XSStrike/core/dom.py

import re

from core.colors import red, end, yellow


def dom(response):
    highlighted = []
    allControlledVariables = set()
    response = response.split('\n')
    sources = r"""location\.|\.([.\[]\s*["']?\s*arguments|dialogArguments|innerHTML|write|open|showModalDialog|cookie|URL|documentURI|baseURI|referrer|name|opener|parent|top|content|self|frames)[^\w\-]|(localStorage|sessionStorage|Database)[^\w\-]"""
    sinks = r"""( (src|href|data|location|code|value|action)=)|(replace|assign|navigate|getResponseHeader|open|showModalDialog|eval|evaluate|execCommand|execScript|setTimeout|setInterval)\("""
    num = 1
    try:
        for newLine in response:
            line = newLine
            parts = line.split('var ')
            controlledVariables = set()
            if len(parts) > 1:
                for part in parts:
                    for controlledVariable in allControlledVariables:
                        if controlledVariable in part:
                            controlledVariables.add(part.split(' ')[0])
            pattern = re.findall(sources, newLine)
            for grp in pattern:
                source = ''.join(grp)
                if source:
                    parts = newLine.split('var ')
                    for part in parts:
                        if source in part:
                            controlledVariables.add(part.split(' ')[0])
                    line = line.replace(source, yellow + source + end)
            for controlledVariable in controlledVariables:
                allControlledVariables.add(controlledVariable)
            for controlledVariable in allControlledVariables:
                matches = list(filter(None, re.findall(r'\b%s\b' % controlledVariable, line)))
                if matches:
                    line = re.sub(r'\b%s\b' % controlledVariable, yellow + controlledVariable + end, line)
            pattern = re.findall(sinks, newLine)
            for grp in pattern:
                sink = ''.join(grp)
                if sink:
                    line = line.replace(sink, red + sink + end)
            if line != newLine:
                highlighted.append('%-3s %s' % (str(num), line.lstrip(' ')))
            num += 1
    except MemoryError:
        pass
    return highlighted
Add files via upload 2018-10-27 18:58:52 +05:30			`import re`
Fixed HTML comment context handling + Refactor 2018-11-15 15:41:01 +05:30
Add files via upload 2018-10-27 18:58:52 +05:30			`from core.colors import red, end, yellow`

Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30
Update dom.py 2018-11-12 12:59:31 +05:30			`def dom(response):`
Add files via upload 2018-10-27 18:58:52 +05:30			`highlighted = []`
treat all user controlled variables as sources 2018-12-31 04:34:59 +05:30			`allControlledVariables = set()`
Add files via upload 2018-10-27 18:58:52 +05:30			`response = response.split('\n')`
better regex for locating sources 2018-10-30 12:49:36 +05:30			`sources = r"""location\.\|\.([.\[]\s["']?\sarguments\|dialogArguments\|innerHTML\|write\|open\|showModalDialog\|cookie\|URL\|documentURI\|baseURI\|referrer\|name\|opener\|parent\|top\|content\|self\|frames)[^\w\-]\|(localStorage\|sessionStorage\|Database)[^\w\-]"""`
			`sinks = r"""( (src\|href\|data\|location\|code\|value\|action)=)\|(replace\|assign\|navigate\|getResponseHeader\|open\|showModalDialog\|eval\|evaluate\|execCommand\|execScript\|setTimeout\|setInterval)\("""`
Add files via upload 2018-10-27 18:58:52 +05:30			`num = 1`
potential fix for #93 2018-11-12 23:31:57 +05:30			`try:`
			`for newLine in response:`
			`line = newLine`
treat all user controlled variables as sources 2018-12-31 04:34:59 +05:30			`parts = line.split('var ')`
			`controlledVariables = set()`
			`if len(parts) > 1:`
			`for part in parts:`
			`for controlledVariable in allControlledVariables:`
			`if controlledVariable in part:`
			`controlledVariables.add(part.split(' ')[0])`
			`pattern = re.findall(sources, newLine)`
potential fix for #93 2018-11-12 23:31:57 +05:30			`for grp in pattern:`
			`source = ''.join(grp)`
no more weird characters while scanning DOM 2018-11-23 23:20:06 +05:30			`if source:`
treat all user controlled variables as sources 2018-12-31 04:34:59 +05:30			`parts = newLine.split('var ')`
			`for part in parts:`
			`if source in part:`
			`controlledVariables.add(part.split(' ')[0])`
no more weird characters while scanning DOM 2018-11-23 23:20:06 +05:30			`line = line.replace(source, yellow + source + end)`
treat all user controlled variables as sources 2018-12-31 04:34:59 +05:30			`for controlledVariable in controlledVariables:`
			`allControlledVariables.add(controlledVariable)`
			`for controlledVariable in allControlledVariables:`
			`matches = list(filter(None, re.findall(r'\b%s\b' % controlledVariable, line)))`
			`if matches:`
			`line = re.sub(r'\b%s\b' % controlledVariable, yellow + controlledVariable + end, line)`
			`pattern = re.findall(sinks, newLine)`
potential fix for #93 2018-11-12 23:31:57 +05:30			`for grp in pattern:`
			`sink = ''.join(grp)`
no more weird characters while scanning DOM 2018-11-23 23:20:06 +05:30			`if sink:`
			`line = line.replace(sink, red + sink + end)`
potential fix for #93 2018-11-12 23:31:57 +05:30			`if line != newLine:`
			`highlighted.append('%-3s %s' % (str(num), line.lstrip(' ')))`
			`num += 1`
			`except MemoryError:`
			`pass`
Update dom.py 2018-11-12 12:59:31 +05:30			`return highlighted`