Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: RE: Execution of Javascript from PERL

RE: Execution of Javascript from PERL

From: Brass, Phil (ISS Atlanta) <PBrass_at_iss.net>
Date: Thu, 17 Apr 2003 10:52:45 -0400

There are four perl modules available on CPAN related to Javascript:
Data::JavaScript - convert perl objects to JavaScript objects by
generating JS code
Data::JavaScript::LiteObject - same as above, not sure about difference
JavaScript - execute JavaScript from within Perl (XS interface to
Mozilla Spidermonkey JS interpreter)
JavaScript::Toolbox - Objects to render cool JavaScript stuff from your
CGI

The real problem is not getting the JavaScript in the page to execute,
it's getting it to execute in a meaningful context - the browser
provides a large number of functions that client script can call (though
apparently none for examining the server certificate, but that's another
thread), and it provides a bunch of objects that represent the current
frameset. Most of the functions operate on the object, so you could
write them once probably. And you would have to write a function that
converts a frameset or page to a DOM object accessible from the context
in which the scripts are run.

Then, you have to go through the page and decide how, when, and with
what parameters to run each script.

Alternately, you might be able to host a browser object (at least on
win32), and get it to do most of the hard work for you.

Good luck!

Phil

> -----Original Message-----
> From: EEshwar [mailto:eeshwarf_at_indiatimes.com]
> Sent: Thursday, April 17, 2003 6:53 AM
> To: webappsec_at_securityfocus.com
> Subject: Execution of Javascript from PERL
>
>
>
>
> Hi,
>
>
>
> We are developing a tool in PERL to analyze vulnerabilities
> like Cross-
>
> site scripting etc. in web applications. This tool submits
> requests to a
>
> web application, receives the response, fills up some of the form
>
> parameters with XSS vulnerable strings and submits a request
> back to the
>
> application. We are able to this without any problem. However if the
>
> received response contains some javascript code meant to be
> executed in a
>
> browser (for dynamically setting the values of parameters to
> be posted
>
> etc.), we are unable to do a complete analysis. Do we have
> any modules in
>
> PERL or any way to solve this problem?
>
>
>
> Regards,
>
> Eeshwar
>
Received on Apr 17 2003

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos