A Python script that identifies executed XSS attacks in the eLearning portal ILIAS.
Up to version 5.4.10 of the eLearning portal ILIAS it was possible to execute cross-site scripting attacks (XSS for short): JavaScript code could be placed in different parts of the portal and was executed in the browsers of other users. Following reports from project members in cooperation with the Albstadt-Sigmaringen University of Applied Sciences, the ILIAS community closed these attack vectors in version 5.4.10. See the following references:
ILIAS Patch Version 5.4.10: https://docu.ilias.de/goto_docu_pg_118823_35.html
Explanation of XSS-attacks: https://owasp.org/www-community/attacks/xss/
Note: The script can also be executed successfully in newer versions of 5.4.x. Only the malicious parts are no longer executed in ILIAS.
To use this script, you have to install its dependencies first. This is done with the included requirements file, using Python 3.7 and pip. To do so, run the command pip3 install -r requirements.txt in the folder where the requirements.txt file is placed.
- Python 3.7
- pip
- requirements from requirements.txt
This program searches through the ILIAS database to find potential XSS attacks. The default mode searches the table 'page_object'; the history mode searches the table 'page_history'.
usage: Ilias_XSS_Database_search.py [-h] [--password] [--database DATABASE]
                                    [--database-ip DATABASE_IP]
                                    [--search-all-pages] [--search-history]
                                    [--url URL] [--show-complete-entry]
                                    [--show-only-critical]
                                    [--disable-highlighting] [--quiet]
                                    [--output OUTPUT] [--noOutput]
                                    [--use-date]
                                    [--check-local-users] [--show-md5-only] [--show-passwords]
                                    database_user

optional arguments:
  -h, --help            show this help message and exit

Database options: Specify options to connect to the database
  user                  Set the user to connect to the database
  --password, -p        Enter the password for the user to connect to the
                        database
  --database DATABASE   Set the database for the ILIAS installation. Default:
                        'ilias'
  --database-ip DATABASE_IP
                        Set the database IP address for the ILIAS database.
                        Default: 'localhost'

Search options: Specify options for the database search
  --search-all-pages    Show every possible XSS attempt, even on pages where
                        XSS is not possible (e.g. wiki page)
  --search-history      If set, the program will search through the history
                        instead of the currently active content.
  --check-local-users   Check which users are stored locally in the ILIAS DB
  --show-md5-only       In combination with --check-local-users, show only users
                        whose password is hashed with MD5
  --show-passwords      In combination with --check-local-users and/or --show-md5-only,
                        show users with their password hashes

Output: Set options for the output
  --url URL, -u URL     Set a different URL for the link output.
  --show-complete-entry
                        Prints the whole entry instead of just the HTML tags.
  --show-only-critical  Show only entries with critical keywords, e.g. script,
                        onerror, onload
  --disable-highlighting
                        Disables the console highlighting for critical
                        keywords
  --quiet, -q           Disables the console output
  --output OUTPUT, -o OUTPUT
                        Save the result to a file. Only .csv and .txt are
                        valid extensions!
  --noOutput            Generate no log file. If neither this nor --output is set,
                        a log file is automatically generated in /var/log
  --use-date            Save the result to a file named with the current date.
                        Works with --output to determine the output directory.
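The following is an added, self-contained example of the two checks the options above describe, written for this README and not taken from the project's own script: it flags HTML tags in page content that carry one of the critical keywords (script, onerror, onload), optionally keeps only the critical ones like --show-only-critical, lists local users whose stored password looks like an MD5 digest like --show-md5-only, and serialises the findings as CSV like --output. It works on constructed in-memory rows instead of a live database connection; the MD5 heuristic (a bare 32-hex-digit value) and the sample rows are assumptions, not ILIAS data.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Keywords the README names as critical for XSS (script, onerror, onload).
CRITICAL_KEYWORDS = ("script", "onerror", "onload")

# Any tag with its attributes. Page content from page_object / page_history
# is assumed to be available as a plain string.
TAG_RE = re.compile(r"<[^>]+>")

# Heuristic (assumption): a bare 32-hex-digit value is treated as an MD5 digest.
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


@dataclass(frozen=True)
class Finding:
    page_id: int
    tag: str
    critical: bool


def scan_content(page_id: int, content: str) -> List[Finding]:
    """Return one Finding per tag in a page's content; a tag is critical when
    it contains a critical keyword (case-insensitive)."""
    findings = []
    for tag in TAG_RE.findall(content):
        lowered = tag.lower()
        critical = any(keyword in lowered for keyword in CRITICAL_KEYWORDS)
        findings.append(Finding(page_id, tag, critical))
    return findings


def scan_rows(rows: Iterable[Tuple[int, str]], only_critical: bool = False) -> List[Finding]:
    """Scan (page_id, content) rows; only_critical mimics --show-only-critical."""
    findings = []
    for page_id, content in rows:
        for finding in scan_content(page_id, content):
            if only_critical and not finding.critical:
                continue
            findings.append(finding)
    return findings


def md5_users(users: Iterable[Tuple[str, str]]) -> List[str]:
    """Return logins whose stored password value looks like an MD5 digest
    (mimics --check-local-users --show-md5-only)."""
    return [login for login, stored in users if MD5_RE.match(stored)]


def to_csv(findings: Iterable[Finding]) -> str:
    """Serialise findings as CSV text, the format --output accepts for .csv files."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["page_id", "critical", "tag"])
    for finding in findings:
        writer.writerow([finding.page_id, "yes" if finding.critical else "no", finding.tag])
    return buf.getvalue()


# Constructed sample rows standing in for page_object entries (not real ILIAS data).
SAMPLE_PAGES = [
    (101, "<Paragraph>Welcome to the course</Paragraph>"),
    (102, "<p>Intro</p><img src=x onerror=alert(1)>"),
    (103, '<a href="#">link</a><script>alert(1)</script>'),
]

# Constructed sample user rows as (login, stored password value); not real data.
SAMPLE_USERS = [
    ("admin", "$2y$10$abcdefghijklmnopqrstuv"),          # modern hash format
    ("legacy", "0123456789abcdef0123456789abcdef"),      # looks like MD5
    ("external", ""),                                    # e.g. authenticated elsewhere
]


if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_PAGES, only_critical=True):
        print(f"page {finding.page_id}: {finding.tag}")
    print("MD5 users:", md5_users(SAMPLE_USERS))
    print(to_csv(scan_rows(SAMPLE_PAGES, only_critical=True)))
```

Running the module prints only the critical tags (the `<img ... onerror=...>` tag on page 102 and the `<script>` pair on page 103) plus the one login with an MD5-looking password; the full scan without `only_critical` also returns structural tags such as `<Paragraph>`, which is why a filter like --show-only-critical is useful on a real database.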
Created by: Marius Binal (https://github.com/marius56) and Bastian Buck (https://github.com/bstnbuck)