Description:

This page lets you showcase XSS flaws that are triggered by POST requests rather than GET. By linking to this page and passing variables in the query string, you get a form built to your specification that demonstrates the flaw to whoever follows the link.

Usage:

The variables are passed in the query string. Any parameter meant for this script rather than for the form starts with xss_. The form's target is supplied via the xss_target variable; after it comes an ampersand (&) and then the remaining parameters, each of which becomes a form element. For instance, the following URL:

?xss_target=http://babelfish.altavista.com/tr&doit=done&intl=1&tt=urltext&trtext=This+is+a+test&lp=en_de&btnTrTxt=Translate

would create a form that translates 'This is a test' into German using AltaVista's Babelfish.

In that URL, xss_target is the script's own variable, the URL that follows it is the form's target, the remaining keys are the form elements' names and their values are the values of those elements.

Note that xss_note can also be supplied as a variable; its value is printed on the page inside a <p> tag, so you can leave a note of any kind for whoever views your showcased XSS.

If you want an ampersand inside a value without it splitting the parameter in two, encode it as %26.

Summary:

xss_target = action attribute of form

xss_note = optional note to reader

any variable not starting with xss_ is a form element name, and its value is that element's value

Surviving fragments of the script's PHP source (the rest was lost when the page was extracted):

```php
".htmlentities($_GET['xss_note'])."
escape(); echo $frm->create_form() ?> <script> document.forms[0].submit() </script>
"; foreach ($this->inputs as $input) { $html .= "\t{$input->create()}
"; } $html .= "\t{$this->create_submit_button()}
"; $html .= "
```
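A minimal version of the form builder described under Usage, written here as an added example and not the original script's code. The http(s)-only check on xss_target is my addition, and every reflected value is escaped with htmlspecialchars so the showcase page cannot itself become a reflected-XSS vector:

```php
<?php
// Added example: builds the showcase form from the query string.
// Request it as ?xss_target=http://host/path&key=value&... (PHP decodes
// %26 for you, and note that PHP turns '.' and ' ' in parameter names
// into '_' when filling $_GET).

function h(string $s): string {
    // Escape for both element content and quoted attribute values.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Split $_GET into the script's own parameters (xss_*) and the form fields.
function split_params(array $get): array {
    $own = [];
    $fields = [];
    foreach ($get as $key => $value) {
        if (is_array($value)) {
            continue; // ignore key[]=... style input, one value per field
        }
        if (strncmp($key, 'xss_', 4) === 0) {
            $own[$key] = $value;
        } else {
            $fields[$key] = $value;
        }
    }
    return [$own, $fields];
}

// Render the form: action from xss_target, one hidden input per field.
// Only http(s) targets are accepted, so a javascript: URL cannot be
// placed in the action attribute through the query string.
function build_form(array $own, array $fields): string {
    $target = $own['xss_target'] ?? '';
    if (!preg_match('#^https?://#i', $target)) {
        return "<p>xss_target missing or not an http(s) URL</p>\n";
    }
    $html = '<form method="post" action="' . h($target) . '">' . "\n";
    foreach ($fields as $name => $value) {
        $html .= "\t<input type=\"hidden\" name=\"" . h($name)
               . "\" value=\"" . h($value) . "\">\n";
    }
    $html .= "\t<input type=\"submit\" value=\"Submit\">\n</form>\n";
    return $html;
}

[$own, $fields] = split_params($_GET);
if (isset($own['xss_note'])) {
    echo '<p>' . h($own['xss_note']) . "</p>\n";
}
echo build_form($own, $fields);
```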