NBG0x1/xss.js

## xss.js
var DEBUG = false

// Create xss object that will be used to track XSS information
var xss = new Object();
xss.value = 0;
xss.msg = "";

/**
 * parse incoming HTTP responses that are provided via BURP intruder.
 * data is base64 encoded to prevent issues passing via HTTP.
 *
 * This function appends the js-overrides.js file to all responses
 * to inject xss triggers into every page. Webkit will parse all responses
 * and alert us of any seemingly malicious Javascript execution, such as
 * alert, confirm, fromCharCode, etc.
 */
parsePage = function(data) {
	if (DEBUG) {
		console.log("Beginning to parse page");
	}

	var html_response = "";
	wp.content = data;

	// Evaluate page, rendering javascript

	xssInfo = wp.evaluate(function (wp) {
                var tags = ["a", "abbr", "acronym", "address", "applet", "area", "article", "aside", "audio", "audioscope", "b", "base", "basefont", "bdi", "bdo", "bgsound", "big", "blackface", "blink", "blockquote", "body", "bq", "br", "button", "canvas", "caption", "center", "cite", "code", "col", "colgroup", "command", "comment", "datalist", "dd", "del", "details", "dfn", "dir", "div", "dl", "dt", "em", "embed", "fieldset", "figcaption", "figure", "fn", "font", "footer", "form", "frame", "frameset", "h1", "h2", "h3", "h4", "h5", "h6", "head", "header", "hgroup", "hr", "html", "i", "iframe", "ilayer", "img", "input", "ins", "isindex", "kbd", "keygen", "label", "layer", "legend", "li", "limittext", "link", "listing", "map", "mark", "marquee", "menu", "meta", "meter", "multicol", "nav", "nobr", "noembed", "noframes", "noscript", "nosmartquotes", "object", "ol", "optgroup", "option", "output", "p", "param", "plaintext", "pre", "progress", "q", "rp", "rt", "ruby", "s", "samp", "script", "section", "select", "server", "shadow", "sidebar", "small", "source", "spacer", "span", "strike", "strong", "style", "sub", "sup", "table", "tbody", "td", "textarea", "tfoot", "th", "thead", "time", "title", "tr", "tt", "u", "ul", "var", "video", "wbr", "xml", "xmp"];
                var eventHandler = ["mousemove","mouseout","mouseover"];

                tags.forEach(function(tag) {
                        currentTags = document.querySelector(tag);
                        if (currentTags !== null){
                                eventHandler.forEach(function(currentEvent){
		                        var ev = document.createEvent("MouseEvents");
                                        ev.initEvent(currentEvent, true, true);
                                        currentTags.dispatchEvent(ev);
                                });
                        }
                });
		// Return information from page, if necessary
	}, wp);

	if(xss) {
		// xss detected, return
		return xss;
	}
	return false;
};

/**
 * After retriving data it is important to reinitialize certain
 * variables, specifically those related to the WebPage objects.
 * Without reinitializing the WebPage object may contain old data,
 * and as such, trigger false-positive messages.
 */
reInitializeWebPage = function() {
	wp = new WebPage();
	xss = new Object();
	xss.value = 0;
	xss.msg = "";

	// web page settings necessary to adequately detect XSS
	wp.settings = {
		loadImages: true,
		localToRemoteUrlAccessEnabled: true,
		javascriptEnabled: true,
		webSecurityEnabled: false,
		XSSAuditingEnabled: false
	};

	// Custom handler for alert functionality
	wp.onAlert = function(msg) {
		console.log("On alert: " + msg);

		xss.value = 1;
		xss.msg += 'XSS found: alert(' + msg + ')';
	};

	wp.onConsoleMessage = function(msg) {
		console.log("On console.log: " + msg);

		xss.value = 1;
		xss.msg += 'XSS found: console.log(' + msg + ')';
	};

	wp.onConfirm = function(msg) {
		console.log("On confirm: " + msg);

		xss.value = 1;
		xss.msg += 'XSS found: confirm(' + msg + ')';
	};

	wp.onPrompt = function(msg) {
		console.log("On prompt: " + msg);

		xss.value = 1;
		xss.msg += 'XSS found: prompt(' + msg + ')';
	};

	return wp;
};

// Initialize webpage to ensure that all variables are
// initialized.
var wp = reInitializeWebPage();

// Hard code the response for simplicity
var response = "HTTP/1.1 200 OK\nContent-Type: text/xml; charset=utf-8\nContent-Length: length\n\n<HTML>\n  <BODY>\n    <SCRIPT>alert('Carrier Rocks!')</SCRIPT>\n  </BODY>\n</HTML>\n\n";
xssResults = parsePage(response);

if(xssResults){
	console.log("We discovered XSS on the page!!!");
	phantom.exit();
}

// Re-initialize webpage after parsing request
wp = reInitializeWebPage();
pageResponse = null;
xssResults = null;

phantom.exit();
	var DEBUG = false

	// Create xss object that will be used to track XSS information
	var xss = new Object();
	xss.value = 0;
	xss.msg = "";

	/**
	* parse incoming HTTP responses that are provided via BURP intruder.
	* data is base64 encoded to prevent issues passing via HTTP.
	*
	* This function appends the js-overrides.js file to all responses
	* to inject xss triggers into every page. Webkit will parse all responses
	* and alert us of any seemingly malicious Javascript execution, such as
	* alert, confirm, fromCharCode, etc.
	*/
	parsePage = function(data) {
	if (DEBUG) {
	console.log("Beginning to parse page");
	}

	var html_response = "";
	wp.content = data;

	// Evaluate page, rendering javascript

	xssInfo = wp.evaluate(function (wp) {
	var tags = ["a", "abbr", "acronym", "address", "applet", "area", "article", "aside", "audio", "audioscope", "b", "base", "basefont", "bdi", "bdo", "bgsound", "big", "blackface", "blink", "blockquote", "body", "bq", "br", "button", "canvas", "caption", "center", "cite", "code", "col", "colgroup", "command", "comment", "datalist", "dd", "del", "details", "dfn", "dir", "div", "dl", "dt", "em", "embed", "fieldset", "figcaption", "figure", "fn", "font", "footer", "form", "frame", "frameset", "h1", "h2", "h3", "h4", "h5", "h6", "head", "header", "hgroup", "hr", "html", "i", "iframe", "ilayer", "img", "input", "ins", "isindex", "kbd", "keygen", "label", "layer", "legend", "li", "limittext", "link", "listing", "map", "mark", "marquee", "menu", "meta", "meter", "multicol", "nav", "nobr", "noembed", "noframes", "noscript", "nosmartquotes", "object", "ol", "optgroup", "option", "output", "p", "param", "plaintext", "pre", "progress", "q", "rp", "rt", "ruby", "s", "samp", "script", "section", "select", "server", "shadow", "sidebar", "small", "source", "spacer", "span", "strike", "strong", "style", "sub", "sup", "table", "tbody", "td", "textarea", "tfoot", "th", "thead", "time", "title", "tr", "tt", "u", "ul", "var", "video", "wbr", "xml", "xmp"];
	var eventHandler = ["mousemove","mouseout","mouseover"];

	tags.forEach(function(tag) {
	currentTags = document.querySelector(tag);
	if (currentTags !== null){
	eventHandler.forEach(function(currentEvent){
	var ev = document.createEvent("MouseEvents");
	ev.initEvent(currentEvent, true, true);
	currentTags.dispatchEvent(ev);
	});
	}
	});
	// Return information from page, if necessary
	}, wp);

	if(xss) {
	// xss detected, return
	return xss;
	}
	return false;
	};

	/**
	* After retriving data it is important to reinitialize certain
	* variables, specifically those related to the WebPage objects.
	* Without reinitializing the WebPage object may contain old data,
	* and as such, trigger false-positive messages.
	*/
	reInitializeWebPage = function() {
	wp = new WebPage();
	xss = new Object();
	xss.value = 0;
	xss.msg = "";

	// web page settings necessary to adequately detect XSS
	wp.settings = {
	loadImages: true,
	localToRemoteUrlAccessEnabled: true,
	javascriptEnabled: true,
	webSecurityEnabled: false,
	XSSAuditingEnabled: false
	};

	// Custom handler for alert functionality
	wp.onAlert = function(msg) {
	console.log("On alert: " + msg);

	xss.value = 1;
	xss.msg += 'XSS found: alert(' + msg + ')';
	};

	wp.onConsoleMessage = function(msg) {
	console.log("On console.log: " + msg);

	xss.value = 1;
	xss.msg += 'XSS found: console.log(' + msg + ')';
	};

	wp.onConfirm = function(msg) {
	console.log("On confirm: " + msg);

	xss.value = 1;
	xss.msg += 'XSS found: confirm(' + msg + ')';
	};

	wp.onPrompt = function(msg) {
	console.log("On prompt: " + msg);

	xss.value = 1;
	xss.msg += 'XSS found: prompt(' + msg + ')';
	};

	return wp;
	};

	// Initialize webpage to ensure that all variables are
	// initialized.
	var wp = reInitializeWebPage();

	// Hard code the response for simplicity
	var response = "HTTP/1.1 200 OK\nContent-Type: text/xml; charset=utf-8\nContent-Length: length\n\n<HTML>\n <BODY>\n <SCRIPT>alert('Carrier Rocks!')</SCRIPT>\n </BODY>\n</HTML>\n\n";
	xssResults = parsePage(response);

	if(xssResults){
	console.log("We discovered XSS on the page!!!");
	phantom.exit();
	}

	// Re-initialize webpage after parsing request
	wp = reInitializeWebPage();
	pageResponse = null;
	xssResults = null;

	phantom.exit();