Esempio n. 1
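    def _analyzeResult( self, mutant, response ):
        '''
        Do we have a reflected XSS?

        Records the (mutant, response id) pair for the later stored-XSS pass
        and, when the injected value is echoed back in this response, reports
        a reflected XSS vulnerability to the knowledge base.

        @param mutant: The mutant whose modified value was sent.
        @param response: The httpResponse received for that mutant.
        @return: None, record all the results in the kb.
        '''
        # Add to the stored XSS checking
        self._addToPermanentXssChecking( mutant, response.id )

        # NOTE(review): the rest of this method used to sit inside a dead
        # "if True:" left over from a removed lock. Nothing here serializes the
        # _hasNoBug() check against the kb.append() below, so two threads
        # analysing the same URL/variable at the same time may both pass the
        # check and report the vulnerability twice. Only de-duplication is
        # affected, not detection.
        #
        #   I will only report the XSS vulnerability once.
        #
        if not self._hasNoBug( 'xss' , 'xss' , mutant.getURL() , mutant.getVar() ):
            return

        mod_value = mutant.getModValue()

        # Nothing echoed back: no reflected XSS on this response.
        if mod_value not in response:
            return

        # Ok, we MAY have found a xss. Let's remove some false positives.
        if 'javas' in mod_value.lower():
            # I have to check if javascript was written inside a SRC parameter of html
            # afaik it is the only place this type (<IMG SRC="javascript:alert('XSS');">)
            # of xss works.
            vulnerable = bool( self._checkHTML( mod_value, response ) )
        else:
            # Not a javascript type of xss, it's a <SCRIPT>...</SCRIPT> type
            vulnerable = True

        # Save it to the KB
        if vulnerable:
            v = vuln.vuln( mutant )
            v.setPluginName(self.getName())
            v.setId( response.id )
            v.setName( 'Cross site scripting vulnerability' )
            v.setSeverity(severity.MEDIUM)
            msg = 'Cross Site Scripting was found at: ' + mutant.foundAt()
            msg += ' This vulnerability affects ' + ','.join(mutant.affected_browsers)
            v.setDesc( msg )
            v.addToHighlight( mod_value )

            kb.append( self, 'xss', v )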
Esempio n. 2
 def end( self ):
     '''
     This method is called to check for permanent Xss.
     Many times a xss isn't on the page we get after the GET/POST of the xss string.
     This method searches for the xss string on all the pages that are available.

     Every fuzzable request seen during the scan is fetched again and its body is
     searched for each payload recorded by the reflected-XSS pass; a hit on a page
     other than the one the payload was sent to is what makes the XSS "permanent".

     @return: None, vulns are saved to the kb.
     '''
     # self._tm.join( self )
     if self._check_stored_xss:
         for stored_request in self._fuzzableRequests:
             # useCache=False: presumably forces a fresh fetch so a stale cached
             # body cannot hide (or fake) a stored payload -- confirm in _sendMutant.
             page = self._sendMutant(stored_request, analyze=False,
                                     useCache=False)

             for payload_mutant, payload_response_id in self._xssMutants:
                 payload = payload_mutant.getModValue()

                 # httpResponse implements a faster "__in__" than searching
                 # page.getBody(), so test the response object directly.
                 if payload not in page:
                     continue

                 v = vuln.vuln( payload_mutant )
                 v.setPluginName(self.getName())
                 v.setURL( stored_request.getURL() )
                 v.setDc( stored_request.getDc() )
                 v.setMethod( stored_request.getMethod() )

                 # Keep both halves of the finding: where the payload was
                 # written and where it was read back.
                 v['permanent'] = True
                 v['write_payload'] = payload_mutant
                 v['read_payload'] = stored_request
                 v.setName( 'Permanent cross site scripting vulnerability' )
                 v.setSeverity(severity.HIGH)

                 description = ''.join((
                     'Permanent Cross Site Scripting was found at: ',
                     page.getURL(),
                     ' . Using method: ',
                     v.getMethod(),
                     '. The XSS was sent to the',
                     ' URL: ',
                     payload_mutant.getURL(),
                     '. ',
                     payload_mutant.printModValue(),
                 ))
                 v.setDesc( description )
                 v.setId( [page.id, payload_response_id] )
                 v.addToHighlight( payload )
                 kb.append( self, 'xss', v )

                 # One permanent XSS per page is enough; move on to the next request.
                 break

     self.printUniq( kb.getData( 'xss', 'xss' ), 'VAR' )