Xsssniper Extension Introduction
DOM XSS vulnerabilities with hidden (implicit) output have always been hard for traditional scanning tools to find. Xsssniper is a Chrome browser extension that detects DOM XSS quickly and accurately by parsing the page dynamically.
Besides DOM XSS with implicit output, the extension also finds DOM XSS with visible output and reflected XSS, automatically discovers JSONP XSS, and flags some related issues (such as same-origin method execution).
Principle
XSS detection principle
This extension uses two methods to detect DOM XSS.
The first method: fuzzing
This method has a very low false-positive rate: whatever it reports is certainly a vulnerability. The cost is a relatively high false-negative rate. Concretely, the extension creates a hidden iframe in the current page and, inside that iframe, fuzzes each URL parameter of the current page and the location.hash parameter with payloads built from different character combinations. If a payload executes, the vulnerability definitely exists.
The second method: monitoring changes in JS errors
If the XSS sits in a more hidden location, or a very complex combination of characters is needed to break out of the context, the payload will not execute properly. It may, however, cause JS syntax exceptions, and the extension only needs to detect these exceptions. It then shows the user the location of the error, the error message and the line number, and lets the user confirm by hand. XSS detected this way has few false negatives, but the price is a high false-positive rate.
The two detection methods are combined so that they complement each other.
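The following is an added illustration, not code from the extension: it models the two signals described above against three constructed sinks (unfiltered, partially blocklisted, and properly encoded), using a canary call to stand in for "the payload executed" and a caught SyntaxError for the weaker "JS exception" alarm. The sinks, probe strings and verdict names are all assumptions made for the example.

```javascript
// Constructed sinks: each receives the hash fragment (without '#') and a
// canary function that a probe string may try to call. They stand in for
// page code that builds JavaScript from location.hash.
const sinks = {
  // Unfiltered: the fragment lands directly inside a single-quoted string.
  unfiltered: (frag, canary) =>
    new Function('canary', "var s = '" + frag + "';")(canary),
  // Partial blocklist: strips ( ) and ; so the simple probe cannot run,
  // but a stray quote still breaks the script (method 2 catches this).
  blocklisted: (frag, canary) =>
    new Function('canary', "var s = '" + frag.replace(/[();]/g, '') + "';")(canary),
  // Properly encoded: JSON.stringify always yields a valid JS string literal.
  encoded: (frag, canary) =>
    new Function('canary', 'var s = ' + JSON.stringify(frag) + ';')(canary),
};

// Method 1 signal: did the probe execute (canary fired)?
// Method 2 signal: did the probe make the script throw?
function runProbe(sink, probe) {
  let executed = false;
  const canary = () => { executed = true; };
  try {
    sink(probe, canary);
  } catch (e) {
    const kind = e instanceof SyntaxError ? 'syntax-error' : 'runtime-error';
    return { probe, verdict: kind, detail: e.message };
  }
  return { probe, verdict: executed ? 'executed' : 'clean' };
}

// Constructed probe set in the spirit of "different character combinations":
// lone quotes to provoke errors, and one probe that calls the canary.
const probes = ["'", '"', "';canary();//"];

// Run every probe against one sink and decide which alarm (if any) fires.
function scanSink(sink) {
  const results = probes.map((p) => runProbe(sink, p));
  if (results.some((r) => r.verdict === 'executed')) return 'alarm: payload executed';
  if (results.some((r) => r.verdict === 'syntax-error')) return 'alarm: JS exception, manual review';
  return 'no alarm';
}

for (const [name, sink] of Object.entries(sinks)) {
  console.log(name, '->', scanSink(sink));
}
```

The blocklisted sink shows why the second method matters: the fuzz probe never executes there, yet the SyntaxError it raises still points the tester at the sink.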
How to use
Open Control Panel
On first use, manually update the policy and fill in the list with your test targets. The tester does not actively scan the domains on this list; instead, it checks the current page for XSS vulnerabilities while you browse these sites. So after turning on fuzzing, simply browse these sites as normal.
Alarm type 1: the payload executes directly
If a dialog box pops up while you are browsing and shows a URL containing an XSS payload, as in the illustration below, that URL triggers an XSS vulnerability.
Press F12 to open the console; the URLs that have been tested are listed there. Copy the URL plus payload shown in the dialog box just now.
Alarm type 2: the payload makes JS throw an exception
If the alarm shown below pops up in the lower right corner while you browse a page, a payload has caused JS to throw an exception that the page did not throw before.
Press F12 to open the console; following the icon you can find the exception message and the payload that triggered it, as well as the file and line number that threw the exception, which makes debugging easy.
Alarm type 3: JSONP reflected XSS
If the alarm shown below appears, the JSONP used by the page has an XSS vulnerability. The URL is given in the prompt.
Alarm type 4: possible vulnerability
When the extension finds that a parameter of the current page also appears in a JSONP request, it raises the alarm shown below and asks the tester to confirm manually whether the page parameter can influence the parameters returned by the JSONP response.
Chrome Web Store address: https://chrome.google.com/webstore/detail/domxss-tester/pnhekakhikkhloodcedfcmfpjddcagpi?hl=zh-CN
This article was originally published by 360 Security Broadcast; when reprinting, please credit the source and give the article address.
Article address: http://bobao.360.cn/learning/detail/644.html