WebApp Sec mailing list archives

RE: Execution of Javascript from PERL

From: "Brass, Phil (ISS Atlanta)" <PBrass () iss net>
Date: Thu, 17 Apr 2003 10:52:45 -0400

There are four perl modules available on CPAN related to Javascript:
Data::JavaScript - convert perl objects to JavaScript objects by
generating JS code
Data::JavaScript::LiteObject - same as above, not sure about difference
JavaScript - execute JavaScript from within Perl (XS interface to
Mozilla Spidermonkey JS interpreter)
JavaScript::Toolbox - Objects to render cool JavaScript stuff from your
CGI

The real problem is not getting the JavaScript in the page to execute,
it's getting it to execute in a meaningful context - the browser
provides a large number of functions that client script can call (though
apparently none for examining the server certificate, but that's another
thread), and it provides a bunch of objects that represent the current
frameset.  Most of the functions operate on the object, so you could
write them once probably.  And you would have to write a function that
converts a frameset or page to a DOM object accessible from the context
in which the scripts are run.

Then, you have to go through the page and decide how, when, and with
what parameters to run each script.

Alternately, you might be able to host a browser object (at least on
win32), and get it to do most of the hard work for you.

Good luck!

Phil

-----Original Message-----
From: EEshwar [mailto:eeshwarf () indiatimes com] 
Sent: Thursday, April 17, 2003 6:53 AM
To: webappsec () securityfocus com
Subject: Execution of Javascript from PERL




Hi,



We are developing a tool in PERL to analyze vulnerabilities 
like Cross-

site scripting etc. in web applications. This tool submits 
requests to a 

web application, receives the response, fills up some of the form 

parameters with XSS vulnerable strings and submits a request 
back to the 

application. We are able to this without any problem. However if the 

received response contains some javascript code meant to be 
executed in a 

browser (for dynamically setting the values of parameters to 
be posted 

etc.), we are unable to do a complete analysis. Do we have 
any modules in 

PERL or any way to solve this problem?



Regards,

Eeshwar

Current thread:

Execution of Javascript from PERL EEshwar (Apr 17)
- Re: Execution of Javascript from PERL Alex Russell (Apr 17)
- <Possible follow-ups>
- RE: Execution of Javascript from PERL Brass, Phil (ISS Atlanta) (Apr 17)
  - Re: Execution of Javascript from PERL Martin Eiszner (Apr 17)