Class: Watobo::Modules::Active::Xss::Xss_simple

Inherits:
ActiveCheck
  • Object
Defined in:
modules/active/xss/xss_simple.rb

Constant Summary

Constants included from Constants

Constants::AC_GROUP_APACHE, Constants::AC_GROUP_DOMINO, Constants::AC_GROUP_ENUMERATION, Constants::AC_GROUP_FILE_INCLUSION, Constants::AC_GROUP_FLASH, Constants::AC_GROUP_GENERIC, Constants::AC_GROUP_JBOSS, Constants::AC_GROUP_JOOMLA, Constants::AC_GROUP_SAP, Constants::AC_GROUP_SQL, Constants::AC_GROUP_TYPO3, Constants::AC_GROUP_XSS, Constants::AUTH_TYPE_BASIC, Constants::AUTH_TYPE_DIGEST, Constants::AUTH_TYPE_NONE, Constants::AUTH_TYPE_NTLM, Constants::CHAT_SOURCE_AUTO_SCAN, Constants::CHAT_SOURCE_FUZZER, Constants::CHAT_SOURCE_INTERCEPT, Constants::CHAT_SOURCE_MANUAL, Constants::CHAT_SOURCE_MANUAL_SCAN, Constants::CHAT_SOURCE_PROXY, Constants::CHAT_SOURCE_UNDEF, Constants::DEFAULT_PORT_HTTP, Constants::DEFAULT_PORT_HTTPS, Constants::FINDING_TYPE_HINT, Constants::FINDING_TYPE_INFO, Constants::FINDING_TYPE_UNDEFINED, Constants::FINDING_TYPE_VULN, Constants::FIRST_TIME_FILE, Constants::GUI_REGULAR_FONT_SIZE, Constants::GUI_SMALL_FONT_SIZE, Constants::ICON_PATH, Constants::LOG_DEBUG, Constants::LOG_INFO, Constants::SCAN_CANCELED, Constants::SCAN_FINISHED, Constants::SCAN_PAUSED, Constants::SCAN_STARTED, Constants::TE_CHUNKED, Constants::TE_COMPRESS, Constants::TE_DEFLATE, Constants::TE_GZIP, Constants::TE_IDENTITY, Constants::TE_NONE, Constants::VULN_RATING_CRITICAL, Constants::VULN_RATING_HIGH, Constants::VULN_RATING_INFO, Constants::VULN_RATING_LOW, Constants::VULN_RATING_MEDIUM, Constants::VULN_RATING_UNDEFINED

Instance Method Summary

Methods included from CheckInfoMixin::InfoMethods

#check_group, #check_name

Constructor Details

#initialize(project, prefs = {}) ⇒ Xss_simple

Returns a new instance of Xss_simple, seeded with the fixed list of reflected-XSS probe payloads (and the text each one is expected to reflect) that #generateChecks iterates over.



# File 'modules/active/xss/xss_simple.rb', line 65

def initialize(project, prefs={})
  super(project, prefs)
  
  
  
  @xss_checks=[ 
  ["<script>watobo</script>", "<script>watobo</script>"],
  ["%3Cscript%3Ewatobo%3C/script%3E", "<script>watobo</script>"],
  ["%0a<script>watobo</script>", "<script>watobo</script>"],              # prepend %0A can circumvent checks ... seen in the wild
  ["%0a%3Cscript%3Ewatobo%3C/script%3E", "<script>watobo</script>"],   # prepend %0A can circumvent checks ... seen in the wild
  ["<watobo", "<watobo"],
  ["%00<watobo", "<watobo"],
  ["%3Cwatobo%3E", "<watobo>"], 
  ]
  
  
end

Instance Method Details

#generateChecks(chat) ⇒ Object



# File 'modules/active/xss/xss_simple.rb', line 84

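# Builds one lazily-run check per (parameter, payload) pair and hands each one
# to the caller's block. Every yielded object is a proc that, when called,
# sends a single request with the payload written into that parameter,
# records a "Reflected XSS" finding when the expected text shows up in the
# response, and returns the [request, response] pair.
#
# chat: the recorded request/response to derive test requests from (project
#   type; only copyRequest is called on it here, plus whatever the
#   urlParmNames / postParmNames helpers read).
# Yields: one zero-argument proc per parameter x payload, first for every
#   URL (GET) parameter, then for every POST parameter.
# Raises: anything that escapes while the checks are being built is printed
#   and re-raised; errors inside a checker only surface when that proc runs.
def generateChecks(chat)
  #
  #  Check GET-Parameters
  #
  urlParmNames(chat).each do |parm|
    @xss_checks.each do |check, pattern|
      yield xss_checker_for(chat, parm, check, pattern, :get)
    end
  end

  #
  #  Check POST-Parameters
  #
  postParmNames(chat).each do |parm|
    @xss_checks.each do |check, pattern|
      yield xss_checker_for(chat, parm, check, pattern, :post)
    end
  end
rescue => bang
  puts bang
  puts bang.backtrace if $DEBUG
  puts "ERROR!! #{Module.nesting[0].name}"
  raise
end

# Returns the proc that performs one reflected-XSS probe.
# location is :get or :post; it only decides which parameter of the copied
# request is overwritten and how the finding is labelled -- request, matching
# and reporting are identical for both (the original GET and POST branches
# had drifted apart: only the GET one guarded against a nil response).
def xss_checker_for(chat, parm, check, pattern, location)
  proc {
    test = chat.copyRequest
    if location == :post
      test.replace_post_parm(parm, check)
    else
      test.replace_get_parm(parm, check)
    end
    test_request, test_response = doRequest(test)

    # doRequest can hand back a nil response; dereferencing it would kill
    # the scan for this chat instead of just skipping the probe.
    if test_response.nil?
      puts "got no response :("
    # pattern is interpolated unescaped (every entry in @xss_checks is a plain
    # literal) and matched case-insensitively against the whole joined raw
    # response, headers included -- a payload echoed in a header (e.g. a
    # redirect target) is reported just like one echoed in the body.
    elsif test_response.join =~ /(#{pattern})/i
      match = Regexp.last_match(1)
      addFinding(test_request, test_response,
                 :check_pattern => "#{check}",
                 :proof_pattern => "#{match}",
                 :test_item => parm,
                 :class => "Reflected XSS [#{location.to_s.upcase}]",
                 :chat => chat,
                 :title => "[#{parm}] - #{test_request.path}"
                 )
    end
    # no 'return' inside the proc: it would try to leave the (long finished)
    # enclosing method instead of the proc
    [ test_request, test_response ]
  }
end
private :xss_checker_for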