README for xsstool v1.3
(c) 27-Jun-2007 torh@bogus.net

=> What

Tool for demonstrating cross-site scripting (XSS) attacks. Requires Ruby 1.8.6 or later.

=> Features

- Insanely prototype-grade and very Perl-ish; you can tell I've not written a lot of Ruby before.
- Base64, URL and HTML encoders and decoders.
- Dynamic content (e.g. for demonstration of trojan login pages).
- Simple cookie stealer.

=> How

Start the tool from the command line (./xsstool.rb). You may also want to ensure that the current directory contains the directory "fc"; if it does not, you cannot save your dynamically created content (in-memory access only). You can change where the tool saves this data by changing the $webroot variable within the source. Note that deleting in-memory content does not remove a copy you previously saved to disk.

All dynamic content MUST use alphanumeric characters (a-z, 0-9). Any other character is illegal.

By default, the tool provides a 'splash' screen at the site root. Point your browser at http://localhost:9080/ - this page has a link to the (very sparsely populated) help page. You can remove the / handler (and thus the splash screen) by changing the value of 'dosplash' to 'false' within the source.

Log in to the command interface using the password 'letmein'. You should change this to something more sensible if using this tool in an untrusted environment; change the $password variable accordingly.

If you don't go through the splash screen, try accessing the command interface directly through either of the following URLs:

  http://localhost:9080/xsstool?cmd=help
  https://localhost:9443/xsstool?cmd=help

Sessions are valid for 1800 seconds; any access to the command interface is checked against valid session tokens. Tool interaction is always through the URL /xsstool?; you can change the tool reference from 'xsstool' by changing the $toolref variable. If used in an untrusted environment, you may want to change this.
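The session check described above, as an added example that is not xsstool's own code: a small store that issues random tokens and refuses them once the 1800-second lifetime has elapsed. The class and method names (SessionStore, issue, valid?) are assumed for illustration; the clock is injectable so expiry can be exercised without waiting half an hour.

```ruby
# Added example, not xsstool's own code: session tokens for the command
# interface that expire after the README's 1800-second lifetime.
require 'securerandom'

class SessionStore
  TTL = 1800 # seconds, as stated in the README

  def initialize
    @sessions = {} # token => expiry time (seconds since epoch, Float)
  end

  # Issue a fresh, unguessable token. `now` defaults to the wall clock but
  # can be supplied explicitly (assumed for illustration) to make expiry
  # testable.
  def issue(now = Time.now.to_f)
    token = SecureRandom.hex(16)
    @sessions[token] = now + TTL
    token
  end

  # A token is accepted only if this store issued it and it has not expired.
  # Expired entries are dropped on sight so the table cannot grow unbounded
  # and a stale token can never be revived.
  def valid?(token, now = Time.now.to_f)
    expiry = @sessions[token]
    return false if expiry.nil?
    if now >= expiry
      @sessions.delete(token)
      return false
    end
    true
  end

  # Number of tokens currently held (live or not yet seen as expired).
  def size
    @sessions.size
  end
end

if __FILE__ == $0
  store = SessionStore.new
  t0 = Time.now.to_f
  tok = store.issue(t0)
  puts "issued #{tok}"
  puts "valid after 10 min: #{store.valid?(tok, t0 + 600)}"
  puts "valid after 30 min: #{store.valid?(tok, t0 + TTL = 1800)}"
end
```

A handler for /xsstool?cmd= would look the presented cookie up with valid? before doing anything else; unknown and expired tokens are treated identically so the response does not reveal which case applied.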
Access dynamic content by pointing your browser at http://address:9080/xsstool?dc=

Previously stored content can be accessed using http://address:9080/xsstool?fc=

If you want to create stored content outside of XSS Tool, ensure that the first line in the file defines the Content-Type (e.g. text/html for HTML pages). Look at the default 'test' file provided within the distribution.

The (incomplete) Help link also gives an indication of how to access the static content (i.e. content that is part of the tool source) by using it to obtain a session cookie.

=> To do

- Write a better README.
- Go from prototype to production code.
- Normalise the error codes; they're all over the place.
- Enable editing of content saved to disk.
- Write a functional XSS proxy and associated tools in JavaScript. Ugh.
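The stored-content file format described above (first line is the Content-Type, the rest is the body), as an added example that is not xsstool's own code. It assumes the alphanumeric rule applies to the name passed in fc= and checks that rule before building any path under the webroot, so a request cannot name a file outside it; load_stored_content, demo_webroot and NAME_RE are names invented for this example, and the sample file it writes is constructed data, not the distribution's own 'test' file.

```ruby
# Added example, not xsstool's own code. Reads a stored-content file in the
# format the README describes: first line is the Content-Type, the rest is
# the body served to the browser.
require 'tmpdir'

# README: only a-z and 0-9 are legal. Assumed here to apply to the content
# name (the value of fc=); checking it before any filesystem access is what
# keeps a request from naming a path outside $webroot.
NAME_RE = /\A[a-z0-9]+\z/

# Returns [content_type, body]. Raises ArgumentError for an illegal name,
# a missing file, or a file with no Content-Type line.
def load_stored_content(webroot, name)
  raise ArgumentError, "illegal content name: #{name.inspect}" unless name =~ NAME_RE
  path = File.join(webroot, name)
  raise ArgumentError, "no such content: #{name}" unless File.file?(path)
  lines = File.read(path).lines.to_a
  raise ArgumentError, "empty content file: #{name}" if lines.empty?
  content_type = lines.first.strip
  raise ArgumentError, "missing Content-Type line in #{name}" if content_type.empty?
  body = lines.drop(1).join
  [content_type, body]
end

# Builds a throwaway webroot holding one constructed sample file named 'test',
# laid out as the README describes (sample data for this example only).
def demo_webroot
  dir = Dir.mktmpdir("xsstool-demo")
  File.open(File.join(dir, "test"), "w") do |f|
    f.write("text/html\n<html><body><h1>Stored content works</h1></body></html>\n")
  end
  dir
end

if __FILE__ == $0
  root = demo_webroot
  type, body = load_stored_content(root, "test")
  puts "Content-Type: #{type}"
  puts body
  begin
    load_stored_content(root, "../etc/passwd")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The name check is deliberately a whitelist on the whole string (anchored with \A and \z) rather than a search for "..": anything that is not a lowercase letter or digit is refused, which is exactly the rule the README states.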