Question

I've recently found this blog entry on a tool that writes XSS attacks directly to the database. It looks like a terribly good way to scan an application for weaknesses in my applications.

I've tried to run it on Mono, since my development platform is Linux. Unfortunately it crashes with a System.ArgumentNullException deep inside Microsoft.Practices.EnterpriseLibrary and I seem to be unable to find sufficient information about the software (it seems to be a single-shot project, with no homepage and no further development).

Is anyone aware of a similar tool? Preferably it should be:

  • cross-platform (Java, Python, .NET/Mono, even cross-platform C is ok)
  • open source (I really like being able to audit my security tools)
  • able to talk to a wide range of DB products (the big ones are most important: MySQL, Oracle, SQL Server, ...)

Edit: I'd like to clarify my goal: I'd like a tool that directly writes the result of a successful XSS/SQL injection attack into the database. The idea is that I want to check that every place in my app does correct output encoding. Detecting and avoiding the data getting there in the first place is an entirely different thing (and might not be possible when I display data that's written to the DB by a third-party application).

Edit 2: Corneliu Tusnea, the author of the tool I linked to above, has since released the tool as free software on codeplex: http://xssattack.codeplex.com/
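As an added illustration of the approach described in the question (not code from the question, from the xssattack tool, or from any answer): seed the database with harmless canary markers instead of live payloads, then scan each rendered page for a marker that reached the HTML without output encoding. It assumes SQLite, a hypothetical `comments` table, and two stand-in view functions (one that forgets to encode, one that encodes correctly).

```python
import html
import re
import sqlite3

# Constructed canary: inert markup that is easy to spot, not an exploit string.
# If it appears unchanged in a page, that render path skipped output encoding.
CANARY = '<canary id="{n}">&</canary>'
CANARY_RE = re.compile(r'<canary id="(\d+)">')


def seed_database(conn, rows):
    """Store one canary per row in the hypothetical comments table; return the ids used."""
    conn.execute("CREATE TABLE IF NOT EXISTS comments (id INTEGER PRIMARY KEY, body TEXT)")
    ids = list(range(rows))
    for n in ids:
        conn.execute("INSERT INTO comments (body) VALUES (?)", (CANARY.format(n=n),))
    conn.commit()
    return ids


def render_unsafe(conn):
    """Stand-in view that forgets to encode: raw DB text is written into HTML."""
    return "".join(f"<li>{body}</li>" for (body,) in conn.execute("SELECT body FROM comments"))


def render_safe(conn):
    """Same view with entity encoding for the HTML element-content context."""
    return "".join(f"<li>{html.escape(body)}</li>"
                   for (body,) in conn.execute("SELECT body FROM comments"))


def find_unencoded(page_html):
    """Return the ids of canaries that survived as live markup, i.e. were not encoded."""
    return sorted({int(m) for m in CANARY_RE.findall(page_html)})


def check_app(render_fn, rows=3):
    """Seed an in-memory DB, render through the given view, report unencoded canaries."""
    conn = sqlite3.connect(":memory:")
    seed_database(conn, rows)
    return find_unencoded(render_fn(conn))


if __name__ == "__main__":
    print("unsafe view leaks canaries:", check_app(render_unsafe))  # [0, 1, 2]
    print("safe view leaks canaries:", check_app(render_safe))      # []
```

In a real application the same `find_unencoded` scan would be run over every page the app serves, so that a display path that reads third-party-written rows is checked just like the rest.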


Solution

I think Metasploit has most of the attributes you are looking for. It may even be the only one that has all of what you specify, since all the others I can think of are closed source. There are a few existing modules that deal with XSS and one in particular that you should take a peek at: HTTP Microsoft SQL Injection Table XSS Infection. From the sounds of that module it is capable of doing exactly what you are wanting to do. The framework is written in Ruby I believe, and is supposed to be easy to extend with your own modules, which you may need/want to do. I hope that helps.

http://www.metasploit.com/

OTHER TIPS

Not sure if this is what you're after, it's a parameter fuzzer for HTTP/HTTPS.

I haven't used it in a while, but IIRC it acts as a proxy between you and the web application in question - and will insert XSS/SQL Injection attack strings into any input fields before deeming whether the response was "interesting" or not, thus whether the application is vulnerable or not.

http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

From your question I'm guessing it is a type of fuzzer you're looking for, and one specifically for XSS and web applications; if I'm right - then that might help you!

It's part of the Open Web Application Security Project (OWASP) that "jah" has linked you to above.

There are some Firefox plugins to do some XSS testing here: http://labs.securitycompass.com/index.php/exploit-me/

A friend of mine keeps saying that php-ids is pretty good. I haven't tried it myself, but it sounds as if it could approximately match your description:

  • Open Source (LGPL),
  • Cross Platform - PHP is not in your list, but maybe it's ok?
  • Detects "all sorts of XSS, SQL Injection, header injection, directory traversal, RFE/LFI, DoS and LDAP attacks" (this is from the FAQ)
  • Logs to databases.

I don't think there is such a tool, other than the one you pointed us to. I think there's a good reason for that: It's probably not the best way to test that each and every output is properly encoded for the applicable context.

From reading about that tool it seems the premise is to insert random XSS vectors into the database and then you browse your application to see if any of those vectors succeed. This is rather a hit-and-miss methodology, to say the least.

A much better idea, I think, would be to perform code reviews.

You may find it helpful to have a look at some of the resources available at http://owasp.org - namely the Application Security Verification Standard (ASVS), the Testing Guide and the Code Review Guide.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow