### Start Phantom.js XSS Detection Server

Source: https://github.com/netspi/xssvalidator/blob/master/README.md

This command starts the external Phantom.js-powered XSS detection server that the Burp extender depends on. The server accepts base64-encoded page responses passed to it over HTTP and processes them to decide whether a payload fired.

```bash
# start the Phantom.js detection server in the background
phantomjs xss.js &
```

--------------------------------

### Burp Intruder Payload Placement for XSS Testing

Source: https://github.com/netspi/xssvalidator/blob/master/examples/dom-xss extensive tests/README.txt

These examples show how to place Burp Intruder payloads in three different parts of the request URL: the pathname, the hash fragment, and the query string. The `§PAYLOAD§` marker is the injection point. Note that a browser never sends the fragment to the server, so the `#` case only exercises DOM-based sinks such as `location.hash`.

```http
GET /path_to_file.php/§PAYLOAD§ HTTP/1.1
GET /path_to_file.html#§PAYLOAD§ HTTP/1.1
GET /path_to_file.html?var=§PAYLOAD§ HTTP/1.1
```

--------------------------------

### Manually Build XSS Validator Burp Extender JAR

Source: https://github.com/netspi/xssvalidator/blob/master/README.md

These are the manual steps to build the XSS Validator Burp Extender JAR: download the Apache HttpComponents Client libraries with `wget` into `burp-extender/lib`, then compile the project with Apache Ant. Java 7 or higher is required.

```bash
# fetch the runtime dependencies into the extender's lib directory
mkdir ./burp-extender/lib
cd burp-extender/lib
wget https://repo.maven.apache.org/maven2/commons-codec/commons-codec/1.6/commons-codec-1.6.jar
wget https://repo.maven.apache.org/maven2/commons-logging/commons-logging/1.1.3/commons-logging-1.1.3.jar
wget https://repo.maven.org/maven2/org/apache/httpcomponents/fluent-hc/4.3.6/fluent-hc-4.3.6.jar
wget https://repo.maven.org/maven2/org/apache/httpcomponents/httpclient/4.3.6/httpclient-4.3.6.jar
wget https://repo.maven.org/maven2/org/apache/httpcomponents/httpclient-cache/4.3.6/httpclient-cache-4.3.6.jar
wget https://repo.maven.org/maven2/org/apache/httpcomponents/httpcore/4.3.3/httpcore-4.3.3.jar
wget https://repo.maven.org/maven2/org/apache/httpcomponents/httpmime/4.3.6/httpmime-4.3.6.jar
# the Ant build file lives under burp-extender/bin/burp (relative to the lib directory we are in)
cd ../bin/burp
ant
```

--------------------------------

### Build XSS Validator Burp Extender JAR with Bash Script

Source: https://github.com/netspi/xssvalidator/blob/master/README.md

On Debian-based distributions the build can be run with a single script. It performs the same download and compilation steps and produces an `xssValidator.jar` ready to import into Burp Suite.

```bash
bash /path/to/xssValidator/buildXssValidatorJar.sh
```

--------------------------------

### CSS Styling for 404 Error Page

Source: https://github.com/netspi/xssvalidator/blob/master/examples/basic-auth-test/public/404.html

These CSS rules define the appearance of the 404 error page: the body, a centred dialog box, headings, and the informational paragraph below the dialog.

```css
body {
  background-color: #EFEFEF;
  color: #2E2F30;
  text-align: center;
  font-family: arial, sans-serif;
}

div.dialog {
  width: 25em;
  margin: 4em auto 0 auto;
  border: 1px solid #CCC;
  border-right-color: #999;
  border-left-color: #999;
  border-bottom-color: #BBB;
  border-top: #B00100 solid 4px;
  border-top-left-radius: 9px;
  border-top-right-radius: 9px;
  background-color: white;
  padding: 7px 4em 0 4em;
}

h1 {
  font-size: 100%;
  color: #730E15;
  line-height: 1.5em;
}

body > p {
  width: 33em;
  margin: 0 auto 1em;
  padding: 1em 0;
  background-color: #F7F7F7;
  border: 1px solid #CCC;
  border-right-color: #999;
  border-bottom-color: #999;
  border-bottom-left-radius: 4px;
  border-bottom-right-radius: 4px;
  border-top-color: #DADADA;
  color: #666;
  box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
}
```

--------------------------------

### Reflected XSS via `location.search` in Style Attribute

Source: https://github.com/netspi/xssvalidator/blob/master/examples/dom-xss extensive tests/location.search.htmlinject.squot.html

This deliberately vulnerable test page takes the whole query string from `location.search` and writes it unescaped into the single-quoted `style` attribute of a new `div`. Because the value is never encoded, a single quote in the query string closes the attribute and anything that follows is parsed as markup, so an attacker who controls the URL can inject CSS, HTML, or script into the page.

```javascript
// Assumed markup: the div tag inside the string was lost in extraction and is
// restored from the description (single-quoted style attribute, no encoding).
document.write("<div style='" + location.search + "'></div>");
```

--------------------------------

### Injecting CSS via Location Hash for XSS

Source: https://github.com/netspi/xssvalidator/blob/master/examples/dom-xss extensive tests/location.hash.htmlinject.squot.html

This test page uses `document.write` to emit a `div` whose single-quoted `style` attribute is built from `location.hash`. Whoever controls the URL's fragment controls the element's CSS, and a single quote in the fragment breaks out of the attribute entirely, turning a visual-defacement issue into a full DOM-based XSS.

```javascript
// Assumed markup: the div tag inside the string was lost in extraction and is
// restored from the description (single-quoted style attribute fed by the fragment).
document.write("<div style='" + location.hash + "'></div>");
```

--------------------------------

### Evaluate URL Search Parameters in JavaScript

Source: https://github.com/netspi/xssvalidator/blob/master/examples/dom-xss extensive tests/location.search.jsinject.dquot.html

This test page concatenates `location.search` into a double-quoted JavaScript string literal and passes the result to `eval()` so that the query string ends up in a variable `a`. Since the query string is never escaped, a double quote inside it terminates the literal and the remainder is executed as code; the `";{JAVASCRIPT};"` payloads listed later on this page target exactly this sink.

```javascript
eval('a="' + location.search + '"');
```

--------------------------------

### CSS for 'Change Rejected' Error Page Layout

Source: https://github.com/netspi/xssvalidator/blob/master/examples/basic-auth-test/public/422.html

This CSS defines the look of the '422 Unprocessable Entity' error page: page background, a centred dialog box for the main message, headings, and an additional informational paragraph, matching the other error pages in the example application.

```css
body {
  background-color: #EFEFEF;
  color: #2E2F30;
  text-align: center;
  font-family: arial, sans-serif;
}

div.dialog {
  width: 25em;
  margin: 4em auto 0 auto;
  border: 1px solid #CCC;
  border-right-color: #999;
  border-left-color: #999;
  border-bottom-color: #BBB;
  border-top: #B00100 solid 4px;
  border-top-left-radius: 9px;
  border-top-right-radius: 9px;
  background-color: white;
  padding: 7px 4em 0 4em;
}

h1 {
  font-size: 100%;
  color: #730E15;
  line-height: 1.5em;
}

body > p {
  width: 33em;
  margin: 0 auto 1em;
  padding: 1em 0;
  background-color: #F7F7F7;
  border: 1px solid #CCC;
  border-right-color: #999;
  border-bottom-color: #999;
  border-bottom-left-radius: 4px;
  border-bottom-right-radius: 4px;
  border-top-color: #DADADA;
  color: #666;
  box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
}
```

--------------------------------

### Common XSS Payloads for Event Handlers

Source: https://github.com/netspi/xssvalidator/blob/master/examples/dom-xss extensive tests/README.txt

These payload fragments rely on HTML event handlers such as `onload` and `onerror` to run script once the attribute is injected. The leading quote variants are there to close whichever attribute quoting the target uses; `{JAVASCRIPT}` marks where the test script goes.

```text
onload='{JAVASCRIPT}'
" onerror="{JAVASCRIPT}"
" onload="{JAVASCRIPT}"
' onerror='{JAVASCRIPT}'
' onload='{JAVASCRIPT}'
```

--------------------------------

### Evaluate Location Search for XSS Validation

Source: https://github.com/netspi/xssvalidator/blob/master/examples/dom-xss extensive tests/location.search.jsinject.squot.html

The single-quoted counterpart of the test above: `location.search` is concatenated into a single-quoted string literal and handed to `eval()`, assigning the query string to `a`. A single quote in the query string breaks out of the literal, which is what the `';{JAVASCRIPT};'` payloads exercise.

```javascript
eval("a='" + location.search + "'");
```

--------------------------------

### JavaScript URL Parameter Evaluation with eval

Source: https://github.com/netspi/xssvalidator/blob/master/examples/dom-xss extensive tests/location.search.jsinject.html

This test page strips a leading digit and the '?' character from `location.search` and then passes the remainder to `eval()` as the right-hand side of an assignment to `a`. There is no quoting at all here, so the query string is executed directly as JavaScript; the unquoted `;{JAVASCRIPT};` and `1;{JAVASCRIPT}//` payloads target this sink.

```javascript
eval('a=' + location.search.replace(/^[0-9]/, '').replace('?', ''));
```

--------------------------------

### Injecting URL Parameters into HTML Style Attribute for XSS Testing

Source: https://github.com/netspi/xssvalidator/blob/master/examples/dom-xss extensive tests/location.search.htmlinject.dquot.html

This test page uses `document.write` to create a `div` and inserts the raw query string (`location.search`) as the value of its double-quoted `style` attribute. It models the common reflected/DOM XSS situation where URL-controlled data is rendered unescaped into markup: a double quote in the query string closes the attribute and the rest of the input is parsed as HTML.

```javascript
// Assumed markup: the div tag inside the string was lost in extraction and is
// restored from the description (double-quoted style attribute, no encoding).
document.write('<div style="' + location.search + '"></div>');
```

--------------------------------

### Common DOM-based XSS Injection Points

Source: https://github.com/netspi/xssvalidator/blob/master/examples/dom-xss extensive tests/README.txt

These `location` properties are the URL-derived sources that the example pages read from. Any of them reaching a sink such as `eval()` or `document.write()` without encoding is a DOM-based XSS, so they are the first places to check when testing or reviewing client-side code.

```text
1) location.hash
2) location.search
3) location.pathname
```

--------------------------------

### Execute Location Hash with Eval in JavaScript

Source: https://github.com/netspi/xssvalidator/blob/master/examples/dom-xss extensive tests/location.hash.jsinject.dquot.html

This test page builds a double-quoted string literal from `location.hash` and evaluates it with `eval()`, assigning the fragment to `a`. A double quote in the fragment ends the literal, so unescaped fragment content is executed as code.

```javascript
eval('a="' + location.hash + '"');
```

--------------------------------

### Evaluate URL Hash Content via eval()

Source: https://github.com/netspi/xssvalidator/blob/master/examples/dom-xss extensive tests/location.hash.jsinject.html

This test page removes the leading '#' from `location.hash` and evaluates the rest unquoted with `eval()`. Because no quoting wraps the value, whatever follows the '#' in the URL is executed verbatim as JavaScript.

```javascript
eval("a=" + location.hash.replace('#', ''));
```

--------------------------------

### XSS Test Payloads for DOM-based Injections

Source: https://github.com/netspi/xssvalidator/blob/master/examples/dom-xss extensive tests/README.txt

The payload list used against the example pages. Each entry is matched to a sink type: quoted-string breakouts for the `eval` pages, unquoted statements for the unquoted `eval` pages, comment terminators (`//`) to swallow the trailing quote, marker strings (`1jsadif`) to spot reflection without execution, and attribute/tag breakouts for the `document.write` pages. `{JAVASCRIPT}` is replaced with the detection script by xssValidator.

```text
";{JAVASCRIPT};"
';{JAVASCRIPT};'
;{JAVASCRIPT};
";{JAVASCRIPT}//
';{JAVASCRIPT}//
1;{JAVASCRIPT}//
;{JAVASCRIPT}//
1jsadif;
'1jsadif;
';1jsadif;
">
'>
">
'>');
```

--------------------------------

### CSS for 500 Internal Server Error Page Layout

Source: https://github.com/netspi/xssvalidator/blob/master/examples/basic-auth-test/public/500.html

This CSS defines the appearance of the example application's 500 error page: background and text colours, the dialog and paragraph box models, and border styling, matching the 404 and 422 pages.

```css
body {
  background-color: #EFEFEF;
  color: #2E2F30;
  text-align: center;
  font-family: arial, sans-serif;
}

div.dialog {
  width: 25em;
  margin: 4em auto 0 auto;
  border: 1px solid #CCC;
  border-right-color: #999;
  border-left-color: #999;
  border-bottom-color: #BBB;
  border-top: #B00100 solid 4px;
  border-top-left-radius: 9px;
  border-top-right-radius: 9px;
  background-color: white;
  padding: 7px 4em 0 4em;
}

h1 {
  font-size: 100%;
  color: #730E15;
  line-height: 1.5em;
}

body > p {
  width: 33em;
  margin: 0 auto 1em;
  padding: 1em 0;
  background-color: #F7F7F7;
  border: 1px solid #CCC;
  border-right-color: #999;
  border-bottom-color: #999;
  border-bottom-left-radius: 4px;
  border-bottom-right-radius: 4px;
  border-top-color: #DADADA;
  color: #666;
  box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
}
```

--------------------------------

### Evaluate Location Hash for XSS Vulnerability

Source: https://github.com/netspi/xssvalidator/blob/master/examples/dom-xss extensive tests/location.hash.jsinject.squot.html

The single-quoted variant of the hash `eval` test: `location.hash` is concatenated into a single-quoted string literal and evaluated. A single quote in the fragment breaks out of the literal and the remaining fragment content runs as JavaScript.

```javascript
eval("a='" + location.hash + "'");
```

--------------------------------

### Write URL Hash to Document in JavaScript

Source: https://github.com/netspi/xssvalidator/blob/master/examples/dom-xss extensive tests/location.hash.htmlinject.html

This test page writes the URL fragment (everything from '#' onward) straight into the document with `document.write`. It is the simplest DOM XSS sink in the set: the fragment is rendered as HTML with no context to break out of, so any markup in the URL is parsed and executed as page content.

```javascript
document.write(location.hash);
```