XSStrike/core/utils.py

import json
import random
import re
from urllib.parse import urlparse

import core.config
from core.config import xsschecker


def converter(data, url=False):
    if 'str' in str(type(data)):
        if url:
            dictized = {}
            parts = data.split('/')[3:]
            for part in parts:
                dictized[part] = part
            return dictized
        else:
            return json.loads(data)
    else:
        if url:
            url = urlparse(url).scheme + '://' + urlparse(url).netloc
            for part in list(data.values()):
                url += '/' + part
            return url
        else:
            return json.dumps(data)


def counter(string):
    string = re.sub(r'\s|\w', '', string)
    return len(string)


def closest(number, numbers):
    difference = [abs(list(numbers.values())[0]), {}]
    for index, i in numbers.items():
        diff = abs(number - i)
        if diff < difference[0]:
            difference = [diff, {index: i}]
    return difference[1]


def fillHoles(original, new):
    filler = 0
    filled = []
    for x, y in zip(original, new):
        if int(x) == (y + filler):
            filled.append(y)
        else:
            filled.extend([0, y])
            filler += (int(x) - y)
    return filled


def stripper(string, substring, direction='right'):
    done = False
    strippedString = ''
    if direction == 'right':
        string = string[::-1]
    for char in string:
        if char == substring and not done:
            done = True
        else:
            strippedString += char
    if direction == 'right':
        strippedString = strippedString[::-1]
    return strippedString


def extractHeaders(headers):
    headers = headers.replace('\\n', '\n')
    sorted_headers = {}
    matches = re.findall(r'(.*):\s(.*)', headers)
    for match in matches:
        header = match[0]
        value = match[1]
        try:
            if value[-1] == ',':
                value = value[:-1]
            sorted_headers[header] = value
        except IndexError:
            pass
    return sorted_headers


def replaceValue(mapping, old, new, strategy=None):
    """
    Replace old values with new ones following dict strategy.

    The parameter strategy is None per default for inplace operation.
    A copy operation is injected via strateg values like copy.copy
    or copy.deepcopy

    Note: A dict is returned regardless of modifications.
    """
    anotherMap = strategy(mapping) if strategy else mapping
    if old in anotherMap.values():
        for k in anotherMap.keys():
            if anotherMap[k] == old:
                anotherMap[k] = new
    return anotherMap


def getUrl(url, GET):
    if GET:
        return url.split('?')[0]
    else:
        return url


def extractScripts(response):
    scripts = []
    matches = re.findall(r'(?s)<script.*?>(.*?)</script>', response.lower())
    for match in matches:
        if xsschecker in match:
            scripts.append(match)
    return scripts


def randomUpper(string):
    return ''.join(random.choice((x, y)) for x, y in zip(string.upper(), string.lower()))


def flattenParams(currentParam, params, payload):
    flatted = []
    for name, value in params.items():
        if name == currentParam:
            value = payload
        flatted.append(name + '=' + value)
    return '?' + '&'.join(flatted)


def genGen(fillings, eFillings, lFillings, eventHandlers, tags, functions, ends, badTag=None):
    vectors = []
    r = randomUpper  # randomUpper randomly converts chars of a string to uppercase
    for tag in tags:
        if tag == 'd3v' or tag == 'a':
            bait = xsschecker
        else:
            bait = ''
        for eventHandler in eventHandlers:
            # if the tag is compatible with the event handler
            if tag in eventHandlers[eventHandler]:
                for function in functions:
                    for filling in fillings:
                        for eFilling in eFillings:
                            for lFilling in lFillings:
                                for end in ends:
                                    if tag == 'd3v' or tag == 'a':
                                        if '>' in ends:
                                            end = '>'  # we can't use // as > with "a" or "d3v" tag
                                    breaker = ''
                                    if badTag:
                                        breaker = '</' + r(badTag) + '>'
                                    vector = breaker + '<' + r(tag) + filling + r(
                                        eventHandler) + eFilling + '=' + eFilling + function + lFilling + end + bait
                                    vectors.append(vector)
    return vectors


def getParams(url, data, GET):
    params = {}
    if '=' in url:
        data = url.split('?')[1]
        if data[:1] == '?':
            data = data[1:]
    elif data:
        if getVar('jsonData') or getVar('path'):
            params = data
        else:
            try:
                params = json.loads(data.replace('\'', '"'))
                return params
            except json.decoder.JSONDecodeError:
                pass
    else:
        return None
    if not params:
        parts = data.split('&')
        for part in parts:
            each = part.split('=')
            try:
                params[each[0]] = each[1]
            except IndexError:
                params = None
    return params


def writer(obj, path):
    kind = str(type(obj)).split('\'')[0]
    if kind == 'list' or kind == 'tuple':
        obj = '\n'.join(obj)
    elif kind == 'dict':
        obj = json.dumps(obj, indent=4)
    savefile = open(path, 'w+')
    savefile.write(str(obj.encode('utf-8')))
    savefile.close()


def reader(path):
    with open(path, 'r') as f:
        result = [line.rstrip(
                    '\n').encode('utf-8').decode('utf-8') for line in f]
    return result

def js_extractor(response):
    """Extract js files from the response body"""
    scripts = []
    matches = re.findall(r'<(?:script|SCRIPT).*?(?:src|SRC)=([^\s>]+)', response)
    for match in matches:
        match = match.replace('\'', '').replace('"', '').replace('`', '')
        scripts.append(match)
    return scripts


def handle_anchor(parent_url, url):
    if parent_url.count('/') > 2:
        replacable = re.search(r'/[^/]*?$', parent_url).group()
        if replacable != '/':
            parent_url = parent_url.replace(replacable, '')
    scheme = urlparse(parent_url).scheme
    if url[:4] == 'http':
        return url
    elif url[:2] == '//':
        return scheme + ':' + url
    elif url[:1] == '/':
        return parent_url + url
    else:
        if parent_url.endswith('/') or url.startswith('/'):
            return parent_url + url
        else:
            return parent_url + '/' + url


def deJSON(data):
    return data.replace('\\\\', '\\')


def getVar(name):
    return core.config.globalVariables[name]

def updateVar(name, data, mode=None):
    if mode:
        if mode == 'append':
            core.config.globalVariables[name].append(data)
        elif mode == 'add':
            core.config.globalVariables[name].add(data)
    else:
        core.config.globalVariables[name] = data

def isBadContext(position, non_executable_contexts):
    badContext = ''
    for each in non_executable_contexts:
        if each[0] < position < each[1]:
            badContext = each[2]
            break
    return badContext

def equalize(array, number):
    if len(array) < number:
        array.append('')
Verbose switch, Fixes #71, Fixes #93 2018-11-13 12:43:47 +05:30			`import json`
Add files via upload 2018-10-27 18:58:52 +05:30			`import random`
Fixed HTML comment context handling + Refactor 2018-11-15 15:41:01 +05:30			`import re`
URL rewriting support 2018-11-22 13:43:25 +05:30			`from urllib.parse import urlparse`
Fixed HTML comment context handling + Refactor 2018-11-15 15:41:01 +05:30
added counter and jsonize function 2018-11-22 01:47:04 +05:30			`import core.config`
Fixed HTML comment context handling + Refactor 2018-11-15 15:41:01 +05:30			`from core.config import xsschecker`
Verbose switch, Fixes #71, Fixes #93 2018-11-13 12:43:47 +05:30
Logging functionality (#193) * Add files via upload * Add files via upload * Logging functionality (Resolves #146) * Created customized logger and setup file * Start replacing prints * Custom StreamHandler to allow '\r' as line terminator and updated more prints * Remove setup.py * Logger functionality to write red lines and records without format * Possibility to set logging level when logging without format and usage of debug level instead of verboseOutput * Replace utils logger function calls * Fixes * Import missing info color * Move xsstrike.py imports to properly initialize loggers and add logger method to debug data using json * Minor fix 2019-01-21 04:57:55 +05:30
URL rewriting support 2018-11-22 13:43:25 +05:30			`def converter(data, url=False):`
added counter and jsonize function 2018-11-22 01:47:04 +05:30			`if 'str' in str(type(data)):`
URL rewriting support 2018-11-22 13:43:25 +05:30			`if url:`
			`dictized = {}`
			`parts = data.split('/')[3:]`
			`for part in parts:`
			`dictized[part] = part`
			`return dictized`
			`else:`
			`return json.loads(data)`
added counter and jsonize function 2018-11-22 01:47:04 +05:30			`else:`
URL rewriting support 2018-11-22 13:43:25 +05:30			`if url:`
			`url = urlparse(url).scheme + '://' + urlparse(url).netloc`
			`for part in list(data.values()):`
			`url += '/' + part`
			`return url`
			`else:`
			`return json.dumps(data)`
added counter and jsonize function 2018-11-22 01:47:04 +05:30

			`def counter(string):`
Fixes #167 2018-12-07 23:43:45 +05:30			`string = re.sub(r'\s\|\w', '', string)`
added counter and jsonize function 2018-11-22 01:47:04 +05:30			`return len(string)`

Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30
Handle dynamic number of reflections (Fixes #78) 2018-10-30 16:28:56 +05:30			`def closest(number, numbers):`
			`difference = [abs(list(numbers.values())[0]), {}]`
			`for index, i in numbers.items():`
			`diff = abs(number - i)`
			`if diff < difference[0]:`
Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30			`difference = [diff, {index: i}]`
Handle dynamic number of reflections (Fixes #78) 2018-10-30 16:28:56 +05:30			`return difference[1]`

Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30
Handle dynamic number of reflections (Fixes #78) 2018-10-30 16:28:56 +05:30			`def fillHoles(original, new):`
			`filler = 0`
			`filled = []`
			`for x, y in zip(original, new):`
			`if int(x) == (y + filler):`
			`filled.append(y)`
			`else:`
			`filled.extend([0, y])`
			`filler += (int(x) - y)`
			`return filled`

Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30
added stripping function 2018-10-28 23:54:57 +05:30			`def stripper(string, substring, direction='right'):`
			`done = False`
			`strippedString = ''`
			`if direction == 'right':`
			`string = string[::-1]`
			`for char in string:`
			`if char == substring and not done:`
			`done = True`
			`else:`
			`strippedString += char`
			`if direction == 'right':`
			`strippedString = strippedString[::-1]`
			`return strippedString`

Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30
Add files via upload 2018-10-27 18:58:52 +05:30			`def extractHeaders(headers):`
Update utils.py 2018-12-20 12:36:47 +05:30			`headers = headers.replace('\\n', '\n')`
Add files via upload 2018-10-27 18:58:52 +05:30			`sorted_headers = {}`
			`matches = re.findall(r'(.):\s(.)', headers)`
			`for match in matches:`
			`header = match[0]`
			`value = match[1]`
			`try:`
			`if value[-1] == ',':`
			`value = value[:-1]`
			`sorted_headers[header] = value`
			`except IndexError:`
			`pass`
			`return sorted_headers`

Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30
optimized utilities 2018-11-18 22:46:31 +01:00			`def replaceValue(mapping, old, new, strategy=None):`
			`"""`
			`Replace old values with new ones following dict strategy.`

			`The parameter strategy is None per default for inplace operation.`
			`A copy operation is injected via strateg values like copy.copy`
			`or copy.deepcopy`

			`Note: A dict is returned regardless of modifications.`
			`"""`
			`anotherMap = strategy(mapping) if strategy else mapping`
			`if old in anotherMap.values():`
			`for k in anotherMap.keys():`
			`if anotherMap[k] == old:`
			`anotherMap[k] = new`
			`return anotherMap`
Add files via upload 2018-10-27 18:58:52 +05:30
Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30
Verbose switch, Fixes #71, Fixes #93 2018-11-13 12:43:47 +05:30			`def getUrl(url, GET):`
Add files via upload 2018-10-27 18:58:52 +05:30			`if GET:`
			`return url.split('?')[0]`
			`else:`
			`return url`

Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30
Add files via upload 2018-10-27 18:58:52 +05:30			`def extractScripts(response):`
			`scripts = []`
			`matches = re.findall(r'(?s)<script.?>(.?)</script>', response.lower())`
			`for match in matches:`
			`if xsschecker in match:`
			`scripts.append(match)`
			`return scripts`

Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30
Add files via upload 2018-10-27 18:58:52 +05:30			`def randomUpper(string):`
Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30			`return ''.join(random.choice((x, y)) for x, y in zip(string.upper(), string.lower()))`

Add files via upload 2018-10-27 18:58:52 +05:30
			`def flattenParams(currentParam, params, payload):`
			`flatted = []`
			`for name, value in params.items():`
			`if name == currentParam:`
			`value = payload`
			`flatted.append(name + '=' + value)`
			`return '?' + '&'.join(flatted)`

Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30
+1 utility & minor changes 2019-04-19 07:53:00 +05:30			`def genGen(fillings, eFillings, lFillings, eventHandlers, tags, functions, ends, badTag=None):`
Add files via upload 2018-10-27 18:58:52 +05:30			`vectors = []`
Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30			`r = randomUpper # randomUpper randomly converts chars of a string to uppercase`
Add files via upload 2018-10-27 18:58:52 +05:30			`for tag in tags:`
			`if tag == 'd3v' or tag == 'a':`
v3.1.0 - browser engine integration for zero false positives - coverage of event handler context - bug fixes 2018-11-21 19:20:10 +05:30			`bait = xsschecker`
Add files via upload 2018-10-27 18:58:52 +05:30			`else:`
			`bait = ''`
			`for eventHandler in eventHandlers:`
Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30			`# if the tag is compatible with the event handler`
Add files via upload 2018-10-27 18:58:52 +05:30			`if tag in eventHandlers[eventHandler]:`
			`for function in functions:`
			`for filling in fillings:`
			`for eFilling in eFillings:`
			`for lFilling in lFillings:`
			`for end in ends:`
			`if tag == 'd3v' or tag == 'a':`
			`if '>' in ends:`
Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30			`end = '>' # we can't use // as > with "a" or "d3v" tag`
+1 utility & minor changes 2019-04-19 07:53:00 +05:30			`breaker = ''`
			`if badTag:`
			`breaker = '</' + r(badTag) + '>'`
			`vector = breaker + '<' + r(tag) + filling + r(`
Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30			`eventHandler) + eFilling + '=' + eFilling + function + lFilling + end + bait`
Add files via upload 2018-10-27 18:58:52 +05:30			`vectors.append(vector)`
			`return vectors`

Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30
Add files via upload 2018-10-27 18:58:52 +05:30			`def getParams(url, data, GET):`
keep both methods of supplying post data 2018-11-22 02:02:39 +05:30			`params = {}`
handle GET method without parameters 2018-11-22 02:14:06 +05:30			`if '=' in url:`
			`data = url.split('?')[1]`
			`if data[:1] == '?':`
			`data = data[1:]`
keep both methods of supplying post data 2018-11-22 02:02:39 +05:30			`elif data:`
Add files via upload 2019-04-06 20:45:10 +05:30			`if getVar('jsonData') or getVar('path'):`
keep both methods of supplying post data 2018-11-22 02:02:39 +05:30			`params = data`
			`else:`
			`try:`
			`params = json.loads(data.replace('\'', '"'))`
			`return params`
			`except json.decoder.JSONDecodeError:`
			`pass`
handle GET method without parameters 2018-11-22 02:14:06 +05:30			`else:`
			`return None`
keep both methods of supplying post data 2018-11-22 02:02:39 +05:30			`if not params:`
fixed POST data handling 2018-11-21 21:46:15 +05:30			`parts = data.split('&')`
			`for part in parts:`
			`each = part.split('=')`
			`try:`
			`params[each[0]] = each[1]`
			`except IndexError:`
			`params = None`
Fixed HTML comment context handling + Refactor 2018-11-15 15:41:01 +05:30			`return params`
optimized utilities 2018-11-18 22:46:31 +01:00

			`def writer(obj, path):`
			`kind = str(type(obj)).split('\'')[0]`
			`if kind == 'list' or kind == 'tuple':`
			`obj = '\n'.join(obj)`
			`elif kind == 'dict':`
			`obj = json.dumps(obj, indent=4)`
			`savefile = open(path, 'w+')`
Fixes #172 2018-12-19 00:00:54 +05:30			`savefile.write(str(obj.encode('utf-8')))`
optimized utilities 2018-11-18 22:46:31 +01:00			`savefile.close()`


			`def reader(path):`
			`with open(path, 'r') as f:`
Add files via upload 2019-04-06 20:45:10 +05:30			`result = [line.rstrip(`
optimized utilities 2018-11-18 22:46:31 +01:00			`'\n').encode('utf-8').decode('utf-8') for line in f]`
			`return result`
Add files via upload 2019-04-06 20:45:10 +05:30
			`def js_extractor(response):`
			`"""Extract js files from the response body"""`
			`scripts = []`
			`matches = re.findall(r'<(?:script\|SCRIPT).*?(?:src\|SRC)=([^\s>]+)', response)`
			`for match in matches:`
			match = match.replace('\'', '').replace('"', '').replace('`', '')
			`scripts.append(match)`
			`return scripts`


			`def handle_anchor(parent_url, url):`
			`if parent_url.count('/') > 2:`
			`replacable = re.search(r'/[^/]*?$', parent_url).group()`
			`if replacable != '/':`
			`parent_url = parent_url.replace(replacable, '')`
			`scheme = urlparse(parent_url).scheme`
			`if url[:4] == 'http':`
			`return url`
			`elif url[:2] == '//':`
			`return scheme + ':' + url`
			`elif url[:1] == '/':`
			`return parent_url + url`
			`else:`
			`if parent_url.endswith('/') or url.startswith('/'):`
			`return parent_url + url`
			`else:`
			`return parent_url + '/' + url`


			`def deJSON(data):`
			`return data.replace('\\\\', '\\')`


			`def getVar(name):`
			`return core.config.globalVariables[name]`

			`def updateVar(name, data, mode=None):`
			`if mode:`
			`if mode == 'append':`
			`core.config.globalVariables[name].append(data)`
			`elif mode == 'add':`
			`core.config.globalVariables[name].add(data)`
			`else:`
			`core.config.globalVariables[name] = data`
+ utility to correlate contexts with reflections 2019-04-10 18:04:43 +05:30
			`def isBadContext(position, non_executable_contexts):`
			`badContext = ''`
			`for each in non_executable_contexts:`
			`if each[0] < position < each[1]:`
			`badContext = each[2]`
			`break`
			`return badContext`
+1 utility & minor changes 2019-04-19 07:53:00 +05:30
			`def equalize(array, number):`
			`if len(array) < number:`
			`array.append('')`