Class: Watobo::Modules::Active::Xss::Xss_ng

Inherits:

ActiveCheck

• Object
• Session
• ActiveCheck
• Watobo::Modules::Active::Xss::Xss_ng

Defined in:

modules/active/xss/xss_ng.rb

Constant Summary

Constants included from Constants

Constants::AC_GROUP_APACHE, Constants::AC_GROUP_DOMINO, Constants::AC_GROUP_ENUMERATION, Constants::AC_GROUP_FILE_INCLUSION, Constants::AC_GROUP_FLASH, Constants::AC_GROUP_GENERIC, Constants::AC_GROUP_JBOSS, Constants::AC_GROUP_JOOMLA, Constants::AC_GROUP_SAP, Constants::AC_GROUP_SQL, Constants::AC_GROUP_TYPO3, Constants::AC_GROUP_XSS, Constants::AUTH_TYPE_BASIC, Constants::AUTH_TYPE_DIGEST, Constants::AUTH_TYPE_NONE, Constants::AUTH_TYPE_NTLM, Constants::CHAT_SOURCE_AUTO_SCAN, Constants::CHAT_SOURCE_FUZZER, Constants::CHAT_SOURCE_INTERCEPT, Constants::CHAT_SOURCE_MANUAL, Constants::CHAT_SOURCE_MANUAL_SCAN, Constants::CHAT_SOURCE_PROXY, Constants::CHAT_SOURCE_UNDEF, Constants::DEFAULT_PORT_HTTP, Constants::DEFAULT_PORT_HTTPS, Constants::FINDING_TYPE_HINT, Constants::FINDING_TYPE_INFO, Constants::FINDING_TYPE_UNDEFINED, Constants::FINDING_TYPE_VULN, Constants::FIRST_TIME_FILE, Constants::GUI_REGULAR_FONT_SIZE, Constants::GUI_SMALL_FONT_SIZE, Constants::ICON_PATH, Constants::LOG_DEBUG, Constants::LOG_INFO, Constants::SCAN_CANCELED, Constants::SCAN_FINISHED, Constants::SCAN_PAUSED, Constants::SCAN_STARTED, Constants::TE_CHUNKED, Constants::TE_COMPRESS, Constants::TE_DEFLATE, Constants::TE_GZIP, Constants::TE_IDENTITY, Constants::TE_NONE, Constants::VULN_RATING_CRITICAL, Constants::VULN_RATING_HIGH, Constants::VULN_RATING_INFO, Constants::VULN_RATING_LOW, Constants::VULN_RATING_MEDIUM, Constants::VULN_RATING_UNDEFINED

Instance Method Summary

• #generateChecks(chat) ⇒ Object
• #initialize(project, prefs = {}) ⇒ Xss_ng constructor

  A new instance of Xss_ng.

• #reset ⇒ Object

Methods included from CheckInfoMixin::InfoMethods

#check_group, #check_name

Constructor Details

#initialize(project, prefs = {}) ⇒ Xss_ng

Returns a new instance of Xss_ng.

# File 'modules/active/xss/xss_ng.rb', line 65

def initialize(project, prefs={})
  super(project, prefs)
  
  
  @envelop = "watobo"
  @env_count = 0
  @evasions = [ "%0a", "%00"]
  @xss_chars= %w( < > ' " ) 
  @escape_chars = ['\\']       
  @additional_parms = []
  
  def reset
    @additional_parms = []
    @env_count = 0
  end
  
  
end

Instance Method Details

#generateChecks(chat) ⇒ Object

# File 'modules/active/xss/xss_ng.rb', line 85

def generateChecks(chat)    
  begin   
    # 
    if chat.response.respond_to? :input_fields           
    chat.response.input_fields do |field|                
      @additional_parms << field.to_www_form_parm if chat.request.method_post?
      @additional_parms << field.to_url_parm
     
    end
    end
    
    @parm_list = chat.request.parameters(:data, :url)
    @parm_list.concat @additional_parms
    @parm_list.each do |parm|
     #log_console( "#{parm.location} - #{parm.name} = #{parm.value}")
     
      checks = []
      @xss_chars.each do |xss|
        @env_count += 1
        
        check_id = "#{@envelop}#{@env_count}"
         checks << [ xss.dup, "#{xss}", check_id ]
         checks << [xss.dup, "#{parm.value}#{xss}", check_id ]
         checks << [xss.dup, "#{xss}#{parm.value}", check_id ]
            
        end
        checker = proc {
          results = {}
          rating = 0
             test_request = nil
            test_response = nil
            
            # first we check, if parameter is injectable
            test = chat.copyRequest
           
            proof = "INJ#{Time.now.to_i.to_s}"
            parm.value = proof
            test.set parm
            
            test_request,test_response = doRequest(test)
            
            
            next [ test_request, test_response ] unless test_response.has_body?
                             
            next [ test_request, test_response ] unless test_response.body =~ /#{proof}/i
            
          
          checks.each do |xss, check, check_id|
           
           # accept only one (escape) char between check_id and check string
            proof = "#{check_id}([^#{Regexp.quote(check)}]?(#{Regexp.quote(check)}){1})"
            next if results.has_key? xss
            test = chat.copyRequest
           
            parm.value = check_id + CGI.escape(check)
            test.set parm
            
            test_request,test_response = doRequest(test)
                             
            if not test_response then
              if $DEBUG
              puts "[#{Module.nesting[0].name}] got no response :("
              puts test
              end
            elsif test_response.join =~ /#{proof}/i
              match = $1
            #puts "MATCH: [ #{match} ] / [ #{check} ]"
              if match == check
              results[xss] = { :match => :full, :check => check, :proof => proof }
              end
              
              unless results.has_key? xss
                @escape_chars.each do |ec|
                  ep = Regexp.quote("#{ec}#{xss}")
                #  puts "Escaped: #{match} / #{ep}"
                  results[xss] = { :match => :escaped, :check => check, :proof => proof, :escape_char => "#{ec}"} if match =~ /#{ep}/
                end
              end
              
            end
            
          end
          
         puts results.to_yaml if $DEBUG
          xss_combo = ""
          combo_patterns = []
         results.each do |k,v|
           mp = CGI.escape(k)
           rp = CGI.escape(@xss_chars.join)
           xss_combo += CGI.escape(k)
           #puts "[#{k}] - #{v}"
           case v[:match]
             
           when :full
               rating += 100/@xss_chars.length                         
               combo_patterns << k 
             when :escaped
                rating += 100/(@xss_chars.length*4)
                combo_patterns << Regexp.quote("#{v[:escape_char]}#{k}") 
             end
         end                   
          
          if rating > 0
            test = chat.copyRequest
            #puts "COMBO-REQUEST: #{xss_combo}"
            parm.value = "#{@envelop}#{@env_count}#{xss_combo}"
            pattern = "(#{@envelop}#{@env_count}(#{combo_patterns.join("|")})+)"
            test.set parm
              
            match = ""
            
            test_request,test_response = doRequest(test)
            if not test_response then
              puts "got no response :("
            elsif test_response.join =~ /#{pattern}/i
              match = $1
              #puts "MATCH: #{match}"
            end
           
           fclass = "Reflected XSS - #{rating}%"
           fclass = "Reflected XSS (POST) - #{rating}%" if parm.location == :data
            addFinding( test_request, test_response,
                       :check_pattern => xss_combo, 
            :proof_pattern => "#{match}", 
            :test_item => parm.name,
            :class => fclass, 
            :chat => chat,
            :title => "[#{parm.name}] - #{test_request.path}"
            )
          end
         
          [ test_request, test_response ]
        }
        yield checker
     
    end
    
  rescue => bang
    puts bang
    puts bang.backtrace if $DEBUG
    puts "ERROR!! #{Module.nesting[0].name}"
    raise
    
    
  end
end

#reset ⇒ Object

# File 'modules/active/xss/xss_ng.rb', line 76

def reset
  @additional_parms = []
  @env_count = 0
end