Bugfix - XSS Scanner working with Ghost update

.gitignore

@@ -1,3 +1,4 @@
 *.pyc
 Server/__pycache__/*
+Server/core
 TODO.md

README.md

@@ -5,25 +5,21 @@ The extension is working on the background and will notify you if it finds any v
 ![Image of a noticiation](https://github.com/swisskyrepo/DamnWebScanner/blob/master/Screens/Notification.png?raw=true)
 
 Currently it scans for:
-- SQL Injection
-- Cross Site Scripting
+- SQL Injection : Time based SQLi scanner using polyglot vectors (MySQL, SQLite, Oracle, Postgresql, SQL Server)
+- Cross Site Scripting : Using a browser simulator (Ghost)
 - Local File Inclusion
-- Remote Commands Execution
+- Remote Commands Execution using polyglot vectors based on time
 
 All the features are:
 - Detect if the server is up with a "/ping" request
 - New XSS vectors, work in different contexts (JS var, JS function, inside HTML tag, outside HTML tag)
 - Basic page to list the vulnerabilities URL and TYPE
-- Time based SQLi scanner using polyglot vectors (MySQL, SQLite, Oracle, Postgresql, SQL Server)
-- RCE scanner using polyglot vectors based on time
 - Re-use your cookies and user-agent to get access to page with cookie-authentication
 - Export vulnerabilities into a CSV file
 - Launch scan when a form is submitted or a page is opened via the URL bar
 
 **Warning :** Do not use this extension for illegal purpose, the main goal of it is to simplify the life of bug hunters. It's a **BETA version**, many improvements will come don't worry
 
-**Warning 2:** XSS Scanner seems to be broken due to an update in the Ghost lib. I'm working on a fix.
-
 ## Install
 You need to install and configure the server, it uses ghost and flask.
 1. To get started you only need to start the docker and the dependencies will be installed.

Server/scans.py

@@ -10,37 +10,38 @@ import re
 Description: inject a polyglot vector for XSS in every parameter, then it checks if an alert was triggered
 Parameters: vulns - list of vulnerabilities, url - address of the target, fuzz - parameter we modify
 """
-def scan_xss(method, vulns, url, fuzz, cookie, useragent, firefox, data):
+def scan_xss(method, vulns, url, fuzz, cookie, useragent, data):
 	#payload = 'javascript://\'/</Title></sTyle></teXtarea></scRipt>--><svg" %0Aonload=confirm(42)//>*/prompt(42)/*<details/open/ontoggle=confirm`42` >'
 	payload = 'jaVasCript:alert(1)//" name=alert(1) onErrOr=eval(name) src=1 autofocus oNfoCus=eval(name)><marquee><img src=x onerror=alert(1)></marquee>" ></textarea\></|\><details/open/ontoggle=prompt`1` ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>\'-->" ></script><sCrIpt>confirm(1)</scRipt>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>\'"><!--'
 	try:
-		with firefox.start() as session:
+		ghost = Ghost()
+		x = ghost.start()
 
-			# POST
-			if (method == 'POST' and fuzz != ''):
-				inject = dict(data)
-				inject[fuzz] = inject[fuzz] + payload
-				del inject['']
-				page, extra_resources = session.open(url, headers={'Cookie':cookie}, user_agent=useragent)
-				result, resources     = session.fill("form", inject)
-				page, resources       = session.call("form", "submit", expect_loading=True)
-				result, resources     = session.wait_for_alert(1)
-				inject = url + ":" + fuzz + ":" + inject[fuzz]
+		# POST
+		if (method == 'POST' and fuzz != ''):
+			inject = dict(data)
+			inject[fuzz] = inject[fuzz] + payload
+			del inject['']
+			page, extra_resources = x.open(url, headers={'Cookie':cookie}, user_agent=useragent)
+			result, resources     = x.fill("form", inject)
+			page, resources       = x.call("form", "submit", expect_loading=True)
+			result, resources     = x.wait_for_alert(1)
+			inject = url + ":" + fuzz + ":" + inject[fuzz]
 
-			# GET
-			if (method == 'GET'):
-				inject                = url.replace(fuzz+"=", fuzz+"="+payload)
-				page, extra_resources = session.open(inject, headers={'Cookie':cookie}, user_agent=useragent)
-				result, resources     = session.wait_for_alert(1)
+		# GET
+		if (method == 'GET'):
+			inject                = url.replace(fuzz+"=", fuzz+"="+payload)
+			page, extra_resources = x.open(inject, headers={'Cookie':cookie}, user_agent=useragent)
+			result, resources     = x.wait_for_alert(1)
 
 
-			# Detect XSS result with an alert
-			if result == '1':
-				print ("\t\t\033[93mXSS Detected\033[0m for ", fuzz, " with the payload :", payload)
-				vulns['xss']  += 1
-				vulns['list'] += 'XSS|TYPE|'+inject+'|DELIMITER|'
-			else:
-				print ("\t\t\033[94mXSS Failed \033[0m for ", fuzz, " with the payload :", payload)
+		# Detect XSS result with an alert
+		if result == '1':
+			print ("\t\t\033[93mXSS Detected\033[0m for ", fuzz, " with the payload :", payload)
+			vulns['xss']  += 1
+			vulns['list'] += 'XSS|TYPE|'+inject+'|DELIMITER|'
+		else:
+			print ("\t\t\033[94mXSS Failed \033[0m for ", fuzz, " with the payload :", payload)
 
 	except Exception as e:
 		if "confirm" in str(e) : #or "alert" in str(e):
@@ -49,6 +50,7 @@ def scan_xss(method, vulns, url, fuzz, cookie, useragent, firefox, data):
 			vulns['xss']  += 1
 			vulns['list'] += 'XSS|TYPE|'+inject+'|DELIMITER|'
 		else:
+			print ("Error",e)
 			print ("\t\t\033[94mXSS Failed \033[0m for ", fuzz, " with the payload :", payload)
 
 

Server/server.py

@@ -8,7 +8,6 @@ import datetime
 import re
 
 app     = Flask(__name__)
-firefox = Ghost()
 
 """ Route /ping
 Description: Simple ping implementation to check if the server is up via the extension
@@ -92,7 +91,7 @@ def index():
 	# Launch scans - iterate through all parameters
 	for fuzz in matches:
 		print ("\n---[ " + method + " - New parameter " + fuzz + " for url: " + url + " ]---")
-		scan_xss(method, vulns, url, fuzz, cookies_ghost, useragent, firefox, data_requests)
+		scan_xss(method, vulns, url, fuzz, cookies_ghost, useragent, data_requests)
 		scan_lfi(method, vulns, url, fuzz, cookies_requests, useragent, data_requests)
 		scan_sql_error(method, vulns, url, fuzz, cookies_requests, useragent, data_requests)
 		scan_sql_blind_time(method, vulns, url, fuzz, cookies_requests, useragent, data_requests)

Server/templates/index.html

@@ -5,6 +5,6 @@
 		<title></title>
 	</head>
 	<body>
-			<p id='info'> TODO </p>
+			<p id='info'> TODO - Will be used in the next release ;) </p>
 	</body>
 </html>