CURL: xss.sh

Main Menu

It doesn't matter how good your programmers are, rigorous testing will always be part of producing secure software. Hope and Walther steal Web security testing back from the L33T hax0rs and return it to the realm of the disciplined professional.

Brian Chess,
Founder/Chief Scientist Fortify Software

CURL: xss.sh

Wednesday, 23 September 2009 19:59

#!/bin/bash
CURL=/usr/local/bin/curl
# where do we put temporary output?
TEMPDIR=/tmp

# a file with URLs to attack, one per line
URLFILE=urls.txt

# a file containing XSS attack strings, one per line
ATTACKS=xss-strings.txt

# file descriptor 3 is our URLs
3<"${URLFILE}"

# file descriptor 4 is our XSS attack strings
4<"${ATTACKS}"

typeset -i FAILED

# for each URL in the URLFILE
while read -u 3 URL
do
    TEMPFILE="${TEMPDIR}/curl${RANDOM}.html"
    FAILED=0
    # attack with each attack in the ATTACKS file
    while read -u 4 XSS
    do
	# call curl to fetch the page. Save to temp file because we
	# need to check the error code, too. We'll grep if we got
	# anything.
	curl -f -s -o "${TEMPFILE}" "${URL}${XSS}"
	RETCODE=$?

	echo "ret: $RETCODE"

	# check to see if curl failed or the server failed
	if [ $RETCODE != 0 ]
	then
	    echo "FAIL:	(curl ${RETCODE}) ${URL}${XSS}"
	else
	    # curl succeeded. Check output for our attack string.
	    rm -f "${TEMPFILE}"
	    result=$(grep -c "${XSS}" "${TEMPFILE}")
	    # if we got 1 or more matches, that's a failure
	    if [ "$result" != 0 ]
	    then
		echo "FAIL:	${URL}${XSS}"
		FAILED=${FAILED}+1
	    else
		echo "PASS:	${URL}${XSS}"
	    fi
	fi
	rm -f "${TEMPFILE}"
    done
    if [ $FAILED -gt 0 ]
    then
	echo "$FAILED failures for ${URL}"
    else
	echo "PASS: ${URL}"
    fi
done

follow pacohope at http://twitter.com/

follow OWASP NoVA at http://twitter.com/