xssPlay is my latest code. It will be added to the pWeb suite of tools for penetration testing web applications.

xssPlay takes a URL as input and scans through all of its GET parameters, testing each one for an XSS vulnerability. If one is found, it will deface the website with either simple CSS, a generic image, or a specified image URL.

This application is coded in Perl/Tk using the MozRepl Firefox plugin. Through this plugin it automatically takes a screenshot of every successfully defaced website.

Click the thumbnail above to see this bad boy in its full glory.

This way we can feed a huge list of URLs to the application, either from a line-by-line file or via xargs, and let it go on its merry way. The screenshot above shows that xssPlay gets past other simple security measures, such as URL sanitization with magic quotes. It takes into account that every programmer makes mistakes somewhere.
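The magic-quotes point deserves a concrete illustration. The following Python is an added example, not code from xssPlay or the pWeb suite: it emulates PHP's magic_quotes_gpc (which only backslash-escapes quote characters and NUL), renders a parameter into a page the way a naive template would, and checks whether an injected tag survives. The hypothetical `render_page`, `reflects_markup` and `check_url` helpers are mine; the sample URL and the `<script>` probe are constructed. Because it parses the URL with `urllib.parse` rather than a domain-name pattern, it also handles hosts such as `127.0.0.1:8080` or `localhost`.

```python
"""Why magic quotes do not stop reflected XSS, and what does (added example)."""
import html
import re
from typing import Callable, Dict
from urllib.parse import parse_qs, urlsplit


def magic_quotes(value: str) -> str:
    """Emulate PHP magic_quotes_gpc: backslash-escape ' " \\ and NUL only.
    Angle brackets and everything else pass through untouched."""
    return re.sub(r"([\\'\"\x00])", r"\\\1", value)


def html_escape(value: str) -> str:
    """Proper HTML-context output encoding: < > & " ' become entities."""
    return html.escape(value, quote=True)


def render_page(query: str, sanitizer: Callable[[str], str]) -> str:
    """Hypothetical template that echoes a GET parameter into HTML text."""
    return f"<p>Results for: {sanitizer(query)}</p>"


# A tag that survives into the page as markup (case-insensitive, allows "< script").
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def reflects_markup(page: str) -> bool:
    """Detector: is an active <script> tag present in the rendered output?"""
    return SCRIPT_TAG.search(page) is not None


def check_url(url: str, sanitizer: Callable[[str], str]) -> Dict[str, bool]:
    """For each GET parameter in url, report whether its (first) value is
    rendered as live markup under the given sanitizer. True means the
    sanitizer failed for that parameter."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {
        name: reflects_markup(render_page(values[0], sanitizer))
        for name, values in params.items()
    }


if __name__ == "__main__":
    # Constructed sample: a non-traditional host, one benign and one probing parameter.
    sample = "http://127.0.0.1:8080/search?q=%3Cscript%3Ealert(1)%3C/script%3E&page=2"
    print("magic quotes :", check_url(sample, magic_quotes))   # q still reflected
    print("html escape  :", check_url(sample, html_escape))    # q neutralized
```

Running it shows the `q` parameter flagged as reflected under `magic_quotes` and clean under `html_escape`; the fix a developer wants is context-appropriate output encoding at the point of rendering, not escaping of quote characters on input.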

xssPlay logs all output and makes a tidy directory named after the domain name, just like SQLmap. The directory in the screenshot above contains a log file listing every HTTP request with a timestamp, plus the screenshots of all successfully defaced websites. In my case I used the generic image that says “xssPlay was here!”, but I specified its full URL to prove that it can take any image online.

We can also specify any User-Agent we’d like, or have it randomly choose a mobile or standard web browser User-Agent.

This tool is valuable not only to the penetration tester, but to the web programmer as well. All of this code shall be released in BETA form shortly. I am adding support for crawling a document for more URLs, and I have a working “search bar” attack implemented, but it is not in this code yet.

~Douglas

2 thoughts on “xssPlay in pWeb Suite”

  1. Hey,
    I am trying to use xssPlay but I am getting an error with the URL. I tried with quotes (“” ”) and without, with http:// and without, with no luck: I get “can’t understand url” or “attack failed with an empty url”. Please help.

    • It is because the code is looking for a traditional “this.com” domain name so that it can actually find the GET parameters and parse them out. I am updating the code now and will be uploading the new version ASAP. Thanks for the heads up, and I hope that the emails helped you with this issue.
