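class Payload(db.Model):
    """
    XSS test payload tracked by the application.

    Columns:
        payload:    payload text used in XSS injection testing; may contain
                    the ``$1`` placeholder, which ``as_dict`` expands.
        url:        URL the payload is submitted to.
        method:     request method used to facilitate XSS testing.
        parameter:  parameter which contains the payload.
        notes:      free-form notes.
        assessment: foreign key to ``assessments.id``.

    Payload provides the primary key to Capture, which stores an XSS capture.
    """
    __tablename__ = 'payloads'

    id = db.Column(db.Integer, primary_key=True)
    payload = db.Column(db.String(500))
    url = db.Column(db.String(500))
    method = db.Column(db.String(12))
    parameter = db.Column(db.String(50))
    notes = db.Column(db.String(200))
    assessment = db.Column(db.Integer, db.ForeignKey('assessments.id'))

    # When payloads are deleted, cascade the delete and remove associated captures
    captures = db.relationship("Capture", cascade="all,delete", backref="payloads")

    def as_dict(self):
        """
        Return the payload as a JSON-serialisable dict for the API.

        The ``$1`` placeholder in the stored payload is replaced with a
        protocol-relative callback URL built from the configured hostname and
        this payload's id. A payload stored as NULL is returned as ``None``
        instead of raising ``AttributeError``.

        The ``payload`` value is script/markup test content by design; any
        consumer that displays it in a browser must output-encode it rather
        than insert it as raw HTML.
        """
        # NOTE(review): this reads HOSTNAME, while Puppyscript.as_dict reads
        # CALLBACK_HOSTNAME -- confirm both keys are meant to exist.
        rendered = self.payload
        if rendered is not None:
            # Replace $1 template with configured hostname
            callback = "//{}/x?u={}".format(app.config['HOSTNAME'], self.id)
            rendered = rendered.replace("$1", callback)

        return {
            "id": self.id,
            # self.assessments is the backref declared on Assessment.payloads.
            "assessments": [linked.as_dict() for linked in self.assessments],
            "payload": rendered,
            "url": self.url,
            "method": self.method,
            "parameter": self.parameter,
            "notes": self.notes,
        }

    def show_assessment_ids(self):
        """
        Return the ids of the assessments linked to this payload as a list.
        """
        return [linked.id for linked in self.assessments]

    def show_assessment_names(self):
        """
        Return the names of the linked assessments as one comma-separated string.
        """
        return ','.join(linked.name for linked in self.assessments)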
class Puppyscript(db.Model):
    """
    JavaScript snippet delivered when a Sleepy Puppy payload executes.

    Columns:
        name:  name of the javascript file (required).
        code:  code that will be executed when a sleepy puppy payload is
               executed (required); rendered as a template in ``as_dict``.
        notes: free-form notes.

    Puppyscript is many to many with Payload through the ``taxonomy`` table.
    """
    __tablename__ = 'puppyscript'

    id = db.Column(db.Integer, primary_key=True)
    name = db.Column(db.String(500), nullable=False)
    code = db.Column(db.Text(), nullable=False)
    notes = db.Column(db.String(500))
    payloads = db.relationship("Payload", backref='puppyscript', secondary=taxonomy)

    def show_puppyscript_ids(self):
        """
        Return a list of ids taken from ``self.Puppyscripts``.
        """
        # NOTE(review): no ``Puppyscripts`` attribute is declared on this model
        # in the visible code (the relationship is ``payloads``); unless it is
        # attached elsewhere this raises AttributeError -- confirm the intent.
        related = self.Puppyscripts
        return [entry.id for entry in related]

    def show_puppyscript_names(self):
        """
        Return the names from ``self.Puppyscripts`` as a comma-separated string.
        """
        # NOTE(review): same undeclared ``Puppyscripts`` attribute as in
        # show_puppyscript_ids -- confirm where it is defined.
        related = self.Puppyscripts
        return ','.join(entry.name for entry in related)

    def as_dict(self, payload=1, assessment=1):
        """
        Return this Puppyscript as a dict with its code rendered for delivery.

        The stored ``code`` is passed through ``render_template_string`` with
        the callback hostname, the callback protocol (default ``https``) and
        the given ``payload`` and ``assessment`` values. If you need to expose
        additional variables to your Puppyscript templates, this is the place
        to do it.
        """
        # SECURITY: ``self.code`` comes from the database and is evaluated as a
        # template (presumably Flask/Jinja2), so template expressions in stored
        # code run server-side. Limit who may create or edit Puppyscripts, and
        # consider rendering in a sandboxed environment such as
        # jinja2.sandbox.SandboxedEnvironment.
        callback_host = app.config['CALLBACK_HOSTNAME']
        callback_scheme = app.config.get('CALLBACK_PROTOCOL', 'https')
        return {
            'name': self.name,
            'code': render_template_string(
                self.code,
                hostname=callback_host,
                callback_protocol=callback_scheme,
                payload=payload,
                assessment=assessment),
        }

    def __repr__(self):
        """Represent the Puppyscript by its name."""
        return str(self.name)
class Assessment(db.Model):
    """
    Assessment groups the payloads used in one piece of testing work.

    Columns / relationships:
        name:     name of the assessment you are working on.
        payloads: payloads associated with the assessment, linked through the
                  ``assessment_associations`` table; the relationship also
                  adds an ``assessments`` backref on Payload.
    """
    __tablename__ = 'assessments'

    id = db.Column(db.Integer, primary_key=True)
    name = db.Column(db.String(500))
    payloads = db.relationship("Payload", secondary=assessment_associations, backref="assessments")

    def as_dict(self):
        """Return the Assessment's table columns as a name -> value dict."""
        # Only mapped table columns are exported; relationships such as
        # ``payloads`` are not part of ``__table__.columns``.
        exported = {}
        for column in self.__table__.columns:
            exported[column.name] = getattr(self, column.name)
        return exported

    def __repr__(self):
        """Represent the Assessment by its name."""
        return str(self.name)