StaticBurp – Burp Suite potential DOM XSS Analysis
19 July, 2012 by ethicalhack3r

A few weeks ago I had an idea.

When I get ideas that I think have something worthwhile in them, I note them down for future reference.

The three main points to get this working were:

  • Take Burp response body.
  • Extract JavaScript.
  • Perform Taint Analysis.

The first step was to somehow extract HTML responses from Burp Suite. Luckily someone had already written a Ruby Burp extender called Buby, and I followed this awesome series of blog posts to get myself acquainted with Buby.

The next step is to extract the JavaScript from the HTML responses; this is quite trivial to do with the Nokogiri Ruby gem.

The third step is to analyse the extracted JavaScript for Sinks, Sources and Securing functions (Taint Analysis). This was the hard part, for me at least: finding this information proved difficult, and although I did find some data, in the end this is where I stopped pursuing my idea.

So today Michele “antisnatchor” Orru’ posted a blog post titled ‘Enumerate potential DOM-based XSS vulnerable code’, in which Michele uses a regular expression originally written by Mario “.mario” Heiderich to find JavaScript Sinks and Sources.

In my original plan I had intended to use Dynamic Taint Analysis, which would have comprised arrays of Sinks, Sources and Securing functions. However, the regular expression route is much easier, as the work has already been done for us by Mario. :)

StaticBurp ALPHA (it’s had limited testing and was written during my lunch break) can be found here:

http://pastie.org/4283545

To run it, first install Buby. Then I used the following command:

jruby -S buby -i -B /pentest/web/burpsuite/burpsuite_v1.4.01.jar -r Desktop/StaticBurp.rb

As Michele states in his blog post, the output will need manual verification; it will probably produce a lot of false negatives and false positives. For now it is better than nothing.
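As an added illustration of the extract-then-triage pipeline above (this is not the StaticBurp code), the Ruby snippet below pulls inline scripts out of a constructed HTML response and flags each script line that mentions a DOM XSS source or sink. It uses a plain regex instead of Nokogiri so it needs only the standard library, and its source/sink patterns are an illustrative subset written for this example, not Mario's regex; the only real guarantee is the same as the post's: hits still need manual verification.

```ruby
# Added example, not the StaticBurp code: the extraction + regex triage step
# of the pipeline in the post, using only the Ruby standard library.
# Script extraction is a plain regex here; the post's tool uses Nokogiri.
# The source/sink patterns are an illustrative subset, not Mario's regex.

# Values an attacker can influence from the URL, referrer or cookie (subset).
SOURCES = /\b(location(\.(href|search|hash|pathname))?|document\.(URL|documentURI|referrer|cookie)|window\.name)\b/

# Calls or assignments that turn a string into code or markup (subset).
# The (?!=) keeps "x.innerHTML == y" comparisons from being flagged.
SINKS = /\b(eval|setTimeout|setInterval|Function|document\.write(ln)?)\s*\(|\.(innerHTML|outerHTML|src|href)\s*\+?=(?!=)/

# Constructed sample response standing in for a Burp response body.
SAMPLE_RESPONSE = <<~HTML
  <html><head><title>demo</title>
  <script src="/static/app.js"></script>
  <script>
    var q = location.hash.substring(1);
    document.getElementById("out").innerHTML = "Hello " + q;
    setTimeout("greet('" + document.cookie + "')", 10);
    var n = parseInt(document.title.length, 10);
  </script></head><body><div id="out"></div></body></html>
HTML

# Return the body of every <script> element (external ones yield "").
def extract_scripts(html)
  html.scan(%r{<script\b[^>]*>(.*?)</script>}mi).flatten
end

# Flag each script line that mentions a source and/or a sink. A line that
# hits both is the strongest candidate for manual review.
def analyse(html)
  findings = []
  extract_scripts(html).each_with_index do |js, i|
    js.each_line.with_index(1) do |line, n|
      source = line.match?(SOURCES)
      sink   = line.match?(SINKS)
      next unless source || sink
      findings << { script: i, line: n, source: source, sink: sink, code: line.strip }
    end
  end
  findings
end

analyse(SAMPLE_RESPONSE).each do |f|
  tag = [f[:source] && "SOURCE", f[:sink] && "SINK"].compact.join("+")
  puts format("%-11s script %d line %d: %s", tag, f[:script], f[:line], f[:code])
end
```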

5 Responses

1. Looks to be pretty goddamn awesome.

   As always, you gotta start small and think big and take it one step at a time.

   The first step is there. :)

   Comment posted on July 19, 2012 at 14:05:58 BST


2. There is a JavaScript Static Analysis engine built into IronWASP. But it’s a prototype and quite raw at the moment. I would be rewriting the engine as a standalone project so that you can use it from within Burp or ZAP. Might be of some use to your add-on.

   Comment posted on July 25, 2012 at 05:47:32 BST

3. Ryan

   @lava: That sounds awesome!

   Comment posted on July 29, 2012 at 17:51:05 BST

4. sai

   Hi
   Can you kindly verify the pastebin link and post a new link where I can find your code. Thanks in advance :)

   Comment posted on December 29, 2012 at 10:19:29 BST

5. Ryan

   It can now be found here: https://github.com/ethicalhack3r/StaticBurp

   Comment posted on December 29, 2012 at 18:33:16 BST
