Somdev Sangwan
@@ -6,6 +6,8 @@ delay = 0
|
||||
threadCount = 10
|
||||
timeout = 7
|
||||
|
||||
specialAttributes = ['srcdoc', 'src']
|
||||
|
||||
badTags = ('iframe', 'title', 'textarea', 'noembed', 'style', 'template', 'noscript')
|
||||
|
||||
tags = ('html', 'd3v', 'a', 'details') # HTML Tags
|
||||
|
||||
@@ -12,11 +12,15 @@ def filterChecker(url, params, headers, GET, delay, occurences):
|
||||
for i, occurence in zip(range(len(occurences)), occurences.values()):
|
||||
environments.add(occurence['context'][1])
|
||||
location = occurence['context'][0]
|
||||
attribute = occurence['context'][3]
|
||||
positions[str(i)] = occurence['position']
|
||||
if location == 'comment':
|
||||
environments.add('-->')
|
||||
elif location == 'script':
|
||||
environments.add('</scRipT/>')
|
||||
elif attribute == 'srcdoc':
|
||||
environments.add('<')
|
||||
environments.add('>')
|
||||
for environment in environments:
|
||||
if environment == '':
|
||||
efficiencies = [100 for i in range(len(occurences))]
|
||||
|
||||
@@ -5,18 +5,18 @@ from core.config import badTags, fillings, eFillings, lFillings, jFillings, even
|
||||
def generator(occurences, response):
|
||||
scripts = extractScripts(response)
|
||||
index = 0
|
||||
vectors = {10 : set(), 9 : set(), 8 : set(), 7 : set(), 6 : set(), 5 : set(), 4 : set(), 3 : set(), 2 : set(), 1 : set()}
|
||||
vectors = {11 : set(), 10 : set(), 9 : set(), 8 : set(), 7 : set(), 6 : set(), 5 : set(), 4 : set(), 3 : set(), 2 : set(), 1 : set()}
|
||||
for i in occurences:
|
||||
context = occurences[i]['context'][0]
|
||||
breaker = occurences[i]['context'][1]
|
||||
special = occurences[i]['context'][2]
|
||||
attribute = occurences[i]['context'][3]
|
||||
if special not in badTags:
|
||||
special = ''
|
||||
elif context == 'attribute':
|
||||
special = '</' + special + '/>'
|
||||
else:
|
||||
special = ''
|
||||
attribute = occurences[i]['context'][3]
|
||||
if context == 'html':
|
||||
lessBracketEfficiency = occurences[i]['score']['<']
|
||||
greatBracketEfficiency = occurences[i]['score']['>']
|
||||
@@ -50,6 +50,14 @@ def generator(occurences, response):
|
||||
for function in functions:
|
||||
vector = breaker + filling + 'auTOfOcuS' + filling + 'OnFoCUs' + '=' + breaker + function
|
||||
vectors[6].add(vector)
|
||||
if attribute == 'srcdoc':
|
||||
if occurences[i]['score']['<']:
|
||||
if occurences[i]['score']['>']:
|
||||
del ends[:]
|
||||
ends.append('&t;')
|
||||
payloads = genGen(fillings, eFillings, lFillings, eventHandlers, tags, functions, ends, '', '')
|
||||
for payload in payloads:
|
||||
vectors[10].add(payload.replace('<', '<'))
|
||||
elif context == 'comment':
|
||||
lessBracketEfficiency = occurences[i]['score']['<']
|
||||
greatBracketEfficiency = occurences[i]['score']['>']
|
||||
@@ -65,7 +73,10 @@ def generator(occurences, response):
|
||||
try:
|
||||
script = scripts[index]
|
||||
except IndexError:
|
||||
try:
|
||||
script = scripts[0]
|
||||
except:
|
||||
continue
|
||||
closer = jsContexter(script)
|
||||
validBreakers = ['\'', '"', '`']
|
||||
scriptEfficiency = occurences[i]['score']['</scRipT/>']
|
||||
|
||||
@@ -3,6 +3,8 @@ from core.config import badTags
|
||||
from core.config import xsschecker
|
||||
|
||||
def htmlParser(response):
|
||||
rawResponse = response
|
||||
response = response.text
|
||||
tags = [] # tags in which the input is reflected
|
||||
locations = [] # contexts in which the input is reflected
|
||||
attributes = [] # attribute names
|
||||
@@ -19,16 +21,19 @@ def htmlParser(response):
|
||||
location = 'script'
|
||||
elif '</' in deep[0]:
|
||||
location = 'html'
|
||||
elif deep[0][-2:] == '--':
|
||||
location = 'comment'
|
||||
else:
|
||||
if '<script' in response:
|
||||
for i in deep:
|
||||
if i[-2:] == '--':
|
||||
location = 'comment'
|
||||
break
|
||||
continue
|
||||
location = 'script'
|
||||
for char in part:
|
||||
if char == '<':
|
||||
location = 'attribute'
|
||||
break
|
||||
else:
|
||||
if '<' not in response:
|
||||
if rawResponse['Content-Type'] == 'text/html':
|
||||
location = 'html'
|
||||
locations.append(location) # add location to locations list
|
||||
num = 0 # dummy value to keep record of occurence being processed
|
||||
|
||||
21
xsstrike.py
21
xsstrike.py
@@ -10,7 +10,7 @@ print('''%s
|
||||
%s''' % (red, white, end))
|
||||
|
||||
try:
|
||||
from urllib.parse import unquote, urlparse
|
||||
from urllib.parse import quote_plus, unquote, urlparse
|
||||
except ImportError: # throws error in python2
|
||||
print ('%s XSStrike isn\'t compatible with python2.' % bad)
|
||||
quit()
|
||||
@@ -131,7 +131,7 @@ def singleTarget(target, paramData):
|
||||
paramsCopy = copy.deepcopy(params)
|
||||
print ('%s Testing parameter: %s' % (info, paramName))
|
||||
paramsCopy[paramName] = xsschecker
|
||||
response = requester(url, paramsCopy, headers, GET, delay).text
|
||||
response = requester(url, paramsCopy, headers, GET, delay)
|
||||
parsedResponse = htmlParser(response)
|
||||
occurences = parsedResponse[0]
|
||||
positions = parsedResponse[1]
|
||||
@@ -143,7 +143,7 @@ def singleTarget(target, paramData):
|
||||
print ('%s Analysing reflections' % run)
|
||||
efficiencies = filterChecker(url, paramsCopy, headers, GET, delay, occurences)
|
||||
print ('%s Generating payloads' % run)
|
||||
vectors = generator(occurences, response)
|
||||
vectors = generator(occurences, response.text)
|
||||
total = 0
|
||||
for v in vectors.values():
|
||||
total += len(v)
|
||||
@@ -168,9 +168,8 @@ def singleTarget(target, paramData):
|
||||
print ('%s Payload: %s' % (good, vect))
|
||||
print ('%s Efficiency: %i' % (info, bestEfficiency))
|
||||
print ('%s Cofidence: %i' % (info, confidence))
|
||||
if GET:
|
||||
flatParams = flattenParams(paramName, paramsCopy, vect)
|
||||
if '"' not in flatParams and '}' not in flatParams and not skipPOC:
|
||||
if GET and not skipPOC:
|
||||
flatParams = flattenParams(paramName, paramsCopy, quote_plus(vect))
|
||||
webbrowser.open(url + flatParams)
|
||||
choice = input('%s Would you like to continue scanning? [y/N] ' % que).lower()
|
||||
if choice != 'y':
|
||||
@@ -209,18 +208,14 @@ def multiTargets(scheme, host, main_url, form, domURL):
|
||||
for one in inputs:
|
||||
paramData[one['name']] = one['value']
|
||||
for paramName in paramData.keys():
|
||||
signature = url + paramName
|
||||
if signature not in signatures:
|
||||
signatures.add(signature)
|
||||
paramsCopy = copy.deepcopy(paramData)
|
||||
paramsCopy[paramName] = xsschecker
|
||||
response = requester(url, paramsCopy, headers, GET, delay).text
|
||||
try:
|
||||
response = requester(url, paramsCopy, headers, GET, delay)
|
||||
parsedResponse = htmlParser(response)
|
||||
occurences = parsedResponse[0]
|
||||
positions = parsedResponse[1]
|
||||
efficiencies = filterChecker(url, paramsCopy, headers, GET, delay, occurences)
|
||||
vectors = generator(occurences, response)
|
||||
vectors = generator(occurences, response.text)
|
||||
if vectors:
|
||||
for confidence, vects in vectors.items():
|
||||
try:
|
||||
@@ -230,8 +225,6 @@ def multiTargets(scheme, host, main_url, form, domURL):
|
||||
break
|
||||
except IndexError:
|
||||
pass
|
||||
except Exception as e:
|
||||
print ('%s Error: %s' % (bad, e))
|
||||
|
||||
|
||||
if not args.recursive:
|
||||
|
||||
Reference in New Issue
Block a user