Friday, March 27th, 2009

XSS Rays: Scan pages for XSS holes

Category: Security

Gareth Heyes has released XSS Rays, an open source library for detecting XSS holes via a bookmarklet:

The code works by creating connections to the target links/paths using iframes; each iframe is assigned a name, which is the URL to return to on successful execution (the originating URL). This allows cross-domain links to be checked.

The vectors are stored in a simple object; each vector has the following properties: input, name, browser, form, url, path (there's an optional second input). Input is the XSS vector; the string “XSS” in it is replaced with a logger or a PoC URL and is required by all vectors.

Name is just a meaningful name applied to the vector; browser supports ALL|FF|IE and helps save time when testing specific browser vectors, as XSS Rays will only target those versions for the vector.
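The vector table described above can be turned into concrete test cases with a small expansion routine. The following is an added example, not code from XSS Rays itself: the field names (input, input2, name, browser, form, url, path) follow the description, while the vector contents, the marker string, the target URL and the query/form field names (q, q2) are constructed here and contain no executable payloads.

```javascript
// Added example (not XSS Rays' own code): expand a vector table of the shape
// the post describes into concrete test cases for one target. Field names
// follow the post; the logger marker, the vector contents, the target and the
// parameter names q/q2 are constructed assumptions.

// Constructed vector table. "XSS" is the placeholder that the scanner swaps
// for a logger or proof-of-concept URL; every vector must contain it.
var VECTORS = [
  { name: 'plain marker',          input: 'XSS',   browser: 'ALL', url: true,  form: true,  path: false },
  { name: 'quoted marker',         input: '"XSS"', browser: 'FF',  url: true,  form: false, path: false },
  { name: 'two-field marker',      input: 'XSS',   input2: 'XSS', browser: 'IE', url: false, form: true, path: false },
  { name: 'path segment marker',   input: 'XSS',   browser: 'ALL', url: false, form: false, path: true }
];

// A vector applies to the browser under test when it is marked ALL or
// matches exactly (the post lists ALL|FF|IE).
function appliesTo(vector, browser) {
  return vector.browser === 'ALL' || vector.browser === browser;
}

// Replace every occurrence of the XSS placeholder with the marker string;
// a vector without the placeholder is a table error, not a test case.
function fillMarker(input, marker) {
  if (input.indexOf('XSS') === -1) {
    throw new Error('vector input must contain the XSS placeholder: ' + input);
  }
  return input.split('XSS').join(marker);
}

// Build the test cases for one target URL. Each case records the delivery
// channel (url query, form field or path segment) and the substituted
// payload, encoded for that channel so the marker survives transport.
function expandVectors(vectors, target, browser, marker) {
  var cases = [];
  vectors.forEach(function (v) {
    if (!appliesTo(v, browser)) return;
    var payload = fillMarker(v.input, marker);
    var payload2 = v.input2 ? fillMarker(v.input2, marker) : null;
    if (v.url) {
      cases.push({ name: v.name, channel: 'url',
        target: target + '?q=' + encodeURIComponent(payload) });
    }
    if (v.form) {
      var fields = { q: payload };
      if (payload2 !== null) fields.q2 = payload2;   // optional second input
      cases.push({ name: v.name, channel: 'form', target: target, fields: fields });
    }
    if (v.path) {
      cases.push({ name: v.name, channel: 'path',
        target: target.replace(/\/$/, '') + '/' + encodeURIComponent(payload) });
    }
  });
  return cases;
}

// Frame name used as the return address: the post describes naming each
// iframe with the originating URL (plus a fragment) so a successful
// execution can navigate back to it across domains.
function frameName(originatingUrl) {
  return originatingUrl + '#xss';
}

// Usage: list what would be sent to a constructed target for Firefox vectors.
expandVectors(VECTORS, 'http://target.invalid/', 'FF', 'MARK').forEach(function (c) {
  console.log(c.name, c.channel, c.target, c.fields || '');
});
```

Filtering on the browser field before expansion is what saves the testing time the post mentions: an IE-only vector is never turned into a case when the run targets Firefox. Keeping the marker substitution in one function also makes the "XSS must be present" rule enforceable, which the post states as a requirement on every vector.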

Gareth also shows how he enables the onload event of a dynamic iframe in a way that works with IE:


  // self.uniqueID and self.isIE() are XSS Rays' own helpers. The handler
  // string calls back into this ray's ieonload() once the frame has loaded.
  var ieLoader = "document.getElementById('" + 'ray' + self.uniqueID + "').ieonload()";
  var iframe;
  if (self.isIE()) {
      try {
          // Old IE only honours an onload attribute set at creation time, so
          // the element is built from markup; the name carries the return URL.
          iframe = document.createElement('<iframe name="' + location + '#xss' + '" onload="' + ieLoader + '">');
      } catch (e) {
          // Newer IE rejects markup in createElement; fall back to a plain element.
          iframe = document.createElement('iframe');
      }
  } else {
      iframe = document.createElement('iframe');
  }

Posted by Dion Almaer at 4:33 am

1 Comment »


Thanks for this useful article. It helped me out.

Comment by yokosushi — November 3, 2009
