Description:

This page is meant to let people easily showcase XSS flaws that are triggered through POST rather than GET. By linking to this page with the form's parameters in the query string, you get a form built as specified, which lets you show users the XSS flaw.

Usage:

The variables are passed in the query string. Any parameter meant for this script itself, rather than for the form it builds, starts with xss_. The form's target is supplied via the xss_target variable; after that come an ampersand (&) and the rest of the parameters to create. For instance, the following URL:
?xss_target=http://babelfish.altavista.com/tr&doit=done&intl=1&tt=urltext&trtext=This+is+a+test&lp=en_de&btnTrTxt=Translate
would create a form to translate 'This is a test' into German using Altavista's Babelfish.
In that URL, xss_target is the reserved variable, its value (the URL) is the form's target, and each remaining key=value pair becomes a form element: the key is the element's name and the value is the element's value.
Note that xss_note can also be supplied as a variable; its value is simply printed on the page inside a <p> tag, allowing you to leave a note of any kind for whoever views your showcase XSS.
If you want an ampersand in a value without it splitting the variable in two, use %26.

Summary:
xss_target = action attribute of form
xss_note = optional note to reader
any variables not starting with xss_ are form element names, and their values become the elements' values
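As an added example (not the page's own code), here is the query-string convention described above implemented in Python: the split on & happens before percent-decoding (which is why a literal ampersand must be sent as %26), each segment is split on its first = only, xss_* names are kept apart from form fields, and every name and value is HTML-escaped before it is written into the form so the showcase page itself cannot be injected through its own parameters. The target example.invalid and the EDGE_QS query string are constructed for the demonstration; EXAMPLE_QS is the page's own Babelfish example.

```python
import html
from urllib.parse import unquote_plus

RESERVED_PREFIX = "xss_"

# The page's own example URL (query string only) and a constructed edge-case query.
EXAMPLE_QS = ("xss_target=http://babelfish.altavista.com/tr&doit=done&intl=1"
              "&tt=urltext&trtext=This+is+a+test&lp=en_de&btnTrTxt=Translate")
EDGE_QS = ("xss_target=http://example.invalid/post&xss_note=a%26b"
           "&user.name=x%3Dy%26z&k=v=w&q=say+%22hi%22+%3C3&")

def parse_showcase_query(query_string):
    """Split the raw query string the way the page describes: split on '&'
    before percent-decoding (hence %26 for a literal ampersand), split each
    segment on its first '=' only (later '=' stay in the value), and decode
    names ourselves so '.' survives (PHP's $_GET turns it into '_').
    Returns (reserved xss_* params, [(name, value), ...])."""
    reserved, fields = {}, []
    for segment in query_string.split("&"):
        if segment == "":            # trailing '&' or an empty query string
            continue
        name, _, value = segment.partition("=")
        name, value = unquote_plus(name), unquote_plus(value)
        if name.startswith(RESERVED_PREFIX):
            reserved[name] = value   # xss_* is for this script, not the form
        else:
            fields.append((name, value))
    return reserved, fields

def build_form(reserved, fields):
    """Render the POST form.  Every name and value is HTML-escaped with quotes
    included, so hostile input cannot break out of an attribute on this page."""
    action = html.escape(reserved.get("xss_target", ""), quote=True)
    lines = ['<form action="%s" method="post">' % action]
    for name, value in fields:
        n, v = html.escape(name, quote=True), html.escape(value, quote=True)
        lines.append('\t%s: <input type="text" name="%s" value="%s" /><br />' % (n, n, v))
    lines.append('\t<input type="submit" value="Submit" /><br />')
    lines.append("</form>")
    return "\n".join(lines)

def showcase_page(query_string):
    """Optional xss_note paragraph followed by the generated form."""
    reserved, fields = parse_showcase_query(query_string)
    out = ""
    if "xss_note" in reserved:
        out += "<p>Note from XSSer:<br />\n%s</p>\n" % html.escape(reserved["xss_note"])
    return out + build_form(reserved, fields)
```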

What is this?

<?php
// The HTML tags (p, br, form, input, textarea) were lost when this page was extracted
// and are reconstructed here from the surrounding code and the Summary above.

// The form's target is the reserved xss_target parameter.
$target = isset($_GET['xss_target']) ? $_GET['xss_target'] : '';

class form {
    private $target;
    private $inputs = array();

    public function __construct($target) {
        $this->target = htmlentities($target, ENT_QUOTES);
    }

    public function add_input(input $input) {
        array_push($this->inputs, $input);
    }

    private function create_submit_button() {
        return "<input type=\"submit\" value=\"Submit\" />";
    }

    // Not called in the main flow below: inputs are already encoded in their
    // constructor, so calling this would double-encode them.
    public function escape() {
        foreach ($this->inputs as $input) {
            $input->escape();
        }
    }

    public function create_form() {
        $html = "<form action=\"{$this->target}\" method=\"post\">\n";
        foreach ($this->inputs as $input) {
            $html .= "\t{$input->create()}<br />\n";
        }
        $html .= "\t{$this->create_submit_button()}<br />\n";
        $html .= "</form>";
        return $html;
    }
}

class input {
    private $name;
    private $value;
    private $type;
    // A constant for the width of the elements; they're just wide so people can easily read everything in them.
    private $element_width = '80%';

    public function __construct($name, $value, $type = 'text') {
        // urldecode first so %26 becomes a literal &, then encode for safe HTML output.
        $this->name  = htmlentities(urldecode($name), ENT_QUOTES);
        $this->value = htmlentities(urldecode($value), ENT_QUOTES);
        $this->type  = htmlentities(urldecode($type), ENT_QUOTES);
    }

    public function escape() {
        $this->value = htmlentities($this->value, ENT_QUOTES);
        $this->name  = htmlentities($this->name, ENT_QUOTES);
        $this->type  = htmlentities($this->type, ENT_QUOTES);
    }

    public function create() {
        return "{$this->name}: <input type=\"{$this->type}\" name=\"{$this->name}\" value=\"{$this->value}\" style=\"width: {$this->element_width};\" />";
    }
}

if (isset($_GET['xss_note'])) {
    echo "<p>Note from XSSer:<br />\n" . htmlentities($_GET['xss_note']) . "</p>\n";
}

// create a new form, supply target
$frm = new form($target);

// Get the rest of the GETed vars - I have to do this the long way (not using $_GET)
// because PHP likes converting . to _ in the query string.
$params = explode("&", (string) getenv("QUERY_STRING"));
foreach ($params as $pair) {
    if ($pair === '') {
        continue; // empty segment (e.g. a trailing &): nothing to add
    }
    $pair = explode('=', $pair);
    if (strncmp($pair[0], 'xss_', 4) !== 0) { // xss_* variables are reserved for other purposes for this script.
        $key = $pair[0];
        array_shift($pair);
        $value = implode('=', $pair); // There can be an = in the value field too
        $frm->add_input(new input($key, $value));
    }
}

// Create the form
echo $frm->create_form();

// Next we create a textarea so people can easily copy and paste the form's code
?>
<textarea cols="80" rows="10"><?php echo htmlentities($frm->create_form(), ENT_QUOTES); ?></textarea>