Bugfix - XSS Scanner working with Ghost update
parent
62d77ece01
commit
4310733e43
|
@ -1,3 +1,4 @@
|
|||
*.pyc
|
||||
Server/__pycache__/*
|
||||
Server/core
|
||||
TODO.md
|
||||
|
|
10
README.md
10
README.md
|
@ -5,25 +5,21 @@ The extension is working on the background and will notify you if it finds any v
|
|||
![Image of a noticiation](https://github.com/swisskyrepo/DamnWebScanner/blob/master/Screens/Notification.png?raw=true)
|
||||
|
||||
Currently it scans for:
|
||||
- SQL Injection
|
||||
- Cross Site Scripting
|
||||
- SQL Injection : Time based SQLi scanner using polyglot vectors (MySQL, SQLite, Oracle, Postgresql, SQL Server)
|
||||
- Cross Site Scripting : Using a browser simulator (Ghost)
|
||||
- Local File Inclusion
|
||||
- Remote Commands Execution
|
||||
- Remote Commands Execution using polyglot vectors based on time
|
||||
|
||||
All the features are:
|
||||
- Detect if the server is up with a "/ping" request
|
||||
- New XSS vectors, work in different contexts (JS var, JS function, inside HTML tag, outside HTML tag)
|
||||
- Basic page to list the vulnerabilities URL and TYPE
|
||||
- Time based SQLi scanner using polyglot vectors (MySQL, SQLite, Oracle, Postgresql, SQL Server)
|
||||
- RCE scanner using polyglot vectors based on time
|
||||
- Re-use your cookies and user-agent to get access to page with cookie-authentication
|
||||
- Export vulnerabilities into a CSV file
|
||||
- Launch scan when a form is submitted or a page is opened via the URL bar
|
||||
|
||||
**Warning :** Do not use this extension for illegal purpose, the main goal of it is to simplify the life of bug hunters. It's a **BETA version**, many improvements will come don't worry
|
||||
|
||||
**Warning 2:** XSS Scanner seems to be broken due to an update in the Ghost lib. I'm working on a fix.
|
||||
|
||||
## Install
|
||||
You need to install and configure the server, it uses ghost and flask.
|
||||
1. To get started you only need to start the docker and the dependencies will be installed.
|
||||
|
|
|
@ -10,28 +10,29 @@ import re
|
|||
Description: inject a polyglot vector for XSS in every parameter, then it checks if an alert was triggered
|
||||
Parameters: vulns - list of vulnerabilities, url - address of the target, fuzz - parameter we modify
|
||||
"""
|
||||
def scan_xss(method, vulns, url, fuzz, cookie, useragent, firefox, data):
|
||||
def scan_xss(method, vulns, url, fuzz, cookie, useragent, data):
|
||||
#payload = 'javascript://\'/</Title></sTyle></teXtarea></scRipt>--><svg" %0Aonload=confirm(42)//>*/prompt(42)/*<details/open/ontoggle=confirm`42` >'
|
||||
payload = 'jaVasCript:alert(1)//" name=alert(1) onErrOr=eval(name) src=1 autofocus oNfoCus=eval(name)><marquee><img src=x onerror=alert(1)></marquee>" ></textarea\></|\><details/open/ontoggle=prompt`1` ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>\'-->" ></script><sCrIpt>confirm(1)</scRipt>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>\'"><!--'
|
||||
try:
|
||||
with firefox.start() as session:
|
||||
ghost = Ghost()
|
||||
x = ghost.start()
|
||||
|
||||
# POST
|
||||
if (method == 'POST' and fuzz != ''):
|
||||
inject = dict(data)
|
||||
inject[fuzz] = inject[fuzz] + payload
|
||||
del inject['']
|
||||
page, extra_resources = session.open(url, headers={'Cookie':cookie}, user_agent=useragent)
|
||||
result, resources = session.fill("form", inject)
|
||||
page, resources = session.call("form", "submit", expect_loading=True)
|
||||
result, resources = session.wait_for_alert(1)
|
||||
page, extra_resources = x.open(url, headers={'Cookie':cookie}, user_agent=useragent)
|
||||
result, resources = x.fill("form", inject)
|
||||
page, resources = x.call("form", "submit", expect_loading=True)
|
||||
result, resources = x.wait_for_alert(1)
|
||||
inject = url + ":" + fuzz + ":" + inject[fuzz]
|
||||
|
||||
# GET
|
||||
if (method == 'GET'):
|
||||
inject = url.replace(fuzz+"=", fuzz+"="+payload)
|
||||
page, extra_resources = session.open(inject, headers={'Cookie':cookie}, user_agent=useragent)
|
||||
result, resources = session.wait_for_alert(1)
|
||||
page, extra_resources = x.open(inject, headers={'Cookie':cookie}, user_agent=useragent)
|
||||
result, resources = x.wait_for_alert(1)
|
||||
|
||||
|
||||
# Detect XSS result with an alert
|
||||
|
@ -49,6 +50,7 @@ def scan_xss(method, vulns, url, fuzz, cookie, useragent, firefox, data):
|
|||
vulns['xss'] += 1
|
||||
vulns['list'] += 'XSS|TYPE|'+inject+'|DELIMITER|'
|
||||
else:
|
||||
print ("Error",e)
|
||||
print ("\t\t\033[94mXSS Failed \033[0m for ", fuzz, " with the payload :", payload)
|
||||
|
||||
|
||||
|
|
|
@ -8,7 +8,6 @@ import datetime
|
|||
import re
|
||||
|
||||
app = Flask(__name__)
|
||||
firefox = Ghost()
|
||||
|
||||
""" Route /ping
|
||||
Description: Simple ping implementation to check if the server is up via the extension
|
||||
|
@ -92,7 +91,7 @@ def index():
|
|||
# Launch scans - iterate through all parameters
|
||||
for fuzz in matches:
|
||||
print ("\n---[ " + method + " - New parameter " + fuzz + " for url: " + url + " ]---")
|
||||
scan_xss(method, vulns, url, fuzz, cookies_ghost, useragent, firefox, data_requests)
|
||||
scan_xss(method, vulns, url, fuzz, cookies_ghost, useragent, data_requests)
|
||||
scan_lfi(method, vulns, url, fuzz, cookies_requests, useragent, data_requests)
|
||||
scan_sql_error(method, vulns, url, fuzz, cookies_requests, useragent, data_requests)
|
||||
scan_sql_blind_time(method, vulns, url, fuzz, cookies_requests, useragent, data_requests)
|
||||
|
|
|
@ -5,6 +5,6 @@
|
|||
<title></title>
|
||||
</head>
|
||||
<body>
|
||||
<p id='info'> TODO </p>
|
||||
<p id='info'> TODO - Will be used in the next release ;) </p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
Loading…
Reference in New Issue