Unibomber tool for specialized XSS testing
27 Jul 2009
At Black Hat I’m planning to demo a new tool we’ve been putting together at Casaba Security. It’s mostly a brute force input testing tool right now, aimed at finding cross-site scripting (XSS) bugs but with a unique set of techniques. It automates the testing process greatly, by auto-injecting a canary and ID into each input be it query string, HTTP header, or POST parameter.
It basically bombs a Web-app with a slew of Unicode characters to find XSS bugs – hence the name – Unibomber.
Appended to the canary is a special character – special because it can transform into a ‘dangerous’ character through normalization, casing, or best-fit mapping operations. So we end up injecting these special characters all over the place and then detecting where they get transformed and displayed as output.
The beauty is that we can find both reflected and persistent XSS bugs this way. It’s not a one-click tool though; it is intended for an experienced tester who knows how to find and exploit an XSS bug. The Unibomber assists the pen-tester by automating input injection and ‘output encoding’ detection to find the vulnerability hotspots.
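To make the canary-plus-special-character idea concrete, here is an added example (my own illustration, not the Unibomber code from Casaba Security): it builds a canary + ID + special-character payload per input, then classifies where each canary resurfaces in the response. The canary value, the fullwidth-character list and the simulated server (which normalizes, encodes, or echoes raw in different orders) are assumptions constructed for the demo.

```python
import html
import re
import unicodedata

# Constructed list of "special" characters: harmless as typed, but each becomes
# a markup-significant ASCII character under NFKC normalization.
SPECIAL_CHARS = {
    "\uff1c": "<",   # FULLWIDTH LESS-THAN SIGN
    "\uff1e": ">",   # FULLWIDTH GREATER-THAN SIGN
    "\uff02": '"',   # FULLWIDTH QUOTATION MARK
    "\uff07": "'",   # FULLWIDTH APOSTROPHE
}

CANARY = "zq9v"  # hypothetical canary prefix; a real run would randomize it


def build_payloads(input_names):
    """Return {input_name: payload}: canary + zero-padded ID + one special char."""
    specials = list(SPECIAL_CHARS)
    return {name: f"{CANARY}{idx:03d}{specials[idx % len(specials)]}"
            for idx, name in enumerate(input_names, start=1)}


def classify_output(response, payloads):
    """For each canary+ID seen in the response, report what follows it."""
    results = {}
    for name, payload in payloads.items():
        marker, special = payload[:-1], payload[-1]
        dangerous = SPECIAL_CHARS[special]
        m = re.search(re.escape(marker) + r"(.{0,6})", response, re.DOTALL)
        if m is None:
            results[name] = "absent"          # not reflected (or stored elsewhere)
        elif m.group(1).startswith(dangerous):
            results[name] = "transformed"     # normalized into raw markup: hotspot
        elif m.group(1).startswith(special):
            results[name] = "reflected-raw"   # unchanged; may transform downstream
        elif m.group(1).startswith("&"):
            results[name] = "encoded"         # output-encoded before markup
        else:
            results[name] = "unknown"
    return results


def simulate_server(payloads):
    """Constructed stand-in for a web app with three inputs: 'q' escapes and
    then normalizes (wrong order), 'name' normalizes then escapes, 'ref' echoes raw."""
    nfkc = lambda s: unicodedata.normalize("NFKC", s)
    return (f"<p>{nfkc(html.escape(payloads['q']))}</p>"
            f"<p>{html.escape(nfkc(payloads['name']))}</p>"
            f"<p>{payloads['ref']}</p>")
```

The "transformed" verdict is the one worth chasing: output encoding ran before normalization, so the fullwidth character reached the page as a real `>`.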