diff --git a/README.md b/README.md
index 1e09afd..7f8760d 100755
--- a/README.md
+++ b/README.md
@@ -8,6 +8,18 @@ Currently it scans for:
- Local File Inclusion
- Remote Commands Execution
+All the features are:
+- Detect if the server is up
+- Start/Stop button
+- New XSS vectors, work in different contexts (JS var, JS function, inside HTML tag, outside HTML tag)
+- Basic page to list the vulnerabilities URL and TYPE
+- Time based SQLi scanner using polyglot vectors (MySQL, SQLite, Oracle, Postgresql, SQL Server)
+- RCE scanner using polyglot vectors based on time
+- New logo for the extension
+- Re-use your cookies and user-agent to get access to page with cookie-authentication
+- Export vulnerabilities into a CSV file
+- Launch scan when a form is submitted or a page is opened via the URL bar
+
**Warnings :** Do not use this extension for illegal purpose, the main goal of it is to simplify the life of bug hunters. It's a **BETA version**, many improvements will come don't worry
## Install
@@ -36,22 +48,6 @@ var config_server = "http://127.0.0.1:8000";
4 - Browse the internet ! (Don't forget to start the extension by clicking the 'START' button)
You can try the Error SQL, Blind SQL, LFI with Damn Vulnerable Web App
-## New features
-- Detect if the server is up
-- Start/Stop button
-- New XSS vectors, work in different contexts (JS var, JS function, inside HTML tag, outside HTML tag)
-- Basic page to list the vulnerabilities URL and TYPE
-- Time based SQLi scanner using polyglot vectors (MySQL, SQLite, Oracle, Postgresql, SQL Server)
-- RCE scanner using polyglot vectors based on time
-- New logo for the extension
-- Re-use your cookies and user-agent to get access to page with cookie-authentication
-- Export vulnerabilities into a CSV file
-- Launch scan when a form is submitted or a page is opened via the URL bar
-
-## TODO - Work in progress
-- Should detect target in source code.. (list of targets, then launch scan)
-- Do xss for POST with data dict
-
## Thanks
- Polyglot vector for SQL injections [The Ultimate SQL Injection Payload](https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/)
- Polyglot vector for XSS injection 1 [One vector to rule them all](http://www.thespanner.co.uk/2010/09/15/one-vector-to-rule-them-all/)
diff --git a/Server/scans.py b/Server/scans.py
index eee88d7..d96b7cd 100644
--- a/Server/scans.py
+++ b/Server/scans.py
@@ -6,21 +6,33 @@ import requests
import datetime
import re
-"""scan_xss /!\ TODO : POST request (check method, data)
+"""scan_xss
Description: inject a polyglot vector for XSS in every parameter, then it checks if an alert was triggered
Parameters: vulns - list of vulnerabilities, url - address of the target, fuzz - parameter we modify
"""
def scan_xss(method, vulns, url, fuzz, cookie, useragent, firefox, data):
payload = 'jaVasCript:alert(1)//" name=alert(1) onErrOr=eval(name) src=1 autofocus oNfoCus=eval(name)>" >|\>@gmail.com\'-->" >">\'">]]>%>?>">[img=1,name=/alert(1)/.source]"'
-
+ print repr(fuzz),"fuzz"
try:
with firefox.start() as session:
-
- # Send GET XSS
- inject = url.replace(fuzz+"=", fuzz+"="+payload)
- page, extra_resources = session.open(inject, headers={'Cookie':cookie}, user_agent=useragent)
- result, resources = session.wait_for_alert(1)
+
+ # POST
+ if (method == 'POST' and fuzz != ''):
+ inject = dict(data)
+ inject[fuzz] = inject[fuzz] + payload
+ del inject['']
+ page, extra_resources = session.open(url, headers={'Cookie':cookie}, user_agent=useragent)
+ result, resources = session.fill("form", inject)
+ page, resources = session.call("form", "submit", expect_loading=True)
+ result, resources = session.wait_for_alert(1)
+ inject = url + ":" + fuzz + ":" + inject[fuzz]
+
+ # GET
+ if (method == 'GET'):
+ inject = url.replace(fuzz+"=", fuzz+"="+payload)
+ page, extra_resources = session.open(inject, headers={'Cookie':cookie}, user_agent=useragent)
+ result, resources = session.wait_for_alert(1)
+
# Detect XSS result with an alert
if result == '1':
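Review bot: `result` is only bound inside the two `if` branches, so a POST with `fuzz == ''` or any method other than GET/POST reaches `if result == '1':` with `result` undefined, and the resulting NameError is swallowed by the broad `except` and reported as "XSS Failed" instead of the parameter being skipped; initialise `result = None` before the `# POST` comment (or make the GET branch an `elif` and `return` early otherwise). In the POST branch `del inject['']` raises KeyError whenever `data` has no empty-string key, which again ends up in the generic handler — `inject.pop('', None)` is the safe form — and `inject[fuzz] + payload` presumes `fuzz` is actually a key of `data`, which nothing here checks. The added `print repr(fuzz),"fuzz"` reads as leftover debugging output and should be dropped. The `url.replace(fuzz+"=", ...)` substitution also matches any parameter whose name ends with `fuzz` (e.g. `uid=` when fuzzing `id`), so the injected URL can differ from what is later recorded in `inject`. The function body continues into the next hunk, where the detection result is handled.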
@@ -31,7 +43,13 @@ def scan_xss(method, vulns, url, fuzz, cookie, useragent, firefox, data):
print "\t\t\033[94mXSS Failed \033[0m for ", fuzz, " with the payload :", payload
except Exception, e:
- print "\t\t\033[94mXSS Failed \033[0m for ", fuzz, " with the payload :", payload
+ if "alert" in str(e):
+ print "\t\t\033[93mXSS Detected \033[0m for ", fuzz, " with the payload :", payload
+ inject = url + ":" + fuzz + ":" + payload
+ vulns['xss'] += 1
+ vulns['list'] += 'XSS|TYPE|'+inject+'|DELIMITER|'
+ else:
+ print "\t\t\033[94mXSS Failed \033[0m for ", fuzz, " with the payload :", payload
"""scan_sql