Articles — script

Tasos Laskos

Script your DOM XSS exploitation workflow

Hello all, I wanted to share some Codename SCNR scripting kung-fu with you. This is something you can use post-scan, to exploit/validate your DOM XSS vulnerabilities. It can get tedious repeating the same steps manually over and over while exploring DOM XSS, but this script will help you automate the boring parts and leave you with all the fun. It will also allow you to intercept and inspect HTTP traffic from Ruby, in the form of HTTP::Request and HTTP::Response objects. In addition, you can still also chain Burp or ZAP to further your investigation.   Happy scanning! - Tasos L.

Read more


Tasos Laskos

Following the execution: Taint-tracing in the JS environment

In our previous article we discussed data-flow tracing, i.e. following a piece of data as it travels through the JS environment of a page. In this article we're going to concern ourselves with tracing the execution flow of the page. Imagine this scenario: either via manual or automated testing we managed to identify an input vulnerable to XSS. Wouldn't it be nice if we could track exactly that vulnerability came to be? Well, we're going to soon find out. The methodology isn't that much different from data-flow tracing, the only difference is that we're going to be using a little...

Read more


Tasos Laskos

Following the data: Taint-tracing in the JS environment

Frustratingly enough, something fishy is going on with an input you're manually checking but you can't quite put your finger on it. There must be something going on within the flow its value follows throughout the client-side but its complete behavior eludes you due to high complexity. Break-points need to be set and notes to be kept. Well, fret no more! Codename SCNR to the rescue with its client-side data-flow tracing!   What I'm talking about is this: You configure a taint for the JS environment -- i.e. a value that SCNR needs to track. You operate the browser via...

Read more


Tasos Laskos

Client-side crawl: A DOM state exploration

Say you need to do a manual pentest on a web application with a lot of client-side code, like a single page application of the AngularJS sort. It would be very helpful to understand how the app transitions through different states based on DOM events. For example, which flows lead to which results, and also the steps for those flows. What we're talking about here is basically a client-side crawl.   With a simple script, you can print-out the client-side crawl that SCNR does and keep those result at hand to help you with your manual audit.

Read more