Writing a scanner to find reflected XSS vulnerabilities — Part 1

  • How does it function? Create a simple flow chart of how you want the scanner to function: what input it takes, what it is going to parse, and finally what it will output.
  • What technology are we going to use? Selecting the right technology is very important. While selecting a technology you should be aware of the libraries you will need and of how to scale the tool up as your needs grow. But more than anything else, the most important thing is your comfort with the technology. I might spend 20 hours writing code in Golang and the output might be slightly better than my Python project which I completed in just 5 hours. If that’s the case I would stick with Python.
Reflected XSS Flow Chart
  • Raw HTTP request parser
  • Initial prober
  • Context analyzer
  • Payload generator
  • Payload confirmer
pip3 install virtualenv
python3 -m virtualenv xss_env
cd xss_env/Scripts && activate
mkdir rxss

1 - Raw HTTP request parser

from __future__ import absolute_import, unicode_literals

from http.server import BaseHTTPRequestHandler
from io import BytesIO

class HTTPRequest(BaseHTTPRequestHandler):
    def __init__(self, request_text):
        self.rfile = BytesIO(request_text)
        self.raw_requestline = self.rfile.readline()
        self.error_code = self.error_message = None
        self.parse_request()

    def send_error(self, code, message):
        self.error_code = code
        self.error_message = message
POST /search.php?test=query HTTP/1.1
Host: testphp.vulnweb.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
Origin: http://testphp.vulnweb.com
Connection: close
Referer: http://testphp.vulnweb.com/search.php?test=query
Upgrade-Insecure-Requests: 1
searchFor=asdas&goButton=go
from __future__ import absolute_import, unicode_literals

from http.server import BaseHTTPRequestHandler
from io import BytesIO


class HTTPRequest(BaseHTTPRequestHandler):
    # Feed the raw request to the stdlib parser by pretending the bytes came from a socket.
    def __init__(self, request_text):
        self.rfile = BytesIO(request_text)
        self.raw_requestline = self.rfile.readline()
        self.error_code = self.error_message = None
        self.parse_request()

    # parse_request() calls send_error() on a malformed request; record the error instead of writing a response.
    def send_error(self, code, message):
        self.error_code = code
        self.error_message = message


with open("requests.txt", "rb") as f:
    request = HTTPRequest(f.read())
if not request.error_code:
    print(request.command)  # prints the HTTP method
    print(request.path)  # prints the request path including the query string
    print(request.headers.keys())  # prints the request header names
    print(request.headers['host'])  # prints the Host header
    content_len = int(request.headers.get('Content-Length', 0))  # default 0: a request without a body has no Content-Length
    print(request.rfile.read(content_len))  # prints the request body
python3 request_parser.py
POST
/search.php?test=query
['Host', 'User-Agent', 'Accept', 'Accept-Language', 'Accept-Encoding', 'Content-Type', 'Content-Length', 'Origin', 'Connection', 'Referer', 'Upgrade-Insecure-Requests']
testphp.vulnweb.com
b'searchFor=asdas&goButton=go'

2 — Initial Prober

pip3 install requests
python3 create_insertions.py
[<__main__.HTTPRequest object at 0x0000021E8AD34A30>, <__main__.HTTPRequest object at 0x0000021E8AD34B80>, <__main__.HTTPRequest object at 0x0000021E8AD34BB0>]
import requests

# assumed: RequestParser and GetInsertionPoints are the classes from the
# create_insertions.py module built in the previous step (its source is not shown in this post)
from create_insertions import RequestParser, GetInsertionPoints


def send_request(request, scheme):
    # rebuild the absolute URL from the parsed Host header and the request path
    url = "{}://{}{}".format(scheme, request.headers.get("host"), request.path)
    req = requests.Request(request.method, url, params=request.params, data=request.data, headers=request.headers)
    r = req.prepare()
    s = requests.Session()
    # redirects are not followed so the reflection is checked in the direct response;
    # verify=False disables TLS certificate checking, which is only acceptable against a test target
    response = s.send(r, allow_redirects=False, verify=False)
    return response


with open("requests.txt", "rb") as f:
    parser = RequestParser(f.read())
i_p = GetInsertionPoints(parser.request)

for request in i_p.requests:
    response = send_request(request, "http")
    if "teyascan" in response.text:
        print("probe reflection found in " + request.insertion)
python .\test.py
probe reflection found in searchFor
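The create_insertions.py step is called above but never shown. Here is an added, self-contained reconstruction of that step and of the prober check (example code written for this edit, not the post's own): the parsed request is turned into one variant per query or body parameter with the post's "teyascan" probe appended to that parameter only, and a reflection is reported per parameter name. The names get_insertion_points and find_reflections are hypothetical, and fetch is an injectable callable so the logic can be exercised without a live target.

```python
from http.server import BaseHTTPRequestHandler
from io import BytesIO
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

PROBE = "teyascan"  # the post's probe marker: unlikely to occur in normal page content

# Constructed sample: the post's requests.txt, embedded so the script runs offline.
RAW_REQUEST = (
    b"POST /search.php?test=query HTTP/1.1\r\n"
    b"Host: testphp.vulnweb.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"searchFor=asdas&goButton=go"
)

class HTTPRequest(BaseHTTPRequestHandler):
    """The post's BaseHTTPRequestHandler trick, plus the body read into .body."""
    def __init__(self, request_text):
        self.rfile = BytesIO(request_text)
        self.raw_requestline = self.rfile.readline()
        self.error_code = self.error_message = None
        self.parse_request()
        self.body = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()

    def send_error(self, code, message):
        self.error_code = code
        self.error_message = message

def get_insertion_points(request):
    """One (location, name, path, body) variant per parameter: the probe is appended
    to exactly one query or body parameter and everything else is left as sent."""
    parts = urlsplit(request.path)
    query = parse_qsl(parts.query, keep_blank_values=True)
    body = parse_qsl(request.body, keep_blank_values=True)
    variants = []
    for i, (name, value) in enumerate(query):
        mutated = query[:i] + [(name, value + PROBE)] + query[i + 1:]
        path = urlunsplit(parts._replace(query=urlencode(mutated)))
        variants.append(("query", name, path, request.body))
    for i, (name, value) in enumerate(body):
        mutated = body[:i] + [(name, value + PROBE)] + body[i + 1:]
        variants.append(("body", name, request.path, urlencode(mutated)))
    return variants

def find_reflections(request, fetch):
    """Initial prober: fetch(path, body) returns the response text; report the
    parameter names whose probe comes back verbatim (the candidates for part 2)."""
    return [name for _, name, path, body in get_insertion_points(request)
            if PROBE in fetch(path, body)]
```

Mutating one parameter at a time is what lets the prober name the reflecting parameter, and it is why the post's output lists three HTTPRequest objects for a request with one query and two body parameters.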

Python Dev, Part time Bug Bounty Hunter & a Full time entrepreneur.
Hungrysoul