
cispa / persistent-clientside-xss

Licence: AGPL-3.0 License
Exploit generator and Taint Engine to find persistent (and reflected) client-side XSS


Projects that are alternatives of or similar to persistent-clientside-xss

solutions-bwapp
In progress rough solutions to bWAPP / bee-box
Stars: ✭ 158 (+731.58%)
Mutual labels:  xss
safe-svg
Simple and lightweight library that helps to validate SVG files in security manners.
Stars: ✭ 25 (+31.58%)
Mutual labels:  xss
Foxss-XSS-Penetration-Testing-Tool
Foxss is a simple PHP-based penetration testing tool. Currently it helps find XSS vulnerabilities in websites.
Stars: ✭ 35 (+84.21%)
Mutual labels:  xss
security-cheat-sheet
Minimalist cheat sheet for developers to write secure code
Stars: ✭ 47 (+147.37%)
Mutual labels:  xss
vue-dompurify-html
Safe replacement for the v-html directive
Stars: ✭ 104 (+447.37%)
Mutual labels:  xss
ngx http html sanitize module
An nginx HTTP module to sanitize HTML5 using whitelisted elements, whitelisted attributes and whitelisted CSS properties
Stars: ✭ 14 (-26.32%)
Mutual labels:  xss
SuperXSS
Make XSS Great Again
Stars: ✭ 57 (+200%)
Mutual labels:  xss
PastebinMarkdownXSS
XSS in pastebin.com and reddit.com via unsanitized markdown output
Stars: ✭ 84 (+342.11%)
Mutual labels:  xss
html-sanitizer
HTML sanitizer, written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values.
Stars: ✭ 18 (-5.26%)
Mutual labels:  xss
security-wrapper
Secondary development on top of Spring Security, providing solutions for a range of security scenarios: OAuth2 authorization (cross-domain and multi-application), JWT, SSO, file upload, easy integration of permission systems, API anti-abuse (rate limiting), XSS, CSRF, SQL injection, third-party login (bind/unbind), encrypted communication, and more
Stars: ✭ 21 (+10.53%)
Mutual labels:  xss
hackable
A python flask app that is purposefully vulnerable to SQL injection and XSS attacks. To be used for demonstrating attacks
Stars: ✭ 61 (+221.05%)
Mutual labels:  xss
XSS-Payload-without-Anything
XSS Payload without Anything.
Stars: ✭ 74 (+289.47%)
Mutual labels:  xss
diwa
A Deliberately Insecure Web Application
Stars: ✭ 32 (+68.42%)
Mutual labels:  xss
xss-http-injector
XSS HTTP Inject0r is a proof of concept tool that shows how XSS (Cross Site Scripting) flags can be exploited easily. It is written in HTML + Javascript + PHP and released under GPLv3.
Stars: ✭ 22 (+15.79%)
Mutual labels:  xss
safe-marked
Markdown to HTML using marked and DOMPurify. Safe by default.
Stars: ✭ 31 (+63.16%)
Mutual labels:  xss
xssfinder
Toolset for detecting reflected xss in websites
Stars: ✭ 105 (+452.63%)
Mutual labels:  xss
NachtWal
Reinforced Mitigation Security Filter
Stars: ✭ 17 (-10.53%)
Mutual labels:  xss
Eagle
Multithreaded Plugin based vulnerability scanner for mass detection of web-based applications vulnerabilities
Stars: ✭ 85 (+347.37%)
Mutual labels:  xss
APSoft-Web-Scanner-v2
Powerful dork searcher and vulnerability scanner for the Windows platform
Stars: ✭ 96 (+405.26%)
Mutual labels:  xss
hast-util-sanitize
utility to sanitize hast nodes
Stars: ✭ 34 (+78.95%)
Mutual labels:  xss

Don't Trust The Locals: Investigating the Prevalence of Persistent Client-Side Cross-Site Scripting in the Wild

This repository contains our code base used to automatically generate exploit candidates for Reflected Client-Side XSS and Persistent Client-Side XSS. It is a product of our work published at NDSS 2019.

Taint Engine

The generation is based on the flows collected by the tainted Chromium engine presented by Lekies et al.

Update 2019/09/26: we are releasing the (very old!!!) Chromium engine. Please find it in the taintchrome folder. This is a prototype we developed after our USENIX 2014 paper and therefore has a partial ability to block tainted flows. To start the engine, you therefore have to use specific command-line flags to ensure that tainted flows are only recorded and not blocked. We have recently run this in an Ubuntu 16.04 LTS VM (you may need to put libgcrypt.so.11 (md5 bb6c4e40803d0e59e2cc03e23c9861cd) in your library folder for it to work).

./chrome --no-sandbox --disable-xss-auditor --disable-improved-download-protection --js-flags='--noblock_tainted'

Note that this browser is outdated and this version of Chromium has known-exploitable bugs. We take absolutely no responsibility for this prototype, neither in terms of functionality nor security. You run this at your own risk.

Whenever a tainted data flow is detected in a sink, the engine tries to locate the function ___DOMXSSFinderReport in the current window's global scope. We used an extension to inject this code into each page we visited. To get you started, we have put a minimal JavaScript example of the function which can be used to log tainted data flows to the console in the taintchrome/minimal_extension folder.

If you choose not to use the taint engine, check out our examples of such flows, which can be found in the examples directory, with EXAMPLE1 being annotated and each other example providing a different combination of sources and sinks.

Flows

In general we consider findings and sources as provided to us by the tainted Chromium engine.
A finding in this case consists of all the different parts (sources) of one string which ended up in one of our sinks.

document.write('<script src="//ad.com/url=' + location.href + '"><\/script>')

In the above example the finding consists of the complete string, whereas we have three sources: the beginning and end of the string, which are hardcoded (SOURCE_BENIGN), and the middle part, which originates from the URL of the frame (SOURCE_LOCATION_HREF).

For an annotated example of the structure which is expected by the Exploit generation refer to EXAMPLE1.

Setup

You can set up a Docker container to test the project using the following two commands in the project root.

docker build -t exploit_generator .
docker run -it exploit_generator:latest

If you want to set up the environment natively, you need to install the required dependencies as follows:

pip install -r requirements.txt

Usage

Generating exploits for a specific finding can be performed as follows:

from generator import generate_exploit_for_finding

finding = ...  # fetch finding from somewhere (e.g. one of the examples)
exploits = generate_exploit_for_finding(finding)

The return value of generate_exploit_for_finding is a list of exploit candidates which will then need to be validated in order to ensure the presence of the same flow given the altered values.

You can run the tests on 6 examples provided in the examples subdirectory, with tests.py currently running the first example.

python tests.py

Optional command-line arguments are --payload alert(1) and --debug: the former changes the payload used when generating exploit candidates, the latter enables log output.
There is one small caveat to changing the payload, which should be easy to find but prevents copycatting.

Script Source Exploits

When we observe a flow into the src property of a script which lands before the start of the URL's path, we can redirect the hostname to one under our own control. In config.py it can be configured which hostname should be used, and in configs/ you can find the NGINX server block which we used to always serve the attacker file no matter which subdomain/path was intended by the developers.
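To make the finding structure from the Flows section and the path-versus-host distinction of this section concrete, here is an added triage helper (not part of the project's code base). It assumes a finding is an ordered list of (source, text) parts and ranks a script-src flow by whether tainted data lands in the authority part of the URL, which is the case that must be fixed first, or only in the path; the findings and source values used are constructed for the example.

```python
import re

# Constructed representation (an assumption, not the project's own finding format):
# a finding is the ordered list of (source, text) parts whose concatenation reached a sink.
SOURCE_BENIGN = "SOURCE_BENIGN"

# Constructed findings: the document.write example from the text (path flow) and a
# flow where untrusted data lands in the host part of the script src (host flow).
EXAMPLE_PATH_FLOW = [
    (SOURCE_BENIGN, '<script src="//ad.com/url='),
    ("SOURCE_LOCATION_HREF", "https://shop.example/cart?item=42"),
    (SOURCE_BENIGN, '"><\\/script>'),
]
EXAMPLE_HOST_FLOW = [
    (SOURCE_BENIGN, '<script src="//'),
    ("SOURCE_LOCATION_HREF", "cdn.example"),
    (SOURCE_BENIGN, '/lib.js"><\\/script>'),
]

SRC_RE = re.compile(r'<script[^>]*\ssrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
AUTHORITY_RE = re.compile(r'(?:[a-z][a-z0-9+.\-]*:)?//[^/?#]*', re.I)


def assemble(parts):
    """Concatenate the parts; return the sink string and the tainted (start, end, source) spans."""
    text, spans = "", []
    for source, value in parts:
        if source != SOURCE_BENIGN:
            spans.append((len(text), len(text) + len(value), source))
        text += value
    return text, spans


def classify_script_src(parts):
    """'host' if tainted data lands before the URL path starts (the origin the script is
    fetched from is influenced), 'path' if only path/query/fragment are tainted,
    'none' if the src attribute is untainted or absent."""
    text, spans = assemble(parts)
    match = SRC_RE.search(text)
    if not match:
        return "none"
    url_start, url_end = match.span(1)
    authority = AUTHORITY_RE.match(match.group(1))
    path_start = url_start + (authority.end() if authority else 0)
    verdict = "none"
    for start, end, _source in spans:
        if end <= url_start or start >= url_end:
            continue  # tainted data outside the src attribute value
        if start < path_start:
            return "host"  # highest priority: scheme or host is influenced
        verdict = "path"
    return verdict
```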

License

This project is licensed under the terms of the AGPL3 license which you can find in LICENSE.
