We get really excited here at Secure Ideas about sharing knowledge with others. Our mission statement is “Provide the best penetration testing experience possible.” One of the ways we accomplish this is by sharing as much information with our clients about the pentesting process as possible. Walking through attack vectors and mitigation techniques with our clients is a lot of fun, because we get to teach. We love to teach and train people to do what we do, which brings me to the topic of today’s blog: tips on how to start writing your own browser userscripts for use with Tampermonkey or Greasemonkey.
Recently, I found myself in need of a tool to fill out a lot of form inputs in a web application during an API pentest. I’m talking about a lot of inputs, across several pages. Most of the inputs needed to be filled with testing payloads, generally payloads containing data like “testing1” or “fuzzme17”. Some of the inputs needed values matching the datatype the form expected, like dates. A couple of the inputs were very specific to the API I was testing (think API keys). Since there were a lot of forms with several inputs per form, I DID NOT want to do this manually. There had to be a better way.
I first looked for a Chrome extension that would do it, but didn’t find any that I liked. There were a few made to automatically fill out form inputs, but they didn’t really suit my needs. I asked around, and someone mentioned userscripts. I had heard of userscripts, but had not actually used or written any before. Honestly, I needed something to write a blog post about, so I decided that I should write my own tool to do exactly what I needed: autofill a bunch of different forms with various fuzzing payloads.
Many of you may be familiar with userscripts, but for those who are not, I’ll elaborate here. I’ve found several different definitions of userscripts online, but I’ll distill them to this: a userscript is code (most often JavaScript) written by the user of a web application to enhance or alter the application to suit the user’s needs. Because it runs inside the page itself, with the same access to the DOM as the application’s own JavaScript, it’s not hard to whip up a little code to make an application do what you want it to. Userscripts are generally used in conjunction with a browser extension like Greasemonkey or Tampermonkey, which re-runs the script automatically on every page matching the script’s header, though for a one-off change the browser’s console works just as quickly and easily. So grab the Greasemonkey or Tampermonkey extension, and find some userscripts that already exist for examples. It’s amazing what can be done with these extensions! One caveat: a userscript runs with full access to whatever page it matches (and, with the right @grant lines, to extension APIs that reach beyond that page), so read any script you pull from a public repository before installing it. I personally prefer Tampermonkey.
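To make this concrete, here is an added example of a Tampermonkey userscript that fuzz-fills forms the way this post describes: generic numbered marker payloads for free-text fields, type-aware values for dates, and a fixed value for an API-key field. It is not the script I wrote for the engagement; the @match URL, the `api_key` field name and its value are assumptions for the example, and the DOM wiring at the bottom is guarded so the payload logic can also be exercised outside a browser.

```javascript
// ==UserScript==
// @name         Fuzz-fill forms (example)
// @namespace    https://example.invalid/userscripts
// @version      0.1
// @description  Fill text-like inputs on the matched pages with fuzzing payloads
// @match        https://target.example/*
// @grant        none
// ==/UserScript==

// Field names that need a fixed, API-specific value instead of a generic
// payload. The name and the value here are assumptions for the example.
const SPECIAL_FIELDS = {
  api_key: "ak_example_0123456789abcdef",
};

// Input types a fuzz-fill should leave alone: they carry no free text, or
// the form (not the tester) controls them.
const SKIP_TYPES = new Set([
  "hidden", "submit", "button", "reset", "image", "checkbox", "radio", "file",
]);

// Pick a payload for one field. `field` only needs .type and .name, so this
// works on real DOM elements and on plain objects alike. Returns null to skip.
function payloadFor(field, n, prefix) {
  const name = (field.name || "").toLowerCase();
  if (Object.prototype.hasOwnProperty.call(SPECIAL_FIELDS, name)) {
    return SPECIAL_FIELDS[name];
  }
  const type = (field.type || "text").toLowerCase();
  if (SKIP_TYPES.has(type)) return null;
  switch (type) {
    case "date":           return "2020-02-29";      // valid ISO date (a leap day)
    case "datetime-local": return "2020-02-29T13:37";
    case "time":           return "13:37";
    case "number":         return String(n);
    case "email":          return `${prefix}${n}@example.com`;
    case "url":            return `https://${prefix}${n}.example/`;
    default:               return `${prefix}${n}`;  // text, search, tel, password, textarea
  }
}

// Fill every field in `fields`. Generic payloads are numbered per call, so
// the same field list always gets the same values, which makes a payload
// easy to trace back to its input. Returns [name, value] pairs for what was filled.
function fillFields(fields, prefix = "fuzzme") {
  const filled = [];
  let n = 1;
  for (const field of fields) {
    const value = payloadFor(field, n, prefix);
    if (value === null) continue;
    field.value = value;
    // Frameworks that track form state (React, Angular, Vue) watch events,
    // not the .value property, so fire the same events a keystroke would.
    if (typeof field.dispatchEvent === "function" && typeof Event === "function") {
      field.dispatchEvent(new Event("input", { bubbles: true }));
      field.dispatchEvent(new Event("change", { bubbles: true }));
    }
    filled.push([field.name || "", value]);
    n += 1;
  }
  return filled;
}

// Browser entry point. Guarded so the functions above can also run outside a page.
if (typeof document !== "undefined") {
  const fields = Array.from(document.querySelectorAll("input, textarea"));
  const filled = fillFields(fields);
  console.log(`fuzz-fill: filled ${filled.length} field(s)`, filled);
}
```

Paste this into a new script in the Tampermonkey dashboard, change the @match line to the application you are testing, and every matching page gets filled on load; the hidden CSRF token and submit buttons are skipped on purpose, and the input/change events are what keep a single-page app from silently discarding the values you just set.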
Now, for most hackers, coding comes easily. For me, not so much. Anyone that knows me can tell you (because I talk about it ALL THE TIME) that I come from the system administrator side of IT, not the dev side. For those of you who may not get what I’m trying to say, I work with a TON of former developers here, and they’re all world-class hackers. I’m a good network hacker because of my former life as a network/sysadmin and helpdesk guru, but when it comes to writing my own tools, or anything longer than a few lines of code…well, it takes me about 5x longer than anyone else. I can get there, but I’m simply not used to writing code all the time.
As I previously said, I work with a bunch of world-class hackers and devs, so almost any question I have is answered within minutes or even seconds of asking it. Seriously, the Secure Ideas crew are top-notch, phenomenal people to work with. So, when I started on the journey of writing my own userscript for this purpose, I googled what I could, and then asked questions. I learned a lot while working through this process, which is why I’m writing this blog post: I want to share some of this information with you, Dear Reader.
So, here are some tips that helped me out when I was working through the userscript I wrote. (And honestly, I’m hoping that it helps me to remember this later when I need to write another one. :D)
While I spent many frustrating hours figuring out how to write this specific tool for auto-filling web forms, I’m happy with how it came out. That said, there’s still a lot of work to be done on it: I want to make it a little more page-agnostic, so that it can be used across the board with minimal code editing. Maybe when I get that done, I’ll post more about the process and how I got to the end product.
Now that you have a little bit of a framework for writing scripts, Go Hack Something Today! (Thanks Ogs!)
Aaron