Hello,
I have been developing a number of custom plugins for
version 3.2.9 that test for types of XSS filter
evasion. I have noticed that plugins that inject Null
bytes break reporting when they are successful, i.e.
when the attack succeeds and the XSS works, the
following will be contained in the html:
<SCR[null]IPT>alert('Paros')</SCR[null]IPT>
Within the plugin itself, I am injecting the null
byte with the \u0000 unicode representation.
The presence of the null bytes within the HTML causes
Paros not to generate a report. It will scan and
identify the security issue, and you can view the
request and response, but when generating an HTML
report, the report never appears.
I have compensated by putting those into a separate
category for now, called "Manual Report", and
basically look visually at the HTML output to see if
the attacks succeed.
I have looked through the 3.2.9 source but I'm unable
to track down the problem.
To verify this problem,
1. modify an XSS plugin as shown below:
import java.util.regex.Pattern;

// Payload and matcher for the NUL-byte filter evasion; \u0000 becomes a real NUL
// character in the Java string literal.
private static final String XSS1
    = "<SCR\u0000IPT>alert('" + Constant.getEyeCatcher() + "')</SCR\u0000IPT>";

private static final Pattern patternXSS1
    = Pattern.compile("<SCR\u0000IPT>alert\\('" + Constant.getEyeCatcher() + "'\\)</SCR\u0000IPT>");
2. Run the plugin on an XSS vulnerable target, so
that the nulls appear within the body of the HTML
returned from the target. (If you need a server
that's vulnerable to this, I can point out servers
and versions for your testing).
3. Generate the report. The process of report
generation should fail silently and the report should
never appear.
Hope this helps. If you need additional information,
I can put together some screen shots for you or even
send you one of my plugins that causes this problem.
thanks
-tom
Logged In: YES
user_id=1485211
I have attached a PDF that shows some screenshots and
offers a quick explanation.
Logged In: YES
user_id=810965
Can you provide the complete stacktrace (by starting Paros
using the command line)? There should be some exception
generated during report generation.
parosproxy.org
Logged In: YES
user_id=1485211
C:\Documents and Settings\sterling\Desktop\Sobakawa\paros\build>cd paros
C:\Documents and Settings\sterling\Desktop\Sobakawa\paros\build\paros>java -jar paros.jar
file:/C:/Documents%20and%20Settings/sterling/Desktop/Sobakawa/paros/build/paros/paros.jar
file:/C:/Documents%20and%20Settings/sterling/Desktop/Sobakawa/paros/build/paros/paros.jar
[Fatal Error] :419:27: An invalid XML character (Unicode: 0x0) was found in the element content of the document.
org.xml.sax.SAXParseException: An invalid XML character (Unicode: 0x0) was found in the element content of the document.
    at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(Unknown Source)
    at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(Unknown Source)
    at org.parosproxy.paros.extension.report.ReportGenerator.stringToHtml(Unknown Source)
    at org.parosproxy.paros.extension.report.ReportLastScan.generate(Unknown Source)
    at org.parosproxy.paros.extension.report.ReportLastScan.generate(Unknown Source)
    at org.parosproxy.paros.extension.report.ExtensionReport$1.actionPerformed(Unknown Source)
    at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
    at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
    at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
    at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
    at javax.swing.AbstractButton.doClick(Unknown Source)
    at javax.swing.plaf.basic.BasicMenuItemUI.doClick(Unknown Source)
    at javax.swing.plaf.basic.BasicMenuItemUI$Handler.mouseReleased(Unknown Source)
    at java.awt.Component.processMouseEvent(Unknown Source)
    at javax.swing.JComponent.processMouseEvent(Unknown Source)
    at java.awt.Component.processEvent(Unknown Source)
    at java.awt.Container.processEvent(Unknown Source)
    at java.awt.Component.dispatchEventImpl(Unknown Source)
    at java.awt.Container.dispatchEventImpl(Unknown Source)
    at java.awt.Component.dispatchEvent(Unknown Source)
    at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
    at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
    at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
    at java.awt.Container.dispatchEventImpl(Unknown Source)
    at java.awt.Window.dispatchEventImpl(Unknown Source)
    at java.awt.Component.dispatchEvent(Unknown Source)
    at java.awt.EventQueue.dispatchEvent(Unknown Source)
    at java.awt.EventDispatchThread.pumpOneEventForHierarchy(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.run(Unknown Source)
Logged In: YES
user_id=810965
This is not a fault of Paros reporting. You should encode
the display in this case because the XML SAX generator
cannot parse the \u0000 instead.
parosproxy.org
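As an added example (not Paros code and not written by any of the posters above), the Java below shows what the last reply means by encoding the display: a raw NUL in the evidence string makes the DOM parser throw the same "invalid XML character (Unicode: 0x0) ... element content" error as the stack trace, while rendering it as the visible text `\u0000` (and escaping the markup) lets the report parse. The `<report><alert>` wrapper, the sample evidence string and the method names are constructed for illustration only; nothing about Paros's real report format is assumed.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XmlSafeReportText {

    // True for code points the XML 1.0 "Char" production allows anywhere in a document.
    // U+0000 is not among them, which is exactly why the report parse fails.
    static boolean isXmlChar(int cp) {
        return cp == 0x9 || cp == 0xA || cp == 0xD
            || (cp >= 0x20 && cp <= 0xD7FF)
            || (cp >= 0xE000 && cp <= 0xFFFD)
            || (cp >= 0x10000 && cp <= 0x10FFFF);
    }

    // Encode scanner evidence for inclusion in XML element content:
    // markup is escaped so the payload is displayed rather than interpreted, and any
    // code point XML cannot carry is replaced by its visible \\uXXXX spelling.
    static String toXmlSafeText(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); ) {
            int cp = s.codePointAt(i);
            i += Character.charCount(cp);
            if (!isXmlChar(cp)) {
                out.append(String.format("\\u%04X", cp));
            } else if (cp == '<') {
                out.append("&lt;");
            } else if (cp == '>') {
                out.append("&gt;");
            } else if (cp == '&') {
                out.append("&amp;");
            } else {
                out.appendCodePoint(cp);
            }
        }
        return out.toString();
    }

    // Escape only the markup, leaving other characters untouched (the failing case).
    static String escapeMarkupOnly(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
    }

    // Parse with the default JAXP DOM parser; returns null on success or the parser's
    // message on failure. The default error handler also prints "[Fatal Error]" to stderr,
    // which is the first line seen in the console output above.
    static String tryParse(String xml) {
        try {
            DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
            db.parse(new InputSource(new StringReader(xml)));
            return null;
        } catch (SAXParseException e) {
            return e.getMessage();
        } catch (Exception e) {
            return e.toString();
        }
    }

    public static void main(String[] args) {
        // Constructed sample evidence: the reported payload with real NUL characters inside SCRIPT.
        String evidence = "<SCR\u0000IPT>alert('Paros')</SCR\u0000IPT>";

        // Markup escaped but NUL left in place: the parser rejects the element content.
        String raw = "<report><alert>" + escapeMarkupOnly(evidence) + "</alert></report>";
        System.out.println("raw     : " + tryParse(raw));

        // Fully encoded: the NUL is shown as the text \u0000 and the document parses.
        String safe = "<report><alert>" + toXmlSafeText(evidence) + "</alert></report>";
        System.out.println("encoded : " + tryParse(safe));
        System.out.println(safe);
    }
}
```

The same `isXmlChar` range also catches U+FFFE, U+FFFF and lone surrogates, so applying `toXmlSafeText` to every evidence string before it reaches the report generator covers more than the NUL case discussed here; the `\uXXXX` spelling is chosen because it is what the plugin author already uses to describe the payload, so the report stays readable.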