Adding headless templates
parent
1c94e7bc22
commit
4bcb6fbc04
|
@ -0,0 +1,43 @@
|
|||
id: dvwa-headless-automatic-login
|
||||
info:
|
||||
name: DVWA Headless Automatic Login
|
||||
author: pdteam
|
||||
severity: high
|
||||
tags: headlress
|
||||
|
||||
headless:
|
||||
- steps:
|
||||
- args:
|
||||
url: "{{BaseURL}}/login.php"
|
||||
action: navigate
|
||||
- action: waitload
|
||||
- args:
|
||||
by: x
|
||||
xpath: /html/body/div/div[2]/form/fieldset/input
|
||||
action: click
|
||||
- action: waitload
|
||||
- args:
|
||||
by: x
|
||||
value: admin
|
||||
xpath: /html/body/div/div[2]/form/fieldset/input
|
||||
action: text
|
||||
- args:
|
||||
by: x
|
||||
xpath: /html/body/div/div[2]/form/fieldset/input[2]
|
||||
action: click
|
||||
- action: waitload
|
||||
- args:
|
||||
by: x
|
||||
value: password
|
||||
xpath: /html/body/div/div[2]/form/fieldset/input[2]
|
||||
action: text
|
||||
- args:
|
||||
by: x
|
||||
xpath: /html/body/div/div[2]/form/fieldset/p/input
|
||||
action: click
|
||||
- action: waitload
|
||||
matchers:
|
||||
- part: resp
|
||||
type: word
|
||||
words:
|
||||
- "You have logged in as"
|
|
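Review bot: The `tags:` line is misspelled as `headlress`, so filtering or excluding templates by the `headless` tag — the spelling the three sibling templates in this commit use — will silently miss this one; change it to `tags: headless`. The matcher uses `part: resp` while the other templates in this commit match on a named script output, so it is worth confirming that `resp` is the response part name the headless engine expects here. The author field is `pdteam` in this file and `pd-team` in the other three; one spelling would keep the set consistent.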
@ -0,0 +1,65 @@
|
|||
id: postmessage-tracker
|
||||
|
||||
info:
|
||||
name: Postmessage Tracker
|
||||
author: pd-team
|
||||
severity: info
|
||||
reference: https://github.com/vinothsparrow/iframe-broker/blob/main/static/script.js
|
||||
tags: headless,postmessage
|
||||
|
||||
headless:
|
||||
- steps:
|
||||
- action: setheader
|
||||
args:
|
||||
part: response
|
||||
key: Content-Security-Policy
|
||||
value: "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;"
|
||||
- action: script
|
||||
args:
|
||||
hook: true
|
||||
code: |
|
||||
(function() {window.alerts = [];
|
||||
|
||||
function logger(found) {
|
||||
window.alerts.push(found);
|
||||
}
|
||||
|
||||
function getStackTrace () {
|
||||
var stack;
|
||||
try {
|
||||
throw new Error('');
|
||||
}
|
||||
catch (error) {
|
||||
stack = error.stack || '';
|
||||
}
|
||||
stack = stack.split('\n').map(function (line) { return line.trim(); });
|
||||
return stack.splice(stack[0] == 'Error' ? 2 : 1);
|
||||
}
|
||||
|
||||
var oldListener = Window.prototype.addEventListener;
|
||||
|
||||
Window.prototype.addEventListener = function(type, listener, useCapture) {
|
||||
if(type === 'message') {
|
||||
logger(getStackTrace());
|
||||
}
|
||||
return oldListener.apply(this, arguments);
|
||||
};
|
||||
})();
|
||||
- args:
|
||||
url: "{{BaseURL}}"
|
||||
action: navigate
|
||||
- action: waitload
|
||||
- action: script
|
||||
name: alerts
|
||||
args:
|
||||
code: "window.alerts"
|
||||
matchers:
|
||||
- type: word
|
||||
part: alerts
|
||||
words:
|
||||
- "at Window.addEventListener"
|
||||
extractors:
|
||||
- type: kval
|
||||
part: alerts
|
||||
kval:
|
||||
- alerts
|
|
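Review bot: Only `Window.prototype.addEventListener` is wrapped, so a page that registers its handler with `window.onmessage = fn` never reaches `logger`, and the template reports nothing for it. If the engine's browser exposes `onmessage` as an accessor reachable through `Object.getOwnPropertyDescriptor`, the same pattern can be applied there: capture the original setter, redefine the property, and call `logger(getStackTrace())` before delegating to it. The matcher word `"at Window.addEventListener"` also depends on V8's frame naming for an anonymous function assigned to `Window.prototype`; a short comment above `words:` noting that dependency would help whoever debugs it when the format changes. The wrapper's `useCapture` parameter is unused since the call forwards `arguments`; dropping it would make that explicit.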
@ -0,0 +1,95 @@
|
|||
id: prototype-pollution-check
|
||||
|
||||
info:
|
||||
name: Prototype Pollution Check
|
||||
author: pd-team
|
||||
severity: medium
|
||||
reference: https://github.com/msrkp/PPScan
|
||||
tags: headless
|
||||
headless:
|
||||
- steps:
|
||||
- action: setheader
|
||||
args:
|
||||
part: response
|
||||
key: Content-Security-Policy
|
||||
value: "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;"
|
||||
- action: setheader
|
||||
args:
|
||||
part: response
|
||||
key: X-Frame-Options
|
||||
value: foo
|
||||
- action: setheader
|
||||
args:
|
||||
part: response
|
||||
key: If-None-Match
|
||||
value: foo
|
||||
- action: script
|
||||
args:
|
||||
hook: true
|
||||
code: |
|
||||
// Hooking code adapted from https://github.com/msrkp/PPScan/blob/main/scripts/content_script.js
|
||||
(function() {window.alerts = [];
|
||||
|
||||
function logger(found) {
|
||||
window.alerts.push(found);
|
||||
}
|
||||
|
||||
function check() {
|
||||
loc = location.href;
|
||||
|
||||
if (loc.indexOf("e32a5ec9c99") >= 0 && loc.search("a0def12bce") == -1) {
|
||||
setTimeout(function() {
|
||||
if (Object.prototype.e32a5ec9c99 == "ddcb362f1d60") {
|
||||
logger(location.href);
|
||||
}
|
||||
var url = new URL(location.origin + location.pathname);
|
||||
url.hash = "__proto__[a0def12bce]=ddcb362f1d60&__proto__.a0def12bce=ddcb362f1d60&dummy";
|
||||
location = url.href;
|
||||
}, 5 * 1000);
|
||||
} else if (loc.search("a0def12bce") != -1) {
|
||||
setTimeout(function() {
|
||||
if (Object.prototype.a0def12bce == "ddcb362f1d60") {
|
||||
logger(location.href);
|
||||
}
|
||||
window.close();
|
||||
}, 5 * 1000);
|
||||
} else {
|
||||
var url = new URL(loc);
|
||||
url.searchParams.append("__proto__[e32a5ec9c99]", "ddcb362f1d60");
|
||||
url.searchParams.append("__proto__.e32a5ec9c99", "ddcb362f1d60");
|
||||
location = url.href;
|
||||
}
|
||||
}
|
||||
|
||||
window.onload = function() {
|
||||
if (Object.prototype.e32a5ec9c99 == "ddcb362f1d60" || Object.prototype.a0def12bce == "ddcb362f1d60") {
|
||||
logger(location.href);
|
||||
} else {
|
||||
check();
|
||||
}
|
||||
};
|
||||
|
||||
var timerID = setInterval(function() {
|
||||
if (Object.prototype.e32a5ec9c99 == "ddcb362f1d60" || Object.prototype.a0def12bce == "ddcb362f1d60") {
|
||||
logger(location.href);
|
||||
clearInterval(timerID);
|
||||
}
|
||||
}, 5 * 1000)})();
|
||||
- args:
|
||||
url: "{{BaseURL}}"
|
||||
action: navigate
|
||||
- action: waitload
|
||||
- action: script
|
||||
name: alerts
|
||||
args:
|
||||
code: "window.alerts"
|
||||
matchers:
|
||||
- type: word
|
||||
part: alerts
|
||||
words:
|
||||
- "__proto__"
|
||||
extractors:
|
||||
- type: kval
|
||||
part: alerts
|
||||
kval:
|
||||
- alerts
|
|
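Review bot: `loc = location.href;` in `check()` has no `var`, so it creates an implicit global `loc` on the target page's window; besides colliding with any page variable of that name, it would throw under strict mode. Declare it with `var loc = location.href;`. Detection is also wired through `window.onload = function() {...}`; because the hook runs before the page's own scripts, a page that assigns `window.onload` itself replaces this handler and only the 5-second `setInterval` fallback remains — `window.addEventListener('load', function() {...})` cannot be displaced that way. The `If-None-Match: foo` header looks intended to defeat caching, but it is a request header, so its effect when set on the response part is worth confirming.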
@ -0,0 +1,81 @@
|
|||
id: window-name-domxss
|
||||
|
||||
info:
|
||||
name: window.name DOM XSS
|
||||
author: pd-team
|
||||
severity: medium
|
||||
reference: https://public-firing-range.appspot.com/dom/index.html
|
||||
tags: headless,xss,domxss
|
||||
|
||||
headless:
|
||||
- steps:
|
||||
- action: setheader
|
||||
args:
|
||||
part: response
|
||||
key: Content-Security-Policy
|
||||
value: "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;"
|
||||
- action: script
|
||||
args:
|
||||
hook: true
|
||||
code: |
|
||||
(function() {window.alerts = [];
|
||||
|
||||
function logger(found) {
|
||||
window.alerts.push(found);
|
||||
}
|
||||
|
||||
function getStackTrace () {
|
||||
var stack;
|
||||
try {
|
||||
throw new Error('');
|
||||
}
|
||||
catch (error) {
|
||||
stack = error.stack || '';
|
||||
}
|
||||
stack = stack.split('\n').map(function (line) { return line.trim(); });
|
||||
return stack.splice(stack[0] == 'Error' ? 2 : 1);
|
||||
}
|
||||
window.name = "{{randstr_1}}'\"<>";
|
||||
|
||||
var oldEval = eval;
|
||||
var oldDocumentWrite = document.write;
|
||||
var setter = Object.getOwnPropertyDescriptor(Element.prototype, 'innerHTML').set;
|
||||
Object.defineProperty(Element.prototype, 'innerHTML', {
|
||||
set: function innerHTML_Setter(val) {
|
||||
if (val.includes("{{randstr_1}}'\"<>")) {
|
||||
logger({sink: 'innerHTML', source: 'window.name', code: val, stack: getStackTrace()});
|
||||
}
|
||||
return setter.call(this, val)
|
||||
}
|
||||
});
|
||||
eval = function(data) {
|
||||
if (data.includes("{{randstr_1}}'\"<>")) {
|
||||
logger({sink: 'eval' ,source: 'window.name', code: data, stack: getStackTrace()});
|
||||
}
|
||||
return oldEval.apply(this, arguments);
|
||||
};
|
||||
document.write = function(data) {
|
||||
if (data.includes("{{randstr_1}}'\"<>")) {
|
||||
logger({sink: 'document.write' ,source: 'window.name', code: data, stack: getStackTrace()});
|
||||
}
|
||||
return oldEval.apply(this, arguments);
|
||||
};
|
||||
})();
|
||||
- args:
|
||||
url: "{{BaseURL}}"
|
||||
action: navigate
|
||||
- action: waitload
|
||||
- action: script
|
||||
name: alerts
|
||||
args:
|
||||
code: "window.alerts"
|
||||
matchers:
|
||||
- type: word
|
||||
part: alerts
|
||||
words:
|
||||
- "sink:"
|
||||
extractors:
|
||||
- type: kval
|
||||
part: alerts
|
||||
kval:
|
||||
- alerts
|
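Review bot: The `document.write` wrapper returns `oldEval.apply(this, arguments)` instead of the saved `oldDocumentWrite`, so any page that calls `document.write` has its markup evaluated as JavaScript and the write itself is dropped, which breaks the page under test and leaves `oldDocumentWrite` unused; change that line to `return oldDocumentWrite.apply(this, arguments);`. The `innerHTML` setter calls `val.includes(...)` directly, so assigning a non-string (a number or `null`) to `innerHTML` throws from inside the hook; `String(val).includes(...)` keeps the browser's own coercion. Reassigning the global `eval` turns every call into an indirect eval, which runs in global rather than caller scope, so pages relying on local-scope `eval` may behave differently under the hook — worth a comment above `var oldEval = eval;`.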