?page=FUZZ
Total requests: 39
Processed Requests: 39
Filtered Requests: 0
Requests/sec.: 1.469462
We can see each request ID, the response code, and information about that request. The payloads
from our wordlist file are also included, and near the bottom, there is data including total time and
the number of requests. Also of use, when fuzzing an application where many different response
codes might be encountered, the --hc flag can be utilized to ignore certain responses, such as 404
codes.
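The status code and size columns are what you triage by eye in Burp Intruder or Wfuzz. As an added example that is not part of the article and not Wfuzz's own code, here is a small Python script that parses lines in Wfuzz's result format, drops status codes the way --hc does, and flags responses whose size departs from the rest; the sample lines are constructed.

```python
"""Added example (not part of the article and not Wfuzz's code): parse Wfuzz
result lines, drop unwanted status codes the way --hc does, and flag the
responses whose size departs from the baseline."""
import re
from collections import Counter

# Constructed sample in Wfuzz's "ID: C=code lines L words W chars Ch payload" shape.
SAMPLE = """\
000001:  C=200    510 L    1402 W    21750 Ch   "<script>alert(1)</script>"
000002:  C=200    510 L    1403 W    21762 Ch   "<img src=x onerror=alert(1)>"
000003:  C=200    514 L    1420 W    21907 Ch   "%3C%3Cscript%3Ealert%28%22WXSS%22%29%3B//%3C%3C/script%3E"
000004:  C=404     12 L      40 W      511 Ch   "<svg/onload=alert(1)>"
000005:  C=200    510 L    1403 W    21768 Ch   "<body onload=alert(1)>"
"""

LINE_RE = re.compile(r'^(\d+):\s+C=(\d+)\s+(\d+) L\s+(\d+) W\s+(\d+) Ch\s+"(.*)"$')

def parse(output):
    """Return one dict per result line; banner, warning and summary lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rid, code, lines, words, chars, payload = m.groups()
            rows.append({"id": int(rid), "code": int(code), "lines": int(lines),
                         "words": int(words), "chars": int(chars), "payload": payload})
    return rows

def hide_codes(rows, codes):
    """Same idea as wfuzz --hc: drop rows whose status code is in `codes`."""
    return [r for r in rows if r["code"] not in codes]

def size_outliers(rows, tolerance=100):
    """Rows whose character count is more than `tolerance` away from the median.
    A reflected payload shifts the size by roughly its own length, so a larger
    jump means the page itself rendered differently (error text, a filter
    message, extra markup) and that response is the one to open first."""
    if not rows:
        return []
    median = sorted(r["chars"] for r in rows)[len(rows) // 2]
    return [r for r in rows if abs(r["chars"] - median) > tolerance]

if __name__ == "__main__":
    for r in size_outliers(hide_codes(parse(SAMPLE), {404})):
        print(r["id"], r["code"], r["chars"], r["payload"])
```

Without the --hc-style filter the 404 row dominates the deviation list, which is why hiding uninteresting codes first makes the size column useful.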
Another helpful feature of Wfuzz is the ability to encode payloads in order to bypass defensive filters
more effectively. To list the available encoders, use the following command.
wfuzz -e encoders
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL
sites. Check Wfuzz's documentation for more information.
Available encoders:
category | name | summary
url_safe, url | urlencode | Replace special characters in string using the %xx escape. Letters, digits, and
url_safe, url | double urlencode | Applies a double encode to special characters in string using the %25xx escape.
html | html_escape | Convert the characters '&', '<' and '>' in string to HTML-safe sequences.
html | html_hexadecimal | Replaces ALL characters in string using the &#xx; escape
url | doble_nibble_hex | Replaces ALL characters in string using the %%dd%dd escape
url | utf8 | Replaces ALL characters in string using the \u00xx escape
default | random_upper | Replaces random characters in string with its capitals letters
url | first_nibble_hex | Replaces ALL characters in string using the %%dd? escape
default | hexlify | Every byte of data is converted into the corresponding 2-digit hex representation.
url | second_nibble_hex | Replaces ALL characters in string using the %?%dd escape
url | utf8_binary | Replaces ALL characters in string using the \uxx escape
url | uri_unicode | Replaces ALL characters in string using the %u00xx escape
html | html_decimal | Replaces ALL characters in string using the &#dd; escape
To encode the payloads, simply append the desired encoder (in this case urlencode) to the -z file
argument, separated by a comma.
wfuzz -c -z file,/usr/share/wfuzz/wordlist/Injections/XSS.txt,urlencode http://172.16.1.102/mutillidae/index.php?page=FUZZ
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL
sites. Check Wfuzz's documentation for more information.
Target: http://172.16.1.102/mutillidae/index.php?page=FUZZ
Total requests: 39
000003: C=200 514 L 1420 W 21907 Ch "%3C%3Cscript%3Ealert%28%22WXSS%22%29%3B//%3C%3C/script%3E"
Processed Requests: 39
Filtered Requests: 0
Requests/sec.: 1.426505
The results are similar to before, but now each payload is URL encoded.
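To make the encoder list above concrete, here is an added example (my own code, not Wfuzz's) that re-creates several of the encoders and shows why a filter matching the raw payload string sees none of the encoded variants until the input is normalized; the payload is the one the article found reflected, and the html_hexadecimal form is my reading of Wfuzz's help text.

```python
"""Added example, not Wfuzz's own code: re-creates several of the encoders
listed above and shows why a filter that matches the raw payload string sees
none of the encoded variants until the input is normalized."""
import html
from urllib.parse import quote, unquote

# Constructed: the wordlist payload the article found reflected in Mutillidae
PAYLOAD = '<script>alert("WXSS");</script>'

def urlencode(s):           # wfuzz "urlencode": %xx escapes; letters, digits, '_.-/' kept
    return quote(s)

def double_urlencode(s):    # wfuzz "double urlencode": the % itself becomes %25
    return quote(quote(s))

def html_escape(s):         # wfuzz "html_escape": only & < > are replaced
    return html.escape(s, quote=False)

def html_decimal(s):        # wfuzz "html_decimal": every character as &#dd;
    return ''.join('&#%d;' % ord(c) for c in s)

def html_hexadecimal(s):    # wfuzz "html_hexadecimal": every character as &#xhh; (assumed form)
    return ''.join('&#x%02x;' % ord(c) for c in s)

def naive_blocklist(s):
    """The kind of check the encoders are built to slip past: a raw substring match."""
    return '<script' in s.lower()

def normalize(s, max_rounds=3):
    """Undo URL and HTML escaping until the text stops changing (bounded), so a
    check sees what the browser will actually parse. Double urlencode needs
    two rounds, which is exactly why a single decode pass is not enough."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(s))
        if decoded == s:
            break
        s = decoded
    return s
```

The defensive reading is the inverse of the attack: a blocklist on the raw string is bypassed by any of these encoders, while context-aware output encoding of the reflected value is not.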
App 3: XSStrike
The last tool we will look at today is XSStrike. It is a dedicated suite for detecting cross-site scripting
vulnerabilities that includes an intelligent payload generator, a fuzzer, a crawler, WAF detection, and
more. XSStrike is currently in beta.
Before we can use this tool, we need to download it from GitHub and install it on our machine. The
process may vary slightly depending on the system, but for reference, I am using the latest version of
Kali. XSStrike works best with Python 3.
Download the tool using the wget utility in the terminal, as seen in the below command.
wget https://github.com/s0md3v/XSStrike/archive/master.zip
Next, extract the archive by typing unzip master.zip, and change into the extracted directory with
cd XSStrike-master. Now we should be able to run the tool by typing python3 xsstrike.py at the
prompt.
It may throw an error stating that the fuzzywuzzy module is not installed.
python3 xsstrike.py
If this is the case, just use pip3 install fuzzywuzzy to install the missing module. Now we should be
good to go.
python3 xsstrike.py -h
XSStrike v3.0-beta
optional arguments: url, --fuzzer, --update, --timeout, --crawl, level of crawling, number of threads,
-d DELAY / --delay DELAY (remaining help text not captured)
XSStrike's basic usage is quite simple — use the -u flag followed by the URL to test.
XSStrike v3.0-beta
52 //document.getElementById("idSystemInformationHeading").innerHTML = l_loginMessage;
54 document.getElementById("idSecurityLevelHeading").innerHTML = 'Security Level: ' + l_securityLevel + ' (' + l_securityLevelDescription + ')';
[!] Cofidence: 10
This tool begins by checking for DOM-based XSS vulnerabilities, and the potentially vulnerable
parameters are displayed on the screen. Reflected XSS is tested for next, and the interactive payload
generator displays the payload and the projected likelihood of success. To continue scanning, hit y at
the prompt.
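A reduced version of the source/sink grep that XSStrike performs for the DOM-based check, added here as an example (my code, not XSStrike's), run over the two Mutillidae lines it reported above plus constructed lines; the source and sink lists are a short hand-picked selection, not XSStrike's.

```python
"""Added example, not XSStrike's own code: a minimal DOM-XSS source/sink scan
over script lines, with a comment filter XSStrike's output above did not apply."""
import re

# Constructed sample: lines 52 and 54 are the two XSStrike printed for Mutillidae's
# index.php; lines 61, 62 and 70 are made up to exercise the other rules.
SCRIPT_LINES = {
    52: '//document.getElementById("idSystemInformationHeading").innerHTML = l_loginMessage;',
    54: "document.getElementById(\"idSecurityLevelHeading\").innerHTML = 'Security Level: ' + l_securityLevel + ' (' + l_securityLevelDescription + ')';",
    61: "var page = location.hash.substring(1);",
    62: "document.write('<div>' + page + '</div>');",
    70: "element.textContent = page;",
}

# Short, hand-picked lists (XSStrike's own are longer): where attacker-controlled
# text enters a script, and the DOM APIs that interpret text as HTML or code.
SOURCES = re.compile(r'\b(location(?:\.(?:hash|search|href))?|document\.(?:URL|referrer|cookie)|window\.name)\b')
SINKS = re.compile(r'\b(innerHTML|outerHTML|insertAdjacentHTML|document\.write(?:ln)?|eval|setTimeout|setInterval)\b')

def scan(lines, skip_comments=True):
    """Return (line number, kind, matched text) for every source or sink hit.
    Commented-out code cannot run, so it is skipped by default; XSStrike
    reported line 52 even though it starts with '//'."""
    hits = []
    for no in sorted(lines):
        code = lines[no]
        if skip_comments and code.lstrip().startswith('//'):
            continue
        for kind, rx in (('source', SOURCES), ('sink', SINKS)):
            m = rx.search(code)
            if m:
                hits.append((no, kind, m.group(0)))
    return hits

if __name__ == "__main__":
    for no, kind, text in scan(SCRIPT_LINES):
        print(f"{no}: {kind} {text}")
```

A sink alone (line 54) is only a lead; the finding becomes real when a source such as location.hash reaches it without encoding, which is what the tool's confidence score tries to estimate.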
[!] Cofidence: 10
We can also skip the DOM-based checking with the --skip-dom option.
XSStrike v3.0-beta
[!] Cofidence: 10
XSStrike also contains fuzzing capabilities used to test filters and WAFs. This can be extremely slow,
though, because it sends its probe requests with random delays between them. To speed things up, we
can set the delay to one second with the -d flag alongside the --fuzzer option.
[passed] <test
[passed] <test//
[passed] <test>
[passed] <test/oNxX=yYy//
[passed] <test/o%00nload=x
[passed] <script//src=//
...
There are many other features included in this tool, and there are sure to be even more as XSStrike
undergoes further development.
Wrap Up
Fuzzing is an extremely useful technique for discovering vulnerabilities in a timely and thorough
manner. Today, we explored three fuzzing tools in an effort to find XSS flaws in a vulnerable web
application: Burp Suite, Wfuzz, and XSStrike. Knowing how to use tools like these will improve your
effectiveness as a white hat hacker and lead you on the path to success.