
false positives #5

Open
wilson9x1 opened this issue Jan 9, 2018 · 9 comments

wilson9x1 commented Jan 9, 2018

Good project!!
But I find this rule will cause false positives:

(r"<[^>]*'[^>']*%(chars)s[^>']*'[^>]*>", ('\'',), "\"<.'.xss.'.>\", inside the tag, inside single-quotes, %(filtering)s filtering", r"(?s)<script.+?</script>|<!--.*?-->") 

e.g.:
demo.php:

<?php
// Entity-encode double quotes and angle brackets; single quotes pass through untouched
$input = str_replace("\"", "&quot;", $_GET['xss']);
$input = str_replace(">", "&gt;", $input);
$input = str_replace("<", "&lt;", $input);
// Reflect the filtered value three times inside a double-quoted attribute
echo '<meta name="description" content="';
print($input);
echo '#23578';
print($input);
echo '#23578';
print($input);
echo '#23578"/>';
?>

[screenshot of the DSXS output, 2018-01-09]

for help~

wilson9x1 commented Jan 11, 2018

Another false positive:

demo.php:

</main><script>
    var jobs = {
        log: {
            pj: 'jobs-social',
            qid: '',
            pn: 0
        },
        common: {
            query: '',
            cookieStr: 'iurl',
            selected: {"city":"<?php echo str_replace("\"", "\\\"", $_GET['xss']); ?>"}
        }
    };
</script>

change regex:

<script[^>]*>[^<]*?'[^<'\"]*%(chars)s|%(chars)s[^<']*'[^<]*</script>
<script[^>]*>[^<]*?"[^<"\']*%(chars)s|%(chars)s[^<"]*"[^<]*</script>

maybe works...

@stamparm (Owner):

This is a project under 100 lines which should cover the majority of XSS vulnerabilities. It doesn't have a true-positive or false-positive detection mechanism, nor could one be implemented in such a restricted code environment.

I've personally made another detection mechanism which is more complex than this one, and I am aware that DSXS has its quirks. Though, as a PoC I would say that it works pretty fine. It is up to the tester to test the positiveness of the results (as with any scanner/tool).

stamparm added a commit that referenced this issue Jan 11, 2018
@stamparm (Owner):

With the latest patch, the problem related to #5 (comment) should be gone.

stamparm added a commit that referenced this issue Jan 11, 2018
@stamparm (Owner):

With the latest patch, the problem related to #5 (comment) should be gone, though...

Now a new problem arises where another rule is being triggered, because the original content is actually being reflected in an invalid manner (unclosed double quotes), which is something unexpected. It causes a (minor) problem where everything that looks like a quoted string is being prefiltered (before the rule is triggered).

@stamparm stamparm self-assigned this Jan 11, 2018
wilson9x1 commented Jan 12, 2018

oooo..... thank you for the answer~~

But I can't understand why you replace r"\'" in the content??

(r"(?s)<script[^>]*>[^<]*?'[^<']*%(chars)s|%(chars)s[^<']*'[^<]*</script>", ('\'', ';'), "\"<script>.'.xss.'.</script>\", enclosed by <script> tags, inside single-quotes, %(filtering)s filtering", r"\\'"),

DSXS still thinks demo.php is "<script> tags, inside single-quotes"... it seems it can't solve the problem

</main><script>
    var jobs = {
        log: {
            pj: 'jobs-social',
            qid: '',
            pn: 0
        },
        common: {
            query: '',
            cookieStr: 'iurl',
            selected: {"city":"<?php echo str_replace("\"", "\\\"", $_GET['xss']); ?>"}
        }
    };
</script>

phackt commented Mar 13, 2018

@stamparm Hello Miroslav, you say it's a PoC but I did not find any more convenient tool. It's pretty quick and effective. However, you were talking about another of your tools with an improved detection mechanism; is it a private project or is there a repo for this? Thanks.

stamparm commented Mar 14, 2018

@phackt Private project, developed on several occasions (ca. two months of development time). A Greasemonkey script created for automated vulnerability assessment (with similar (though improved) web application security heuristics as in DSXS or DSSS or...) during regular browsing of web pages. Now the "fishing story" goes like this: it got too dangerous to release it wide open to the public, as I got great results by just browsing random sites. In one wild scenario I wanted to release it at Defcon, though I got rejected (based just on the abstract) two years ago.

In short, a private project currently not releasable to anyone, as it would produce a new wave of script kiddies (hack as you browse).

p.s. also, the payloads used are/were basically indistinguishable from invalid values, making it great for "under the radar" scans - though, as said, producing great results

phackt commented Mar 20, 2018

@stamparm Arf, at least you have a rocking tool for your hunt. I will look at your code; I just would like to provide the payload in this way (http://mysite.com/), let's say if no params have been found in the URL (could be useful for XSS in trackers and co). Cheers.

phackt commented May 3, 2018

@wilson9x1, @stamparm Hi Wilson, did you find any new regexp? I'm also facing some false positives with the regexp: r"(?s)<script[^>]*>[^<]*?'[^<']*%(chars)s|%(chars)s[^<']*'[^<]*</script>".

As I understand it, any content involving script tags, if not matching the first two script-tag regexes, will fall into the third one (the one above), which is permissive enough to generate false positives. The difficulty is: how to keep this detection without generating these false positives.
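Both reports in this thread (the meta-tag case in the first comment and the script/JSON case in the second, which the comment above also asks about) come down to how DSXS applies a rule tuple: strip the content-removal regex, then search for the context regex with the escaped reflection substituted for %(chars)s. The harness below is an added example, not DSXS code: it re-implements that matching step and runs the rules quoted in the thread, plus wilson9x1's proposed variant, over constructed imitations of both demo.php responses. The fixed prefix/suffix strings, the response builders and the stricter `=\s*'` tag rule are assumptions for illustration, not the project's own.

```python
import re

# Constructed probe: DSXS sends random prefix + probe chars + random suffix;
# fixed strings are used here so the example is deterministic.
PREFIX, PROBE, SUFFIX = "abcd", "'\";<>", "wxyz"

# Rules in DSXS's tuple shape: (context regex, chars that must survive
# unfiltered, content-removal regex applied before matching).
RULE_TAG_SQ = (r"<[^>]*'[^>']*%(chars)s[^>']*'[^>]*>", ("'",),
               r"(?s)<script.+?</script>|<!--.*?-->")
# Illustrative stricter variant (assumption, not the project's rule): the
# opening single quote must directly follow an attribute '='.
RULE_TAG_SQ_STRICT = (r"<[^>]*=\s*'[^>']*%(chars)s[^>']*'[^>]*>", ("'",),
                      r"(?s)<script.+?</script>|<!--.*?-->")
RULE_SCRIPT_SQ = (r"(?s)<script[^>]*>[^<]*?'[^<']*%(chars)s|%(chars)s[^<']*'[^<]*</script>",
                  ("'", ";"), r"\\'")
# wilson9x1's proposed variant from this thread: a double quote between the
# opening single quote and the reflection breaks the match.
RULE_SCRIPT_SQ_PROPOSED = (r"(?s)<script[^>]*>[^<]*?'[^<'\"]*%(chars)s|%(chars)s[^<']*'[^<]*</script>",
                           ("'", ";"), r"\\'")


def reflected_sample(content):
    """Find the reflected probe the way DSXS does (prefix, non-space run, suffix)."""
    m = re.search(re.escape(PREFIX) + r"([^ ]+?)" + re.escape(SUFFIX), content, re.I)
    return (m.group(0), m.group(1)) if m else (None, None)


def rule_fires(content, rule):
    """True when the rule would report the reflection as an XSS context."""
    regex, required, removal = rule
    token, inner = reflected_sample(content)
    if token is None:
        return False
    # Backslash-escaped copies of the required chars do not count as unfiltered.
    unescaped = re.sub(r"\\[%s]" % re.escape("".join(required)), "", inner)
    if not all(ch in unescaped for ch in required):
        return False
    filtered = re.sub(removal, "", content) if removal else content
    return re.search(regex % {"chars": re.escape(token)}, filtered, re.I) is not None


def html_encoded(probe):
    # Same filtering as the first demo.php: entity-encode " < >, keep '.
    return probe.replace('"', "&quot;").replace("<", "&lt;").replace(">", "&gt;")


def meta_response(probe):
    # Constructed copy of the first demo.php: three reflections in a double-quoted attribute.
    return '<meta name="description" content="' + (PREFIX + html_encoded(probe) + SUFFIX + "#23578") * 3 + '"/>'


def attr_single_quoted_response(probe):
    # Genuine single-quoted attribute context with the same filtering (constructed).
    return "<a title='" + PREFIX + html_encoded(probe) + SUFFIX + "'>link</a>"


def script_json_response(probe):
    # Constructed copy of the second demo.php: only " is backslash-escaped before a JSON string.
    return ("</main><script>\n    var jobs = {\n"
            "        log: { pj: 'jobs-social', qid: '', pn: 0 },\n"
            "        common: { query: '', cookieStr: 'iurl',\n"
            '            selected: {"city":"' + PREFIX + probe.replace('"', '\\"') + SUFFIX + '"} }\n'
            "    };\n</script>")


def script_single_quoted_response(probe):
    # Genuine single-quoted JS string with no filtering at all (constructed).
    return "<script>\n    var q = '" + PREFIX + probe + SUFFIX + "';\n</script>"


def run_checks(probe=PROBE):
    """Map of "response/rule" -> fires, covering both reports in the thread."""
    return {
        "meta/tag_sq": rule_fires(meta_response(probe), RULE_TAG_SQ),              # first report
        "meta/tag_sq_strict": rule_fires(meta_response(probe), RULE_TAG_SQ_STRICT),
        "attr/tag_sq": rule_fires(attr_single_quoted_response(probe), RULE_TAG_SQ),
        "attr/tag_sq_strict": rule_fires(attr_single_quoted_response(probe), RULE_TAG_SQ_STRICT),
        "json/script_sq": rule_fires(script_json_response(probe), RULE_SCRIPT_SQ),  # second report
        "json/script_sq_proposed": rule_fires(script_json_response(probe), RULE_SCRIPT_SQ_PROPOSED),
        "sq/script_sq": rule_fires(script_single_quoted_response(probe), RULE_SCRIPT_SQ),
        "sq/script_sq_proposed": rule_fires(script_single_quoted_response(probe), RULE_SCRIPT_SQ_PROPOSED),
    }


if __name__ == "__main__":
    for name, fired in run_checks().items():
        print("%-24s %s" % (name, "FIRES" if fired else "quiet"))
```

Running it shows why each report happens: the original tag rule fires on the meta-tag demo because it only needs some `'` before and some `'` after the reflection inside the same tag, and the repeated reflections supply those quotes themselves even though the real attribute delimiter is an encoded `"`; the script rule fires on the JSON demo because any earlier closed single-quoted string (`'iurl'`) satisfies `[^<]*?'`. The proposed variant stays quiet on the JSON demo because the `"` of the JSON string sits between that quote and the reflection, while both genuine single-quoted contexts still fire under it, so the change narrows the rule without losing the case it was written for.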
