xssPlay in pWeb Suite

July 26, 2012 in Information Security, Programming, Systems Administration, WeakNet Linux by trevelyn

xssPlay is my latest code. It will be added to the pWeb suite of tools for penetration testing web applications.

xssPlay takes a URL as input and scans through all of its GET parameters, testing each one for an XSS vulnerability. If one is found, it will deface the website with either simple CSS, a generic image, or a specified image URL.

This application is coded in Perl/Tk using the MozRepl Firefox plugin. This plugin will take a screenshot of all successfully defaced websites automatically.

Click the thumbnail above to see this bad boy in its full glory.

This way we can feed a huge list of URLs to the application, either line by line from a file or via xargs, and let it go on its merry way. The screenshot above shows that xssPlay finds and defeats other simple security measures, such as URL sanitization with magic quotes. It works on the premise that every programmer makes mistakes somewhere.
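To show the gap that xssPlay exercises from the web programmer's side, here is an added example (not code from xssPlay or the pWeb suite) that simulates a page echoing every GET parameter back into its body, first behind addslashes-style magic quotes and then behind HTML-entity encoding, and reports which parameters still reflect a probe as live markup. The URL, page layout and probe string are constructed for the demonstration.

```python
"""Why magic-quotes style escaping does not stop reflected XSS, and what does.

Added example, not code from the xssPlay project. Simulates a page that echoes
each GET parameter back, once behind addslashes-style quoting and once behind
HTML-entity encoding, and checks which reflections come back as live markup.
"""
import html
from urllib.parse import parse_qs, urlparse

# Constructed probe: angle brackets but no quotes, so addslashes never touches it.
PROBE = "<script>alert(1)</script>"


def magic_quotes(value: str) -> str:
    """Mimic PHP magic_quotes_gpc/addslashes: backslash-escape quotes and backslashes only."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def html_encode(value: str) -> str:
    """Context-correct output encoding for text placed in the HTML body."""
    return html.escape(value, quote=True)


def echo_page(params: dict, sanitizer) -> str:
    """Constructed stand-in for a server that reflects every GET parameter into the page."""
    rows = "".join(f"<li>{k}: {sanitizer(v)}</li>" for k, v in params.items())
    return f"<html><body><ul>{rows}</ul></body></html>"


def unescaped_reflections(url: str, sanitizer) -> list:
    """Return the names of GET parameters whose probe value is reflected unencoded."""
    names = list(parse_qs(urlparse(url).query, keep_blank_values=True))
    hits = []
    for name in names:
        # Probe one parameter at a time; the rest keep a harmless filler value.
        params = {n: (PROBE if n == name else "x") for n in names}
        if PROBE in echo_page(params, sanitizer):
            hits.append(name)
    return hits


if __name__ == "__main__":
    url = "http://example.test/search.php?q=term&page=1"  # constructed URL
    print("magic quotes only   :", unescaped_reflections(url, magic_quotes))
    print("HTML-entity encoding:", unescaped_reflections(url, html_encode))
```

The magic-quotes run reports both parameters as reflected, because backslashing quotes leaves `<` and `>` intact; the entity-encoded run reports none, which is the fix the page's "web programmer" audience wants.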

xssPlay logs all output and makes a tidy directory named after the domain name, just like SQLmap. In the directory shown in the screenshot above, it creates a log file listing all HTTP requests, time-stamped, along with all screenshots of successfully defaced websites. In my case, I used the generic image that says “xxsplay was here!”, but I specified its full URL to prove that it can take any image online.

We can also specify any User-Agent we’d like, or randomly choose a mobile or standard web browser User-Agent.

This tool is valuable not only to the penetration tester, but to the web programmer as well. All of this code shall be released in BETA form shortly. I am adding support for crawling a document for more URLs, and I have a working “search bar” attack implemented, but it is not in this code yet.