New my XSS scanning tool - DalFox

Powerful open-source XSS scanner and utility focused on automation

Hi, hackers and bugbounty hunters ๐Ÿ‘‹๐Ÿผ

Today Iโ€™m going to talk about my new XSS tool, DalFox. Iโ€™m sure there are a lot of bugs because itโ€™s still under development, but Iโ€™m going to talk it lightly now because itโ€™s somewhat functional and has a critical bug fixed!

์ •๋ง ์˜ค๋žœ๋งŒ์— ๊ธ€์„ ์“ฐ๋Š” ๊ฒƒ ๊ฐ™๋„ค์š”. ๋ณ€๋ช…์„ ๋Š˜์—ฌ๋†“์ž๋ฉด, ๊ธ€์„ ์“ธ ์‹œ๊ฐ„์— ๊ฐœ๋ฐœ์„ ํ•˜๋‹ค๋ณด๋‹ˆ ๋งŽ์ด ์†์„ ๋ชป๋Œ”์Šต๋‹ˆ๋‹ค. ์˜ค๋Š˜์€ ์ œ ์ƒˆ๋กœ์šด XSS Scanning ๋„๊ตฌ์ธ Dalfox์— ๋Œ€ํ•ด ์ด์•ผ๊ธฐํ•˜๋ ค๊ณ  ํ•ฉ๋‹ˆ๋‹ค.

What is DalFox

It is a tool that analyzes parameters and scans XSS just like the existing XSpear. Most of the key feature of existing specs are inherited, and the new version addresses chronic slow speed and detection issues of detection. Andโ€ฆ there was a big change from Ruby to Go.

๊ธฐ์กด XSpear์™€ ๋™์ผํ•˜๊ฒŒ ํŒŒ๋ผ๋ฏธํ„ฐ๋ฅผ ๋ถ„์„ํ•˜๊ณ  XSS๋ฅผ ์Šค์บ๋‹ํ•˜๋Š” ๋„๊ตฌ์ž…๋‹ˆ๋‹ค. ๊ธฐ์กด ์ŠคํŽ™์˜ ๋Œ€๋‹ค์ˆ˜ ๊ธฐ๋Šฅ์€ ๊ทธ๋Œ€๋กœ ์Šน๊ณ„ํ•˜๊ณ , ๊ณ ์งˆ์ ์ธ ์†๋„ ๋ฌธ์ œ์™€ ํƒ์ง€ ๋ฌธ์ œ๋ฅผ ํ•ด๊ฒฐํ•œ ๋ฒ„์ „์ž…๋‹ˆ๋‹ค. ๊ทธ๋ฆฌ๊ณ . Ruby์—์„œ Go๋กœ ๋ฐ”๋€Œ๋Š” ๋Œ€๋Œ€์  ๋ณ€ํ™”๊ฐ€ ์žˆ์—ˆ๊ตฌ์š”.

This is Key features ๊ฐ€์žฅ ์ค‘์š”ํ•œ ๊ธฐ๋Šฅ์ด ๋˜๋Š” ๋ถ€๋ถ„์€ ์•„๋ž˜์™€ ๊ฐ™์Šต๋‹ˆ๋‹ค.

  • ํŒŒ๋ผ๋ฏธํ„ฐ ๋ถ„์„์— ๋”ฐ๋ฅธ ํŽ˜์ด๋กœ๋“œ ์˜ตํ‹ฐ๋งˆ์ด์ง• (Payload Optimization according to parameter analysis)
  • ์ถ”์ƒํ™”๋ฅผ ํ†ตํ•ด ์ฝ”๋“œ ์‚ฝ์ž… ์œ„์น˜๋ฅผ ๋ถ„์„ํ•˜๊ณ , ์ข…๋ฅ˜์— ๋งž๋Š” ํŽ˜์ด๋กœ๋“œ ์‚ฌ์šฉ (Analyse the location of code insertion through abstraction and use Payload for the type)
  • DOM ๊ธฐ๋ฐ˜ ๊ฒ€์ฆ๋กœ์ง (DOM-based verification logic)
  • Pipeline ์ง€์› (Pipeline support)

(What you see in git is the most accurate.)

Optimazation & Abstraction

Existing XSpear used multiple testing queries, DalFox has a Badchar-based payload verification logic. This selects the query to use for the actual test based on the data obtained from the parameter testing. And we talked about the abstraction concept above, which eventually divides the code into HTML and Script areas, as shown below, identifies the injected location and uses the payload according to the location.

๊ธฐ์กด XSpear๊ฐ€ ๋‹ค์ˆ˜์˜ ํ…Œ์ŠคํŒ… ์ฟผ๋ฆฌ๋ฅผ ์‚ฌ์šฉํ–ˆ๋‹ค๋ฉด, DalFox๋Š” ์ฒ ์ €ํžˆ Badchar ๊ธฐ๋ฐ˜์˜ ํŽ˜์ด๋กœ๋“œ ๊ฒ€์ฆ ๋กœ์ง์„ ๊ฐ€์ง‘๋‹ˆ๋‹ค. ๊ทธ๋ž˜์„œ ํŒŒ๋ผ๋ฏธํ„ฐ ํ…Œ์ŠคํŒ…์—์„œ ์–ป์–ด์ง„ ๋ฐ์ดํ„ฐ๋ฅผ ๊ธฐ๋ฐ˜์œผ๋กœ ์‹ค์ œ ํ…Œ์ŠคํŒ…์— ์‚ฌ์šฉํ•  ์ฟผ๋ฆฌ๋ฅผ ์„ ํƒํ•ฉ๋‹ˆ๋‹ค. ๊ทธ๋ฆฌ๊ณ  ์œ„์—์„œ ์ถ”์ƒํ™” ๊ฐœ๋…์„ ์ด์•ผ๊ธฐํ–ˆ๋Š”๋ฐ, ๊ฒฐ๊ตญ ์•„๋ž˜ ๊ทธ๋ฆผ๊ณผ ๊ฐ™์ด ์ฝ”๋“œ๋ฅผ HTML ์˜์—ญ๊ณผ Script ์˜์—ญ์œผ๋กœ ๋‚˜๋ˆ„๊ณ , ์ธ์ ์…˜๋œ ์œ„์น˜๋ฅผ ํŒŒ์•…ํ•œ ํ›„ ์œ„์น˜์— ๋”ฐ๋ฅธ ํŽ˜์ด๋กœ๋“œ๋ฅผ ์‚ฌ์šฉํ•ฉ๋‹ˆ๋‹ค. (์™œ๋ƒ๋ฉด.. ์‹ค์ œ๋กœ ํ…Œ์ŠคํŒ…ํ• ๋•Œ๋„ javascript ๋‚ด๋ถ€ ์‚ฝ์ž…๋œ ์ฝ”๋“œ์— ํƒˆ์ถœ ๊ตฌ๋ฌธ์„ ์ œ์™ธํ•œ html๋ฅผ ์ž˜ ์‚ฌ์šฉํ•˜์ง„ ์•Š์ฃ )

DalFox checked HTML, Javascript, Attribute

DOM Verify

For XSpear, the Selenium driver has verified that the alert actually occurs. This is a sure way to find it, but calling the headless browser is a very slow task. The system is overloaded, especially if you want to verify a huge number of data.

XSpear์˜ ๊ฒฝ์šฐ Selenium driver๋ฅผ ํ†ตํ•ด ์‹ค์ œ๋กœ alert์ด ๋ฐœ์ƒํ•˜๋Š”์ง€ ๊ฒ€์ฆํ–ˆ์Šต๋‹ˆ๋‹ค. ์ด๋Š” ํ™•์‹คํ•˜๊ฒŒ ์ฐพ์„ ์ˆ˜ ์žˆ๋Š” ๋ฐฉ๋ฒ•์ด์ง€๋งŒ, headless browser๋ฅผ ํ˜ธ์ถœํ•˜๋Š”๊ฑด ๊ต‰์žฅํžˆ ๋Š๋ฆฐ ์ž‘์—…์ž…๋‹ˆ๋‹ค. ํŠนํžˆ๋‚˜ ์—„์ฒญ๋‚˜๊ฒŒ ๋งŽ์€ ์ˆ˜์˜ ๋ฐ์ดํ„ฐ๋ฅผ ๊ฒ€์ฆํ•˜๋ ค๋ฉด ์‹œ์Šคํ…œ์˜ ๊ณผ๋ถ€ํ™”๋„ ๋งŽ์ด ๊ฑธ๋ฆฌ์ฃ .

So at DalFox, we boldly threw away Selenium, and we changed it to a DOM-based verification method. If you think the actual object is inserted, you can think of it as Verify. Verified parameters do not need to be tested further, so the remaining payload queues will be passed(not testing).

๊ทธ๋ž˜์„œ DalFox์—์„  ๊ณผ๊ฐํ•˜๊ฒŒ Selenium์„ ๋ฒ„๋ฆฌ๊ณ , DOM ๊ธฐ๋ฐ˜์œผ๋กœ ๊ฒ€์ฆํ•˜๋Š” ๋ฐฉ์‹์œผ๋กœ ๋ฐ”๊ฟจ์Šต๋‹ˆ๋‹ค. ์‹ค์ œ Object๊ฐ€ ์‚ฝ์ž…๋ฌ๋‹ค๊ณ  ํŒ๋‹จํ•˜๋ฉด Verify๋ฅผ ์ค€๋‹ค๊ณ  ์ƒ๊ฐํ•˜์‹œ๋ฉด ๋ฉ๋‹ˆ๋‹ค. Verify๋œ ํŒŒ๋ผ๋ฏธํ„ฐ๋Š” ์ถ”๊ฐ€๋กœ ๋” ํ…Œ์ŠคํŒ…ํ•  ํ•„์š”๊ฐ€ ์—†์œผ๋‹ˆ ๋‚˜๋จธ์ง€ ํŽ˜์ด๋กœ๋“œ ํ๋Š” ํŒจ์Šคํžˆ๊ตฌ์š”.


On DalFox, I paid a little more attention to the part where I got the factor value (io, file, arg) or log output so that I could fit into the pipeline in general. Basically, scan logging provides a variety of data, such as code views and actual payloads, but print only attack query it out if you with a pipeline option.

DalFox๋กœ ์˜ค๋ฉด์„œ, ์ „๋ฐ˜์ ์œผ๋กœ Pipeline์— ๋ผ์›Œ๋“ค์–ด๊ฐˆ ์ˆ˜ ์žˆ๋„๋ก ์ธ์ž๊ฐ’์„ ๋ฐ›๋Š” ๋ถ€๋ถ„(io, file, arg)์ด๋‚˜ log output ๋ถ€๋ถ„์— ์กฐ๊ธˆ ๋” ์‹ ๊ฒฝ์„ ์ผ์Šต๋‹ˆ๋‹ค. ๊ธฐ๋ณธ์ ์œผ๋กœ ์Šค์บ” ๋กœ๊น…์—์„  Code view๋‚˜ ์‹ค์ œ ํŽ˜์ด๋กœ๋“œ ๋“ฑ ์—ฌ๋Ÿฌ๊ฐ€์ง€ ๋ฐ์ดํ„ฐ๋ฅผ ์ œ๊ณตํ•ด์ฃผ์ง€๋งŒ, pipeline์œผ๋กœ ์ถœ๋ ฅ์„ ํ–ˆ์„ ๊ฒฝ์šฐ์—” ํŽ˜์ด๋กœ๋“œ๋งŒ ์ฐํž ์ˆ˜ ์žˆ๋„๋ก ํ•œ ๋ถ€๋ถ„๋„ ์ด๋Ÿฐ ๊ณ ๋ฏผ์˜ ๊ฒฐ๊ณผ ์ค‘ ํ•˜๋‚˜์ฃ .

So, just simple pipeline tip :D ์•„๋ฌดํŠผ ๊ทธ๋ž˜์„œ.. ์ด์ œ ์•„๋ž˜์™€ ๊ฐ™์€ ํ˜•ํƒœ๋กœ ๋ช…๋ น ๊ตฌ์„ฑ์ด ๊ฐ€๋Šฅํ•ฉ๋‹ˆ๋‹ค.

cat target_list | waybackurls -no-subs | grep "https://" | grep -v "png\|jpg\|css\|js\|gif\|txt" | grep "=" | qsreplace | qsreplace -a | dalfox -pipe -blind


์ž‘๋…„๋ถ€ํ„ฐ ruby=>go๋กœ ๋ฉ”์ธ ์–ธ์–ด๋ฅผ ๋ฐ”๊พธ๊ณ  ์žˆ์—ˆ๊ณ , ๋“œ๋””์–ด ์ œ๊ฐ€ ๊ฐ€์ง„ ๊ฐ€์žฅ ํฐ(์™ธ๋ถ€์— ์˜คํ”ˆ๋œ ๊ฒƒ ์ค‘) ํ”„๋กœ์ ํŠธ๋ฅผ ๋ณ€๊ฒฝํ•˜๊ฒŒ ๋˜์—ˆ๋„ค์š”. ์•„์ง ๋ฒ„๊ทธ๊ฐ€ ๋งŽ์ด ์žˆ๊ฒ ์ง€๋งŒ, ์‚ฌ์šฉํ•ด๋ณด์‹œ๊ณ  ์ข‹์€ ์˜๊ฒฌ์ด๋‚˜ ๋ฒ„๊ทธ๊ฐ€ ์žˆ๋‹ค๋ฉด git issue๋กœ ๋“ฑ๋กํ•ด์ฃผ์„ธ์š”. ๊ทธ๋ฆฌ๊ณ  ๋งˆ์ง€๋ง‰์œผ๋กœ ์ด๋ฆ„์— ๋Œ€ํ•œ ์ด์•ผ๊ธฐ๋ฅผ ํ•˜์ž๋ฉด, DalFox์—์„œ Dal์€ ๋‹ฌ์ž…๋‹ˆ๋‹ค. (and Dal of DalFox is the Korean pronunciation of moon.)

// and Fox = Finder of XSS, Haha happy hacking!