#!/usr/bin/python3
from colors import COLOR_MANAGER
import Classes
import Methods
# --------------- {Consts} ---------------
COLOR = COLOR_MANAGER.rgb(255, 255, 0)
# -------------------------------- {Global variables} ---------------------------------
curr_text_input = dict()
curr_char = ""
blind_problem = Classes.CheckResult(
"These text inputs allowed blind Command injection, "
f"the query ' ping -c {Methods.WAITING_TIME} 127.0.0.1' "
f"has slowed down the server's response.", "",
"The plugin submits the action form with the query "
f"' ping -c {Methods.WAITING_TIME} 127.0.0.1',\n"
f"if the server's response is delayed, "
f"it must indicate of Command injection vulnerability.")
non_blind_problem = Classes.CheckResult(
"These text inputs *may* have allowed Command injection,"
" the plugin has detected an echo message that "
f"indicate about a Command injection vulnerability.", "",
"The plugin submits the action form with a 'echo check' "
"in each of the text inputs,\n"
"and counting the amount of 'check' strings in compare of the amount of 'echo' "
"strings in the DOM of the resulted page.\n"
"If there are more 'check' than 'echo' it might indicate of a non blind "
"Command injection.")
#!/usr/bin/python3
from colors import COLOR_MANAGER
import Classes
import Methods
# ---------------------------------- {Consts} --------------------------
COLOR = COLOR_MANAGER.rgb(100, 100, 255)
OUTSIDE_URL = "https://google.com"
# ---------------------------- {Global variables} ----------------------------
current_referer = None
problem_get = Classes.CheckResult("The use of GET request when submitting the form might be vulnerable.",
"You can change the method of the request to POST.",
"The plugin checks the DOM of the action form,\n"
"in case of GET method, we recommend to change it or make sure it is secure.\n"
"For a CSRF attacker it will be much harder to use this form for his attack"
" if the form uses POST method.")
problem_referer = Classes.CheckResult("The form submission did not detect the 'Referer' header,"
" which was not the same page that has the vulnerable form.",
"You can validate the 'Referer' header of the request,"
" so it will perform only actions from the current page.",
"The plugin submits the action form with 3 different referer header values,\n"
"first one is the URL of the page, the second one is https://google.com, "
"and the third one is another page from the session, with the same domain.\n"
"If the first result is the same as the other results, "
"it might point out that the action form is letting other sources to use it.")
success_message = ""
def check(data):
"""
def check_dom(data: Classes.Data):
"""
This function is in charge of running all the DOM XSS checks and scans and to deliver a CheckResult object back to the main `check` method.
@param data: The data object of the program.
@type data: Classes.Data
@return: The CheckResult with the DOM XSS analysis.
@rtype: Classes.CheckResult
"""
dom_xss_result = Classes.CheckResult(DOM_XSS_PROBLEM_STR,
DOM_XSS_SOLUTION_STR,
DOM_XSS_EXPLANATION_STR)
data.mutex.acquire()
pages = data.pages
data.mutex.release()
for page in pages:
if "html" not in page.type:
if "javascript" in page.type:
# Look for sources and sinks in javascript source code.
if analyse_javascript(page.content):
javascript_page_result_str = f"Found javascript code that is quite possibly vulnerable to DOM based XSS:\n" \
f"The Line is: {find_script_by_src(page.parent.content, page.url)}\n" \
f"From page {page.parent.url}\n"
dom_xss_result.add_page_result(
Classes.PageResult(page.parent,
javascript_page_result_str), '\n')
else:
continue # Ignore non javascript pages.
possible_vulns = {}
vulnerable_dom_scripts = {}
vulnerable_input_scripts = {}
try:
possible_vulns = determine_possible_vulns(page.content)
vulnerable_dom_scripts, vulnerable_input_scripts = further_analyse(
possible_vulns, find_input_fields(page.content))
except Exception as e:
continue # No vulnerability was found.
# Deliver analysis results.
if len(vulnerable_dom_scripts.keys()) > 0:
for script_index in vulnerable_dom_scripts.keys():
script_tuple = vulnerable_dom_scripts.get(script_index, None)
if script_tuple is None:
continue
script_result_str = f"Found a quite possibly vulnerable script to DOM based XSS (Script Index [{script_index}]).\nThe script is: {str(script_tuple[0])}\nThe sink patterns are: {str(script_tuple[1])}\nThe source patterns are: {str(script_tuple[2])}\nDanger level is {str(script_tuple[3])}\n"
dom_xss_result.add_page_result(
Classes.PageResult(page, script_result_str), '\n')
if len(vulnerable_input_scripts.keys()) > 0:
for script_index in vulnerable_input_scripts.keys():
script_tuple = vulnerable_input_scripts.get(script_index, None)
if script_tuple is None:
continue
input_result_str = f"Found a quite possibly vulnerable script to DOM based XSS (Script Index [{script_index}]).\nThe script is: {str(script_tuple[0])}\nThe sink patterns are: {str(script_tuple[1])}\nThe input sources are: {str(script_tuple[2])}\nDanger level is {str(script_tuple[3])}\n"
dom_xss_result.add_page_result(
Classes.PageResult(page, input_result_str), '\n')
return dom_xss_result
def check(data: Classes.Data):
domxss_result: Classes.CheckResult = check_dom(data)
xss_result: Classes.CheckResult = Classes.CheckResult(
XSS_PROBLEM_STR, XSS_SOLUTION_STR, XSS_EXPLANATION_STR)
stored_xss_result: Classes.CheckResult = Classes.CheckResult(
STORED_XSS_PROBLEM_STR, STORED_XSS_SOLUTION_STR,
STORED_XSS_EXPLANATION_STR)
all_xss_results: Classes.CheckResults = Classes.CheckResults("XSS", COLOR)
data.mutex.acquire()
aggressive = data.aggressive
pages = data.pages
data.mutex.release()
if not aggressive:
all_xss_results.warning = "Unfortunately this plugin cannot perform any aggressive checks since the -A flag was not checked, please use -h to learn more about this flag.\n"
vulnerable_pages = []
for page in pages:
# Only check html pages.
if 'html' not in page.type:
continue
# Get Content Security Policy Information.
csp_info: dict = csp_check(page)
if csp_info is not None:
# Get information about the script CSP info.
allowed_script_sources: dict = {}
for key, value in csp_info['allow_scripts']:
if value:
allowed_script_sources[key] = value
# Get information about the img CSP info.
allowed_image_sources: dict = {}
for key, value in csp_info['allow_images']:
if value:
allowed_image_sources[key] = value
# Show conclusion of the Content Security Policy evaluation.
if '*' not in allowed_script_sources.keys(
) and not '*' in allowed_image_sources.keys():
problem_str = "Page is protected by 'Content-Security-Policy' Headers and therefor is protected from general xss vulnerabilities.\nYou should still check for 'Content-Security-Policy' bypass vulnerabilities.\n"
if len(allowed_script_sources.keys()) > 0:
problem_str += f"Please also note that some interesting `script-src` CSP Headers were also found: {allowed_script_sources.keys()}\n"
if len(allowed_image_sources.keys()) > 0:
problem_str += f"Please also note that some interesting `img-src` CSP Headers were also found: {allowed_image_sources.keys()}\n"
xss_result.add_page_result(
Classes.PageResult(page, problem_str))
continue
csp_conclusion = "The XSS plugin has checked the 'Content-Security-Policy' Headers.\n"
str_to_add = str(
"The response headers did not contain any Content-Security-Policy Headers and therefor all XSS payloads might be effective!\n"
if csp_info is None else
f"The 'Content-Security-Policy' Headers that were found were in `script-src` {allowed_script_sources.keys()} and in `img-src` {allowed_image_sources.keys()}\n"
)
csp_conclusion += str_to_add
xss_result.add_page_result(Classes.PageResult(page, csp_conclusion))
# Do not perform this aggressive method if the aggressive flag is not checked.
if not aggressive:
# Skip this page.
continue
else:
# Perform payload injection and check for stored xss.
# Use the Content Security Policy information to select the appropriate payloads.
allowed_sources: tuple = (True, True)
if csp_info is not None:
allowed_sources = ('*' in allowed_script_sources.keys(), '*'
in allowed_image_sources.keys())
# Select appropriate payloads according to the CSP information.
allowed_payloads = select_payloads(allowed_sources)
# Try to trigger an alert with all the selected available payloads.
vulnerable_forms: dict = brute_force_alert(data, page,
allowed_payloads)
if vulnerable_forms is None:
continue # Page has no forms and therefor we do not check it.
for vulnerable_form_id in vulnerable_forms.keys():
# Get information about successful attack.
vulnerable_form = vulnerable_forms[vulnerable_form_id][0]
vulnerable_input = vulnerable_forms[vulnerable_form_id][1]
successful_payload = vulnerable_forms[vulnerable_form_id][2]
special_string = vulnerable_forms[vulnerable_form_id][3]
xss_result.add_page_result(
Classes.PageResult(
page,
f"Found a form that had caused an alert to pop from the following payload: '{successful_payload}'.\nThe Vulnerable Form is (Form Index [{vulnerable_form_id}]):\n{vulnerable_form}\nThe Vulnerable Input is:\n{vulnerable_input}\n"
))
vulnerable_pages.append(
(page, special_string
)) # Will be used by the stored xss checks later.
# Check each of the already vulnerable pages for stored xss.
vulnerable_stored: list = check_for_stored(data, vulnerable_pages)
if vulnerable_stored is not None and len(vulnerable_stored) != 0:
for page_with_stored in vulnerable_stored:
stored_xss_result.add_page_result(
Classes.PageResult(
page_with_stored,
f"This page had shown an alert after refreshing it which strongly indicates it may vulnerable to stored xss.\n"
))
# Deliver Analysis.
all_xss_results.results.append(xss_result)
all_xss_results.results.append(domxss_result)
all_xss_results.results.append(stored_xss_result)
data.mutex.acquire()
data.results_queue.put(all_xss_results)
data.mutex.release()
QUERY_WORDS = ["sleep", "limit"]
# ----------------------- {Global variables} ------------------------------
comments = {
"#": [f"sleep({Methods.WAITING_TIME})"],
"-- ": [f"sleep({Methods.WAITING_TIME})"],
"--": [
f"dbms_pipe.receive_message(('a'),{Methods.WAITING_TIME})",
f"WAITFOR DELAY '0:0:{Methods.WAITING_TIME}'",
f"pg_sleep({Methods.WAITING_TIME})"
]
}
query = str()
non_blind_problem = Classes.CheckResult(
"", "",
"The plugin submits the action forms and check for 'error' or 'fail'"
" words in the resulted page, it might indicate false positives,"
" it made for sleep function blocking.\n"
"You can check yourself if these are just irrelevant error messages.")
blind_problem = Classes.CheckResult(
"", "", "The plugin uses the sleep function of SQL "
"to slow down the server's response.\n"
"Compares between the response time and if the difference"
" is close to 10 seconds, it must indicate SQL injection vulnerability.")
def check(data):
"""
This function checks the website for SQL injection.
@param data: The data object of the program.
@type data: Classes.Data
