Untrusted Data Report

Attack Surface has a report feature accessible through the Print Untrusted Data Report button at the bottom of the main window. When you click this button, you'll be presented with a dialog which you will use to choose a directory where the report will be generated. You can access the report through the index.html file which will be created in the directory you selected.

The purpose of the report is to persist the data you can access through the Attack Surface interface. Here is a screen shot of index.html:

The left-hand frame contains a Table of Contents and the right-hand frame is for displaying the content. When first loaded, index.html displays the Untrusted Data page. This page provides a listing of all the untrusted data (URL Parameters, Form Parameters, Cookies, and Headers) that Attack Surface has gathered. Each row has a single value in the Name column, but the Value column contains a list which displays all the values associated with that name, regardless of type (where type is URL Parameter, Form Parameter, Cookie, or Header). The table can be sorted by either column by clicking on the header for the desired column. If you are interested in more information about a given name or value, you can click on it to drill down. If you click on a name, like JSESSIONID, you'll see a table similar to the following:

Here we see a table which displays every value associated with the JSESSIONID name. The table has columns for the Value, the Type of data, and the URL representing the request that this value came from.

Let's now click on a value in this table:

This table only displays three rows because there are only three requests that have untrusted data containing this exact value. If we were to click on the JSESSIONID name, we'd be brought back to the page from the previous screen shot.

Let's next explore the Request Body Report, which is a bullet under Untrusted Data in the Table of Contents frame.

This page displays all the requests which have a body size greater than zero bytes. There is only one page listed and its body is of little interest, so we'll skip to the next page (if this had been a file upload request, there would be more interesting data).

The next page is the Potential XSS Report:

The documentation for the interface containing the Potential XSS tab demonstrates how you might use Attack Surface to find XSS vulnerabilities. Here, we just explore what the report looks like. At the top, it lists the untrusted values that appear as values of either URL Parameters, Form Parameters, Cookies, or Headers, but also appear in the body of a response. Below that, for each value in the first table, we have a pair of corresponding tables. The first table in each pair lists the requests and the untrusted data that contains a potential XSS value. The values in the Name and URL columns are hyperlinked so you can drill down further. The second table in each pair is a list of responses that contain that potential XSS value.
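As an added illustration (not Attack Surface's own code), the following Python sketches how the Untrusted Data table described earlier and the Potential XSS table described here can be derived from captured traffic. The `Exchange` record, the sample exchanges and the `min_len` threshold are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Exchange:  # assumed record shape: one captured request/response pair
    url: str
    params: dict      # URL Parameters
    form: dict        # Form Parameters
    cookies: dict
    headers: dict
    response_body: str

KINDS = ("URL Parameter", "Form Parameter", "Cookie", "Header")

def untrusted_entries(ex):
    """Yield (name, value, type, url) for every untrusted datum in one request."""
    for kind, bag in zip(KINDS, (ex.params, ex.form, ex.cookies, ex.headers)):
        for name, value in bag.items():
            yield name, value, kind, ex.url

def untrusted_data_table(exchanges):
    """Name -> all values seen under that name, regardless of type."""
    table = defaultdict(set)
    for ex in exchanges:
        for name, value, _, _ in untrusted_entries(ex):
            table[name].add(value)
    return {name: sorted(vals) for name, vals in table.items()}

def potential_xss(exchanges, min_len=4):
    """Untrusted values that also appear verbatim in some response body.
    Returns value -> ([(name, type, url) sources], [reflecting response URLs]).
    min_len is an assumed filter so very short values do not match by chance."""
    sources = defaultdict(list)
    for ex in exchanges:
        for name, value, kind, url in untrusted_entries(ex):
            if len(value) >= min_len:
                sources[value].append((name, kind, url))
    report = {}
    for value, origins in sources.items():
        hits = [ex.url for ex in exchanges if value in ex.response_body]
        if hits:
            report[value] = (origins, hits)
    return report

SAMPLE = [  # constructed sample traffic, not real captured data
    Exchange("http://app.test/search?q=hello123", {"q": "hello123"}, {},
             {"JSESSIONID": "abc123def"}, {}, "<p>Results for hello123</p>"),
    Exchange("http://app.test/login", {}, {"user": "alice", "JSESSIONID": "abc123def"},
             {"JSESSIONID": "abc123def"}, {"User-Agent": "ua-test"}, "<p>Welcome alice</p>"),
    Exchange("http://app.test/profile", {}, {}, {"JSESSIONID": "zzz999"}, {}, "<p>ok</p>"),
]
```

Running `potential_xss(SAMPLE)` flags `hello123` and `alice` as reflected, while the session cookie value never appears in a body and is not reported.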

Let's now click on a link in the URL column. The result will be a page of Request / Response Details:

Hopefully this page is self-explanatory, but for the sake of completeness, here is a second screen shot of the same page, scrolled to the bottom.

This displays the response in its raw form as well as rendered (responses with content types other than text/html or application/html will not have much to render).

Next we'll take a look at the Table of Contents' URL Tree page:

This page displays all the paths that Attack Surface is aware of in one tree. There is no specific approach to finding vulnerabilities using this page, but a web site presented in this manner may have some advantages over the flat tables of Burp and ZAP.

Lastly, we'll look at the Requests / Responses page. This page lists all the request / response objects:

Clicking on the URL link will allow you to drill down into an individual request / response. Screen shots of a request / response page have already been shown above.