author | Maximilian Hils <git@maximilianhils.com> | 2017-10-22 18:02:28 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-10-22 18:02:28 +0200 |
commit | f31d5dc3ebefec9a88e55354dce6b2f812eb9796 (patch) | |
tree | f24991f712f5eeb788ae49d44e8e6462a5f2e2aa | |
parent | 58ecef258b9b5fdc8335cc629a5d9ca61590a785 (diff) | |
parent | 04a06eb6b5b5813b4ec630fc1451b1734fbb22fc (diff) | |
download | mitmproxy-f31d5dc3ebefec9a88e55354dce6b2f812eb9796.tar.gz mitmproxy-f31d5dc3ebefec9a88e55354dce6b2f812eb9796.tar.bz2 mitmproxy-f31d5dc3ebefec9a88e55354dce6b2f812eb9796.zip |
Merge pull request #2591 from ddworken/master
Added scanning for CSS injection and iframe injection to XSS scanner
-rwxr-xr-x | examples/complex/xss_scanner.py | 15 | ||||
-rw-r--r-- | test/examples/test_xss_scanner.py | 8 |
2 files changed, 17 insertions, 6 deletions
diff --git a/examples/complex/xss_scanner.py b/examples/complex/xss_scanner.py
index d954adf3..4b35c6c1 100755
--- a/examples/complex/xss_scanner.py
+++ b/examples/complex/xss_scanner.py
@@ -85,14 +85,19 @@ def get_cookies(flow: http.HTTPFlow) -> Cookies:
 def find_unclaimed_URLs(body: Union[str, bytes], requestUrl: bytes) -> None:
     """ Look for unclaimed URLs in script tags and log them if found"""
+    def getValue(attrs: List[Tuple[str, str]], attrName: str) -> str:
+        for name, value in attrs:
+            if attrName == name:
+                return value
+
     class ScriptURLExtractor(HTMLParser):
         script_URLs = []
 
         def handle_starttag(self, tag, attrs):
-            if tag == "script" and "src" in [name for name, value in attrs]:
-                for name, value in attrs:
-                    if name == "src":
-                        self.script_URLs.append(value)
+            if (tag == "script" or tag == "iframe") and "src" in [name for name, value in attrs]:
+                self.script_URLs.append(getValue(attrs, "src"))
+            if tag == "link" and getValue(attrs, "rel") == "stylesheet" and "href" in [name for name, value in attrs]:
+                self.script_URLs.append(getValue(attrs, "href"))
 
     parser = ScriptURLExtractor()
     try:
@@ -105,7 +110,7 @@ def find_unclaimed_URLs(body: Union[str, bytes], requestUrl: bytes) -> None:
         try:
             gethostbyname(domain)
         except gaierror:
-            ctx.log.error("XSS found in %s due to unclaimed URL \"%s\" in script tag." % (requestUrl, url))
+            ctx.log.error("XSS found in %s due to unclaimed URL \"%s\"." % (requestUrl, url))
 
 
 def test_end_of_URL_injection(original_body: str, request_URL: str, cookies: Cookies) -> VulnData:
diff --git a/test/examples/test_xss_scanner.py b/test/examples/test_xss_scanner.py
index 14ee6902..e15d7e10 100644
--- a/test/examples/test_xss_scanner.py
+++ b/test/examples/test_xss_scanner.py
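Review bot: getValue falls off the end and returns None when the attribute is absent, so its `-> str` annotation is wrong; `-> Union[str, None]` (Union is already used in find_unclaimed_URLs's signature) would make the None path explicit. With getValue available, the `"src" in [name for name, value in attrs]` membership scans in handle_starttag are redundant: `src = getValue(attrs, "src")` followed by `if tag in ("script", "iframe") and src is not None:` covers the same case in one pass over attrs. The `rel` comparison is exact-match only, and rel is a space-separated token list in HTML, so a `rel="stylesheet alternate"`-style link is silently skipped; splitting the value on whitespace before comparing would catch it. The docstring still says "script tags" although iframe src and stylesheet href are now collected too, e.g. `""" Look for unclaimed URLs in script/iframe src and stylesheet href attributes and log them if found"""`. find_unclaimed_URLs continues past the end of this hunk.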
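Review bot: The reworded error no longer says which element referenced the unclaimed URL, so someone triaging the log cannot tell a script src from an iframe src or a stylesheet href without re-fetching the page; since ScriptURLExtractor sees the tag at the moment it appends, storing `(tag, url)` pairs and logging `"XSS found in %s due to unclaimed URL \"%s\" in <%s> tag." % (requestUrl, url, tag)` would keep that context. Separately, `except gaierror:` treats every resolver failure as an unclaimed domain, including transient ones, which makes the finding a false positive when DNS is merely unreachable; checking the error code (socket.EAI_NONAME where the platform defines it) before logging, or at least downgrading other codes to a warning, would make the signal more reliable. Only the log line is changed here; the loop over script_URLs and the head of find_unclaimed_URLs are outside this hunk.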
@@ -314,7 +314,13 @@ class TestXSSScanner():
         assert logger.args == []
         xss.find_unclaimed_URLs("<html><script src=\"http://unclaimedDomainName.com\"></script></html>", "https://example.com")
-        assert logger.args[0] == 'XSS found in https://example.com due to unclaimed URL "http://unclaimedDomainName.com" in script tag.'
+        assert logger.args[0] == 'XSS found in https://example.com due to unclaimed URL "http://unclaimedDomainName.com".'
+        xss.find_unclaimed_URLs("<html><iframe src=\"http://unclaimedDomainName.com\"></iframe></html>",
+                                "https://example.com")
+        assert logger.args[0] == 'XSS found in https://example.com due to unclaimed URL "http://unclaimedDomainName.com".'
+        xss.find_unclaimed_URLs("<html><link rel=\"stylesheet\" href=\"http://unclaimedDomainName.com\"></html>",
+                                "https://example.com")
+        assert logger.args[0] == 'XSS found in https://example.com due to unclaimed URL "http://unclaimedDomainName.com".'
 
     def test_log_XSS_data(self, monkeypatch, logger):
         logger.args = [] |
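Review bot: After the first find_unclaimed_URLs call logger.args already holds the script-tag message, so the two new assertions on `logger.args[0]` re-check that same first entry rather than the iframe and stylesheet results; assuming the logger fixture appends (the initial `assert logger.args == []` and the `logger.args = []` reset at the top of test_log_XSS_data suggest it does), the new cases would pass even if iframe or link extraction were broken. Reset with `logger.args = []` before each new call, or assert on `logger.args[-1]` and finish with `assert len(logger.args) == 3` so each tag type is verified independently. The logger fixture and the start of this test method are outside the hunk.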