Cenzic 232 Patent
Paid Advertising
web application security lab

XSS Testing Greasemonkey Script

Whiteacid built a pretty remarkable XSS Greasemonkey assistant script. It’s got a few kinks left to work out as we’ve been discussing but on the whole this is feeling like a possible right approach to by-hand penetration testing for XSS vulnerability assessment. I still think something like this should be built into burp suite but Whiteacid’s approach is pretty slick.

After installation and going to Tools->Greasemonkey->User Script Commands->Start XSS Forms you see an icon that looks like this:

When clicked that button allows you to run all the commands that the XSS cheatsheet XML file has in them against all form elements. Interesting tool that helps diagnose some of the problems out there. It’s really no substitute to doing it the old fashioned way, but it’s a nice crutch when you’re in a hurry.

4 Responses to “XSS Testing Greasemonkey Script”

  1. Apnovi Says:

    If you havent yet bolted this on to your Firefox, then your missing out.
    nice one!

  2. Cface Says:

    One question… How do you get the XSS Form logo thing to appear? Where does it appear at? I’ve hit the Start XSS forms bit… but i dont know where the icon would show up…

  3. Cface Says:

    EDIT: Fantastic I get this error in console:
    Error: Illegal value
    Source File: file:///home/cface/.mozilla/firefox/b6qfqmxxp.default/gm_scripts/xss_assistant/xss_assistant.user.js
    Line: 890

  4. RSnake Says:

    @Cface - you are responding to a post written almost four years ago. Whiteacid’s site has been down for years. I have no idea what parts of his script required being able to phone home, but I’d bet it’s more than zero.