WebApp Sec mailing list archives
RE: Execution of Javascript from PERL
From: "Brass, Phil (ISS Atlanta)" <PBrass () iss net>
Date: Thu, 17 Apr 2003 10:52:45 -0400
There are four perl modules available on CPAN related to Javascript: Data::JavaScript - convert perl objects to JavaScript objects by generating JS code Data::JavaScript::LiteObject - same as above, not sure about difference JavaScript - execute JavaScript from within Perl (XS interface to Mozilla Spidermonkey JS interpreter) JavaScript::Toolbox - Objects to render cool JavaScript stuff from your CGI The real problem is not getting the JavaScript in the page to execute, it's getting it to execute in a meaningful context - the browser provides a large number of functions that client script can call (though apparently none for examining the server certificate, but that's another thread), and it provides a bunch of objects that represent the current frameset. Most of the functions operate on the object, so you could write them once probably. And you would have to write a function that converts a frameset or page to a DOM object accessible from the context in which the scripts are run. Then, you have to go through the page and decide how, when, and with what parameters to run each script. Alternately, you might be able to host a browser object (at least on win32), and get it to do most of the hard work for you. Good luck! Phil
-----Original Message----- From: EEshwar [mailto:eeshwarf () indiatimes com] Sent: Thursday, April 17, 2003 6:53 AM To: webappsec () securityfocus com Subject: Execution of Javascript from PERL Hi, We are developing a tool in PERL to analyze vulnerabilities like Cross- site scripting etc. in web applications. This tool submits requests to a web application, receives the response, fills up some of the form parameters with XSS vulnerable strings and submits a request back to the application. We are able to this without any problem. However if the received response contains some javascript code meant to be executed in a browser (for dynamically setting the values of parameters to be posted etc.), we are unable to do a complete analysis. Do we have any modules in PERL or any way to solve this problem? Regards, Eeshwar
Current thread:
- Execution of Javascript from PERL EEshwar (Apr 17)
- Re: Execution of Javascript from PERL Alex Russell (Apr 17)
- <Possible follow-ups>
- RE: Execution of Javascript from PERL Brass, Phil (ISS Atlanta) (Apr 17)
- Re: Execution of Javascript from PERL Martin Eiszner (Apr 17)