Class: Ronin::Vulns::ReflectedXSS

Inherits:
WebVuln show all
Defined in:
lib/ronin/vulns/reflected_xss.rb,
lib/ronin/vulns/reflected_xss/context.rb,
lib/ronin/vulns/reflected_xss/test_string.rb

Overview

Represents a (Reflected) Cross Site Scripting (XSS) vulnerability.

Features

  • Tests a URL with just one HTTP request (per param).
  • Tests which HTML special characters are allowed.
  • Identifies the context, tag name, and/or attribute name of the XSS.
  • Determines viability of XSS based on the context.
  • Includes random data in the test values.

Defined Under Namespace

Classes: Context, TestString

Constant Summary collapse

HTML_TEST_STRING =

HTML special characters to test.

TestString.build("'\"= /><")

Instance Attribute Summary collapse

Attributes inherited from WebVuln

#cookie, #cookie_param, #form_data, #form_param, #header_name, #headers, #http, #password, #query_param, #query_params, #referer, #request_method, #url, #user

Class Method Summary collapse

Instance Method Summary collapse

Methods inherited from WebVuln

#encode_payload, #exploit, #exploit_cookie, #exploit_form_data, #exploit_headers, #exploit_query_params, #initialize, #original_value, #random_value, #request, scan, scan_cookie_params, scan_form_params, scan_headers, scan_query_params, test, #to_curl, #to_http, #to_s

Constructor Details

This class inherits a constructor from Ronin::Vulns::WebVuln

Instance Attribute Details

#allowed_charsSet<String>? (readonly)

The characters that are allowed and will not be escaped or filtered.

Returns:

  • (Set<String>, nil) 


45
46
47
 
# File 'lib/ronin/vulns/reflected_xss.rb', line 45

def allowed_chars
  @allowed_chars
end

#contextContext? (readonly)

The context the XSS occurred in.

Returns:



50
51
52
 
# File 'lib/ronin/vulns/reflected_xss.rb', line 50

def context
  @context
end

Class Method Details

.vuln_typeSymbol

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

This method is abstract.
Note:

This is used internally to map an vulnerability class to a printable type.

Returns the type or kind of vulnerability.

Returns:

  • (Symbol) 


177
178
179
 
# File 'lib/ronin/vulns/reflected_xss.rb', line 177

def self.vuln_type
  :reflected_xss
end

Instance Method Details

#test_chars(test_string) {|body, match| ... } ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Tests whether characters in the test string will be escaped/filtered or passed through and updates #allowed_chars.

Parameters:

  • test_string (TestString)

    The test string to send.

Yields:

  • (body, match)

    If a block is given, it will be passed the response body and the regular expression match data, if the response contains the test string.

Yield Parameters:

  • body (String)

    The response body.

  • match (MatchData)

    The matched data for the test string.



105
106
107
108
109
110
111
112
 
# File 'lib/ronin/vulns/reflected_xss.rb', line 105

def test_chars(test_string)
  test_string(test_string) do |body,match|
    @allowed_chars ||= Set.new
    @allowed_chars.merge(match.captures.compact)

    yield body, match if block_given?
  end
end

#test_html_chars {|body, match| ... } ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Tests which HTML characters are accepted or escaped/filtered.

Yields:

  • (body, match)

    If a block is given, it will be passed the response body and the regular expression match data, if the response contains the test string.

Yield Parameters:

  • body (String)

    The response body.

  • match (MatchData)

    The matched data for the test string.



133
134
135
 
# File 'lib/ronin/vulns/reflected_xss.rb', line 133

def test_html_chars(&block)
  test_chars(HTML_TEST_STRING,&block)
end

#test_string(test_string) {|body, match| ... } ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Tests the test string by sending an HTTP request with the test string embedded.

Parameters:

Yields:

  • (body, match)

    If the response was text/html and the test string appears (at least partially) in the response body, the response body and match data will be yielded.

Yield Parameters:

  • body (String)

    The response body.

  • match (MatchData)

    The matched data for the test string.



71
72
73
74
75
76
77
78
79
80
81
82
83
 
# File 'lib/ronin/vulns/reflected_xss.rb', line 71

def test_string(test_string)
  test_string = test_string.wrap(random_value,random_value)

  response     = exploit("#{original_value}#{test_string}")
  content_type = response.content_type
  body         = response.body

  if content_type && content_type.include?('text/html')
    if (match = test_string.match(body))
      yield body, match
    end
  end
end

#vulnerable?Boolean

Note:

If the URL is vulnerable, #allowed_chars and #context will be set.

Tests whether the URL is vulnerable to (Reflected) Cross Site Scripting (XSS).

Returns:

  • (Boolean)

    Indicates whether the URL is vulnerable to (Reflected) Cross Site Scripting (XSS).



148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
 
# File 'lib/ronin/vulns/reflected_xss.rb', line 148

def vulnerable?
  # test HTML special characters
  test_html_chars do |body,match|
    xss_index = match.begin(0)

    # determine the contents which the XSS occurs
    if (@context = Context.identify(body,xss_index))
      # determine whether enough special HTML characters are allowed to
      # escape the context which the XSS occurs.
      return @context.viable?(@allowed_chars)
    end
  end

  return false
end