CURL: xss.sh

Main Menu

If you're wondering whether your organization has an application security problem, there's no more convincing proof than a few failed security tests. Paco and Ben get you started with the best free web application security tools, including many from OWASP, and their simple recipes are perfect for developers and testers alike.

Jeff Williams, CEO Aspect Security and OWASP Chair

CURL: xss.sh

Wednesday, 23 September 2009 19:59

#!/bin/bash
CURL=/usr/local/bin/curl
# where do we put temporary output?
TEMPDIR=/tmp

# a file with URLs to attack, one per line
URLFILE=urls.txt

# a file containing XSS attack strings, one per line
ATTACKS=xss-strings.txt

# file descriptor 3 is our URLs
3<"${URLFILE}"

# file descriptor 4 is our XSS attack strings
4<"${ATTACKS}"

typeset -i FAILED

# for each URL in the URLFILE
while read -u 3 URL
do
    TEMPFILE="${TEMPDIR}/curl${RANDOM}.html"
    FAILED=0
    # attack with each attack in the ATTACKS file
    while read -u 4 XSS
    do
	# call curl to fetch the page. Save to temp file because we
	# need to check the error code, too. We'll grep if we got
	# anything.
	curl -f -s -o "${TEMPFILE}" "${URL}${XSS}"
	RETCODE=$?

	echo "ret: $RETCODE"

	# check to see if curl failed or the server failed
	if [ $RETCODE != 0 ]
	then
	    echo "FAIL:	(curl ${RETCODE}) ${URL}${XSS}"
	else
	    # curl succeeded. Check output for our attack string.
	    rm -f "${TEMPFILE}"
	    result=$(grep -c "${XSS}" "${TEMPFILE}")
	    # if we got 1 or more matches, that's a failure
	    if [ "$result" != 0 ]
	    then
		echo "FAIL:	${URL}${XSS}"
		FAILED=${FAILED}+1
	    else
		echo "PASS:	${URL}${XSS}"
	    fi
	fi
	rm -f "${TEMPFILE}"
    done
    if [ $FAILED -gt 0 ]
    then
	echo "$FAILED failures for ${URL}"
    else
	echo "PASS: ${URL}"
    fi
done

follow pacohope at http://twitter.com/

follow OWASP NoVA at http://twitter.com/