Pentesting tool

Sketch- has asked for the wisdom of the Perl Monks concerning the following question:

Hey perlmonks, I finally brought myself to make an account on here as I use it every day. I'm pretty new to perl so please excuse how fail my code is :)

Well anyway I'm working on a tool for my pentests, just to quickly scan url's for cross site scripting vulnerabilities.

It just grabs a list of urls and uses LWP to load it with the XSS payload attached. If the payload is returned on the page without any encoding or filtering it will print out "site is vulnerable".

But I'm getting this wierd error when I run it.

Unsuccessful open on filename containing newline at
[download]

Can anyone help me? Here's the code

#!/usr/bin/perl -w
use LWP::UserAgent;

my $ua = LWP::UserAgent->new();
my $payload = "\"/><h1>XSS</h1>";
my $html;

print "list --> ";
my $list = <>;
open(URLS, $list);
my @list = <URLS>;
close(URLS);

foreach $url(@list)
{
     $html = $ua->get($url.$payload);
     $html = $html->decoded_content;
     if($html =~ m/\<h1\>XSS\<\/h1\>/i)
     {
          print "$url is vulnerable\n";
     }
}
[download]

Comment on Pentesting tool Select or Download Code

Replies are listed 'Best First'.
Re: Pentesting tool by johngg (Canon) on Jul 04, 2011 at 13:13 UTC
Expanding on JavaFan's reply, use chomp to remove the line terminator and also use the three-argument form of open with lexical rather then package filehandles and check whether the open was successful, looking at $OS_ERROR if not. It is also not advisable to have scalars and arrays with the same name as that will only lead to confusion. `... chomp( my $list = <> ); open my $urlsFH, '<', $list or die "open: < $list: $!\n"; my @urls = <$urlsFH>; ...` [download] I hope this is helpful. Cheers, JohnGG	[reply] [d/l]
Re: Pentesting tool by JavaFan (Canon) on Jul 04, 2011 at 12:41 UTC
Exactly what it says. You're reading a name from STDIN, you do not remove a newline, and try to use this as a name of a file to open. Unless you have an actual filename containing such a newline, it's going to fail. And since you're not checking the return value of `open`, you're now presented with a message you don't know where it comes from, and have to come here and ask. Please, next time, help yourself, and check the return value of open.	[reply] [d/l]
Re^2: Pentesting tool by Sketch- (Initiate) on Jul 04, 2011 at 13:10 UTC
Ok thanks and sorry. Also I managed to get it working by using chomp on $list. I'll check the return of open just for educational. purposes though	[reply]
Re^3: Pentesting tool by AnomalousMonk (Archbishop) on Jul 04, 2011 at 16:08 UTC
... I managed to get it working by using chomp on $list. I'm sure you realize this, but just in case: chomp removes a trailing record-separator sequence (newline by default), if present, from a string. I'll check the return of open just for educational. purposes* though [sic] [emphasis added]* To reiterate JavaFan's earnest plea, do yourself an enormous favor and always check the return status of open or any other operation having a 'status' that can be checked! What you will learn is that this practice is a good way to avoid headaches.	[reply]
Re: Pentesting tool by GrandFather (Saint) on Jul 04, 2011 at 20:31 UTC
and because no-one else has mentioned it yet: always use strictures (use strict; use warnings; - see The strictures, according to Seuss). True laziness is hard work	[reply]
Re^2: Pentesting tool by Sketch- (Initiate) on Jul 05, 2011 at 02:49 UTC
Ok thanks everyone, I'll start trying to solve these sorts of problems by returning the error messages and working with that. Also yeah, I used to use strict and warnings but then i kept getting syntax errors when I did. Probably cause my code failed but anyway. Thanks	[reply]
Re^3: Pentesting tool by GrandFather (Saint) on Jul 05, 2011 at 07:26 UTC
Those errors were telling you important stuff. Ignoring anything of that nature that can help resolve issues will make your life much more frustrating rather than less. The 'wierd error' at the heart of your OP is a case in point where you were being provided with exactly the information you needed to diagnose and solve a real problem. I strongly recommend that you reinstate strictures and fix your code to correct any problems they reveal. True laziness is hard work	[reply]
Re^3: Pentesting tool by AnomalousMonk (Archbishop) on Jul 05, 2011 at 20:00 UTC
I used to have a similar problem with my car. Until recently, the oil low-pressure warning indicator would come on whenever I drove my car. This made me anxious. I put a piece of black tape over the indicator and now I never see it come on. I drive my car without a care in the world, but I wonder: Is there anything else I should be considering?	[reply]
Re: Pentesting tool by Anonymous Monk on Jul 04, 2011 at 19:47 UTC
Don't prompt when you can pass arguments :) `#!/usr/bin/perl -- use strict; use warnings; ... Main( @ARGV ); exit( 0 ); sub Main { if( not @_ ){ print "Usage: $0 filenameToOpen\n\n"; } ... }` [download] Read Behind the GUI lives the Shell, perlintro, perlrun, @ARGV	[reply] [d/l]