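def _analyzeResult( self, mutant, response ):
    '''
    Analyze one response looking for a reflected XSS.

    The mutant is always registered for the later stored-XSS pass (see end()),
    whether or not it is reflected in this response.

    @param mutant: The mutant that was sent.
    @param response: The httpResponse received for it.
    @return: None, findings are recorded in the kb.
    '''
    # Add to the stored XSS checking
    self._addToPermanentXssChecking( mutant, response.id )

    # Report each (URL, variable) pair only once.
    # NOTE(review): this check and the kb.append below are not done under a
    # lock, so two threads analysing the same pair concurrently may both
    # report it; the "if True:" this used to sit under provided no exclusion.
    if not self._hasNoBug( 'xss' , 'xss' , mutant.getURL() , mutant.getVar() ):
        return

    payload = mutant.getModValue()
    if payload not in response:
        return

    # We MAY have found a xss; now remove some false positives.
    if 'javas' in payload.lower():
        # A javascript: payload only works when it lands inside a SRC-style
        # attribute (<IMG SRC="javascript:alert('XSS');">), so confirm the
        # reflection context before reporting.
        if not self._checkHTML( payload, response ):
            return
    # Otherwise it is a <SCRIPT>...</SCRIPT> type and the plain reflection is enough.

    # Save it to the KB
    v = vuln.vuln( mutant )
    v.setPluginName(self.getName())
    v.setId( response.id )
    v.setName( 'Cross site scripting vulnerability' )
    v.setSeverity(severity.MEDIUM)
    msg = 'Cross Site Scripting was found at: ' + mutant.foundAt()
    msg += ' This vulnerability affects ' + ','.join(mutant.affected_browsers)
    v.setDesc( msg )
    v.addToHighlight( payload )
    kb.append( self, 'xss', v )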
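def end( self ):
    '''
    Check for permanent (stored) XSS.

    A xss payload often does not show up in the response to the request that
    sent it, so every fuzzable request seen by the plugin is fetched again and
    searched for each payload sent earlier. At most one vuln is reported per
    page: the first stored payload found in it.

    @return: None, vulns are saved to the kb.
    '''
    # Skip the re-fetch entirely when no payload was ever sent: it would only
    # cost requests and could never report anything.
    if self._check_stored_xss and self._xssMutants:
        for fuzzable_request in self._fuzzableRequests:
            response = self._sendMutant(fuzzable_request, analyze=False, useCache=False)
            for mutant, mutant_response_id in self._xssMutants:
                payload = mutant.getModValue()
                # httpResponse objects have a faster "__in__" than the one in
                # strings, so "payload in response" beats
                # "payload in response.getBody()".
                if payload in response:
                    v = vuln.vuln( mutant )
                    v.setPluginName(self.getName())
                    v.setURL( fuzzable_request.getURL() )
                    v.setDc( fuzzable_request.getDc() )
                    v.setMethod( fuzzable_request.getMethod() )
                    v['permanent'] = True
                    v['write_payload'] = mutant
                    v['read_payload'] = fuzzable_request
                    v.setName( 'Permanent cross site scripting vulnerability' )
                    v.setSeverity(severity.HIGH)
                    msg = 'Permanent Cross Site Scripting was found at: ' + response.getURL()
                    msg += ' . Using method: ' + v.getMethod() + '. The XSS was sent to the'
                    msg += ' URL: ' + mutant.getURL()+ '. ' + mutant.printModValue()
                    v.setDesc( msg )
                    # Both the page the payload was read from and the request
                    # that wrote it are needed to reproduce a stored finding.
                    v.setId( [response.id, mutant_response_id] )
                    v.addToHighlight( payload )
                    kb.append( self, 'xss', v )
                    # Report at most one stored xss per page.
                    break
    self.printUniq( kb.getData( 'xss', 'xss' ), 'VAR' )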