From d3243103756dbe2df51d9cd66ef221ca08f90bf6 Mon Sep 17 00:00:00 2001
From: forgedhallpass <13679401+forgedhallpass@users.noreply.github.com>
Date: Thu, 28 Jul 2022 14:21:08 +0300
Subject: [PATCH] Fix code execution in headless templates (#4484) * Wrapping the JS code with a function https://github.com/projectdiscovery/nuclei/issues/2017 * Wrapping the JS code with a function https://github.com/projectdiscovery/nuclei/issues/2017
---
 headless/postmessage-outgoing-tracker.yaml | 41 +++++-----
 headless/postmessage-tracker.yaml | 51 ++++++------
 headless/prototype-pollution-check.yaml | 92 +++++++++++-----------
 headless/window-name-domxss.yaml | 81 +++++++++----------
 4 files changed, 132 insertions(+), 133 deletions(-)
diff --git a/headless/postmessage-outgoing-tracker.yaml b/headless/postmessage-outgoing-tracker.yaml
index a200db4661..8eb3834c59 100644
--- a/headless/postmessage-outgoing-tracker.yaml
+++ b/headless/postmessage-outgoing-tracker.yaml
@@ -19,33 +19,32 @@ headless:
 args:
 hook: true
 code: |
- (function() {window.alerts = [];
+ () => {
+ window.alerts = [];
- function logger(found) {
- window.alerts.push(found);
- }
+ logger = found => window.alerts.push(found);
- function getStackTrace () {
- var stack;
- try {
- throw new Error('');
+ function getStackTrace() {
+ var stack;
+ try {
+ throw new Error('');
+ } catch (error) {
+ stack = error.stack || '';
+ }
+
+ stack = stack.split('\n').map(line => line.trim());
+ return stack.splice(stack[0] == 'Error' ? 2 : 1);
 }
- catch (error) {
- stack = error.stack || '';
- }
- stack = stack.split('\n').map(function (line) { return line.trim(); });
- return stack.splice(stack[0] == 'Error' ? 2 : 1);
- }
- var oldSender = window.postMessage;
+ var oldSender = window.postMessage;
- window.postMessage = function(data, origin) {
- if(origin == '*'){
- logger({stack: getStackTrace(), args: {data, origin}});
- return oldSender.apply(this, arguments);
+ window.postMessage = (data, origin) => {
+ if (origin == '*') {
+ logger({stack: getStackTrace(), args: {data, origin}});
+ return oldSender.apply(this, arguments);
 }
 };
- })();
+ }
 - args:
 url: "{{BaseURL}}"
 action: navigate
@@ -53,7 +52,7 @@ headless:
 - action: script
 name: alerts
 args:
- code: "window.alerts"
+ code: window.alerts
 matchers:
 - type: word
 part: alerts
diff --git a/headless/postmessage-tracker.yaml b/headless/postmessage-tracker.yaml
index d0a1e79480..d02c8b34d9 100644
--- a/headless/postmessage-tracker.yaml
+++ b/headless/postmessage-tracker.yaml
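Review bot: The new `window.postMessage` hook only forwards to `oldSender` inside the `if (origin == '*')` branch, so a call with a specific target origin is neither logged nor delivered — the page under test loses those messages, which can stop the very flows the template is observing. The hook is also now an arrow function; arrows take `this` lexically and have no `arguments` binding of their own, so `oldSender.apply(this, arguments)` refers to whatever scope nuclei wraps the snippet in (a ReferenceError if nothing binds `arguments` there) rather than to the hooked call's parameters — the same arrow-with-`arguments` pattern is in postmessage-tracker.yaml's `Window.prototype.addEventListener` hook in this patch. I would keep the function form and hoist the forward: `window.postMessage = function(data, origin) {`, drop the `return` inside the `if`, and end the body with `return oldSender.apply(this, arguments);`. Separately, `logger = found => window.alerts.push(found);` assigns an undeclared name, so `logger` becomes a global on the page in all four templates; a `var logger = ...` keeps it inside the hook.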
@@ -19,33 +19,32 @@ headless:
 args:
 hook: true
 code: |
- (function() {window.alerts = [];
+ () => {
+ window.alerts = [];
- function logger(found) {
- window.alerts.push(found);
+ logger = found => window.alerts.push(found);
+
+ function getStackTrace() {
+ var stack;
+ try {
+ throw new Error('');
+ } catch (error) {
+ stack = error.stack || '';
+ }
+
+ stack = stack.split('\n').map(line => line.trim());
+ return stack.splice(stack[0] == 'Error' ? 2 : 1);
+ }
+
+ var oldListener = Window.prototype.addEventListener;
+
+ Window.prototype.addEventListener = (type, listener, useCapture) => {
+ if (type === 'message') {
+ logger(getStackTrace());
+ }
+ return oldListener.apply(this, arguments);
+ };
 }
-
- function getStackTrace () {
- var stack;
- try {
- throw new Error('');
- }
- catch (error) {
- stack = error.stack || '';
- }
- stack = stack.split('\n').map(function (line) { return line.trim(); });
- return stack.splice(stack[0] == 'Error' ? 2 : 1);
- }
-
- var oldListener = Window.prototype.addEventListener;
-
- Window.prototype.addEventListener = function(type, listener, useCapture) {
- if(type === 'message') {
- logger(getStackTrace());
- }
- return oldListener.apply(this, arguments);
- };
- })();
 - args:
 url: "{{BaseURL}}"
 action: navigate
@@ -53,7 +52,7 @@ headless:
 - action: script
 name: alerts
 args:
- code: "window.alerts"
+ code: window.alerts
 matchers:
 - type: word
 part: alerts
diff --git a/headless/prototype-pollution-check.yaml b/headless/prototype-pollution-check.yaml
index e5a3eac027..927969426c 100644
--- a/headless/prototype-pollution-check.yaml
+++ b/headless/prototype-pollution-check.yaml
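Review bot: Replacing `Window.prototype.addEventListener` with an arrow function changes the receiver: inside the arrow, `this` is the wrapper's lexical `this`, not the window on which the page called `addEventListener`, so `oldListener.apply(this, arguments)` no longer re-dispatches on the real target (and, as noted on the postmessage-outgoing-tracker hunk, `arguments` is not bound in an arrow at all). A prototype-level hook has to preserve the receiver or every listener registration on the page fails, including the `message` listeners this template exists to record. Restore the function form: `Window.prototype.addEventListener = function(type, listener, useCapture) {`.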
@@ -30,53 +30,53 @@ headless:
 hook: true
 code: |
 // Hooking code adapted from https://github.com/msrkp/PPScan/blob/main/scripts/content_script.js
- (function() {window.alerts = [];
+ () => {
+ window.alerts = [];
- function logger(found) {
- window.alerts.push(found);
+ logger = found => window.alerts.push(found);
+
+ function check() {
+ loc = location.href;
+
+ if (loc.indexOf("e32a5ec9c99") >= 0 && loc.search("a0def12bce") == -1) {
+ setTimeout(function() {
+ if (Object.prototype.e32a5ec9c99 == "ddcb362f1d60") {
+ logger(location.href);
+ }
+ var url = new URL(location.origin + location.pathname);
+ url.hash = "__proto__[a0def12bce]=ddcb362f1d60&__proto__.a0def12bce=ddcb362f1d60&dummy";
+ location = url.href;
+ }, 5 * 1000);
+ } else if (loc.search("a0def12bce") != -1) {
+ setTimeout(function() {
+ if (Object.prototype.a0def12bce == "ddcb362f1d60") {
+ logger(location.href);
+ }
+ window.close();
+ }, 5 * 1000);
+ } else {
+ var url = new URL(loc);
+ url.searchParams.append("__proto__[e32a5ec9c99]", "ddcb362f1d60");
+ url.searchParams.append("__proto__.e32a5ec9c99", "ddcb362f1d60");
+ location = url.href;
+ }
+ }
+
+ window.onload = function() {
+ if (Object.prototype.e32a5ec9c99 == "ddcb362f1d60" || Object.prototype.a0def12bce == "ddcb362f1d60") {
+ logger(location.href);
+ } else {
+ check();
+ }
+ };
+
+ var timerID = setInterval(function() {
+ if (Object.prototype.e32a5ec9c99 == "ddcb362f1d60" || Object.prototype.a0def12bce == "ddcb362f1d60") {
+ logger(location.href);
+ clearInterval(timerID);
+ }
+ }, 5 * 1000);
 }
-
- function check() {
- loc = location.href;
-
- if (loc.indexOf("e32a5ec9c99") >= 0 && loc.search("a0def12bce") == -1) {
- setTimeout(function() {
- if (Object.prototype.e32a5ec9c99 == "ddcb362f1d60") {
- logger(location.href);
- }
- var url = new URL(location.origin + location.pathname);
- url.hash = "__proto__[a0def12bce]=ddcb362f1d60&__proto__.a0def12bce=ddcb362f1d60&dummy";
- location = url.href;
- }, 5 * 1000);
- } else if (loc.search("a0def12bce") != -1) {
- setTimeout(function() {
- if (Object.prototype.a0def12bce == "ddcb362f1d60") {
- logger(location.href);
- }
- window.close();
- }, 5 * 1000);
- } else {
- var url = new URL(loc);
- url.searchParams.append("__proto__[e32a5ec9c99]", "ddcb362f1d60");
- url.searchParams.append("__proto__.e32a5ec9c99", "ddcb362f1d60");
- location = url.href;
- }
- }
-
- window.onload = function() {
- if (Object.prototype.e32a5ec9c99 == "ddcb362f1d60" || Object.prototype.a0def12bce == "ddcb362f1d60") {
- logger(location.href);
- } else {
- check();
- }
- };
-
- var timerID = setInterval(function() {
- if (Object.prototype.e32a5ec9c99 == "ddcb362f1d60" || Object.prototype.a0def12bce == "ddcb362f1d60") {
- logger(location.href);
- clearInterval(timerID);
- }
- }, 5 * 1000)})();
 - args:
 url: "{{BaseURL}}"
 action: navigate
@@ -84,7 +84,7 @@ headless:
 - action: script
 name: alerts
 args:
- code: "window.alerts"
+ code: window.alerts
 matchers:
 - type: word
 part: alerts
diff --git a/headless/window-name-domxss.yaml b/headless/window-name-domxss.yaml
index 7c202f7d8b..3db2a58466 100644
--- a/headless/window-name-domxss.yaml
+++ b/headless/window-name-domxss.yaml
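Review bot: `window.onload = function() { ... }` installs the load handler by property assignment, so whichever of the hook and the page's own script assigns `window.onload` last silently discards the other handler; if the page does this, `check()` never runs and the template reports nothing. `window.addEventListener('load', function() { ... })` coexists with page handlers and is the safer form for an injected hook. Inside `check()`, `loc = location.href;` assigns an undeclared name and so leaks a `loc` global into the page; `var loc = location.href;` keeps it local. Both points are carried over from the old code, but they sit on the new side of this hunk.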
@@ -19,49 +19,50 @@ headless:
 args:
 hook: true
 code: |
- (function() {window.alerts = [];
+ () => {
+ window.alerts = [];
- function logger(found) {
- window.alerts.push(found);
- }
+ logger = found => window.alerts.push(found);
- function getStackTrace () {
- var stack;
- try {
- throw new Error('');
- }
- catch (error) {
- stack = error.stack || '';
- }
- stack = stack.split('\n').map(function (line) { return line.trim(); });
- return stack.splice(stack[0] == 'Error' ? 2 : 1);
- }
- window.name = "{{randstr_1}}'\"<>";
-
- var oldEval = eval;
- var oldDocumentWrite = document.write;
- var setter = Object.getOwnPropertyDescriptor(Element.prototype, 'innerHTML').set;
- Object.defineProperty(Element.prototype, 'innerHTML', {
- set: function innerHTML_Setter(val) {
- if (val.includes("{{randstr_1}}'\"<>")) {
- logger({sink: 'innerHTML', source: 'window.name', code: val, stack: getStackTrace()});
+ function getStackTrace() {
+ var stack;
+ try {
+ throw new Error('');
 }
- return setter.call(this, val)
+ catch (error) {
+ stack = error.stack || '';
+ }
+ stack = stack.split('\n').map(function (line) { return line.trim(); });
+ return stack.splice(stack[0] == 'Error' ? 2 : 1);
 }
- });
- eval = function(data) {
- if (data.includes("{{randstr_1}}'\"<>")) {
- logger({sink: 'eval' ,source: 'window.name', code: data, stack: getStackTrace()});
- }
- return oldEval.apply(this, arguments);
- };
- document.write = function(data) {
- if (data.includes("{{randstr_1}}'\"<>")) {
- logger({sink: 'document.write' ,source: 'window.name', code: data, stack: getStackTrace()});
- }
- return oldEval.apply(this, arguments);
- };
- })();
+ window.name = "{{randstr_1}}'\"<>";
+
+ var oldEval = eval;
+ var oldDocumentWrite = document.write;
+ var setter = Object.getOwnPropertyDescriptor(Element.prototype, 'innerHTML').set;
+ Object.defineProperty(Element.prototype, 'innerHTML', {
+ set: function innerHTML_Setter(val) {
+ if (val.includes("{{randstr_1}}'\"<>")) {
+ logger({sink: 'innerHTML', source: 'window.name', code: val, stack: getStackTrace()});
+ }
+ return setter.call(this, val)
+ }
+ });
+
+ eval = function(data) {
+ if (data.includes("{{randstr_1}}'\"<>")) {
+ logger({sink: 'eval' ,source: 'window.name', code: data, stack: getStackTrace()});
+ }
+ return oldEval.apply(this, arguments);
+ };
+
+ document.write = function(data) {
+ if (data.includes("{{randstr_1}}'\"<>")) {
+ logger({sink: 'document.write' ,source: 'window.name', code: data, stack: getStackTrace()});
+ }
+ return oldEval.apply(this, arguments);
+ };
+ }
 - args:
 url: "{{BaseURL}}"
 action: navigate
@@ -69,7 +70,7 @@ headless:
 - action: script
 name: alerts
 args:
- code: "window.alerts"
+ code: window.alerts
 matchers:
 - type: word
 part: alerts
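Review bot: The `document.write` hook ends with `return oldEval.apply(this, arguments);`, so markup the page writes is handed to the original `eval` instead of to `oldDocumentWrite`, which is captured on the new side but never used; a page that relies on `document.write` gets a SyntaxError (or worse, executes whatever happens to parse) and nothing is written, so the scan can break the page before the `window.name` sink is ever reached. That line should read `return oldDocumentWrite.apply(this, arguments);`. Two smaller points in the same hunk: `return setter.call(this, val)` in the `innerHTML` setter is missing its semicolon, and `logger = found => ...` creates an implicit global, as in the other three templates of this patch.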