Introduction
After a lot of time and hard work, it’s finally ready. We’re excited to announce our new product: Wingman.
Wingman is a new kind of XSS scanner. We managed to eliminate many false-positive and false-negative issues by designing our methodology from the ground up. Ideal for infosec professionals, bug bounty hunters, and hobbyists.
How we stand out
Context-Awareness
Wingman has context-awareness. That means that Wingman can evaluate many different scenarios and act accordingly. Take the following PHP snippet:
```php
<?php
function sanitize($s) {
    // remove <, ' and "
    return str_replace("<", "", str_replace("'", "", str_replace("\"", "", $s)));
}
?>
<iframe srcdoc='<script>x="<?php echo sanitize($_GET["x"]); ?>"</script>'></iframe>
```
The essence of the code is this:
- Remove `<`, `'` and `"` from an HTTP GET parameter called "x".
- Reflect the result of the previous step into a script tag within an iframe `srcdoc` attribute.
The tricky part here is that traditional payloads cannot function in this situation. Payloads such as `</script><script>alert(1)</script>` will not work here, and neither will any of the alternatives you can pull from lists on GitHub, for that matter.
That is where Wingman stands out:
```
karelk:standalone karel$ ./wingman -u http://localhost:8080/?x=1 --allow-internal-hosts
[INFO] Proof-Of-Concepts (PoCs):
1. Type: Query
   URL: http://localhost:8080/?x=%26%2334%3B-alert%26lpar%3B%26rpar%3B-%26%2334%3B
   Payload: "-alert()-"
```
You can see that it detected the vulnerability and generated a Proof-Of-Concept for it, all while taking context and character limitations into account.
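To show why the strip-based sanitizer fails in this nested context and what a context-aware encoder looks like instead, here is an added Python model of the browser's attribute-decode-then-script-parse sequence. It is not Wingman's code and not from the original post; `render`, `script_source` and `assigned_value` are assumed helpers for the illustration, and the inputs are constructed.

```python
import html
import json

# Model of the PHP snippet above: sanitize() mirrors its str_replace chain and
# render() mirrors the single-quoted srcdoc attribute wrapping a <script>.
def sanitize(s):
    return s.replace("<", "").replace("'", "").replace('"', "")

def render(x, encoder):
    return "<iframe srcdoc='<script>x=" + encoder(x) + "</script>'></iframe>"

def vulnerable_encoder(x):
    # As on the page: the stripped value is dropped between two literal quotes.
    return '"' + sanitize(x) + '"'

def hardened_encoder(x):
    # Context-aware, inside out: JSON-encode for the JS string context, with
    # <, > and & escaped so the inner document's HTML parser never sees them,
    # then HTML-encode for the attribute context. Each layer is decoded once.
    js = json.dumps(x)
    js = js.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")
    return html.escape(js, quote=True)

def script_source(page):
    # What the browser does: take the srcdoc attribute value, entity-decode it
    # (attribute values are decoded before the inner document is parsed), then
    # return the text of the inner <script> element up to its end tag.
    start = page.index("srcdoc='") + len("srcdoc='")
    inner = html.unescape(page[start:page.index("'", start)])
    body = inner.index("<script>") + len("<script>")
    return inner[body:inner.index("</script>", body)]

def assigned_value(page):
    # The string assigned to x if the script still reads as a single JSON
    # string literal, or None if untrusted input broke out of the literal.
    src = script_source(page)
    if not src.startswith("x="):
        return None
    try:
        value = json.loads(src[2:])
    except ValueError:
        return None
    return value if isinstance(value, str) else None

if __name__ == "__main__":
    # Constructed inputs: the entity payload from the scan output above and a
    # classic tag-breaking payload that the strip-based filter does catch.
    for p in ("&#34;-alert&lpar;&rpar;-&#34;", "</script><script>alert(1)</script>"):
        for enc in (vulnerable_encoder, hardened_encoder):
            print(enc.__name__, repr(script_source(render(p, enc))), assigned_value(render(p, enc)))
```

With the page's sanitizer the entity payload decodes to `x=""-alert()-""` and is no longer a single string literal, while the hardened encoder keeps both inputs as data.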
Dynamic DOM Scanner
A somewhat rare technique we have implemented is taint-sink tracking.
The idea is that you inject a random string into a JavaScript "source" (URL query, window name, anything that can be controlled by a third party). We then see where it ends up, hopefully in a sink, and track it back to the source.
All of this combined with context-awareness and live-scanning allows Wingman to automatically generate Proof-Of-Concepts on the fly:
```
karelk:standalone karel$ ./wingman -u http://public-firing-range.appspot.com/dom/toxicdom/window/name/eval
[INFO] Proof-Of-Concepts (PoCs):
1. Type: Dom
   URL: data:text/html,<!-- XSS discovered and PoC generated by Wingman (xsswingman.com) --><script>window.name="alert()";location.href="http:\/\/public-firing-range.appspot.com\/dom\/toxicdom\/window\/name\/eval"</script>
   Payload: alert()
```
Live Scanning
Another feature is the ability to launch a Google Chrome session and scan while browsing. URLs and HTML Forms are automatically submitted back to Wingman for scanning purposes.
This mode also logs JavaScript sink calls to the terminal.
Sink logging could have aided in finding the famous Google Search DOM XSS.
What to expect
Something we pride ourselves in is our constant desire to do better. We aim to cover as many edge cases as possible while remaining reliable.
Things we already have on our product roadmap at the time of writing:
- Burp Extension
- Extended functionality for aided (live) scanning
- Support for additional JavaScript sinks
Scan types
Wingman supports multiple scanning options out of the box. Any scan type can be explicitly excluded if needed. Below you can find an overview of every type we have at the moment.
Query
Scan every URL parameter.
- http://example.com/?x=1&y=2: `x` and `y` will be scanned
- http://example.com/: URL will be ignored
Path
Scan the URL path on every level.
- http://example.com/: trailing directory will be scanned
- http://example.com/x/: `/x/` and trailing directory will be scanned
Body
Scan every HTTP POST body with an application/x-www-form-urlencoded Content-Type (HTML forms).
```
POST /reflected/parameter/form HTTP/1.1
Host: public-firing-range.appspot.com
Content-Length: 56
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Connection: close

q=123
```
`q` will be scanned
DOM
Perform dynamic analysis on all executed JavaScript on the targeted endpoint.
Supported platforms
Operating System | 64-bit | 32-bit |
---|---|---|
Windows | Yes | Yes |
MacOS | Yes | No |
Linux | Yes | Yes |
Getting started
Sign up for free and get started within a couple of minutes. Find the installation guide here or on your dashboard.