Sunday, December 4, 2011

Chrome Extension for Easy XSS Insertion

I decided to venture into the world of Chrome extension-making this week. Surprisingly, it was extremely simple to make a basic extension. Getting the extension to interact with the actual code on the page (such as getting the element ID) was a bit more difficult, but it only took a few hours to get working.

Before I could create an extension, I needed an idea, so I decided to make an XSS and MySQL injection snippet manager. It's a fairly basic but potentially useful little extension that adds a menu to Chrome's right-click context menu. When a user right-clicks on a text box, the menu appears, allowing the user to select from a variety of popular XSS attack scripts. When they click one, it's added to the text box, and the user can then submit the form and see if the site is vulnerable.

I am only advocating the use of this extension for testing web applications that you own. Do not use this on any other sites. Most of the XSS scripts come from http://ha.ckers.org/xss.html (with permission), an excellent XSS resource.

Download Link: http://matthewdfuller.com/content/WebSec_Toolbox_Chrome_Extension.crx


Screenshot: