URL rewriting support (Resolves #145)

core/config.py

@@ -1,4 +1,4 @@
-changes = '''browser engine integration for zero false positives;coverage of event handler context;bug fixes'''
+changes = '''URL rewriting support'''
 globalVariables = {}  # it holds variables during runtime for collaboration across modules
 
 defaultEditor = 'nano'

core/fuzzer.py

@@ -6,16 +6,7 @@ from urllib.parse import unquote
 from core.colors import end, red, green, yellow, bad, good, info
 from core.config import fuzzes, xsschecker
 from core.requester import requester
-from core.utils import replaceValue
-
-
-def counter(string):
-    special = '\'"=/:*&)(}{][><'
-    count = 0
-    for char in list(string):
-        if char in special:
-            count += 1
-    return count
+from core.utils import replaceValue, counter
 
 
 def fuzzer(url, params, headers, GET, delay, timeout, WAF, encoding):

core/requester.py

@@ -5,14 +5,17 @@ import warnings
 
 import core.config
 from core.config import globalVariables
-from core.utils import jsonize
+from core.utils import converter
 
 warnings.filterwarnings('ignore')  # Disable SSL related warnings
 
 
 def requester(url, data, headers, GET, delay, timeout):
     if core.config.globalVariables['jsonData']:
-        data = jsonize(data)
+        data = converter(data)
+    elif core.config.globalVariables['path']:
+        url = converter(data, url)
+        data = []
     time.sleep(delay)
     user_agents = ['Mozilla/5.0 (X11; Linux i686; rv:60.0) Gecko/20100101 Firefox/60.0',
                    'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36'

core/utils.py

@@ -1,16 +1,30 @@
 import json
 import random
 import re
+from urllib.parse import urlparse
 
 import core.config
 from core.colors import info, red, end
 from core.config import xsschecker
 
-def jsonize(data):
+def converter(data, url=False):
     if 'str' in str(type(data)):
-        return json.loads(data)
+        if url:
+            dictized = {}
+            parts = data.split('/')[3:]
+            for part in parts:
+                dictized[part] = part
+            return dictized
+        else:
+            return json.loads(data)
     else:
-        return json.dumps(data)
+        if url:
+            url = urlparse(url).scheme + '://' + urlparse(url).netloc
+            for part in list(data.values()):
+                url += '/' + part
+            return url
+        else:
+            return json.dumps(data)
 
 
 def counter(string):
@@ -19,15 +33,13 @@ def counter(string):
 
 
 def verboseOutput(data, name, verbose):
-    if verbose:
-        print ('%s %s %s%s%s' % (info, name, red, ('-' * 50), end))
+    if core.config.globalVariables['verbose']:
         if str(type(data)) == '<class \'dict\'>':
             try:
                 print (json.dumps(data, indent=2))
             except TypeError:
                 print (data)
         print (data)
-        print ('%s%s%s' % (red, ('-' * 60), end))
 
 
 def closest(number, numbers):
@@ -160,7 +172,7 @@ def getParams(url, data, GET):
         if data[:1] == '?':
             data = data[1:]
     elif data:
-        if core.config.globalVariables['jsonData']:
+        if core.config.globalVariables['jsonData'] or core.config.globalVariables['path']:
             params = data
         else:
             try:

modes/scan.py

@@ -6,6 +6,7 @@ from core.arjun import arjun
 from core.browserEngine import browserEngine
 from core.checker import checker
 from core.colors import good, bad, end, info, green, run, red, que
+import core.config
 from core.config import xsschecker, minEfficiency
 from core.dom import dom
 from core.filterChecker import filterChecker
@@ -88,6 +89,8 @@ def scan(target, paramData, verbose, encoding, headers, delay, timeout, skipDOM,
         progress = 0
         for confidence, vects in vectors.items():
             for vect in vects:
+                if core.config.globalVariables['path']:
+                    vect = vect.replace('/', '%2F')
                 printVector = vect
                 progress += 1
                 print ('%s Progress: %i/%i' % (run, progress, total), end='\r')

xsstrike.py

@@ -13,7 +13,7 @@ from core.encoders import base64
 from core.photon import photon
 from core.prompt import prompt
 from core.updater import updater
-from core.utils import extractHeaders, verboseOutput, reader, jsonize
+from core.utils import extractHeaders, verboseOutput, reader, converter
 
 from modes.bruteforcer import bruteforcer
 from modes.crawl import crawl
@@ -51,6 +51,8 @@ parser.add_argument('--crawl', help='crawl',
                     dest='recursive', action='store_true')
 parser.add_argument('--json', help='treat post data as json',
                     dest='jsonData', action='store_true')
+parser.add_argument('--path', help='inject payloads in the path',
+                    dest='path', action='store_true')
 parser.add_argument(
     '--seeds', help='load crawling seeds from a file', dest='args_seeds')
 parser.add_argument(
@@ -81,8 +83,9 @@ else:
 # Pull all parameter values of dict from argparse namespace into local variables of name == key
 # The following works, but the static checkers are too static ;-) locals().update(vars(args))
 target = args.target
+path = args.path
 jsonData = args.jsonData
-paramData = jsonize(args.paramData) if jsonData else args.paramData 
+paramData = args.paramData 
 encode = args.encode
 fuzz = args.fuzz
 update = args.update
@@ -103,6 +106,11 @@ blindXSS = args.blindXSS
 
 core.config.globalVariables = vars(args)
 
+if path:
+    paramData = converter(target, target)
+elif jsonData:
+    paramData = converter(paramData)
+
 if args_file:
     if args_file == 'default':
         payloadList = core.config.payloads