The idea
Most modern applications (ab)use JavaScript to build client-side logic. The code is spread across JavaScript files and inline script tags and can total thousands of lines of code.
The idea is to run static analysis on every JavaScript file intercepted by the proxy and mark the security-sensitive code sections for review.
Developing the rules
A grep-like scanner would have limited value. For this reason, Mozilla Rhino was chosen to do the JavaScript parsing. With a real parser it is possible to write more intelligent rules that eliminate some false positives. For example, the identification of innerHTML usage was the first rule developed.
The following line could be an exploitable XSS:
element.innerHTML = "XSS here ->" + value + "";
While the following line doesn't need to be reviewed:
element.innerHTML += "Static content";
The first example will trigger an alert while the second one is ignored because it only assigns static content.
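The rule above (flag an innerHTML sink only when its right-hand side is not built purely from string literals) can be illustrated with a small standalone checker. The code below is an added example, not rhinauditor's own implementation: the post's tool walks a Rhino AST, whereas this version uses a minimal hand-written tokenizer so it runs with plain Node.js. The names auditInnerHtml, isStaticRhs and tokenize, and the SAMPLE source, are constructed for the example.

```javascript
// Constructed sample source: the two lines from the post plus two extra cases.
const SAMPLE = `
element.innerHTML = "XSS here ->" + value + "";
element.innerHTML += "Static content";
el.innerHTML = 'a' + "b";
el.innerHTML = location.hash;
`;

// Tokenize one JavaScript statement into a flat list of {type, value}.
// Dotted member chains (element.innerHTML) are kept as a single 'ident' token,
// which is enough to recognise the sink on the left-hand side.
function tokenize(stmt) {
  const tokens = [];
  let i = 0;
  while (i < stmt.length) {
    const ch = stmt[i];
    if (/\s/.test(ch)) { i++; continue; }
    if (ch === '"' || ch === "'" || ch === '`') {
      // String literal: consume up to the matching unescaped quote.
      let j = i + 1;
      while (j < stmt.length && stmt[j] !== ch) {
        if (stmt[j] === '\\') j++;   // skip the escaped character
        j++;
      }
      // Template literals may contain ${...}, so they are not treated as static.
      tokens.push({ type: ch === '`' ? 'template' : 'string', value: stmt.slice(i, j + 1) });
      i = j + 1;
      continue;
    }
    if (/[A-Za-z_$]/.test(ch)) {
      let j = i;
      while (j < stmt.length && /[A-Za-z0-9_$.]/.test(stmt[j])) j++;
      tokens.push({ type: 'ident', value: stmt.slice(i, j) });
      i = j;
      continue;
    }
    if (/[0-9]/.test(ch)) {
      let j = i;
      while (j < stmt.length && /[0-9.]/.test(stmt[j])) j++;
      tokens.push({ type: 'number', value: stmt.slice(i, j) });
      i = j;
      continue;
    }
    // Operators and punctuation; "+=" is a single token.
    if (ch === '+' && stmt[i + 1] === '=') { tokens.push({ type: 'op', value: '+=' }); i += 2; continue; }
    tokens.push({ type: 'op', value: ch });
    i++;
  }
  return tokens;
}

// A right-hand side is static when it is string literals joined only by '+'.
function isStaticRhs(tokens) {
  return tokens.length > 0 && tokens.every((t, idx) =>
    idx % 2 === 0 ? t.type === 'string' : (t.type === 'op' && t.value === '+'));
}

// Scan source line by line (one statement per line is assumed for the example)
// and return the innerHTML assignments whose value is not fully static.
function auditInnerHtml(source) {
  const findings = [];
  source.split('\n').forEach((line, n) => {
    const stmt = line.trim().replace(/;\s*$/, '');
    if (!stmt) return;
    const tokens = tokenize(stmt);
    const [lhs, op] = tokens;
    if (!lhs || lhs.type !== 'ident' || !lhs.value.endsWith('.innerHTML')) return;
    if (!op || op.type !== 'op' || (op.value !== '=' && op.value !== '+=')) return;
    if (!isStaticRhs(tokens.slice(2))) {
      findings.push({ line: n + 1, code: line.trim() });
    }
  });
  return findings;
}

// Usage: lists the dynamic sinks (lines 2 and 5 of SAMPLE) and skips the static ones.
console.log(auditInnerHtml(SAMPLE));
```

Running it flags `"XSS here ->" + value + ""` and `location.hash` while ignoring the two literal-only assignments. This is the distinction a plain grep for `innerHTML` cannot make; an AST walk (as Rhino provides) extends the same idea to expressions that span lines, function calls and variables whose value is itself a constant.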
Screenshots
[Screenshot: ZAP plugin]
[Screenshot: Burp Pro plugin]
Try it yourself
The respective plugins are available to download at https://github.com/h3xstream/rhinauditor#downloads.
Note: the plugins are in an alpha stage.
Doing your own passive rules
With ZAP, you need to implement a PluginPassiveScanner to analyse the response content. [sample]
With the Burp API, you need to implement IScannerCheck. [sample]