This is a Greasemonkey tool which is a few years old by now, but it is still a tool I use pretty often and which has served me very well when doing a quick recon for XSS issues.

It is a ‘quick-n-dirty’ way of testing the page you are on. It extracts the links from that page (including the current URL) and creates a list of URLs to fuzz, where each parameter is fuzzed once.

The ‘quick’ fuzz vector is hzg<izg"jzg'kzg%c0%bcgzh, which packs four payloads into one. The ‘thorough’ fuzzing instead creates four separate fuzz vectors for each parameter.

It then fetches each URL using XHR and checks whether the response contains any of the fuzz markers unencoded. For example, if the page contains hzg<izg, the < was not HTML-encoded, which indicates that output encoding was not performed correctly, and there is a high chance of turning it into an actual exploit. That is, XSS.
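The steps above, as an added example written for this page rather than the original userscript: it derives the fuzzed URL list for one link (one URL per parameter in quick mode, four in thorough mode) and inspects a response body for markers that came back unencoded. The single-payload marker layout for thorough mode (hzg…izg) and the sample response are assumptions, not taken from the tool.

```javascript
// Added example, not the original Greasemonkey script. Pure functions so it runs
// offline; in the browser the URLs would be fetched with XHR and the body passed
// to unencodedReflections().
const QUICK = `hzg<izg"jzg'kzg%c0%bcgzh`;    // the post's combined vector
const PAYLOADS = ["<", '"', "'", "%c0%bc"];  // %c0%bc: overlong UTF-8 form of "<"
const LEFT = "hzg", RIGHT = "izg";           // assumed single-payload marker layout

// Percent-encode a vector for the query string, but leave the %c0%bc payload as
// it is: encoding it again would send "%25c0%25bc" and defeat its purpose.
function encodeVector(vec) {
  return vec.split("%c0%bc").map(encodeURIComponent).join("%c0%bc");
}

// Return the URLs to fetch for one page link. Each parameter is replaced in
// turn while the other parameters keep their original values.
function fuzzUrls(link, thorough = false) {
  const u = new URL(link);
  const names = [...new Set(u.searchParams.keys())];
  const vectors = thorough ? PAYLOADS.map(p => LEFT + p + RIGHT) : [QUICK];
  const out = [];
  for (const target of names) {
    for (const vec of vectors) {
      const query = names.map(n => {
        const value = n === target ? encodeVector(vec)
                                   : encodeURIComponent(u.searchParams.get(n));
        return `${encodeURIComponent(n)}=${value}`;
      }).join("&");
      out.push(`${u.origin}${u.pathname}?${query}`);
    }
  }
  return out;
}

// Report which payloads a response body reflects verbatim: the bracketing
// letters came back with the metacharacter untouched between them, so output
// encoding was not applied to that reflection. The %c0%bc case is matched on
// its literal percent form (assumption; a decoding server may echo raw bytes).
function unencodedReflections(body) {
  const pieces = [["hzg", "<", "izg"], ["izg", '"', "jzg"],
                  ["jzg", "'", "kzg"], ["kzg", "%c0%bc", "gzh"]];
  return pieces
    .filter(([l, p, r]) => body.includes(l + p + r) || body.includes(LEFT + p + RIGHT))
    .map(([, p]) => p);
}

// Constructed sample: a page that HTML-encodes < and " but reflects ' raw.
const SAMPLE_BODY = `<input value="hzg&lt;izg&quot;jzg'kzg%25c0%25bcgzh">`;
```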

I find that this modest approach works very well; I don’t particularly like it when frameworks try to find an actual XSS vector. Once the vulnerability has been flagged in this simple manner, I can take the next step manually.

Vulnerability: erroneous output encoding. Exploit: cross-site scripting.


Source code repos:
