
2009/03/04

Easy XSS/AJAX using Greasemonkey

Have you tried Greasemonkey? Try it! It's great!

Greasemonkey is a simple but extremely powerful add-on for Mozilla Firefox, and there are more than a thousand user scripts available for it. With Greasemonkey you can write your own script (a "user script") to customize, modify, extract data from, insert into, or do whatever else you need with *any* page!

Easy XSS - Cross-Site Scripting

Recently I needed to integrate a customer's website with external data from another website. The integration had to happen while the employee is using the customer's website, with no extra requirements beyond Firefox, Greasemonkey and one little user script to do the XSS. I needed XSS because part of the application's data is extracted from another website (and another domain). If you know nothing about XSS or the Same Origin Policy, read about them on Wikipedia and you'll see that XSS isn't so easy to do...

Throughout the rest of this article you will read the acronym XSS, but please understand XSS not as "code injection" but in this sense: "The term 'cross-site scripting' originated from the fact that a malicious web site could load another web site into another frame or window, then use JavaScript to read/write data on the other web site." (or something close to that).

When I need to do XSS I have a number of options: Greasemonkey, Selenium, Firefox chrome code, HTA, HttpUnit, customized HTTP clients over TCP sockets, a customized browser build, proxy servers, fake DNS/IP (e.g. editing the system hosts file to resolve a name to another IP and changing document.domain to the same base domain) and a few other hacks. For my last application I chose Greasemonkey.

Greasemonkey has a JavaScript function called GM_xmlhttpRequest that is meant for AJAX requests, but it can also be used for XSS because it runs in the Mozilla chrome context. It's amazing, because doing XSS nowadays is so difficult...

I've created a small user script that lets Greasemonkey make AJAX requests between different domains. See below:

    // ==UserScript==
    // @name           UnlockXss
    // @namespace      net.marciowb.unlock.xss
    // @include        http://127.0.0.1:8080/
    // @include        http://www.trilha21.com.br/
    // ==/UserScript==
    // Copyright Marcio Wesley Borges<marciowb@gmail.com>, Created: 2009/03/05

    // Page-visible namespace: the site's own scripts talk to the bridge
    // through unsafeWindow.xss.
    unsafeWindow.xss = {};
    unsafeWindow.xss._requests = [];

    // Queue the request and let a timer hand it to the privileged side.
    unsafeWindow.xss.call = function(req) {
            unsafeWindow.xss._requests.push(req);
            window.setTimeout( xssExecutor, 1 );
    };

    // Take the most recently queued request (stack order) and send it with
    // the real, cross-domain-capable GM_xmlhttpRequest.
    function _xssExecutor() {
            var reqs = unsafeWindow.xss._requests;
            if (reqs.length<1)
                    return;

            var req = reqs.pop();

            GM_xmlhttpRequest(req);
    }

    // Wrapper so an exception in one request never kills the timer chain.
    function xssExecutor() {
            try {
                    _xssExecutor();
            } catch (ex) {
                    GM_log(ex);
            }
    }

    // Expose the bridge under the familiar name so page code can call
    // GM_xmlhttpRequest({...}) exactly as in the Greasemonkey docs.
    unsafeWindow.GM_xmlhttpRequest = unsafeWindow.xss.call;

To use it, take a look at the GM_xmlhttpRequest documentation. The example code from the Greasemonkey website remains valid and works with the UnlockXss script:

    GM_xmlhttpRequest({
        method: 'GET',
        url: 'http://greaseblog.blogspot.com/atom.xml',
        headers: {
            'User-agent': 'Mozilla/4.0 (compatible) Greasemonkey',
            'Accept': 'application/atom+xml,application/xml,text/xml',
        },
        onload: function(responseDetails) {
            alert('Request for Atom feed returned ' + responseDetails.status +
                  ' ' + responseDetails.statusText + '\n\n' +
                  'Feed data:\n' + responseDetails.responseText);
        }
    });
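The bridge above has two properties that are easy to miss: requests are taken off the queue in stack order (the last one queued is sent first), and once the bridge is exposed, any script on an @include'd page can reach the privileged GM_xmlhttpRequest, so the bridge can and should restrict which origins it will forward to. The following is an added example, not the original UnlockXss script or Greasemonkey code: it models the dispatcher with a constructed stand-in for GM_xmlhttpRequest and an injectable timer so it runs in Node, and adds an optional allow-list of origins as the hardened form. makeBridge, makeFakeGM, dispatchOrder and the sample URLs are assumptions made for this example.

```javascript
// Added example: offline model of the UnlockXss dispatcher pattern.
// GM_xmlhttpRequest and the browser timer are replaced by constructed stubs.

// Stand-in for the real GM_xmlhttpRequest: records the URLs it was asked to send.
function makeFakeGM() {
  const sent = [];
  return {
    sent,
    GM_xmlhttpRequest(req) { sent.push(req.url); },
  };
}

// Builds the same bridge as UnlockXss: a page-visible `call` that queues the
// request and lets a timer hand it to the privileged function.
// `schedule` replaces window.setTimeout so tests can drain timers themselves.
// `allowedOrigins` (optional) is the hardened variant: only those origins are
// forwarded; anything else gets its onerror callback and is dropped.
function makeBridge(gm, schedule, allowedOrigins) {
  const requests = [];
  function executor() {
    if (requests.length < 1) return;
    // Same as the original script: the *last* queued request is taken.
    const req = requests.pop();
    if (allowedOrigins) {
      const origin = new URL(req.url).origin;
      if (!allowedOrigins.includes(origin)) {
        if (typeof req.onerror === 'function') {
          req.onerror({ status: 0, statusText: 'blocked by bridge allow-list' });
        }
        return;
      }
    }
    gm.GM_xmlhttpRequest(req);
  }
  return {
    call(req) { requests.push(req); schedule(executor, 1); },
    pending: () => requests.length,
  };
}

// Queues every URL, fires the timers in the order they were set (as the
// browser would) and reports what reached the stub and what was blocked.
function dispatchOrder(urls, allowedOrigins) {
  const timers = [];
  const gm = makeFakeGM();
  const bridge = makeBridge(gm, (fn) => timers.push(fn), allowedOrigins);
  const blocked = [];
  for (const url of urls) {
    bridge.call({ method: 'GET', url, onerror: () => blocked.push(url) });
  }
  while (timers.length) timers.shift()();
  return { sent: gm.sent, blocked, pending: bridge.pending() };
}

// Constructed sample: three requests queued back to back from page code.
const SAMPLE_URLS = [
  'http://a.example/1',
  'http://a.example/2',
  'http://b.example/3',
];
```

Calling dispatchOrder(SAMPLE_URLS) sends them in the order 3, 2, 1, because each setTimeout pops the newest entry; if the calling code depends on ordering, use requests.shift() instead of pop(). Calling dispatchOrder(SAMPLE_URLS, ['http://a.example']) forwards only the two a.example requests and hands the b.example one to its onerror callback.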

Remember: now you can embed GM_xmlhttpRequest calls in your page code, but you must also tell Greasemonkey where to run your user script. Do that by adding an @include entry, like the ones above, for each domain where you want to enable the XSS/AJAX requests.
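An @include pattern is a glob in which `*` matches any run of characters and everything else must match the whole URL literally, so the two entries in the UnlockXss header match only the root URL of each site, not pages under them. The following is an added example, not Greasemonkey's own matcher: it re-implements the `*` glob rule so you can check which pages a header actually covers. It ignores Greasemonkey's other conveniences (such as `.tld` expansion and case handling), and the function names and sample URLs are constructed for this example.

```javascript
// Added example: minimal model of the Greasemonkey @include glob rule.

// Turn one @include pattern into an anchored regular expression:
// `*` becomes `.*`; every other regex metacharacter is escaped.
function includeToRegExp(pattern) {
  const escaped = pattern
    .split('*')
    .map((part) => part.replace(/[.+?^${}()|[\]\\\/]/g, '\\$&'))
    .join('.*');
  return new RegExp('^' + escaped + '$');
}

// True if `url` matches at least one of the @include patterns.
function scriptRunsOn(includes, url) {
  return includes.some((p) => includeToRegExp(p).test(url));
}

// Returns the subset of `urls` on which a script with `includes` would run.
function coverage(includes, urls) {
  return urls.filter((u) => scriptRunsOn(includes, u));
}

// The header used by UnlockXss: no wildcard, so only the root URL matches.
const UNLOCKXSS_INCLUDES = ['http://127.0.0.1:8080/', 'http://www.trilha21.com.br/'];

// A widened header that covers every page under both hosts.
const WIDENED_INCLUDES = ['http://127.0.0.1:8080/*', 'http://www.trilha21.com.br/*'];

// Constructed candidate URLs, including a different scheme to show that
// `https://` is not covered by an `http://` pattern.
const SAMPLE_PAGES = [
  'http://127.0.0.1:8080/',
  'http://127.0.0.1:8080/app/orders',
  'http://www.trilha21.com.br/',
  'http://www.trilha21.com.br/Webs/',
  'https://www.trilha21.com.br/',
];
```

With the header as written, coverage(UNLOCKXSS_INCLUDES, SAMPLE_PAGES) returns only the two root URLs; with the `/*` form it returns the first four, and the https page is still excluded. Keep patterns as narrow as the application needs, since every matching page gains the bridge.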

Assorted Greasemonkey Tips

Do you want to compile your Greasemonkey user script into an XPI extension for Firefox? Okay, you can! See the Greasemonkey Compiler.

Do you need to inject Dojo into a page via Greasemonkey and don't know how? Do it like this:

    // ==UserScript==
    // @name           ML - Copiar dados da Lista de Envios
    // @namespace      net.marciowb.ml.lista.envios
    // @description    Copia os dados da lista de envios do ML
    // @include        http://www.mercadolivre.com.br/jm/impressionList
    // ==/UserScript==

    // Inject the Dojo library by adding a <script> element to the page head.
    var script = document.createElement("script");
    script.id="scriptInjectedDojo";
    script.src="http://www.trilha21.com.br/Webs/js/dojo/dojo.js";
    document.getElementsByTagName("head")[0].appendChild(script);

    // Inject the Dijit "tundra" theme stylesheet the same way.
    var link = document.createElement("link");
    link.id = "linkInjectedTundra";
    link.rel = "stylesheet";
    link.type= "text/css";
    link.href="http://www.trilha21.com.br/Webs/js/dijit/themes/tundra/tundra.css";
    document.getElementsByTagName("head")[0].appendChild(link);
    // ...
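Two things the snippet above leaves to the reader: `dojo` is not defined until the injected script has finished downloading, so anything that uses it has to wait for the element's load event, and the fixed ids only help if you check for them before injecting a second copy. The following is an added example, not the original user script: it wraps the same injection in reusable functions that do both. The `doc` parameter takes the real `document` inside a user script; the tiny fake document here is constructed only so the functions can be exercised outside a browser, and injectScript, injectStylesheet, makeFakeDocument and demo are names chosen for this example.

```javascript
// Added example: script/stylesheet injection with a ready callback and a
// duplicate guard. `doc` is `document` in a real user script.

function injectScript(doc, id, src, onReady) {
  const head = doc.getElementsByTagName('head')[0];
  const existing = doc.getElementById(id);
  if (existing) {
    // Already injected (e.g. the script ran twice): reuse, don't duplicate.
    if (onReady) onReady(existing, /* alreadyPresent = */ true);
    return existing;
  }
  const script = doc.createElement('script');
  script.id = id;
  script.src = src;
  // The library's globals (e.g. `dojo`) exist only once this fires.
  script.onload = function () { if (onReady) onReady(script, false); };
  script.onerror = function () { if (onReady) onReady(null, false); };
  head.appendChild(script);
  return script;
}

function injectStylesheet(doc, id, href) {
  const existing = doc.getElementById(id);
  if (existing) return existing;
  const link = doc.createElement('link');
  link.id = id;
  link.rel = 'stylesheet';
  link.type = 'text/css';
  link.href = href;
  doc.getElementsByTagName('head')[0].appendChild(link);
  return link;
}

// Constructed stand-in for `document`: just enough DOM for the helpers above.
function makeFakeDocument() {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  return {
    head,
    createElement: (tag) => ({ tagName: tag.toUpperCase() }),
    getElementsByTagName: (tag) => (tag === 'head' ? [head] : []),
    getElementById(id) { return head.children.find((el) => el.id === id) || null; },
  };
}

// Shows the order of events: the ready callback runs only after "load",
// and a second injection with the same id reuses the existing element.
function demo() {
  const doc = makeFakeDocument();
  const events = [];
  const record = (el, present) => events.push(present ? 'already-present' : 'ready');
  const s1 = injectScript(doc, 'scriptInjectedDojo',
    'http://www.trilha21.com.br/Webs/js/dojo/dojo.js', record);
  events.push('appended');      // recorded before 'ready'
  s1.onload();                  // simulate the browser finishing the download
  injectScript(doc, 'scriptInjectedDojo', s1.src, record);
  injectStylesheet(doc, 'linkInjectedTundra',
    'http://www.trilha21.com.br/Webs/js/dijit/themes/tundra/tundra.css');
  return {
    events,
    headCount: doc.head.children.length,
    tags: doc.head.children.map((e) => e.tagName),
  };
}
```

In a user script, put the code that calls into `dojo` inside the onReady callback rather than directly after appendChild, which is the mistake the load event guards against.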
