|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
RE: Execution of Javascript from PERL
From: Brass, Phil (ISS Atlanta) (PBrass
iss.net)
Date: Thu Apr 17 2003 - 09:52:45 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
There are four perl modules available on CPAN related to Javascript:
Data::JavaScript - convert perl objects to JavaScript objects by
generating JS code
Data::JavaScript::LiteObject - same as above, not sure about difference
JavaScript - execute JavaScript from within Perl (XS interface to
Mozilla Spidermonkey JS interpreter)
JavaScript::Toolbox - Objects to render cool JavaScript stuff from your
CGI
The real problem is not getting the JavaScript in the page to execute,
it's getting it to execute in a meaningful context - the browser
provides a large number of functions that client script can call (though
apparently none for examining the server certificate, but that's another
thread), and it provides a bunch of objects that represent the current
frameset. Most of the functions operate on the object, so you could
write them once probably. And you would have to write a function that
converts a frameset or page to a DOM object accessible from the context
in which the scripts are run.
Then, you have to go through the page and decide how, when, and with
what parameters to run each script.
Alternately, you might be able to host a browser object (at least on
win32), and get it to do most of the hard work for you.
Good luck!
Phil
> -----Original Message-----
> From: EEshwar [mailto:eeshwarfindiatimes.com]
> Sent: Thursday, April 17, 2003 6:53 AM
> To: webappsecsecurityfocus.com
> Subject: Execution of Javascript from PERL
>
>
>
>
> Hi,
>
>
>
> We are developing a tool in PERL to analyze vulnerabilities
> like Cross-
>
> site scripting etc. in web applications. This tool submits
> requests to a
>
> web application, receives the response, fills up some of the form
>
> parameters with XSS vulnerable strings and submits a request
> back to the
>
> application. We are able to this without any problem. However if the
>
> received response contains some javascript code meant to be
> executed in a
>
> browser (for dynamically setting the values of parameters to
> be posted
>
> etc.), we are unable to do a complete analysis. Do we have
> any modules in
>
> PERL or any way to solve this problem?
>
>
>
> Regards,
>
> Eeshwar
>
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]