Greetings, fellow security enthusiasts, as well as curious souls who clicked on this article by accident! I’m a penetration tester here at Bugcrowd, and I go by Phishician. I specialize in network security and often develop my own applications and tools. Whether it’s crafting custom exploits or building scanners to map attack surfaces, I create the solutions I need to uncover vulnerabilities more efficiently and to generally speed up my workflow.

Every proficient hacker knows that laziness breeds innovation, so let me introduce you to a new pen testing tool I created. It was born from the desire to hack smarter, not harder.

 

What is XSSpect?

XSSpect is a browser extension that can automatically inject thousands of XSS payloads into a given input field and determine if a web application is vulnerable to cross-site scripting. 

It’s a super-efficient tool and convenient way to quickly identify cross-site scripting vulnerabilities on the fly and without leaving your web browser. Additionally, there’s no need to set up a proxy and intercept/modify requests or use any command-line scripts. 

It can also submit authenticated payloads without the need for user credentials or session cookies, as long as the user is logged into the web application in the same browser the extension is being used. Have I raised a few eyebrowsers? Get it? Eyebrow? Browser? Anyway, read on to find out how to use this tool.

 

How to use XSSpect

 

Scan

Figure 1. Scan tab.

The full URL, including the parameter(s) to be tested, can be entered in the Scan tab. The value of a parameter can also be entered, although this is not necessary. Once a URL is supplied, the parameter(s) will automatically be detected. From there, a drop-down menu will be populated and a target parameter can be chosen.

Figure 2. Scan tab (after running a scan).

Scans can be executed once payloads are saved in the Payloads tab (see Figure 3). This will display the payload that was executed and the validity of the payload (i.e., Safe or Valid). We can see in Figure 2 that the first payload is marked as Safe and the second payload is marked as Valid.

A summary of the results is displayed at the bottom. This shows the total number of payloads tested and the total number of valid payloads.

 

Payloads

Figure 3. Payloads tab.

Custom payloads can be entered (one per line) into the text area. Alternatively, a TXT file containing payloads can be uploaded, and the extension will extract the payloads from the file and display them in the text area. 

Saving the payloads allows a user to use them again even after the extension has been closed, as the browser will remember them in memory.

 

 Results

Figure 4. Results tab.

All previous scan information can be seen in the Results tab. Each scan includes the URL, the parameter tested, the payload, the date and time the payload was executed, and the validity of the payload (i.e., Safe or Valid).

The Results tab will show the Scan History even after the extension has been closed, unless the history is cleared. 

There is an option to export results, which will generate a TXT file containing all the information presented in the Results tab. An example of this can be seen in Figure 5.

Figure 5. Exported scan history (TXT file).

Settings

 Figure 6. Settings tab.

A timeout value can be set to prevent a scan from waiting indefinitely for an application to respond. This also allows for flexibility with applications that we know will take longer than normal to load. 

A delay value can also be set, meaning the tool will wait a given amount of time before executing the next payload. Figure 6 shows a delay set to 5000 milliseconds. This means there will be a delay of 5 seconds between each request. Shorter delay values allow for faster responses, while longer delay values can be useful in cases where a user wants to remain stealthy to avoid raising security alerts.

There is also an option to enable Stop On First Valid Payload. As the function name suggests, once Stop On First Valid Payload is enabled, the scan will automatically stop running as soon as it finds the first valid payload. This is another useful option that can help prevent sending excess traffic.

 

Limitations and future enhancements

Limitations and improvements: 

  • v1.0 is only capable of handling HTTP GET requests. 
  • A more informative figure that gives the real-time scan progress (e.g., a live progress bar with a message such as “1000/2000 payloads executed”) is in the works.
  • The function to import payloads from a file currently only supports TXT files. Support for uploading additional file formats, such as CSV, could be implemented.
  • The export function currently generates a TXT file. An option to select other file formats such as CSV, HTML, or PDF could be implemented.
  • A tab for generating payloads including obfuscation techniques is also an avenue of development.

Demo

The video below demonstrates XSSpect being used against an application intentionally vulnerable to cross-site scripting.

 

 

Closing Remarks

No tool is perfect and there is always room for growth. I’m interested in hearing your thoughts on how XSSpect could be improved. Are there other Web application attacks you would like to see performed from a browser extension? Would a suite of tools packed into a Swiss Army type browser extension be useful?

 

Thank you for taking the time to read this blog and remember to always hack responsibly.

Tags: