XSS Testing Greasemonkey Script
Whiteacid built a pretty remarkable XSS Greasemonkey assistant script. It’s got a few kinks left to work out as we’ve been discussing but on the whole this is feeling like a possible right approach to by-hand penetration testing for XSS vulnerability assessment. I still think something like this should be built into burp suite but Whiteacid’s approach is pretty slick.
After installation and going to Tools->Greasemonkey->User Script Commands->Start XSS Forms you see an icon that looks like this:
When clicked that button allows you to run all the commands that the XSS cheatsheet XML file has in them against all form elements. Interesting tool that helps diagnose some of the problems out there. It’s really no substitute to doing it the old fashioned way, but it’s a nice crutch when you’re in a hurry.
October 29th, 2006 at 5:12 pm
If you havent yet bolted this on to your Firefox, then your missing out.
nice one!
April 26th, 2010 at 10:56 am
One question… How do you get the XSS Form logo thing to appear? Where does it appear at? I’ve hit the Start XSS forms bit… but i dont know where the icon would show up…
April 26th, 2010 at 10:58 am
EDIT: Fantastic I get this error in console:
Error: Illegal value
Source File: file:///home/cface/.mozilla/firefox/b6qfqmxxp.default/gm_scripts/xss_assistant/xss_assistant.user.js
Line: 890
April 26th, 2010 at 2:22 pm
@Cface - you are responding to a post written almost four years ago. Whiteacid’s site has been down for years. I have no idea what parts of his script required being able to phone home, but I’d bet it’s more than zero.