netspi / xssvalidator Goto Github PK

User submitted this bug via our blog: http://blog.nvisium.com/2014/01/accurate-xss-detection-with-burpsuite.html?showComment=1394146019577#c6163792376716594417

Received request with method type: POST
Processing Post Request
Beginning to parse page
SECURITY_ERR: DOM Exception 18: An attempt was made to break through the security policy of the user agent.

about:blank:197 in comScore
about:blank:198

Received request with method type: POST
Processing Post Request
Beginning to parse page

I ran the intruder on a HTTP Post page:

POST /blah HTTP/1.1
email=%3cscript%3ealert('f7sdgfjFpoG')%3c%2fscript%3e

The webserver responds with a 200 OK, but with Content-Type: application/json;

Content-Type: application/json;
{"email":"<script>alert('f7sdgfjFpoG')</script>"}

The PhantomJS code then runs parsePage on this response, seemingly ignoring the contentType and executing the code.

I've written a dumb patch for the issue; there's probably a much better fix:

    // Grab pageResponse from POST Data and base64 decode.
    // pass result to parsePage function to search for XSS.
    var pageResponse = request.post['http-response'];
    pageResponse = atob(pageResponse);
    var ct = pageResponse.match(/Content\-Type:\sapplication\/json/)
    if (ct && ct.length > 0) {
        console.log("CT:"+ct);
        console.log("Ignoring Request which has application/json response type.");
        xssResults = false;
    } else {
        xssResults = parsePage(pageResponse);
    }

how can i edit the list of payloads ?

Configure the phantomJS server to have the ability to listen over SSL.

This will allow us to set up a central phantomJS server on AWS, without having to worry about managing a local install. Because of client sensitive data it is necessary that these requests be encrypted in transit.

Hi,

I was going through the video. https://www.youtube.com/watch?v=qS5PsxYY1uc

I can find xss.js but am unable to find slimer.js.

Is slimer.js still relevant as video seems to be 2 year old ?

TIA

The instructions in the Burp App Store are a little out of date. It suggests running:

$ slimerjs slimer.js &  

But, there is only xss.js now. I'd also suggest adding the SlimerJS port number for completeness.

I executed the build script per the instructions and it runs for a while then hangs. I also can't find any xss.js or slimer.js files.

Here is command ouput:

python build/build.py all
"git" submodule update --init
Submodule 'htmlparser' (https://github.com/validator/htmlparser.git) registered for path 'htmlparser'
Submodule 'jing-trang' (https://github.com/relaxng/jing-trang.git) registered for path 'jing-trang'
Submodule 'tests' (https://github.com/validator/tests.git) registered for path 'tests'
Cloning into 'htmlparser'...
remote: Counting objects: 8117, done.
remote: Total 8117 (delta 0), reused 0 (delta 0), pack-reused 8117
Receiving objects: 100% (8117/8117), 11.47 MiB | 3.92 MiB/s, done.
Resolving deltas: 100% (2421/2421), done.
Checking connectivity... done.
Submodule path 'htmlparser': checked out '543cc3e7d442874c10ed40e114317115bcff1ca5'
Cloning into 'jing-trang'...
remote: Counting objects: 24050, done.
remote: Total 24050 (delta 0), reused 0 (delta 0), pack-reused 24050
Receiving objects: 100% (24050/24050), 27.87 MiB | 3.93 MiB/s, done.
Resolving deltas: 100% (13152/13152), done.
Checking connectivity... done.
Submodule path 'jing-trang': checked out '35eb11b84a230ee4d7168f12f98a28bf40e940aa'
Cloning into 'tests'...
remote: Counting objects: 6090, done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 6090 (delta 2), reused 0 (delta 0), pack-reused 6084
Receiving objects: 100% (6090/6090), 1.01 MiB | 0 bytes/s, done.
Resolving deltas: 100% (3099/3099), done.
Checking connectivity... done.
Submodule path 'tests': checked out 'a98d88d6ee39a2ff62fcf2b6afe434b130a02759'
https://repo1.maven.org/maven2/com/ibm/icu/icu4j/54.1.1/icu4j-54.1.1.jar
https://repo1.maven.org/maven2/commons-codec/commons-codec/1.10/commons-codec-1.10.jar
https://repo1.maven.org/maven2/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar
https://repo1.maven.org/maven2/commons-io/commons-io/2.4/commons-io-2.4.jar
https://repo1.maven.org/maven2/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
https://repo1.maven.org/maven2/commons-logging/commons-logging/1.2/commons-logging-1.2-adapters.jar
https://repo1.maven.org/maven2/commons-logging/commons-logging/1.2/commons-logging-1.2-api.jar
https://repo1.maven.org/maven2/io/mola/galimatias/galimatias/0.1.0/galimatias-0.1.0.jar
https://repo1.maven.org/maven2/javax/servlet/javax.servlet-api/3.1.0/javax.servlet-api-3.1.0.jar
https://repo1.maven.org/maven2/log4j/log4j/1.2.17/log4j-1.2.17.jar
https://repo1.maven.org/maven2/net/sourceforge/jchardet/jchardet/1.0/jchardet-1.0.jar
https://repo1.maven.org/maven2/org/apache/httpcomponents/httpclient/4.4/httpclient-4.4.jar
https://repo1.maven.org/maven2/org/apache/httpcomponents/httpcore/4.4/httpcore-4.4.jar
https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-http/9.2.9.v20150224/jetty-http-9.2.9.v20150224.jar
https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-io/9.2.9.v20150224/jetty-io-9.2.9.v20150224.jar
https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-security/9.2.9.v20150224/jetty-security-9.2.9.v20150224.jar
https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-server/9.2.9.v20150224/jetty-server-9.2.9.v20150224.jar
https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-servlet/9.2.9.v20150224/jetty-servlet-9.2.9.v20150224.jar
https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-servlets/9.2.9.v20150224/jetty-servlets-9.2.9.v20150224.jar
https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-util/9.2.9.v20150224/jetty-util-9.2.9.v20150224.jar
https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-util-ajax/9.2.9.v20150224/jetty-util-ajax-9.2.9.v20150224.jar
https://repo1.maven.org/maven2/org/mozilla/rhino/1.7R5/rhino-1.7R5.jar
https://repo1.maven.org/maven2/xom/xom/1.2.5/xom-1.2.5.jar
https://raw.githubusercontent.com/tabatkins/parse-css/a878df1503af3bfb63493a63685a117a24988959/parse-css.js
https://raw.githubusercontent.com/douglascrockford/JSON-js/3d7767b6b1f3da363c625ff54e63bbf20e9e83ac/json.js
https://help.whatwg.org/extensions/a-rel/
https://help.whatwg.org/extensions/link-rel/
https://wiki.whatwg.org/wiki/MicrosyntaxDescriptions
https://www.iana.org/assignments/language-subtag-registry/language-subtag-registry
https://wiki.whatwg.org/wiki/Validator.nu_alt_advice
./ant
Buildfile: ./build.xml

check-modules:

modules:

check-modbuild:

modbuild:
[xslt] Processing /Applications/BurpSuitePro/validator/jing-trang/modules.xml to /Applications/BurpSuitePro/validator/jing-trang/modbuild.xml
[xslt] Loading stylesheet /Applications/BurpSuitePro/validator/jing-trang/build.xsl

jar:

init:
[mkdir] Created dir: /Applications/BurpSuitePro/validator/jing-trang/build

mod.util.compile-main:
[mkdir] Created dir: /Applications/BurpSuitePro/validator/jing-trang/build/mod/util/classes/main
[javac] Compiling 33 source files to /Applications/BurpSuitePro/validator/jing-trang/build/mod/util/classes/main
[javac] warning: [options] bootstrap class path not set in conjunction with -source 1.3
[javac] warning: [options] source value 1.3 is obsolete and will be removed in a future release
[javac] warning: [options] target value 1.1 is obsolete and will be removed in a future release
[javac] warning: [options] To suppress warnings about obsolete options, use -Xlint:-options.
[javac] 4 warnings

mod.dtd-parse.compile-main:
[mkdir] Created dir: /Applications/BurpSuitePro/validator/jing-trang/build/mod/dtd-parse/classes/main
[javac] Compiling 104 source files to /Applications/BurpSuitePro/validator/jing-trang/build/mod/dtd-parse/classes/main
[javac] warning: [options] bootstrap class path not set in conjunction with -source 1.3
[javac] warning: [options] source value 1.3 is obsolete and will be removed in a future release
[javac] warning: [options] target value 1.1 is obsolete and will be removed in a future release
[javac] warning: [options] To suppress warnings about obsolete options, use -Xlint:-options.
[javac] 4 warnings

mod.dtdinst.compile-main:
[mkdir] Created dir: /Applications/BurpSuitePro/validator/jing-trang/build/mod/dtdinst/classes/main
[javac] Compiling 3 source files to /Applications/BurpSuitePro/validator/jing-trang/build/mod/dtdinst/classes/main
[javac] warning: [options] bootstrap class path not set in conjunction with -source 1.3
[javac] warning: [options] source value 1.3 is obsolete and will be removed in a future release
[javac] warning: [options] target value 1.1 is obsolete and will be removed in a future release
[javac] warning: [options] To suppress warnings about obsolete options, use -Xlint:-options.
[javac] 4 warnings
[mkdir] Created dir: /Applications/BurpSuitePro/validator/jing-trang/build/mod/dtdinst/classes/main/com/thaiopensource/xml/dtd/app/resources

mod.dtdinst.jar:
[jar] Building jar: /Applications/BurpSuitePro/validator/jing-trang/build/dtdinst.jar

mod.regex-gen.compile-main:
[mkdir] Created dir: /Applications/BurpSuitePro/validator/jing-trang/build/mod/regex-gen/classes/main
[javac] Compiling 2 source files to /Applications/BurpSuitePro/validator/jing-trang/build/mod/regex-gen/classes/main
[javac] warning: [options] bootstrap class path not set in conjunction with -source 1.3
[javac] warning: [options] source value 1.3 is obsolete and will be removed in a future release
[javac] warning: [options] target value 1.1 is obsolete and will be removed in a future release
[javac] warning: [options] To suppress warnings about obsolete options, use -Xlint:-options.
[javac] 4 warnings

mod.regex.check-gen:

mod.regex.gen:
[mkdir] Created dir: /Applications/BurpSuitePro/validator/jing-trang/build/mod/regex/gensrc/main/com/thaiopensource/datatype/xsd/regex/java

mod.regex.compile-main:
[mkdir] Created dir: /Applications/BurpSuitePro/validator/jing-trang/build/mod/regex/classes/main
[javac] Compiling 9 source files to /Applications/BurpSuitePro/validator/jing-trang/build/mod/regex/classes/main
[javac] warning: [options] bootstrap class path not set in conjunction with -source 1.3
[javac] warning: [options] source value 1.3 is obsolete and will be removed in a future release
[javac] warning: [options] target value 1.1 is obsolete and will be removed in a future release
[javac] warning: [options] To suppress warnings about obsolete options, use -Xlint:-options.
[javac] 4 warnings

mod.datatype.compile-main:
[mkdir] Created dir: /Applications/BurpSuitePro/validator/jing-trang/build/mod/datatype/classes/main
[javac] Compiling 13 source files to /Applications/BurpSuitePro/validator/jing-trang/build/mod/datatype/classes/main
[javac] warning: [options] bootstrap class path not set in conjunction with -source 1.3
[javac] warning: [options] source value 1.3 is obsolete and will be removed in a future release
[javac] warning: [options] target value 1.1 is obsolete and will be removed in a future release
[javac] warning: [options] To suppress warnings about obsolete options, use -Xlint:-options.
[javac] 4 warnings

mod.xsd-datatype.compile-main:
[mkdir] Created dir: /Applications/BurpSuitePro/validator/jing-trang/build/mod/xsd-datatype/classes/main
[javac] Compiling 41 source files to /Applications/BurpSuitePro/validator/jing-trang/build/mod/xsd-datatype/classes/main
[javac] warning: [options] bootstrap class path not set in conjunction with -source 1.3
[javac] warning: [options] source value 1.3 is obsolete and will be removed in a future release
[javac] warning: [options] target value 1.1 is obsolete and will be removed in a future release
[javac] warning: [options] To suppress warnings about obsolete options, use -Xlint:-options.
[javac] 4 warnings

mod.validate.compile-main:
[mkdir] Created dir: /Applications/BurpSuitePro/validator/jing-trang/build/mod/validate/classes/main
[javac] Compiling 41 source files to /Applications/BurpSuitePro/validator/jing-trang/build/mod/validate/classes/main
[javac] warning: [options] bootstrap class path not set in conjunction with -source 1.3
[javac] warning: [options] source value 1.3 is obsolete and will be removed in a future release
[javac] warning: [options] target value 1.1 is obsolete and will be removed in a future release
[javac] warning: [options] To suppress warnings about obsolete options, use -Xlint:-options.
[javac] 4 warnings

mod.rng-parse.gen:
[mkdir] Created dir: /Applications/BurpSuitePro/validator/jing-trang/build/mod/rng-parse/gensrc/main/com/thaiopensource/relaxng/parse/compact
[javacc] Java Compiler Compiler Version 4.1 (Parser Generator)
[javacc](type "javacc" with no arguments for help)
[javacc] Reading from file /Applications/BurpSuitePro/validator/jing-trang/mod/rng-parse/src/main/com/thaiopensource/relaxng/parse/compact/CompactSyntax.jj . . .
[javacc] Note: UNICODE_INPUT option is specified. Please make sure you create the parser/lexer using a Reader with the correct character encoding.
[javacc] File "TokenMgrError.java" does not exist. Will create one.
[javacc] File "ParseException.java" does not exist. Will create one.
[javacc] File "Token.java" does not exist. Will create one.
[javacc] File "JavaCharStream.java" does not exist. Will create one.
[javacc] Parser generated successfully.

mod.rng-parse.compile-main:
[mkdir] Created dir: /Applications/BurpSuitePro/validator/jing-trang/build/mod/rng-parse/classes/main
[javac] Compiling 42 source files to /Applications/BurpSuitePro/validator/jing-trang/build/mod/rng-parse/classes/main
[javac] warning: [options] bootstrap class path not set in conjunction with -source 1.3
[javac] warning: [options] source value 1.3 is obsolete and will be removed in a future release
[javac] warning: [options] target value 1.1 is obsolete and will be removed in a future release
[javac] warning: [options] To suppress warnings about obsolete options, use -Xlint:-options.
[javac] 4 warnings

mod.rng-validate.compile-main:
[mkdir] Created dir: /Applications/BurpSuitePro/validator/jing-trang/build/mod/rng-validate/classes/main
[javac] Compiling 121 source files to /Applications/BurpSuitePro/validator/jing-trang/build/mod/rng-validate/classes/main
[javac] warning: [options] bootstrap class path not set in conjunction with -source 1.5
[javac] warning: [options] source value 1.5 is obsolete and will be removed in a future release
[javac] warning: [options] target value 1.5 is obsolete and will be removed in a future release
[javac] warning: [options] To suppress warnings about obsolete options, use -Xlint:-options.
[javac] Note: Some input files use unchecked or unsafe operations.
[javac] Note: Recompile with -Xlint:unchecked for details.
[javac] 4 warnings
[mkdir] Created dir: /Applications/BurpSuitePro/validator/jing-trang/build/mod/rng-validate/classes/main/com/thaiopensource/relaxng/util/resources

mod.nvdl.compile-main:
[mkdir] Created dir: /Applications/BurpSuitePro/validator/jing-trang/build/mod/nvdl/classes/main
[javac] Compiling 57 source files to /Applications/BurpSuitePro/validator/jing-trang/build/mod/nvdl/classes/main
[javac] warning: [options] bootstrap class path not set in conjunction with -source 1.3
[javac] warning: [options] source value 1.3 is obsolete and will be removed in a future release
[javac] warning: [options] target value 1.1 is obsolete and will be removed in a future release
[javac] warning: [options] To suppress warnings about obsolete options, use -Xlint:-options.
[javac] 4 warnings

mod.schematron.compile-res:
[mkdir] Created dir: /Applications/BurpSuitePro/validator/jing-trang/build/mod/schematron/classes/main/com/thaiopensource/validate/schematron/resources
[xslt] Processing /Applications/BurpSuitePro/validator/jing-trang/mod/schematron/src/main/com/thaiopensource/validate/schematron/resources/schematron.xsl to /Applications/BurpSuitePro/validator/jing-trang/build/mod/schematron/classes/main/com/thaiopensource/validate/schematron/resources/schematron-xsltc.xsl
[xslt] Loading stylesheet /Applications/BurpSuitePro/validator/jing-trang/mod/schematron/lib/xsltc-fixup.xsl

mod.schematron.compile-main:
[javac] Compiling 12 source files to /Applications/BurpSuitePro/validator/jing-trang/build/mod/schematron/classes/main
[javac] warning: [options] bootstrap class path not set in conjunction with -source 1.3
[javac] warning: [options] source value 1.3 is obsolete and will be removed in a future release
[javac] warning: [options] target value 1.1 is obsolete and will be removed in a future release
[javac] warning: [options] To suppress warnings about obsolete options, use -Xlint:-options.
[javac] 4 warnings

mod.xerces.compile-main:
[mkdir] Created dir: /Applications/BurpSuitePro/validator/jing-trang/build/mod/xerces/classes/main
[javac] Compiling 7 source files to /Applications/BurpSuitePro/validator/jing-trang/build/mod/xerces/classes/main
[javac] warning: [options] bootstrap class path not set in conjunction with -source 1.3
[javac] warning: [options] source value 1.3 is obsolete and will be removed in a future release
[javac] warning: [options] target value 1.1 is obsolete and will be removed in a future release
[javac] warning: [options] To suppress warnings about obsolete options, use -Xlint:-options.
[javac] 4 warnings

mod.picl.compile-main:
[mkdir] Created dir: /Applications/BurpSuitePro/validator/jing-trang/build/mod/picl/classes/main
[javac] Compiling 26 source files to /Applications/BurpSuitePro/validator/jing-trang/build/mod/picl/classes/main
[javac] warning: [options] bootstrap class path not set in conjunction with -source 1.3
[javac] warning: [options] source value 1.3 is obsolete and will be removed in a future release
[javac] warning: [options] target value 1.1 is obsolete and will be removed in a future release
[javac] warning: [options] To suppress warnings about obsolete options, use -Xlint:-options.
[javac] 4 warnings

mod.jing.compile-main:
[mkdir] Created dir: /Applications/BurpSuitePro/validator/jing-trang/build/mod/jing/classes/main

mod.jing.jar:
[jar] Building jar: /Applications/BurpSuitePro/validator/jing-trang/build/jing.jar

mod.infer.compile-main:
[mkdir] Created dir: /Applications/BurpSuitePro/validator/jing-trang/build/mod/infer/classes/main
[javac] Compiling 20 source files to /Applications/BurpSuitePro/validator/jing-trang/build/mod/infer/classes/main
[javac] warning: [options] bootstrap class path not set in conjunction with -source 1.5
[javac] warning: [options] source value 1.5 is obsolete and will be removed in a future release
[javac] warning: [options] target value 1.5 is obsolete and will be removed in a future release
[javac] warning: [options] To suppress warnings about obsolete options, use -Xlint:-options.
[javac] 4 warnings

mod.rng-schema.compile-main:
[mkdir] Created dir: /Applications/BurpSuitePro/validator/jing-trang/build/mod/rng-schema/classes/main
[javac] Compiling 95 source files to /Applications/BurpSuitePro/validator/jing-trang/build/mod/rng-schema/classes/main
[javac] warning: [options] bootstrap class path not set in conjunction with -source 1.5
[javac] warning: [options] source value 1.5 is obsolete and will be removed in a future release
[javac] warning: [options] target value 1.5 is obsolete and will be removed in a future release
[javac] warning: [options] To suppress warnings about obsolete options, use -Xlint:-options.
[javac] 4 warnings

mod.convert-from-xml.compile-main:
[mkdir] Created dir: /Applications/BurpSuitePro/validator/jing-trang/build/mod/convert-from-xml/classes/main
[javac] Compiling 2 source files to /Applications/BurpSuitePro/validator/jing-trang/build/mod/convert-from-xml/classes/main
[javac] warning: [options] bootstrap class path not set in conjunction with -source 1.5
[javac] warning: [options] source value 1.5 is obsolete and will be removed in a future release
[javac] warning: [options] target value 1.5 is obsolete and will be removed in a future release
[javac] warning: [options] To suppress warnings about obsolete options, use -Xlint:-options.
[javac] 4 warnings

mod.convert-to-xsd.compile-main:
[mkdir] Created dir: /Applications/BurpSuitePro/validator/jing-trang/build/mod/convert-to-xsd/classes/main
[javac] Compiling 71 source files to /Applications/BurpSuitePro/validator/jing-trang/build/mod/convert-to-xsd/classes/main
[javac] warning: [options] bootstrap class path not set in conjunction with -source 1.5
[javac] warning: [options] source value 1.5 is obsolete and will be removed in a future release
[javac] warning: [options] target value 1.5 is obsolete and will be removed in a future release
[javac] warning: [options] To suppress warnings about obsolete options, use -Xlint:-options.
[javac] Note: /Applications/BurpSuitePro/validator/jing-trang/mod/convert-to-xsd/src/main/com/thaiopensource/relaxng/output/xsd/Transformer.java uses unchecked or unsafe operations.
[javac] Note: Recompile with -Xlint:unchecked for details.
[javac] 4 warnings

mod.convert-from-dtd.compile-main:
[mkdir] Created dir: /Applications/BurpSuitePro/validator/jing-trang/build/mod/convert-from-dtd/classes/main
[javac] Compiling 2 source files to /Applications/BurpSuitePro/validator/jing-trang/build/mod/convert-from-dtd/classes/main
[javac] warning: [options] bootstrap class path not set in conjunction with -source 1.5
[javac] warning: [options] source value 1.5 is obsolete and will be removed in a future release
[javac] warning: [options] target value 1.5 is obsolete and will be removed in a future release
[javac] warning: [options] To suppress warnings about obsolete options, use -Xlint:-options.
[javac] 4 warnings

mod.convert-to-dtd.compile-main:
[mkdir] Created dir: /Applications/BurpSuitePro/validator/jing-trang/build/mod/convert-to-dtd/classes/main
[javac] Compiling 11 source files to /Applications/BurpSuitePro/validator/jing-trang/build/mod/convert-to-dtd/classes/main
[javac] warning: [options] bootstrap class path not set in conjunction with -source 1.5
[javac] warning: [options] source value 1.5 is obsolete and will be removed in a future release
[javac] warning: [options] target value 1.5 is obsolete and will be removed in a future release
[javac] warning: [options] To suppress warnings about obsolete options, use -Xlint:-options.
[javac] 4 warnings

mod.trang.compile-main:
[mkdir] Created dir: /Applications/BurpSuitePro/validator/jing-trang/build/mod/trang/classes/main
[javac] Compiling 3 source files to /Applications/BurpSuitePro/validator/jing-trang/build/mod/trang/classes/main
[javac] warning: [options] bootstrap class path not set in conjunction with -source 1.5
[javac] warning: [options] source value 1.5 is obsolete and will be removed in a future release
[javac] warning: [options] target value 1.5 is obsolete and will be removed in a future release
[javac] warning: [options] To suppress warnings about obsolete options, use -Xlint:-options.
[javac] 4 warnings
[mkdir] Created dir: /Applications/BurpSuitePro/validator/jing-trang/build/mod/trang/classes/main/com/thaiopensource/relaxng/translate/resources

mod.trang.jar:
[jar] Building jar: /Applications/BurpSuitePro/validator/jing-trang/build/trang.jar

jar:

BUILD SUCCESSFUL
Total time: 5 seconds
Copying ./schema/.drivers/html5-all.rnc to ./schema/html5-all.rnc
Copying ./schema/.drivers/html5-its.rnc to ./schema/html5-its.rnc
Copying ./schema/.drivers/html5-no-microdata.rnc to ./schema/html5-no-microdata.rnc
Copying ./schema/.drivers/html5-rdfalite-w3c.rnc to ./schema/html5-rdfalite-w3c.rnc
Copying ./schema/.drivers/html5-rdfalite.rnc to ./schema/html5-rdfalite.rnc
Copying ./schema/.drivers/html5-svg-mathml.rnc to ./schema/html5-svg-mathml.rnc
Copying ./schema/.drivers/html5.rnc to ./schema/html5.rnc
Copying ./schema/.drivers/svg-xhtml5-rdf-mathml.rnc to ./schema/svg-xhtml5-rdf-mathml.rnc
Copying ./schema/.drivers/xhtml1-ruby-rdf-svg-mathml.rnc to ./schema/xhtml1-ruby-rdf-svg-mathml.rnc
Copying ./schema/.drivers/xhtml5-all.rnc to ./schema/xhtml5-all.rnc
Copying ./schema/.drivers/xhtml5-no-microdata.rnc to ./schema/xhtml5-no-microdata.rnc
Copying ./schema/.drivers/xhtml5-rdfalite-w3c.rnc to ./schema/xhtml5-rdfalite-w3c.rnc
Copying ./schema/.drivers/xhtml5-rdfalite.rnc to ./schema/xhtml5-rdfalite.rnc
Copying ./schema/.drivers/xhtml5-svg-mathml.rnc to ./schema/xhtml5-svg-mathml.rnc
Copying ./schema/.drivers/xhtml5.rnc to ./schema/xhtml5.rnc
Copying ./schema/.drivers/xhtml10 to ./schema/xhtml10
Copying ./schema/.drivers/rdf.rnc to ./schema/rdf/rdf.rnc
Removing ./schema/html5-all.rnc
Removing ./schema/html5-its.rnc
Removing ./schema/html5-no-microdata.rnc
Removing ./schema/html5-rdfalite-w3c.rnc
Removing ./schema/html5-rdfalite.rnc
Removing ./schema/html5-svg-mathml.rnc
Removing ./schema/html5.rnc
Removing ./schema/svg-xhtml5-rdf-mathml.rnc
Removing ./schema/xhtml1-ruby-rdf-svg-mathml.rnc
Removing ./schema/xhtml5-all.rnc
Removing ./schema/xhtml5-no-microdata.rnc
Removing ./schema/xhtml5-rdfalite-w3c.rnc
Removing ./schema/xhtml5-rdfalite.rnc
Removing ./schema/xhtml5-svg-mathml.rnc
Removing ./schema/xhtml5.rnc
Removing ./schema/html5/html5core.rnc
Removing ./schema/html5/html5full-no-microdata.rnc
Removing ./schema/html5/html5full-rdfa.rnc
Removing ./schema/html5/html5full-rdfalite.rnc
Removing ./schema/html5/html5full.rnc
Removing ./schema/html5/its20-html5-types.rnc
Removing ./schema/html5/its20-html5.rnc
Removing ./schema/html5/legacy.rnc
Removing ./schema/html5/xhtml5core-plus-web-forms2.rnc
Removing ./schema/html5/xhtml5core.rnc
Removing ./schema/html5/xhtml5full-html-no-microdata.rnc
Removing ./schema/html5/xhtml5full-html-rdfalite.rnc
Removing ./schema/html5/xhtml5full-html.rnc
Removing ./schema/html5/xhtml5full-xhtml-no-microdata.rnc
Removing ./schema/html5/xhtml5full-xhtml-rdfa.rnc
Removing ./schema/html5/xhtml5full-xhtml-rdfalite.rnc
Removing ./schema/html5/xhtml5full-xhtml.rnc
Removing ./schema/xhtml10
Removing ./schema/rdf
"javac" -g -nowarn -classpath "./dependencies/commons-codec-1.10.jar:./dependencies/commons-fileupload-1.3.1.jar:./dependencies/commons-io-2.4.jar:./dependencies/commons-logging-1.2.jar:./dependencies/commons-logging-1.2-adapters.jar:./dependencies/commons-logging-1.2-api.jar:./dependencies/galimatias-0.1.0.jar:./dependencies/httpcore-4.4.jar:./dependencies/httpclient-4.4.jar:./dependencies/icu4j-54.1.1.jar:./dependencies/javax.servlet-api-3.1.0.jar:./dependencies/jchardet-1.0.jar:./dependencies/jetty-http-9.2.9.v20150224.jar:./dependencies/jetty-io-9.2.9.v20150224.jar:./dependencies/jetty-security-9.2.9.v20150224.jar:./dependencies/jetty-server-9.2.9.v20150224.jar:./dependencies/jetty-servlet-9.2.9.v20150224.jar:./dependencies/jetty-servlets-9.2.9.v20150224.jar:./dependencies/jetty-util-9.2.9.v20150224.jar:./dependencies/jetty-util-ajax-9.2.9.v20150224.jar:./dependencies/log4j-1.2.17.jar:./dependencies/rhino-1.7R5.jar:./dependencies/xom-1.2.5.jar:./jing-trang/lib/saxon9.jar:./jing-trang/lib/xercesImpl.jar:./jing-trang/lib/xml-apis.jar:./jing-trang/lib/isorelax.jar" -sourcepath "./htmlparser/src" -d "./htmlparser/classes" -encoding UTF-8 -target 1.6 -source 1.6 @temp-javac-list
Removing temp-javac-list
"jar" cf "./htmlparser/dist/htmlparser.jar" @temp-jar-list
Removing temp-jar-list
Removing ./htmlparser/classes
Removing ./htmlparser/dist
"javac" -g -nowarn -d "./classes" -encoding UTF-8 -target 1.6 -source 1.6 ./src/nu/validator/xml/SaxCompiler.java
"java" -cp ./classes nu.validator.xml.SaxCompiler site/PageEmitter.xml ./src/nu/validator/servlet/PageEmitter.java
file:site/PageEmitter.xml
"java" -cp ./classes nu.validator.xml.SaxCompiler site/FormEmitter.xml ./src/nu/validator/servlet/FormEmitter.java
file:site/FormEmitter.xml
Removing ./classes
"javac" -g -nowarn -classpath "./dependencies/commons-codec-1.10.jar:./dependencies/commons-fileupload-1.3.1.jar:./dependencies/commons-io-2.4.jar:./dependencies/commons-logging-1.2.jar:./dependencies/commons-logging-1.2-adapters.jar:./dependencies/commons-logging-1.2-api.jar:./dependencies/galimatias-0.1.0.jar:./dependencies/httpcore-4.4.jar:./dependencies/httpclient-4.4.jar:./dependencies/icu4j-54.1.1.jar:./dependencies/javax.servlet-api-3.1.0.jar:./dependencies/jchardet-1.0.jar:./dependencies/jetty-http-9.2.9.v20150224.jar:./dependencies/jetty-io-9.2.9.v20150224.jar:./dependencies/jetty-security-9.2.9.v20150224.jar:./dependencies/jetty-server-9.2.9.v20150224.jar:./dependencies/jetty-servlet-9.2.9.v20150224.jar:./dependencies/jetty-servlets-9.2.9.v20150224.jar:./dependencies/jetty-util-9.2.9.v20150224.jar:./dependencies/jetty-util-ajax-9.2.9.v20150224.jar:./dependencies/log4j-1.2.17.jar:./dependencies/rhino-1.7R5.jar:./dependencies/xom-1.2.5.jar:./jing-trang/lib/saxon9.jar:./jing-trang/lib/xercesImpl.jar:./jing-trang/lib/xml-apis.jar:./jing-trang/lib/isorelax.jar:./jars/htmlparser.jar:jing-trang/build/jing.jar" -sourcepath "./src" -d "./classes" -encoding UTF-8 -target 1.6 -source 1.6 @temp-javac-list
Note: Some input files use or override a deprecated API.
Note: Recompile with -Xlint:deprecation for details.
Note: Some input files use unchecked or unsafe operations.
Note: Recompile with -Xlint:unchecked for details.
Removing temp-javac-list
"jar" cf "./dist/validator.jar" @temp-jar-list
Removing temp-jar-list
Removing ./classes
Removing ./dist
"java" -classpath ./dependencies/commons-codec-1.10.jar:./dependencies/commons-fileupload-1.3.1.jar:./dependencies/commons-io-2.4.jar:./dependencies/commons-logging-1.2.jar:./dependencies/commons-logging-1.2-adapters.jar:./dependencies/commons-logging-1.2-api.jar:./dependencies/galimatias-0.1.0.jar:./dependencies/httpcore-4.4.jar:./dependencies/httpclient-4.4.jar:./dependencies/icu4j-54.1.1.jar:./dependencies/javax.servlet-api-3.1.0.jar:./dependencies/jchardet-1.0.jar:./dependencies/jetty-http-9.2.9.v20150224.jar:./dependencies/jetty-io-9.2.9.v20150224.jar:./dependencies/jetty-security-9.2.9.v20150224.jar:./dependencies/jetty-server-9.2.9.v20150224.jar:./dependencies/jetty-servlet-9.2.9.v20150224.jar:./dependencies/jetty-servlets-9.2.9.v20150224.jar:./dependencies/jetty-util-9.2.9.v20150224.jar:./dependencies/jetty-util-ajax-9.2.9.v20150224.jar:./dependencies/log4j-1.2.17.jar:./dependencies/rhino-1.7R5.jar:./dependencies/xom-1.2.5.jar:./jing-trang/lib/saxon9.jar:./jing-trang/lib/xercesImpl.jar:./jing-trang/lib/xml-apis.jar:./jing-trang/lib/isorelax.jar:./jars/htmlparser.jar:./jars/validator.jar:jing-trang/build/jing.jar nu.validator.client.TestRunner --ignore=html-its tests/messages.json
2015-07-07 22:56:10.504:INFO::main: Logging initialized @183ms
java -XX:-DontCompileHugeMethods -Xms131072k -Xmx131072k -classpath ./dependencies/commons-codec-1.10.jar:./dependencies/commons-fileupload-1.3.1.jar:./dependencies/commons-io-2.4.jar:./dependencies/commons-logging-1.2.jar:./dependencies/commons-logging-1.2-adapters.jar:./dependencies/commons-logging-1.2-api.jar:./dependencies/galimatias-0.1.0.jar:./dependencies/httpcore-4.4.jar:./dependencies/httpclient-4.4.jar:./dependencies/icu4j-54.1.1.jar:./dependencies/javax.servlet-api-3.1.0.jar:./dependencies/jchardet-1.0.jar:./dependencies/jetty-http-9.2.9.v20150224.jar:./dependencies/jetty-io-9.2.9.v20150224.jar:./dependencies/jetty-security-9.2.9.v20150224.jar:./dependencies/jetty-server-9.2.9.v20150224.jar:./dependencies/jetty-servlet-9.2.9.v20150224.jar:./dependencies/jetty-servlets-9.2.9.v20150224.jar:./dependencies/jetty-util-9.2.9.v20150224.jar:./dependencies/jetty-util-ajax-9.2.9.v20150224.jar:./dependencies/log4j-1.2.17.jar:./dependencies/rhino-1.7R5.jar:./jing-trang/lib/saxon9.jar:./jing-trang/lib/xercesImpl.jar:./jing-trang/lib/xml-apis.jar:./jing-trang/lib/isorelax.jar:./jars/htmlparser.jar:./jars/validator.jar:jing-trang/build/jing.jar -Dnu.validator.datatype.warn=true -Dnu.validator.messages.limit=1000 -Dnu.validator.servlet.about-page=https://about.validator.nu/ -Dnu.validator.servlet.connection-timeout=5000 -Dnu.validator.servlet.follow-w3c-spec=0 -Dnu.validator.servlet.host.legacy= -Dnu.validator.servlet.host.generic= -Dnu.validator.servlet.host.html5= -Dnu.validator.servlet.host.parsetree= -Dnu.validator.servlet.icon=icon.png -Dnu.validator.servlet.log4j-properties=resources/log4j.properties -Dnu.validator.servlet.max-file-size=8388608 -Dnu.validator.servlet.origin=https://validator.nu/ -Dnu.validator.servlet.path.generic=/ -Dnu.validator.servlet.path.html5=/html5/ -Dnu.validator.servlet.path.parsetree=/parsetree/ -Dnu.validator.servlet.service-name=Validator.nu -Dnu.validator.servlet.read-local-log4j-properties=1 -Dnu.validator.servlet.results-title=Validation results -Dnu.validator.servlet.script=script.js -Dnu.validator.servlet.socket-timeout=5000 -Dnu.validator.servlet.statistics=0 -Dnu.validator.servlet.style-sheet=style.css -Dnu.validator.servlet.user-agent=Validator.nu/LV -Dnu.validator.servlet.version=15.7.7 -Dnu.validator.spec.html5-load=https://www.whatwg.org/specs/web-apps/current-work/ -Dnu.validator.spec.html5-link=https://www.whatwg.org/specs/web-apps/current-work/ -Dorg.mortbay.http.HttpRequest.maxFormContentSize=8388608 nu.validator.servlet.Main 8888
2015-07-07 22:56:14.515:INFO::main: Logging initialized @190ms
nu.validator.servlet.VerifierServletTransaction - Starting static initializer.
nu.validator.servlet.VerifierServletTransaction - Reading miscellaneous properties.
nu.validator.servlet.VerifierServletTransaction - Starting to loop over config file lines.
nu.validator.servlet.VerifierServletTransaction - Finished reading config.
nu.validator.servlet.VerifierServletTransaction - Converted config to arrays.
nu.validator.servlet.VerifierServletTransaction - Prepared namespace array.
nu.validator.servlet.VerifierServletTransaction - Parsed doctype numbers into ints.
nu.validator.servlet.VerifierServletTransaction - The cache path prefix is: null
nu.validator.servlet.VerifierServletTransaction - Parsing set up. Starting to read schemas.
nu.validator.servlet.VerifierServletTransaction - Will load schema: http://s.validator.nu/html5.rnc
nu.validator.servlet.VerifierServletTransaction - Will load schema: http://s.validator.nu/html5-its.rnc
nu.validator.servlet.VerifierServletTransaction - Will load schema: http://s.validator.nu/html5-rdfalite.rnc
nu.validator.servlet.VerifierServletTransaction - Will load schema: http://s.validator.nu/xhtml10/xhtml-strict.rnc
nu.validator.servlet.VerifierServletTransaction - Will load schema: http://s.validator.nu/xhtml10/xhtml-transitional.rnc
nu.validator.servlet.VerifierServletTransaction - Will load schema: http://s.validator.nu/xhtml10/xhtml-frameset.rnc
nu.validator.servlet.VerifierServletTransaction - Will load schema: http://s.validator.nu/xhtml5.rnc
nu.validator.servlet.VerifierServletTransaction - Will load schema: http://s.validator.nu/xhtml5-rdfalite.rnc
nu.validator.servlet.VerifierServletTransaction - Will load schema: http://s.validator.nu/xhtml1-ruby-rdf-svg-mathml.rnc
nu.validator.servlet.VerifierServletTransaction - Will load schema: http://s.validator.nu/svg-xhtml5-rdf-mathml.rnc
nu.validator.servlet.VerifierServletTransaction - Schemas read.
nu.validator.servlet.VerifierServletTransaction - Reading spec.
nu.validator.servlet.VerifierServletTransaction - Spec read.
nu.validator.servlet.VerifierServletTransaction - Initialization complete.
2015-07-07 22:56:16.659:INFO:oejs.Server:main: jetty-9.2.9.v20150224
2015-07-07 22:56:16.682:INFO:oejsh.ContextHandler:main: Started o.e.j.s.ServletContextHandler@1f0db41a{/,null,AVAILABLE}
2015-07-07 22:56:16.720:INFO:oejs.ServerConnector:main: Started ServerConnector@396f50d2{HTTP/1.1}{0.0.0.0:8888}
2015-07-07 22:56:16.720:INFO:oejs.Server:main: Started @2397ms

got an error message while testing resource-load.php file.
phantomjs and casperjs both are throw the same error, maybe it's evaluate() problem ?

REF:

• CasperJS Can't find variable $

test file: resource-load.php
error message: Parse error: ReferenceError: Can't find variable: $

BurpSuite version: 1.6.12
xssValidator version: 1.3.1

PhantomJS version: 1.9.8 x64
CasperJS version: 1.1-beta3

phantomjs --debug=false --ignore-ssl-errors=true --load-images=true --local-to-remote-url-access=true --web-security=false --ssl-protocol=any xss.js &

Console Output

Received request with method type: POST
Processing Post Request
Beginning to parse page
URL: http://192.168.30.56/resource-load.php?name=confirm(299792458)%3b
Headers: GET /resource-load.php?name=confirm(299792458)%3b HTTP/1.1
Host: 192.168.30.56
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36
DNT: 1
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-TW,zh;q=0.8,en;q=0.6,zh-CN;q=0.4
Connection: close

Parse error: SyntaxError: Parse error
Parse error: ReferenceError: Can't find variable: $

Detailed Debug

2015-03-15T22:40:02 [DEBUG] WebpageCallbacks - getJsConfirmCallback
2015-03-15T22:40:02 [DEBUG] WebpageCallbacks - getJsConfirmCallback
2015-03-15T22:40:02 [DEBUG] WebPage - updateLoadingProgress: 17

Parse error: ReferenceError: Can't find variable: $

2015-03-15T22:40:02 [DEBUG] Network - Resource request error: 203 ( "Error downloading http://ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js - server replied: Not Found" ) URL: "http://ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"
2015-03-15T22:40:02 [DEBUG] WebPage - updateLoadingProgress: 100
2015-03-15T22:40:02 [DEBUG] WebPage - setupFrame ""
2015-03-15T22:40:32 [DEBUG] HTTP Request - URI /
2015-03-15T22:40:32 [DEBUG] HTTP Request - Method POST
2015-03-15T22:40:32 [DEBUG] HTTP Request - HTTP Version 1.1
2015-03-15T22:40:32 [DEBUG] HTTP Request - Query String
2015-03-15T22:40:32 [DEBUG] HTTP Request - Receiving Header "Content-Length" = "1370"
2015-03-15T22:40:32 [DEBUG] HTTP Request - Receiving Header "Content-Type" = "application/x-www-form-urlencoded"
2015-03-15T22:40:32 [DEBUG] HTTP Request - Receiving Header "Host" = "127.0.0.1:8093"
2015-03-15T22:40:32 [DEBUG] HTTP Request - Receiving Header "Connection" = "Keep-Alive"
2015-03-15T22:40:32 [DEBUG] HTTP Request - Receiving Header "User-Agent" = "Apache-HttpClient/4.4 (Java 1.5 minimum; Java/1.8.0_25)"
2015-03-15T22:40:32 [DEBUG] HTTP Request - Receiving Header "Accept-Encoding" = "gzip,deflate"
2015-03-15T22:40:32 [DEBUG] HTTP Request - Method POST/PUT

Hello,

I have installed Burp Comunity version 2020.5.1 in Windows, when search XSS vulnerabilities wtih XSSValidator when I select "Request in browser" always open this web "https://portswigger.net/burp/documentation/desktop/getting-started/proxy-troubleshooting" I have installed the CACERT.der of burp in Firefox (77.0.1) Brave (0.62) and Edge Versión 83.0.478 and in all three the same result.

Can anyone help me ?

Thanks and a greeting

How could xssValidator detect this XSS [1] using this XSS-Polyglot [2] ?

[1] https://public-firing-range.appspot.com/reflected/parameter/body?q=/*-/*`/*\`/*%27/*%22/**/(/*%20*/oNcliCk=alert()%20)//%0D%0A%0d%0a//%3C/stYle/%3C/titLe/%3C/teXtarEa/%3C/scRipt/--!%3E\x3csVg/%3CsVg/oNloAd=alert()//%3E\x3e
[2] https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot

Need to think about adding the ability to include additional settings that will allow users to specify which functions that want to trigger XSS alerts. For instance, some apps may include native document.writes, and as such, it will trigger false positives. In this instance, the user may want to disable reporting for that particular function.

Demo Site: demo.testfire.net

Full Request is:
http://demo.testfire.net/search.aspx?txtSearch=%3cimg%20src%3d8%20onmousemove%3d%22alert(299792458)%22%3e

Payloads below:
<img src=1 onmousemove="{JAVASCRIPT}">
<img src=1 onmousemove='{JAVASCRIPT}'>
<img src=1 onmousemove={JAVASCRIPT}>

I test on FF and Chrome, payloads is work. But xssValidator can't Detect.
How can I fix it?

Some info:
Firefox: v51.0.1
Chrome: v56.0.2924.87
xssValidator: v1.3.2
Phantomjs: v2.1.1

Hi,

i noticed that extension passing the response to detector without HTTP Authorization header would cause a 401 error when phantomjs trying to include remote javascript resources to assign textbox value dynamically with XMLHttpRequest.

GET /cgi-bin/admin/setparam.cgi?layout_logo_default=1&layout_logo_link=example.com&layout_logobg_default=1&layout_logotitle_default=1&layout_title_text=<script>alert(1)//&layout_title_font_color=%23FFFFFF&layout_title_font_size=33&layout_title_font_style=Arial&return=%2Fsetup%2Fhomelayout.html HTTP/1.1
Host: 192.168.0.123
Proxy-Connection: keep-alive
Authorization: Basic YWRtaW46dGVzdF9wYXNzd2Q=
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36
DNT: 1
Referer: http://192.168.0.123/setup/homelayout.html
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-TW,zh;q=0.8,en;q=0.6,zh-CN;q=0.4
Cookie: viewsizemode=0; g_mode=1; activatedmode=mechanical

HTTP/1.1 200 OK
Date: Thu, 15 Jan 2015 21:06:37 GMT
Server: Boa/0.94.14rc21
Accept-Ranges: bytes
Connection: close
Content-type: text/html
Cache-control: no-cache
Pragma: no-cache

<html>
<!--
layout_logo_default='1'
layout_logo_link='example.com'
layout_logobg_default='1'
layout_logotitle_default='1'
layout_title_text='<script>alert(1)//'
layout_title_font_color='#FFFFFF'
layout_title_font_size='33'
layout_title_font_style='Arial'
-->
<body>
<script language='JavaScript'>
document.location='/setup/homelayout.html'
</script>
</body>
</html>

<!-- File: homelayout.html -->
<!-- More: https://gist.github.com/skiddie/33768952fc2dc81fe506#file-homelayout-html -->
<!-- snip .. -->
  <script type="text/javascript" src="/include/common.js"></script>
  <script type="text/javascript" src="/include/homelayout.js"></script>
  <script type="text/javascript" src="/colorpicker/colorpicker.js"></script>
  <!--[if lte IE 7]><style type="text/css"> input {behavior:url(/input.htc) } </style><![endif]-->
</head>
<body id="adv_live_video_page_config" onload="loadCurrentSetting()">
<!--
xss payload: <script>alert(1)//
-->
<input class="position_4" type="text" size="20" maxlength="20" name="layout_title_text" title="" id="layout_title_text">
<!-- .. snip -->

// File: homelayout.js
// More: https://gist.github.com/skiddie/33768952fc2dc81fe506#file-homelayout-js
// snip ..
function loadCurrentSetting()
{
  XMLHttpRequestObject.open("GET", "/cgi-bin/admin/getparam_cache.cgi?layout", true);
  XMLHttpRequestObject.setRequestHeader("If-Modified-Since","0");
  XMLHttpRequestObject.send(null);
  document.title=translator("live_video_page_config");  

  // title text
  $('#layout_title_text').val(layout_title_text);
// .. snip

thanks for providing such a great tool for everyone to detect XSS 👍
Chris

There are two scripts, xss.js and slimer.js and they are similar.

They should be identical since SlimerJS is theorically almost 100% compatible with PhantomJS. At least, what xss.js does should work with SlimerJS.

If something does not work with SlimerJS, please fill issues on project github.com/laurentj/slimerjs.

There is at least some few things to fix:

This deprecate way

wp = new WebPage();

should be replaced by

wp = require("webpage").create();

And also many variables are not declared with the var keyword (this may cause warnings in verbose mode).

Need to ensure that the Host header is passed to the xss-detector scripts to ensure that <script src="/relative/path"> are loaded properly.

seems like xss-validator can't parse request anymore

request :

POST /add/code?zip=11011 HTTP/1.1
Host: www.example.com
Connection: close
Content-Length: 128
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Referer: https://www.example.com//add/code?zip=11011
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
Cookie: SSESS6842d8c7cb1b116c2c910d91f6feb606=MYI__XOn97qwOyaVrQ57T7PhSFnrXEmfsIimZ7DIltA; __qca=P0-1885903518-1491403056750; has_js=1; CardBuilder.stored=true; _ivu=61BC41E0-AB01-4340-A34D-0355A3A31440

zip=11011§a§&op=add+locations&form_build_id=form-Ft974csqqU92EPft5FmPvNaQCYBR1j0ftc_Ibo4xp4U&form_id=add_zip

Make the grep phrase dynamically generated. This will ensure that apps aren't able to build in protective measures by automatically spoofing the grep phrase.

Hi again,

i found that xssValidator wont append the grep phrase to response while it got a 30x redirection.

but i can find the prompt from PhantomJS Output and BurpSuite Extender Output likes below,

On alert: 299792458
Response: {"value":1,"msg":"XSS found: alert(299792458)"}
XSS Found

this will cause BurpSuite Intruder wont flag the grep phrase.

thank you :)

Chris

Intruder options:

Attack Results

✓ Store requests
✓ Store responses
✓ Make unmodified baseline request
✓ Store full payloads

Grep - Match

✓ Flag result items with responses matching these expressions: fy7sdufsuidfhuisdf
✓ Match type: Simple string

Grep - Payloads

✓ Search responses for payload strings
✓ Match against pre-URL-encoded payloads

Redirections

✓ Follow redirections: In-scope only

Intruder Request 1:

POST /cgi-bin/setup_dns_ddns.exe HTTP/1.1
Host: 192.168.1.1
Proxy-Connection: keep-alive
Content-Length: 146
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://192.168.1.1/dns_ddns_main.stm
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.8,en;q=0.6,zh-CN;q=0.4
Cookie: defpg=; aDuPtHh_OSPPH3=HKujEEqKwNU0OHDYORMzckBa3VNn524ZVHhfBas5xrrjtIuYJFFzv
Connection: close

page=dns_ddns_main&logout=&ddns_provider=0&ddns_domainame="%3e%3cscript%3ealert(299792458)%3c%2fscript%3e%3c"&ddns_account=XSS4&ddns_password=XSS5

PhantomJS Output 1:

Received request with method type: POST
Processing Post Request
Beginning to parse page
    URL: http://192.168.1.1/cgi-bin/setup_dns_ddns.exe
    Headers: POST /cgi-bin/setup_dns_ddns.exe HTTP/1.1
Host: 192.168.1.1
Proxy-Connection: keep-alive
Content-Length: 146
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://192.168.1.1/dns_ddns_main.stm
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.8,en;q=0.6,zh-CN;q=0.4
Cookie: defpg=; aDuPtHh_OSPPH3=HKujEEqKwNU0OHDYORMzckBa3VNn524ZVHhfBas5xrrjtIuYJFFzv
Connection: close

page=dns_ddns_main&logout=&ddns_provider=0&ddns_domainame="%3e%3cscript%3ealert(299792458)%3c%2fscript%3e%3c"&ddns_account=XSS4&ddns_password=XSS5

Intruder Response 1:

HTTP/1.1 302 Found
Server: Apache
Pragma: no-cache
Cache-Control: max-age=0, must-revalidate
Connection: close
Location: http://192.168.1.1/wait.stm
Content-type: text/html

<HEAD><TITLE>302 Document moved</TITLE></HEAD>
<BODY><H1>302 Document moved</H1>
This document has moved <A HREF="http://192.168.1.1/wait.stm</A>.<P>
</BODY>
fy7sdufsuidfhuisdf

Intruder Request 2:

GET /wait.stm HTTP/1.1
Host: 192.168.1.1
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
DNT: 1
Referer: http://192.168.1.1/dns_ddns_main.stm
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.8,en;q=0.6,zh-CN;q=0.4
Cookie: defpg=; aDuPtHh_OSPPH3=HKujEEqKwNU0OHDYORMzckBa3VNn524ZVHhfBas5xrrjtIuYJFFzv
Connection: close

PhantomJS Output 2:

Received request with method type: POST
Processing Post Request
Beginning to parse page
    URL: http://192.168.1.1/wait.stm
    Headers: GET /wait.stm HTTP/1.1
Host: 192.168.1.1
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
DNT: 1
Referer: http://192.168.1.1/dns_ddns_main.stm
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.8,en;q=0.6,zh-CN;q=0.4
Cookie: defpg=; aDuPtHh_OSPPH3=HKujEEqKwNU0OHDYORMzckBa3VNn524ZVHhfBas5xrrjtIuYJFFzv
Connection: close


On alert: 299792458

Intruder Response 2:

HTTP/1.1 200 OK
Server: Apache
Pragma: no-cache
Cache-Control: max-age=0, must-revalidate
Connection: close
Content-type: text/html
Content-length: 1381
Accept-Ranges: bytes

<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<script language="javascript">
//setTimeout('document.location.href="dns_ddns_main.stm";', 10000);
var my_time = 10000 / 100;
var mybar = '';
var cur_time = 0;

function zero_run() {
    for (var i = 0 ; i < 100 ; i++) {
        mybar = mybar + '|';
//      window.status = i + '%' + ' ' + mybar;
        for (var j = 0 ; j < 10000 ; j++) ;
    }
//  window.status="";
    document.location.href="dns_ddns_main.stm";
}

function timebegin() {
    if (my_time == 0) {
        setTimeout("zero_run()", 100);
    }
    else if (cur_time < 100) {
        mybar = mybar + '|';
//      window.status = cur_time + '%' + ' ' + mybar;
        setTimeout("timebegin()", my_time);
        cur_time++;
    }
    else {
//      window.status="";
        document.location.href="dns_ddns_main.stm";
    }
}
timebegin();
</script>
<style type="text/css">
.waitcss {color: #FF6600; font-family: sans-serif; font-size: 9pt; text-align: left; font-weight : bold;}
</style>
</head>
<body bgcolor=#FFFFFF>
<p align=center>&nbsp;</p>
<p align=center>&nbsp;</p>
<p align=center>&nbsp;</p>
<p align=center>&nbsp;</p>
<p align=center>&nbsp;</p>
<p align=center><span class="waitcss">Guardando configuración. POR FAVOR NO APAGUES EL LIVEBOX<br><br><input type=image src="/images/clock.gif" border=0>&nbsp;</span></p>
</body>
</html>

For some reason, certain payloads, such as <img src='1' onerror='{JAVASCRIPT}' are generating race conditions in which legitimate XSS payload execution is not being marked as executed, and payloads that don't execute are being marked as validated.

For the time being throttling the requests seems to decrease the likelihood of running into this behavior, but I'm still looking into the real cause.

Hey,
I have installed and configured everything as instructed But while launching attach i am getting this error in the alerts tab

What could be the problem ?

Regards,
Jasminder Pal Singh

Seems like I am have such a simple issue that I cannot find the fix for. Following the README.md, downloaded Apache's HttpClient and HttpCore both to the target directory and extracted all *.jar files to the required directory ../xssValidator/burp-extender/lib. I even moved the OSGi bundle to the targetted lib with no results. Currently ant and java version "1.7.0_91" installed.

After executing ant, I get a >BUILD FAILED message.

root@kali:~/Git/xssValidator/burp-extender/bin/burp# ant
Buildfile: /root/Git/xssValidator/burp-extender/bin/burp/build.xml

compile:
[javac] /root/Git/xssValidator/burp-extender/bin/burp/build.xml:20: warning: 'includeantruntime' was not set, defaulting to build.sysclasspath=last; set to false for repeatable builds
[javac] Compiling 38 source files to /root/Git/xssValidator/burp-extender/bi n
[javac] /root/Git/xssValidator/burp-extender/src/burp/BurpExtender.java:25: error: package org.apache.commons.codec.binary does not exist
[javac] import org.apache.commons.codec.binary.Base64;
[javac] ^
[javac] /root/Git/xssValidator/burp-extender/src/burp/BurpExtender.java:26: error: package org.apache.http does not exist
[javac] import org.apache.http.HttpResponse;
[javac] ^
[javac] /root/Git/xssValidator/burp-extender/src/burp/BurpExtender.java:27: error: package org.apache.http.client does not exist
[javac] import org.apache.http.client.HttpClient;
[javac] ^
[javac] /root/Git/xssValidator/burp-extender/src/burp/BurpExtender.java:28: error: package org.apache.http.client.entity does not exist
[javac] import org.apache.http.client.entity.UrlEncodedFormEntity;
[javac] ^
[javac] /root/Git/xssValidator/burp-extender/src/burp/BurpExtender.java:29: error: package org.apache.http.client.methods does not exist
[javac] import org.apache.http.client.methods.HttpPost;
[javac] ^
[javac] /root/Git/xssValidator/burp-extender/src/burp/BurpExtender.java:30: error: package org.apache.http.impl.client does not exist
[javac] import org.apache.http.impl.client.HttpClientBuilder;
[javac] ^
[javac] /root/Git/xssValidator/burp-extender/src/burp/BurpExtender.java:31: error: package org.apache.http.message does not exist
[javac] import org.apache.http.message.BasicNameValuePair;
[javac] ^
[javac] /root/Git/xssValidator/burp-extender/src/burp/BurpExtender.java:32: error: package org.apache.http.util does not exist
[javac] import org.apache.http.util.EntityUtils;
[javac] ^
[javac] /root/Git/xssValidator/burp-extender/src/burp/BurpExtender.java:44: error: cannot find symbol
[javac] private HttpClient client;
[javac] ^
[javac] symbol: class HttpClient
[javac] location: class BurpExtender
[javac] /root/Git/xssValidator/burp-extender/src/burp/BurpExtender.java:212: error: cannot find symbol
[javac] HttpPost detector = new HttpPost(detectorUrl);
[javac] ^
[javac] symbol: class HttpPost
[javac] location: class BurpExtender
[javac] /root/Git/xssValidator/burp-extender/src/burp/BurpExtender.java:212: error: cannot find symbol
[javac] HttpPost detector = new HttpPost(detectorUrl);
[javac] ^
[javac] symbol: class HttpPost
[javac] location: class BurpExtender
[javac] /root/Git/xssValidator/burp-extender/src/burp/BurpExtender.java:219: error: cannot find symbol
[javac] byte[] encodedBytes = Base64.encodeBase64(messageInf o
[javac] ^
[javac] symbol: variable Base64
[javac] location: class BurpExtender
[javac] /root/Git/xssValidator/burp-extender/src/burp/BurpExtender.java:225: error: cannot find symbol
[javac] byte[] encodedURLBytes = Base64.encodeBase64(intrude rURL.getBytes());
[javac] ^
[javac] symbol: variable Base64
[javac] location: class BurpExtender
[javac] /root/Git/xssValidator/burp-extender/src/burp/BurpExtender.java:229: error: cannot find symbol
[javac] byte[] encodedHeaderBytes = Base64.encodeBase64(head ers.getBytes());
[javac] ^
[javac] symbol: variable Base64
[javac] location: class BurpExtender
[javac] /root/Git/xssValidator/burp-extender/src/burp/BurpExtender.java:233: error: cannot find symbol
[javac] nameValuePairs.add(new BasicNameValuePair("http-resp onse",
[javac] ^
[javac] symbol: class BasicNameValuePair
[javac] location: class BurpExtender
[javac] /root/Git/xssValidator/burp-extender/src/burp/BurpExtender.java:235: error: cannot find symbol
[javac] nameValuePairs.add(new BasicNameValuePair("http-url" ,
[javac] ^
[javac] symbol: class BasicNameValuePair
[javac] location: class BurpExtender
[javac] /root/Git/xssValidator/burp-extender/src/burp/BurpExtender.java:237: error: cannot find symbol
[javac] nameValuePairs.add(new BasicNameValuePair("http-head ers",
[javac] ^
[javac] symbol: class BasicNameValuePair
[javac] location: class BurpExtender
[javac] /root/Git/xssValidator/burp-extender/src/burp/BurpExtender.java:241: error: cannot find symbol
[javac] .setEntity(new UrlEncodedFormEntity(nameValuePairs)) ;
[javac] ^
[javac] symbol: class UrlEncodedFormEntity
[javac] location: class BurpExtender
[javac] /root/Git/xssValidator/burp-extender/src/burp/BurpExtender.java:243: error: cannot find symbol
[javac] HttpResponse response = this.client.execute(detector );
[javac] ^
[javac] symbol: class HttpResponse
[javac] location: class BurpExtender
[javac] /root/Git/xssValidator/burp-extender/src/burp/BurpExtender.java:244: error: cannot find symbol
[javac] String responseAsString = EntityUtils.toString(respo nse
[javac] ^
[javac] symbol: variable EntityUtils
[javac] location: class BurpExtender
[javac] /root/Git/xssValidator/burp-extender/src/burp/BurpExtender.java:360: error: cannot find symbol
[javac] this.client = HttpClientBuilder.create().build();
[javac] ^
[javac] symbol: variable HttpClientBuilder
[javac] location: class BurpExtender
[javac] 21 errors

BUILD FAILED
/root/Git/xssValidator/burp-extender/bin/burp/build.xml:20: Compile failed; see the compiler error output for details.

Total time: 0 seconds

It feels like I have every *.jar file Apache has available. Any help would be appreciated.

Hi,

According to the burp-extender/src/burp/BurpExtender.java file, this extension is in version 1.3.2. However, there is no release note for this version on GitHub.

In addition, the version of this extension on the BApp Store is said to be 1.3.2 but in the xssValidator tab in Burp it is still required to provide server settings for Slimer.

Could you please add a release note for version 1.3.2 on GitHub and update the extension on the BApp Store?

Thank you.

I'm getting these errors Im not sure why

Parse error: SyntaxError: Invalid character '\u0031'
Parse error: TypeError: undefined is not a constructor (evaluating 'gbar.qfgq()')

The central repo url in buildXssValidatorJar.sh file is not updated with the new https://repo.maven.apache.org

I am following this article https://nvisium.com/blog/2014/01/31/accurate-xss-detection-with-burpsuite/
and have downloaded the jar file and phantomjs, but when i start the attack. no actions take place on the burpsuite. is there any place i can debug this?

It may make sense to implement some baseline compare functionality that creates an index of each JS function that is triggered. Subsequent requests will be compared to the baseline request to ensure that any event that would have triggered an XSS alert wasn't triggered in the baseline request.

I've tested this on 3 different computers, and when I'm using newer versions of Burp (2.0+) XssValidator has a significantly high false positive rate (co-workers say the same thing). When I install an older version (v1.7.37 or older) it has like a 95% success rate? is it time for an update? or should I stick to using the older burp for this one tool?