Introduction

After a lot of time and hard work, it’s finally ready. We’re excited to announce our new product: Wingman.

Wingman is a new kind of XSS scanner. We managed to eliminate many false-positive and false-negative issues by designing our methodology from the ground up. Ideal for infosec professionals, bug bounty hunters, and hobbyists.

How we stand out

Context-Awareness

Wingman has context-awareness. That means that Wingman can evaluate many different scenarios and act accordingly. Take the following PHP snippet:

<?php
function sanitize($s) {
    // remove <, ' and "
    return str_replace("<", "", str_replace("'", "", str_replace("\"", "", $s)));
}
?>

<iframe srcdoc='<script>x="<?php echo sanitize($_GET["x"]); ?>"</script>'></iframe>

The essence of the code is this:

  1. Remove <, ' and " from an HTTP GET parameter called “x”.
  2. Reflect the result of the previous step into a script tag within an iframe srcdoc attribute.

The tricky part here is that traditional payloads will not be able to function in this situation. Payloads such as </script><script>alert(1)</script> will not work here, or any alternatives you can pull from lists on GitHub, for that matter.

That is where Wingman stands out:

karelk:standalone karel$ ./wingman -u http://localhost:8080/?x=1 --allow-internal-hosts
[INFO] Proof-Of-Concepts (PoCs):
        1.      Type:   Query
                URL:    http://localhost:8080/?x=%26%2334%3B-alert%26lpar%3B%26rpar%3B-%26%2334%3B
                Payload: &#34;-alert&lpar;&rpar;-&#34;

You can see that it detected the vulnerability and generated a Proof-Of-Concept for it. All while taking context and character limitations into account.
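To make the decoding order concrete, here is an added example in JavaScript. It is our own illustration, not Wingman's code and not part of the PHP snippet above: it mirrors that snippet's sanitize() as naiveSanitize, models the browser's decoding of the srcdoc attribute with a small entity decoder (a subset covering numeric references and the few named ones used here), and contrasts the page's pattern with a context-correct encoder (renderHardened, jsStringLiteral and escapeAttr are assumed names). The point a defender should take away is that the attribute value is entity-decoded before the inner document is parsed, so a filter that only strips raw <, ' and " never sees the characters that matter.

```javascript
// Added example, not Wingman's or the page's own code. It models the three
// nested contexts of the PHP snippet above (HTML attribute -> HTML document
// -> JavaScript string) to show why stripping <, ' and " is not enough
// there, and what a context-correct encoder produces instead.

// Mirror of the page's PHP sanitize(): strips <, ' and " only.
function naiveSanitize(s) {
  return s.replace(/[<'"]/g, "");
}

// Subset of the browser's character-reference decoding of attribute values,
// the step the naive filter never accounts for. Numeric references plus the
// few named ones this example needs; a real parser knows over 2000 names.
const NAMED_REFS = { quot: '"', apos: "'", lt: "<", gt: ">", amp: "&", lpar: "(", rpar: ")" };
function decodeCharRefs(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));/gi, (m, hex, dec, name) => {
    if (hex) return String.fromCodePoint(parseInt(hex, 16));
    if (dec) return String.fromCodePoint(parseInt(dec, 10));
    return Object.prototype.hasOwnProperty.call(NAMED_REFS, name) ? NAMED_REFS[name] : m;
  });
}

// Encoder for HTML attribute context (the srcdoc attribute value).
function escapeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Encoder for a JS string literal inside <script>: JSON.stringify handles
// quotes and backslashes; <, > and & are \u-escaped so neither </script> nor a
// character reference can appear in the output.
function jsStringLiteral(s) {
  return JSON.stringify(s)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026");
}

// The page's vulnerable pattern: filtered input dropped straight into the
// innermost context.
function renderVulnerable(x) {
  return `<iframe srcdoc='<script>x="${naiveSanitize(x)}"</script>'></iframe>`;
}

// Encode inside-out: JS literal first, then attribute-encode the whole inner
// document, because srcdoc is an attribute value.
function renderHardened(x) {
  const inner = `<script>x=${jsStringLiteral(x)}</script>`;
  return `<iframe srcdoc='${escapeAttr(inner)}'></iframe>`;
}

// What the browser actually parses as the iframe's document.
function srcdocDocument(page) {
  const start = page.indexOf("srcdoc='") + "srcdoc='".length;
  const end = page.indexOf("'", start);
  return decodeCharRefs(page.slice(start, end));
}

function scriptBody(doc) {
  const start = doc.indexOf("<script>") + "<script>".length;
  return doc.slice(start, doc.indexOf("</script>", start));
}

// True when the script is exactly x=<one double-quoted JS string literal>.
// An unescaped quote inside the literal means it was terminated early and
// whatever follows runs as code.
function assignmentIsSingleLiteral(js) {
  if (js.length < 4 || !js.startsWith('x="') || !js.endsWith('"')) return false;
  const body = js.slice(3, -1);
  for (let i = 0; i < body.length; i++) {
    if (body[i] === "\\") { i++; continue; }
    if (body[i] === '"') return false;
  }
  return true;
}

// The PoC payload from the scanner output above.
const PAGE_PAYLOAD = "&#34;-alert&lpar;&rpar;-&#34;";

for (const render of [renderVulnerable, renderHardened]) {
  const js = scriptBody(srcdocDocument(render(PAGE_PAYLOAD)));
  console.log(render.name, JSON.stringify(js), assignmentIsSingleLiteral(js) ? "intact" : "broken out");
}
```

Run it with node: the vulnerable render yields a script of x=""-alert()-"" after attribute decoding, while the hardened render yields a single intact literal whose & characters arrive as \u0026 escapes. The general rule it demonstrates is to encode from the innermost context outward, one encoder per layer, rather than to strip characters.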

Dynamic DOM Scanner

A somewhat rare technique we have implemented is taint-sink tracking.

The idea is that you inject a random string into a JavaScript “source” (URL query, window name, anything that a third party can control). We then watch where it ends up, ideally in a sink, and trace it back to the source.

All of this combined with context-awareness and live-scanning allows Wingman to automatically generate Proof-Of-Concepts on the fly:

karelk:standalone karel$ ./wingman -u http://public-firing-range.appspot.com/dom/toxicdom/window/name/eval
[INFO] Proof-Of-Concepts (PoCs):
        1.      Type:   Dom
                URL:    data:text/html,<!-- XSS discovered and PoC generated by Wingman (xsswingman.com) --><script>window.name="alert()";location.href="http:\/\/public-firing-range.appspot.com\/dom\/toxicdom\/window\/name\/eval"</script>
                Payload: alert()
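A minimal model of the taint-sink tracking described above, as an added JavaScript example (our own code, not Wingman's): a random canary is planted in one source, the sinks are wrapped so that any call whose argument carries the canary is recorded with its call stack (which is what leads back to the source), and the characters around the canary at the sink are reported as the context a PoC would have to fit. The browser objects (window, Element) are constructed stand-ins so the code runs in Node; in a real browser the same two hooks would be applied to window.eval and to the innerHTML accessor on Element.prototype. All function names are assumptions.

```javascript
// Added example, not Wingman's code: a minimal model of taint-sink tracking.

// Random and alphanumeric, so a hit is unambiguous and the canary survives
// common encoders; cryptographic strength is not required for this purpose.
function makeCanary() {
  const bytes = globalThis.crypto && globalThis.crypto.getRandomValues
    ? globalThis.crypto.getRandomValues(new Uint8Array(6))
    : Uint8Array.from({ length: 6 }, () => Math.floor(Math.random() * 256));
  return "wm" + Array.from(bytes, b => b.toString(16).padStart(2, "0")).join("");
}

// Wrap a function-valued sink (in a browser: window.eval, document.write, ...).
function hookFunctionSink(obj, prop, canary, hits) {
  const original = obj[prop];
  obj[prop] = function (...args) {
    const idx = args.findIndex(a => typeof a === "string" && a.includes(canary));
    if (idx !== -1) hits.push({ sink: prop, value: args[idx], stack: new Error().stack });
    return original.apply(this, args);
  };
}

// Wrap an accessor sink (in a browser: the innerHTML setter on Element.prototype).
function hookSetterSink(proto, prop, canary, hits) {
  const desc = Object.getOwnPropertyDescriptor(proto, prop);
  Object.defineProperty(proto, prop, {
    configurable: true,
    enumerable: desc.enumerable,
    get: desc.get,
    set(v) {
      if (typeof v === "string" && v.includes(canary)) hits.push({ sink: prop, value: v, stack: new Error().stack });
      desc.set.call(this, v);
    },
  });
}

// Characters on either side of the canary at the sink: the context a PoC
// generator has to respect (here a single-quoted JS string, or a <b> tag).
function contextAround(value, canary, width = 12) {
  const i = value.indexOf(canary);
  const end = i + canary.length;
  return { before: value.slice(Math.max(0, i - width), i), after: value.slice(end, end + width) };
}

// Constructed stand-ins for browser objects so this runs in Node. The page
// script copies window.name into eval() (the firing-range case above) and
// location.hash into innerHTML.
function makeFakePage() {
  const win = { name: "", location: { hash: "" }, eval: code => code.length };
  class Element {
    constructor() { this.html = ""; }
    get innerHTML() { return this.html; }
    set innerHTML(v) { this.html = v; }
  }
  const runPageScript = () => {
    win.eval("var greeting = '" + win.name + "'");
    new Element().innerHTML = "<b>" + win.location.hash.slice(1) + "</b>";
  };
  return { win, Element, runPageScript };
}

// Plant the canary in one source, run the page, report where it surfaced.
function scan(plant) {
  const page = makeFakePage();
  const canary = makeCanary();
  const hits = [];
  hookFunctionSink(page.win, "eval", canary, hits);
  hookSetterSink(page.Element.prototype, "innerHTML", canary, hits);
  plant(page.win, canary);
  page.runPageScript();
  return hits.map(h => ({ sink: h.sink, ...contextAround(h.value, canary), stack: h.stack }));
}

const viaWindowName = (win, c) => { win.name = c; };
const viaLocationHash = (win, c) => { win.location.hash = "#" + c; };

for (const plant of [viaWindowName, viaLocationHash]) {
  for (const h of scan(plant)) console.log(`${plant.name} -> ${h.sink}: ...${h.before}[canary]${h.after}...`);
}
```

Each source is tested on its own so that a hit maps to exactly one source; the recorded stack trace is what turns "the canary reached eval" into "this line of page script moved it there". Wrapping the sink rather than searching the DOM afterwards is what catches values that are executed and never rendered.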

Live Scanning

Another feature is the ability to launch a Google Chrome session and scan while browsing. URLs and HTML Forms are automatically submitted back to Wingman for scanning purposes.

This mode will also log JavaScript sink calls to the terminal.

Sink logging could have aided in finding the famous Google Search DOM XSS.

What to expect

Something we pride ourselves on is our constant desire to do better. We aim to cover as many edge cases as possible while remaining reliable.

Things we already have on our product roadmap at the time of writing:

  • Burp Extension
  • Extended functionality for aided (live) scanning
  • Support for additional JavaScript sinks

Scan types

Wingman supports multiple scanning options out-of-the-box. Any scan can be explicitly excluded if needed. Below you can find an overview of every type we have at the moment.

Query

Scan every URL parameter.

http://example.com/?x=1&y=2

x and y will be scanned

http://example.com/

The URL has no parameters and will be ignored

Path

Scan the URL path on every level.

http://example.com/

Trailing directory will be scanned

http://example.com/x/

/x/ and trailing directory will be scanned

Body

Scan every HTTP POST body with an application/x-www-form-urlencoded Content-Type (HTML forms).

POST /reflected/parameter/form HTTP/1.1
Host: public-firing-range.appspot.com
Content-Length: 56
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Connection: close

q=123

q will be scanned

DOM

Perform dynamic analysis on all executed JavaScript on the targeted endpoint.

Supported platforms

Operating System    64-bit    32-bit
Windows             Yes       Yes
MacOS               Yes       No
Linux               Yes       Yes

Getting started

Sign up for free and get started within a couple of minutes. Find the installation guide here or on your dashboard.

Demo