Burp XSS Scanner插件开发思路与实现详解<\/h1>

0x00 前言<\/h2>

Burp Suite虽然自带XSS检测功能，但其Payload和检测数量不可控。本文介绍如何开发一款自定义Burp XSS检测插件，主要特点包括：<\/p>

对每个参数只需发送一次Payload即可检测分隔符逃逸<\/li>
支持DOM XSS检测<\/li>

使用Java HtmlUnit进行页面渲染分析<\/li> <\/ul>

0x01 检测思路概述<\/h2>

发送包含'"<><\/code>特殊字符的HTTP请求<\/li>
分析响应中这些字符的过滤情况<\/li>
对于HTML和JS内容XSS可直接分析响应<\/li>

对于DOM XSS需要使用HtmlUnit渲染页面并hook关键JS函数<\/li>
<\/ol>
0x02 HTML-Content XSS检测<\/h2>
基本原理<\/h3>
通过分析响应中特殊字符的过滤情况，判断是否存在XSS漏洞。<\/p>
HtmlUnit的自动修正问题<\/h3>
HtmlUnit会自动修正错误的HTML语法，这会影响检测结果：<\/p>
测试案例1<\/strong>：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>$url =<\/span> $_GET['url'<\/span>];
<\/span><\/span>echo<\/span> "TTT`
<\/span><\/span><\/span>
<\/span><\/span><\/span>渲染后结果：
<\/span><\/span><\/span>```html
<\/span><\/span><\/span><html>
<\/span><\/span><\/span> <head\/>
<\/span><\/span><\/span> <body>
<\/span><\/span><\/span>  
<\/span><\/span><\/span><\/html>
<\/span><\/span><\/span><\/code><\/pre>解决方案<\/strong>：<\/p>

闭合前面的标签：test.php?url='"\/>TTT'"<>TTT<\/code><\/li>
使用标签包裹Payload：test.php?url='"\/><TTT'"TTT><\/code><\/li>
<\/ul>
过滤情况检测<\/h3>
当某些字符被过滤时（如<<\/code>、><\/code>、"<\/code>被替换），可采用以下策略：<\/p>

使用未被过滤的字符（如单引号'<\/code>）<\/li>
观察HtmlUnit如何处理修正后的标签<\/li>
<\/ol>
过滤案例<\/strong>：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>$url =<\/span> $_GET['url'<\/span>];
<\/span><\/span>$url =<\/span> str_replace<\/span>("<"<\/span>,"00"<\/span>,$url);
<\/span><\/span>$url =<\/span> str_replace<\/span>(">"<\/span>,"11"<\/span>,$url);
<\/span><\/span>$url =<\/span> str_replace<\/span>("<\/span>\"<\/span>"<\/span>,"22"<\/span>,$url);
<\/span><\/span>echo<\/span> "`
<\/span><\/span><\/span>
<\/span><\/span><\/span>结果：
<\/span><\/span><\/span>```html
<\/span><\/span><\/span>
<\/span><\/span><\/span><\/code><\/pre>检测逻辑总结<\/h3>

检查是否能逃逸当前分隔符<\/li>
根据HtmlUnit的修正行为调整Payload<\/li>
使用正则匹配判断可利用性<\/li>
<\/ol>
0x03 JS-Content XSS检测<\/h2>
基本原理<\/h3>
JS上下文中的XSS检测相对简单，因为错误的JS语法不会被自动修正。<\/p>
测试案例<\/strong>：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>$url =<\/span> $_GET['url'<\/span>];
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><script>var a = <?php echo $url;?><\/script>
<\/span><\/span><\/span><\/code><\/pre>Payload：test.php?url=000111"'<TTT'"TTT><\/code><\/p>
响应：<\/p>
<html<\/span>>
<\/span><\/span> <head<\/span>>
<\/span><\/span>  <script<\/span>>\/\/<![CDATA[<\/span>
<\/span><\/span>var a = "000111"'<TTT<\/span>'"<\/span>TTT<\/span>>script>
<\/span><\/span> <\/head<\/span>>
<\/span><\/span> <body<\/span>\/>
<\/span><\/span><\/html<\/span>>
<\/span><\/span><\/code><\/pre>检测方法<\/h3>

使用正则表达式匹配Payload中的特殊模式<\/li>
判断是否能逃逸当前分隔符（如引号、分号）<\/li>
<\/ol>
正则示例<\/strong>：<\/p>

匹配标签：<ttt(.*?)'"ttt(.*?)><\/code><\/li>
逃逸分号检测：'(.*?)ttt(ttt(.*?)'<\/code><\/li>
<\/ul>
0x04 DOM XSS检测<\/h2>
检测挑战<\/h3>
DOM XSS需要通过JS执行才能发现，传统响应分析无法检测：<\/p>

document.write<\/code><\/li>
innerHTML<\/code><\/li>
eval<\/code><\/li>
location<\/code>相关操作<\/li>
setTimeout\/setInterval<\/code><\/li>
<\/ul>
解决方案：JS函数Hook<\/h3>
通过修改返回报文，Hook关键JS函数来监控可疑操作。<\/p>
实现技术<\/h4>

继承FalsifyingWebConnection<\/code>类修改响应<\/li>
在响应中添加Hook代码<\/li>
<\/ol>
核心代码结构<\/strong>：<\/p>
public<\/span> class<\/span> WebConnectionListener<\/span> extends<\/span> FalsifyingWebConnection {<\/span>
<\/span><\/span>    public<\/span> WebConnectionListener<\/span>(<\/span>WebClient webClient)<\/span> throws<\/span> IllegalArgumentException {<\/span>
<\/span><\/span>        super<\/span>(<\/span>webClient);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> WebResponse getResponse<\/span>(<\/span>WebRequest request)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>        WebResponse response =<\/span> super<\/span>.<\/span>getResponse<\/span>(<\/span>request);<\/span>
<\/span><\/span>        \/\/ 修改响应内容
<\/span><\/span><\/span><\/span>        return<\/span> createWebResponse(...);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>关键函数Hook实现<\/h4>

eval函数Hook<\/strong>：<\/li>
<\/ol>
var<\/span> _eval<\/span> =<\/span> eval;
<\/span><\/span>window.eval =<\/span> function<\/span>(string<\/span>) {
<\/span><\/span>    append<\/span>("eval"<\/span>,string<\/span>);
<\/span><\/span>    _eval<\/span>(string<\/span>);
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>
setTimeout Hook<\/strong>：<\/li>
<\/ol>
var<\/span> _setTimeout<\/span> =<\/span> setTimeout<\/span>;
<\/span><\/span>window.setTimeout<\/span> =<\/span> function<\/span>(code<\/span>,millisec<\/span>) {
<\/span><\/span>    append<\/span>("settimeout"<\/span>,code<\/span>);
<\/span><\/span>    _setTimeout<\/span>(code<\/span>,millisec<\/span>);
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>
location操作Hook<\/strong>：<\/li>
<\/ol>

location.href<\/code>赋值：<\/li>
<\/ul>
location<\/span>.__defineSetter__<\/span>('href'<\/span>, function<\/span>(url<\/span>) {
<\/span><\/span>    append<\/span>("location"<\/span>,url<\/span>);
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>
location.replace<\/code>调用：<\/li>
<\/ul>
var<\/span> _replace<\/span> =<\/span> function<\/span>(url<\/span>){
<\/span><\/span>    append<\/span>("location.replace"<\/span>,url<\/span>);
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>
location直接赋值<\/strong>：

通过修改响应报文，将location = "xss"<\/code>转换为location.href = "xss"<\/code><\/li>
<\/ol>
结果收集<\/h4>
添加自定义append<\/code>函数收集检测结果：<\/p>
function<\/span> append<\/span>(type<\/span>,payload<\/span>){
<\/span><\/span>    if<\/span>(payload<\/span>.indexOf<\/span>("111000"<\/span>)>-<\/span>1<\/span>) {
<\/span><\/span>        var<\/span> para<\/span>=<\/span>document.createElement<\/span>("p"<\/span>);
<\/span><\/span>        var<\/span> node<\/span>=<\/span>document.createTextNode<\/span>(type<\/span> +<\/span> payload<\/span>);
<\/span><\/span>        para<\/span>.appendChild<\/span>(node<\/span>);
<\/span><\/span>        var<\/span> element<\/span>=<\/span>document.getElementsByTagName<\/span>("html"<\/span>)[0<\/span>];
<\/span><\/span>        element<\/span>.appendChild<\/span>(para<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>0x05 完整实现要点<\/h2>

HtmlUnit配置<\/strong>：<\/li>
<\/ol>
WebClient webClient =<\/span> new<\/span> WebClient();<\/span>
<\/span><\/span>webClient.<\/span>getOptions<\/span>().<\/span>setJavaScriptEnabled<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>webClient.<\/span>getOptions<\/span>().<\/span>setCssEnabled<\/span>(<\/span>false<\/span>);<\/span>
<\/span><\/span>webClient.<\/span>getOptions<\/span>().<\/span>setUseInsecureSSL<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>webClient.<\/span>getOptions<\/span>().<\/span>setThrowExceptionOnScriptError<\/span>(<\/span>false<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>
页面渲染与捕获<\/strong>：<\/li>
<\/ol>
try<\/span> {<\/span>
<\/span><\/span>    HtmlPage page =<\/span> webClient.<\/span>getPage<\/span>(<\/span>url);<\/span>
<\/span><\/span>    System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>page.<\/span>asXml<\/span>());<\/span>
<\/span><\/span>}<\/span> catch<\/span> (<\/span>ScriptException e)<\/span> {<\/span>
<\/span><\/span>    System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>e.<\/span>getFailingLine<\/span>());<\/span>
<\/span><\/span>    System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>e.<\/span>getPage<\/span>().<\/span>asXml<\/span>());<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
Payload设计<\/strong>：<\/li>
<\/ol>

包含可识别的标记（如"TTT"）<\/li>
包含所有特殊字符（'"<><\/code>）<\/li>
适应HtmlUnit的自动修正特性<\/li>
<\/ul>
0x06 检测流程总结<\/h2>

发送包含特殊字符的Payload<\/li>
对响应进行三种检测：

HTML上下文检测<\/li>
JS上下文检测<\/li>
DOM型XSS检测（通过函数Hook）<\/li>
<\/ul>
<\/li>
分析结果并报告漏洞<\/li>
<\/ol>
0x07 扩展思路<\/h2>

增加更多上下文检测（如CSS、URL上下文）<\/li>
完善Payload生成策略<\/li>
添加更多JS函数Hook（如setInterval<\/code>、innerHTML<\/code>等）<\/li>
优化结果分析逻辑，减少误报<\/li>
<\/ol>
通过这种自定义插件开发，可以实现比Burp自带功能更灵活、更全面的XSS检测能力，特别是对DOM XSS的检测能力显著提升。<\/p>

Burp XSS Scanner插件开发思路与实现详解<\/h1>

0x02 HTML-Content XSS检测<\/h2>

基本原理<\/h3> 通过分析响应中特殊字符的过滤情况，判断是否存在XSS漏洞。<\/p>

0x03 JS-Content XSS检测<\/h2>

0x04 DOM XSS检测<\/h2>

解决方案：JS函数Hook<\/h3> 通过修改返回报文，Hook关键JS函数来监控可疑操作。<\/p>

基本原理<\/h3>
通过分析响应中特殊字符的过滤情况，判断是否存在XSS漏洞。<\/p>

解决方案：JS函数Hook<\/h3>
通过修改返回报文，Hook关键JS函数来监控可疑操作。<\/p>