
Feature request: Automatic spider

Open dicksnel opened this issue 1 year ago • 2 comments

Hi, thanks for this great tool!

It would be great if ezXSS could automatically spider an entire app after the XSS is triggered. This works by adding a hidden iframe and scanning the target page for all hyperlinks with the same domain. Then, for each found URL, fetch it via XHR in the iframe and extract all response data / screenshot it like a usual target page.

The advantage of this is that an attacker can gain immediate insight into all URLs and pages that are available in, for example, an admin panel.

If this is something to consider including, I have working code available from our own tooling.

dicksnel • Jul 18 '24 08:07

Hey Dick,

Thanks for the feature request. This for sure sounds like something we can add. I would love for you to share the working code and possibly some ideas how to implement this in ezXSS.

I can then look myself what would be the best way to implement this in the current system.

ssl • Jul 21 '24 09:07

@ssl great, I'll get back with some example code after my holidays!

dicksnel • Jul 25 '24 07:07

Hey @dicksnel! Hope you had a good holiday. Is this FR still something you would like to see in ezXSS? Let me know so I can implement it :)

ssl • Oct 27 '24 12:10

Hi @ssl, I still have it on my list but can't find the time yet. Feel free to close the issue and I'll open a new one later on or a PR when I have things ready!

dicksnel • Oct 30 '24 13:10

I've added automatic spidering in the latest commit #3fa71a2.

It is enabled per payload and allows two different methods: either via Web API (XHR) or via iframe.

Via XHR, it looks for all a-hrefs on the current page and requests them the way 'extract additional page' normally works.

The iframe method also grabs all a-hrefs on the current page, but instead renders them in a hidden iframe and sends the callback. With this method, all a-hrefs on the grabbed page are also added to the list, making it recursive spidering.

Each method has its pros and cons, which is why I decided to add both and make it an option.

I'm not sure if it is anywhere close to what you've created, but I'm open to changes or adding another method if it differs much. If you have no time or I don't get any response I will close this as completed, but feel free to re-open in that case.

In any way thanks for the suggestion!


ssl • May 05 '25 19:05
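The two spidering modes described in the thread share one core: collect the same-origin `<a href>` links of a page, fetch each one with the victim's session, and (for the recursive mode) repeat on what comes back. The block below is an added example written for this page, not ezXSS's own code or the commit referenced above. It runs offline in Node: the "site" is a constructed in-memory map under the hypothetical origin `https://target.example`, the DOM is replaced by a regex href extractor, and the fetcher is synchronous so the demo is deterministic (in a real payload it would be `fetch`/XHR with `credentials: 'include'`). `maxDepth = 1` mirrors the "request every link on the current page" behaviour; a larger depth follows links found on fetched pages too, as the iframe method does. The same-origin filter and the page cap are the two checks a practitioner would want in any such payload: cross-origin requests would fail and only leak the crawl to third parties, and an unbounded crawl of an admin panel is both noisy and slow.

```javascript
// Added example (not ezXSS code): same-origin link discovery plus a
// bounded, optionally recursive spider, as a payload could run after
// an XSS fires. Offline demo: site contents and origin are constructed.

const ORIGIN = 'https://target.example'; // hypothetical target origin

// Extract href values from <a> tags, resolve them against the page URL,
// and keep only same-origin http(s) links. Fragments and javascript:
// links are dropped; the URL fragment never changes what is fetched.
function sameOriginLinks(html, pageUrl) {
  const origin = new URL(pageUrl).origin;
  const out = new Set();
  const re = /<a\b[^>]*?\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const raw = m[1] ?? m[2] ?? m[3];
    if (!raw || raw.startsWith('#') || /^javascript:/i.test(raw)) continue;
    let u;
    try { u = new URL(raw, pageUrl); } catch { continue; } // unparsable href
    if (!/^https?:$/.test(u.protocol) || u.origin !== origin) continue;
    u.hash = '';
    out.add(u.href);
  }
  return [...out];
}

// Breadth-first spider over `fetchPage(url) -> html`. Links on the start
// page are depth 1; with maxDepth = 1 only those are fetched, with a
// larger maxDepth links found on fetched pages are followed as well.
// `visited` prevents loops, `maxPages` caps the total request volume.
function spider(startUrl, startHtml, fetchPage, { maxDepth = 1, maxPages = 50 } = {}) {
  const visited = new Set([startUrl]);
  const pages = [{ url: startUrl, depth: 0, html: startHtml }];
  const queue = sameOriginLinks(startHtml, startUrl).map(u => ({ url: u, depth: 1 }));
  while (queue.length > 0 && pages.length < maxPages) {
    const { url, depth } = queue.shift();
    if (visited.has(url) || depth > maxDepth) continue;
    visited.add(url);
    let html;
    try { html = fetchPage(url); } catch { continue; } // 404 / network error: skip
    pages.push({ url, depth, html });
    if (depth < maxDepth) {
      for (const next of sameOriginLinks(html, url)) {
        if (!visited.has(next)) queue.push({ url: next, depth: depth + 1 });
      }
    }
  }
  return pages;
}

// Constructed sample site (not real data). /admin links to the user list,
// an external host, a fragment and a javascript: link; the user list
// links to a detail page (only reachable at depth 2) and back to /admin.
const SITE = {
  [`${ORIGIN}/admin`]: `<a href="/admin/users">Users</a>
    <a href='https://cdn.example/lib.js'>ext</a>
    <a href="#top">top</a> <a href="javascript:void(0)">noop</a>`,
  [`${ORIGIN}/admin/users`]: `<a href="/admin/users/1">Alice</a><a href="/admin">Back</a>`,
  [`${ORIGIN}/admin/users/1`]: `<p>user detail</p><a href="/admin/users">list</a>`,
};

// Stand-in for fetch/XHR: serves the constructed site, throws on unknown URLs.
function fakeFetch(url) {
  if (!(url in SITE)) throw new Error(`404 ${url}`);
  return SITE[url];
}

// Crawl from /admin and return the URLs reached, in fetch order.
function demo(maxDepth, maxPages = 50) {
  const start = `${ORIGIN}/admin`;
  return spider(start, SITE[start], fakeFetch, { maxDepth, maxPages }).map(p => p.url);
}

console.log('depth 1:', demo(1));
console.log('depth 5:', demo(5));
```

With depth 1 the crawl stops at `/admin/users`; with a higher depth it also reaches `/admin/users/1`, and the cycle back to `/admin` is ignored because the start page is already in `visited`. In a browser build, `fetchPage` would be asynchronous and the response bodies in `pages` would be what gets posted back to the callback.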