XSStrike/core/dom.py

import re

from core.colors import red, end, yellow


def dom(response):
    highlighted = []
    sources = r'''document\.(URL|documentURI|URLUnencoded|baseURI|cookie|referrer)|location\.(href|search|hash|pathname)|window\.name|history\.(pushState|replaceState)(local|session)Storage'''
    sinks = r'''eval|evaluate|execCommand|assign|navigate|getResponseHeaderopen|showModalDialog|Function|set(Timeout|Interval|Immediate)|execScript|crypto.generateCRMFRequest|ScriptElement\.(src|text|textContent|innerText)|.*?\.onEventName|document\.(write|writeln)|.*?\.innerHTML|Range\.createContextualFragment|(document|window)\.location'''
    scripts = re.findall(r'(?i)(?s)<script[^>]*>(.*?)</script>', response)
    sinkFound, sourceFound = False, False
    for script in scripts:
        script = script.split('\n')
        num = 1
        try:
            for newLine in script:
                line = newLine
                parts = line.split('var ')
                controlledVariables = set()
                allControlledVariables = set()
                if len(parts) > 1:
                    for part in parts:
                        for controlledVariable in allControlledVariables:
                            if controlledVariable in part:
                                controlledVariables.add(re.search(r'[a-zA-Z$_][a-zA-Z0-9$_]+', part).group().replace('$', '\$'))
                pattern = re.finditer(sources, newLine)
                for grp in pattern:
                    if grp:
                        source = newLine[grp.start():grp.end()].replace(' ', '')
                        if source:
                            if len(parts) > 1:
                               for part in parts:
                                    if source in part:
                                        controlledVariables.add(re.search(r'[a-zA-Z$_][a-zA-Z0-9$_]+', part).group().replace('$', '\$'))
                                        sourceFound = True
                            line = line.replace(source, yellow + source + end)
                for controlledVariable in controlledVariables:
                    allControlledVariables.add(controlledVariable)
                for controlledVariable in allControlledVariables:
                    matches = list(filter(None, re.findall(r'\b%s\b' % controlledVariable, line)))
                    if matches:
                        line = re.sub(r'\b%s\b' % controlledVariable, yellow + controlledVariable + end, line)
                pattern = re.finditer(sinks, newLine)
                for grp in pattern:
                    if grp:
                        sink = newLine[grp.start():grp.end()].replace(' ', '')
                        if sink:
                            line = line.replace(sink, red + sink + end)
                            sinkFound = True
                if line != newLine:
                    highlighted.append('%-3s %s' % (str(num), line.lstrip(' ')))
                num += 1
        except MemoryError:
            pass
    if sinkFound and sourceFound:
        return highlighted
    else:
        return []
Add files via upload 2018-10-27 18:58:52 +05:30			`import re`
Fixed HTML comment context handling + Refactor 2018-11-15 15:41:01 +05:30
Add files via upload 2018-10-27 18:58:52 +05:30			`from core.colors import red, end, yellow`

Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30
Update dom.py 2018-11-12 12:59:31 +05:30			`def dom(response):`
Add files via upload 2018-10-27 18:58:52 +05:30			`highlighted = []`
Fixed variables parsing, better highlighting 2019-01-12 09:39:46 +05:30			`sources = r'''document\.(URL\|documentURI\|URLUnencoded\|baseURI\|cookie\|referrer)\|location\.(href\|search\|hash\|pathname)\|window\.name\|history\.(pushState\|replaceState)(local\|session)Storage'''`
			`sinks = r'''eval\|evaluate\|execCommand\|assign\|navigate\|getResponseHeaderopen\|showModalDialog\|Function\|set(Timeout\|Interval\|Immediate)\|execScript\|crypto.generateCRMFRequest\|ScriptElement\.(src\|text\|textContent\|innerText)\|.?\.onEventName\|document\.(write\|writeln)\|.?\.innerHTML\|Range\.createContextualFragment\|(document\|window)\.location'''`
Add files via upload 2019-04-06 20:45:10 +05:30			`scripts = re.findall(r'(?i)(?s)<script[^>]>(.?)</script>', response)`
dom scanning hotfix 2019-04-19 10:17:35 +05:30			`sinkFound, sourceFound = False, False`
Fixed variables parsing, better highlighting 2019-01-12 09:39:46 +05:30			`for script in scripts:`
			`script = script.split('\n')`
			`num = 1`
			`try:`
			`for newLine in script:`
			`line = newLine`
			`parts = line.split('var ')`
			`controlledVariables = set()`
			`allControlledVariables = set()`
			`if len(parts) > 1:`
treat all user controlled variables as sources 2018-12-31 04:34:59 +05:30			`for part in parts:`
Fixed variables parsing, better highlighting 2019-01-12 09:39:46 +05:30			`for controlledVariable in allControlledVariables:`
			`if controlledVariable in part:`
			`controlledVariables.add(re.search(r'[a-zA-Z$_][a-zA-Z0-9$_]+', part).group().replace('$', '\$'))`
			`pattern = re.finditer(sources, newLine)`
			`for grp in pattern:`
			`if grp:`
			`source = newLine[grp.start():grp.end()].replace(' ', '')`
			`if source:`
			`if len(parts) > 1:`
			`for part in parts:`
			`if source in part:`
			`controlledVariables.add(re.search(r'[a-zA-Z$_][a-zA-Z0-9$_]+', part).group().replace('$', '\$'))`
dom scanning hotfix 2019-04-19 10:17:35 +05:30			`sourceFound = True`
Fixed variables parsing, better highlighting 2019-01-12 09:39:46 +05:30			`line = line.replace(source, yellow + source + end)`
			`for controlledVariable in controlledVariables:`
			`allControlledVariables.add(controlledVariable)`
			`for controlledVariable in allControlledVariables:`
			`matches = list(filter(None, re.findall(r'\b%s\b' % controlledVariable, line)))`
			`if matches:`
			`line = re.sub(r'\b%s\b' % controlledVariable, yellow + controlledVariable + end, line)`
			`pattern = re.finditer(sinks, newLine)`
			`for grp in pattern:`
			`if grp:`
			`sink = newLine[grp.start():grp.end()].replace(' ', '')`
			`if sink:`
			`line = line.replace(sink, red + sink + end)`
dom scanning hotfix 2019-04-19 10:17:35 +05:30			`sinkFound = True`
Fixed variables parsing, better highlighting 2019-01-12 09:39:46 +05:30			`if line != newLine:`
			`highlighted.append('%-3s %s' % (str(num), line.lstrip(' ')))`
			`num += 1`
			`except MemoryError:`
			`pass`
dom scanning hotfix 2019-04-19 10:17:35 +05:30			`if sinkFound and sourceFound:`
Add files via upload 2019-04-08 13:48:44 +05:30			`return highlighted`
			`else:`
			`return []`