Unlike many traditional security scanners, snuck is mainly used to break through XSS filters. snuck is based on Selenium and supports the Mozilla Firefox, Google Chrome and Internet Explorer browsers.
Usage:
>java -jar snuck.jar
Usage: snuck [-start xmlconfigfile ] -config xmlconfigfile -report htmlreportfile [-d # ms_delay]
[-proxy IP:port] [-chrome chromedriver ] [-ie iedriver] [-remotevectors URL] [-stop-first]
[-reflected targetURL -p parameter_toTest] [-no-multi]
Options :
-start path to login use case (XML file)
-config path to injection use case (XML file)
-report report file name (html extension is required)
-d delay (ms) between each injection
-proxy proxy server (IP: port)
-chrome perform a test with Google Chrome, instead of Firefox. It needs the path to the chromedriver
-ie perform a test with Internet Explorer, instead of Firefox.
Disable the built in XSS filter in advance
-remotevectors use an up-to-date online attack vectors source instead of the local one
-stop-first stop the test upon a successful vector is detected
-no-multi deactivate multithreading for the reverse engineering process - a sequential approach will be adopted
-reflected perform a reflected XSS test (without writing the XML config file)
-p HTTP GET parameter to inject (useful if -reflected is setted)
-help show this help menu
Built-in XSS attack test vectors
1. html_payloads: it stores HTML tags whose purpose is to generate an alert dialog window.
2. js_alert payloads: it stores many javascript approaches to trigger an alert dialog window, such as alert(1) or eval(alert(2)).
3. uri_payloads: it stores malicious URIs, such as javascript:alert(1).
4. expression_alert_payloads: it stores malicious expression payloads, such as expression(URL=0);
XML test configuration walkthrough (a shopping site test example)
Main configuration XML
<?xml version="1.0" encoding="UTF-8"?>
<root>
<post>
<commands>
<command>
<name>open</name>
<target>http://wtfbay.com/modify.php?id=90</target>
<value></value>
</command>
<command>
<name>type</name>
<target>name=name</target>
<value>${RANDOM}</value>
</command>
<command>
<name>type</name>
<target>id=description</target>
<value>${INJECTION}</value>
</command>
<command>
<name>click</name>
<target>name=submit</target>
<value></value>
</command>
<command>
<name>select</name>
<target>id=cat</target>
<value>Bike</value>
</command>
<command>
<name>click</name>
<target>name=submit</target>
<value></value>
</command>
</commands>
</post>
</root>
Login configuration
<?xml version="1.0" encoding="UTF-8"?>
<root>
<post>
<commands>
<command>
<name>open</name>
<target>http://wtfbay.com/login.php</target>
<value></value>
</command>
<command>
<name>type</name>
<target>name=user</target>
<value>admin</value>
</command>
<command>
<name>type</name>
<target>name=pwd</target>
<value>admin</value>
</command>
<command>
<name>click</name>
<target>name=submit</target>
<value></value>
</command>
</commands>
</post>
</root>
Running the test
> java -jar snuck.jar -config usecase.xml -report report.html -start login.xml
For more details, see https://code.google.com/p/snuck/wiki/Tutorial
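A pre-flight check for the use-case files above, as an added example that is not part of the original page or of snuck itself: it parses the XML and reports unknown command names, `open` targets outside an authorized host list, and a missing `${INJECTION}` placeholder. The function name `lint_usecase`, the allowed-host set and the rule that only the four commands shown on this page are valid are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumption: only the command names used on this page are treated as valid.
KNOWN_COMMANDS = {"open", "type", "click", "select"}
INJECTION = "${INJECTION}"

def lint_usecase(xml_text, allowed_hosts, is_login=False):
    """Return a list of problems in a snuck use-case file (empty list = OK)."""
    commands = ET.fromstring(xml_text).findall("./post/commands/command")
    if not commands:
        return ["no <command> elements under root/post/commands"]
    problems, injections = [], 0
    for i, cmd in enumerate(commands, 1):
        name = (cmd.findtext("name") or "").strip()
        target = (cmd.findtext("target") or "").strip()
        value = cmd.findtext("value") or ""
        if name not in KNOWN_COMMANDS:
            problems.append(f"command {i}: unknown name {name!r}")
        if not target:
            problems.append(f"command {i}: empty <target>")
        elif name == "open" and urlparse(target).hostname not in allowed_hosts:
            # Scope check: the browser must only be driven at authorized hosts.
            problems.append(f"command {i}: {target!r} is outside the authorized hosts")
        injections += value.count(INJECTION)
    if is_login and injections:
        problems.append("login use case must not contain " + INJECTION)
    if not is_login and injections == 0:
        problems.append("injection use case has no " + INJECTION + " placeholder")
    return problems

# Constructed samples (only the host and field names are taken from this page).
SAMPLE_OK = """<root><post><commands>
<command><name>open</name><target>http://wtfbay.com/modify.php?id=90</target><value></value></command>
<command><name>type</name><target>id=description</target><value>${INJECTION}</value></command>
<command><name>click</name><target>name=submit</target><value></value></command>
</commands></post></root>"""

SAMPLE_BAD = """<root><post><commands>
<command><name>open</name><target>http://other.example/modify.php</target><value></value></command>
<command><name>typ</name><target>id=description</target><value>text</value></command>
</commands></post></root>"""

if __name__ == "__main__":
    for label, doc in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, lint_usecase(doc, {"wtfbay.com"}) or "no problems")
```

Run it on both usecase.xml and login.xml (with `is_login=True` for the latter) before starting snuck, so a mistyped host or command name is caught before the browser is driven.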
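Further reading
Selenium is a tool for testing web applications. Selenium tests run directly in the browser, just as a real user would operate it. Supported browsers include IE, Mozilla Firefox, Mozilla Suite and others. Its main functions include: browser compatibility testing, which checks whether your application works well across different browsers and operating systems; and system functional testing, which creates regression tests to verify software functionality and user requirements. It supports automatic recording of actions and automatic generation of test scripts in .NET, Java, Perl and other languages. Selenium is an acceptance testing tool written by ThoughtWorks specifically for web applications.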
