We get really excited here at Secure Ideas about sharing knowledge with others. Our mission statement is “Provide the best penetration testing experience possible.” One of the ways we accomplish this is by sharing as much information with our clients about the pentesting process as possible. Walking through attack vectors and mitigation techniques with our clients is a lot of fun, because we get to teach. We love to teach and train people to do what we do, which brings me to the topic of today’s blog: tips on how to start writing your own browser userscripts for use with TamperMonkey or Greasemonkey.
Recently, I found myself in need of a tool to fill out a lot of form inputs in a web application for an API pentest. I’m talking about a lot of inputs, in several pages. Most of the inputs needed to be filled with testing payloads, generally payloads containing data like “testing1” or “fuzzme17”. Some of the inputs needed to be specific to the datatype the form was expecting, like dates. A couple of the inputs were very specific to the API I was testing (think API keys). Being that there were a lot of forms with several inputs per form, I DID NOT want to do this manually. There had to be a better way.
I ended up first looking for a Chrome extension that would do it, but didn’t find any that I liked. There were a few that were made to automatically fill out form inputs, but they didn’t really suit my needs. I asked around, and someone had mentioned userscripts. I had heard of userscripts, but had not actually used nor written any before. Honestly, I needed something to write a blog post about, so I decided that I should write my own tool to do exactly what I needed - autofill in a bunch of different forms with various fuzzing payloads.
Now, for most hackers, coding comes easy. For me, not so much. Anyone that knows me can tell you (because I talk about it ALL THE TIME) that I come from the system administrator side of IT, not the dev side. For those of you who may not get what I’m trying to say, I work with a TON of former developers here, and they’re all world class hackers. I’m a good network hacker because of my former life as a network/sysadmin and helpdesk guru, but when it comes to writing my own tools, or trying to write anything that is more than a few lines of code…well, it takes me about 5x longer than anyone else. I can get there, but I’m just simply not used to writing code all the time.
As I previously said, I work with a bunch of world class hackers and devs, so almost any questions that I have are answered within minutes or even seconds of asking them. Seriously, the Secure Ideas crew are top notch, phenomenal people to work with. So, when I started out the journey to writing my own userscript for this purpose, I googled what I could, and then asked questions. I learned a lot while working through this process, which is why I’m writing this blog post - I want to share some of this information with you, Dear Reader.
So, here are some tips that helped me out when I was working through the userscript I wrote. (And honestly, I’m hoping that it helps me to remember this later when I need to write another one. :D)
- Have a clear plan of what the end goal is - Having a clear idea of what you want out of your userscript (and really, any tool that you write), will help you with writing it. When I first started writing the script, all I knew was that I needed it to fill out forms. The end. Eventually, I realized that there were some other things that I wanted/needed it to do that I hadn’t thought about at first. That’s ok, sometimes you just have to roll with it. It’s virtually impossible to think through all the scenarios you might have, but having a good game plan will help with the writing process.
- Use a good IDE or source code editor - Integrated Development Environments (IDEs) and source code editors have been around for many years. When I started writing code some 20 years ago, I was just using Notepad. And I stuck with that for, well, until I discovered Notepad++ about 10 years ago. I’ve not had a lot of formal training as a developer, so IDEs and editors scared me, primarily because I wasn’t sure how to use them, and there’s a lot to them. Then, Visual Studio Code, aka VS Code, came along. VS Code is a super simple solution to code editing, complete with syntax highlighting, debugging, git functionality, and several other functions built in. It also has an extensive plugin base to add to it. If you’re not familiar with it for writing code, it’s worth checking out.
While I spent many frustrating hours trying to figure out how to write this specific tool for auto filling web forms, I’m happy with how it came out. With that being said, there’s still a lot of work to be done with it, as I want to make it a little more page agnostic, so that it can be used across the board with minimal code editing. Maybe when I get that done, I’ll post more info about what the process was, and how I got the end product.
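For readers who want a starting point, here is a page-agnostic sketch of the kind of form-filling userscript described above. It is an added example, not the script written for the engagement; the `@match` URL, the date and the API key value are constructed placeholders, and the per-field counter that keeps each marker unique is an assumption.

```javascript
// ==UserScript==
// @name         Form autofill sketch (added example)
// @match        https://app.example.test/*
// @grant        none
// @run-at       document-idle
// ==/UserScript==
'use strict';

// Constructed placeholders: the date and API key are not from the original post.
const CONFIG = { prefix: 'fuzzme', date: '2024-01-15', apiKey: 'PLACEHOLDER-API-KEY' };

// Choose a value from the field's type and name; n keeps each marker unique
// so a value seen later in a response can be traced back to one input.
function payloadFor(field, n) {
  const type = (field.type || 'text').toLowerCase();
  const name = (field.name || field.id || '').toLowerCase();
  if (/api[_-]?key/.test(name)) return CONFIG.apiKey;
  switch (type) {
    case 'date': return CONFIG.date;
    case 'datetime-local': return CONFIG.date + 'T12:00';
    case 'number': case 'range': return String(n);
    case 'email': return `${CONFIG.prefix}${n}@example.test`;
    case 'url': return `https://example.test/${CONFIG.prefix}${n}`;
    case 'text': case 'search': case 'tel': case 'password': case 'textarea':
      return `${CONFIG.prefix}${n}`;
    default: return null; // hidden, file, checkbox, submit, ...: leave untouched
  }
}

// Fill every editable field under root; returns [name, value] pairs for your notes.
function fillForm(root) {
  const filled = [];
  let n = 0;
  for (const el of root.querySelectorAll('input, textarea')) {
    if (el.disabled || el.readOnly) continue;
    const value = payloadFor(el, ++n);
    if (value === null) continue;
    el.value = value;
    // A plain .value write fires no events; pages that react to typing expect these.
    el.dispatchEvent(new Event('input', { bubbles: true }));
    el.dispatchEvent(new Event('change', { bubbles: true }));
    filled.push([el.name || el.id, value]);
  }
  return filled;
}

// Only runs in a browser; under Node the functions above can be exercised directly.
if (typeof document !== 'undefined') console.table(fillForm(document));
```

Hidden fields are skipped on purpose so CSRF tokens and similar values survive the fill; some front-end frameworks keep their own copy of field state and may need more than the two events dispatched here.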
Now that you have a little bit of a framework for writing scripts, Go Hack Something Today! (Thanks Ogs!)