I've recently found this blog entry on a tool that writes XSS attacks directly to the database. It looks like a terribly good way to scan my applications for weaknesses.

I've tried to run it on Mono, since my development platform is Linux. Unfortunately it crashes with a System.ArgumentNullException deep inside Microsoft.Practices.EnterpriseLibrary and I seem to be unable to find sufficient information about the software (it seems to be a single-shot project, with no homepage and no further development).

Is anyone aware of a similar tool? Preferably it should be:

  • cross-platform (Java, Python, .NET/Mono, even cross-platform C is ok)
  • open source (I really like being able to audit my security tools)
  • able to talk to a wide range of DB products (the big ones are most important: MySQL, Oracle, SQL Server, ...)

Edit: I'd like to clarify my goal: I'd like a tool that directly writes the result of a successful XSS/SQL injection attack into the database. The idea is that I want to check that every place in my app does correct output encoding. Detecting and avoiding the data getting there in the first place is an entirely different thing (and might not be possible when I display data that's written to the DB by a third-party application).

Edit 2: Corneliu Tusnea, the author of the tool I linked to above, has since released the tool as free software on codeplex: http://xssattack.codeplex.com/

+1  A: 

There are some Firefox plugins to do some XSS testing here: http://labs.securitycompass.com/index.php/exploit-me/

ar
Those are probably useful tools, but they are not what I'm looking for. I'd like to inject the attacks into the DB to *explicitly* test the output encoding.
Joachim Sauer
+1  A: 

A friend of mine keeps saying, that php-ids is pretty good. I haven't tried it myself, but it sounds as if it could approximately match your description:

  • Open Source (LGPL),
  • Cross Platform - PHP is not in your list, but maybe it's ok?
  • Detects "all sorts of XSS, SQL Injection, header injection, directory traversal, RFE/LFI, DoS and LDAP attacks" (this is from the FAQ)
  • Logs to databases.
Chris Lercher
I'm sorry, but that's not what I'm looking for. I'm trying to test my output encoding by injecting XSS attack strings into my database. This seems to be a filter that detects current attacks, and it only works for PHP applications.
Joachim Sauer
@Joachim Sauer: I completely misunderstood your sentence "that writes XSS attacks directly to the database" - I thought you meant it should write the facts about an attack that occurred directly to the database.
Chris Lercher
+1  A: 

I don't think there is such a tool, other than the one you pointed us to. I think there's a good reason for that: It's probably not the best way to test that each and every output is properly encoded for the applicable context.

From reading about that tool it seems the premise is to insert random XSS vectors into the database and then you browse your application to see if any of those vectors succeed. This is rather a hit-and-miss methodology, to say the least.

A much better idea, I think, would be to perform code reviews.

You may find it helpful to have a look at some of the resources available at http://owasp.org - namely the Application Security Verification Standard (ASVS), the Testing Guide and the Code Review Guide.

jah
@jah: I agree that there may be better ways, but code reviews can be just as hit-and-miss. I'm not saying that such a tool would be the end-all-be-all of security tools (no tool can be), but it can be a very useful tool for a first approximation.
Joachim Sauer
@Joachim: I disagree that 'code reviews can be just as hit-and-miss' (they can be poorly executed - sure). The problems with that specific tool are twofold: first, there doesn't seem to be any control over what vectors are tested, so a methodical approach, ensuring that a broad range of techniques is tried for every field, is out of the question; and second, there's no way to map specific inputs to their respective outputs - you just browse the application hoping for hits. If you properly define a set of security controls, it should be very easy to check they are being used with a code review.
jah
+2  A: 

Not sure if this is what you're after; it's a parameter fuzzer for HTTP/HTTPS.

I haven't used it in a while, but IIRC it acts as a proxy between you and the web application in question - and will insert XSS/SQL Injection attack strings into any input fields before deeming whether the response was "interesting" or not, thus whether the application is vulnerable or not.

http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

From your question I'm guessing it is a type of fuzzer you're looking for, and one specifically for XSS and web applications; if I'm right - then that might help you!

It's part of the Open Web Application Security Project (OWASP) that "jah" has linked you to above.

Moddy
This too looks very interesting, but it's not what I was looking for specifically. I want to test the correct *output encoding* of my apps! For this I need data in my database **as if an attack has succeeded**, no matter if my app is vulnerable or not.
Joachim Sauer
@Joachim: If your database offers a web interface, then maybe you could run the parameter fuzzer on that interface, so it can insert anything directly into the database (maybe define some updatable views of the tables first, so it can't change primary keys etc.). Then you'd have to check if your application exposes unescaped content. This could be a workaround, if you don't find a better suited tool...
Chris Lercher
@chris_l: neat idea! I'll look into that, if I don't find the "perfect" tool.
Joachim Sauer
+2  A: 

I think metasploit has most of the attributes you are looking for. It may even be the only one that has all of what you specify, since all the others I can think of are closed source. There are a few existing modules that deal with XSS and one in particular that you should take a peek at: HTTP Microsoft SQL Injection Table XSS Infection. From the sounds of that module it is capable of doing exactly what you are wanting to do. The framework is written in Ruby I believe, and is supposed to be easy to extend with your own modules which you may need/want to do. I hope that helps.

http://www.metasploit.com/

Mike Williamson
This definitely goes in the right direction! It still writes the data via an exploit, which wouldn't be necessary for my use case, but it does what I want.
Joachim Sauer
Ok, thanks for the clarification. In that case I would take the xssAttacks.xml file from the xssattack tool zip that is linked to on the blog you mentioned. I would write a script that looks at my test/dev database and inserts one of those attacks into any column that is of type varchar/string/text/etc. That might be your best bet.
Mike Williamson
@Sleepycat: yes, that's basically what I will do if no such tool exists: port the tool over to Java (because that's what I know best). I just hoped that something else existed.
Joachim Sauer
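A script of the kind Mike Williamson describes, as an added example (not code from the thread or from the xssattack tool): it seeds every text-typed column of a SQLite test database with a per-column canary marker and then checks rendered HTML for canaries that came through unencoded, which also gives the input-to-output mapping jah asked for. The `users` schema and the `render_profile` view are constructed stand-ins for your own test database and application.

```python
import html
import sqlite3

# One marker per column. It contains '<', '"' and '>', so any context-correct
# HTML encoder transforms it; seeing it verbatim in a page means encoding is missing.
CANARY = '<canary id="{table}.{column}">'
TEXT_AFFINITY = ("CHAR", "CLOB", "TEXT", "VARCHAR", "STRING")

def text_columns(conn):
    """Return [(table, column)] for every text-typed column in user tables."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    cols = []
    for table in tables:
        for _cid, name, ctype, *_ in conn.execute(f'PRAGMA table_info("{table}")'):
            if any(k in (ctype or "").upper() for k in TEXT_AFFINITY):
                cols.append((table, name))
    return cols

def seed_canaries(conn):
    """Overwrite every text column in every row of a TEST database with its canary.
    Returns {canary: (table, column)} so hits can be traced back to their source."""
    seeded = {}
    for table, column in text_columns(conn):
        canary = CANARY.format(table=table, column=column)
        conn.execute(f'UPDATE "{table}" SET "{column}" = ?', (canary,))  # no WHERE: all rows
        seeded[canary] = (table, column)
    conn.commit()
    return seeded

def find_leaks(rendered_html, seeded):
    """Return sorted (table, column) pairs whose canary appears unencoded in the page."""
    return sorted(tc for canary, tc in seeded.items() if canary in rendered_html)

def build_test_db():
    """Constructed sample schema standing in for the real test/dev database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name VARCHAR(50), bio TEXT, age INTEGER);
        INSERT INTO users VALUES (1, 'alice', 'hello', 30);
    """)
    return conn

def render_profile(conn, encode):
    """Stand-in for an application view; encode=False simulates the bug under test."""
    name, bio = conn.execute("SELECT name, bio FROM users WHERE id = 1").fetchone()
    esc = html.escape if encode else (lambda s: s)
    return f"<h1>{esc(name)}</h1><p>{esc(bio)}</p>"

if __name__ == "__main__":
    db = build_test_db()
    seeded = seed_canaries(db)
    print("leaks (unencoded view):", find_leaks(render_profile(db, False), seeded))
    print("leaks (encoded view):  ", find_leaks(render_profile(db, True), seeded))
```

Point `find_leaks` at the HTML your real pages return (e.g. fetched from a dev server) and every hit names the table and column whose value reached the page without encoding.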