Class: Ronin::Vulns::ReflectedXSS::Context

Inherits: Object

Defined in: lib/ronin/vulns/reflected_xss/context.rb

Overview

Represents information about the context which the XSS occurs within.

Constant Summary

IDENTIFIER =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

HTML identifier regexp

/[A-Za-z0-9_-]+/
ATTR_NAME =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

HTML attribute name regexp.

IDENTIFIER
ATTR =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

HTML attribute regexp.

/#{ATTR_NAME}(?:\s*=\s*"[^"]+"|\s*=\s*'[^']+'|=[^"'\s]+)?/
ATTR_LIST =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

HTML attribute list regexp.

/(?:\s+#{ATTR})*/
COMMENT =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

HTML comment regexp.

/<![^>]*>/
TAG_NAME =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

HTML tag name regexp.

IDENTIFIER
IN_TAG_BODY =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

Regexp matching when an XSS occurs within a tag's inner HTML.

%r{<(#{TAG_NAME})#{ATTR_LIST}\s*(?:>|/>)([^<>]|#{COMMENT})*\z}
IN_DOUBLE_QUOTED_ATTR_VALUE =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

Regexp matching when an XSS occurs within a double-quoted attribute value.

/<(#{TAG_NAME})#{ATTR_LIST}\s+(#{ATTR_NAME})\s*=\s*"[^"]+\z/
IN_SINGLE_QUOTED_ATTR_VALUE =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

Regexp matching when an XSS occurs within a single-quoted attribute value.

/<(#{TAG_NAME})#{ATTR_LIST}\s+(#{ATTR_NAME})\s*=\s*'[^']+\z/
IN_UNQUOTED_ATTR_VALUE =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

Regexp matching when an XSS occurs within an unquoted attribute value.

/<(#{TAG_NAME})#{ATTR_LIST}\s+(#{ATTR_NAME})=[^"'\s]+\z/
IN_ATTR_NAME =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

Regexp matching when an XSS occurs within an attribute's name.

/<(#{TAG_NAME})#{ATTR_LIST}\s+(#{ATTR_NAME})\z/
IN_ATTR_LIST =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

Regexp matching when an XSS occurs within a tag's attribute list.

/<(#{TAG_NAME})#{ATTR_LIST}\s+\z/
IN_TAG_NAME =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

Regexp matching when an XSS occurs within a tag's name.

/<(#{TAG_NAME})\z/
IN_COMMENT =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

Regexp matching when an XSS occurs within a comment.

/<![^>]*\z/
MINIMAL_REQUIRED_CHARS =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

The minimum set of required characters needed for an XSS.

Set['>', ' ', '/', '<']
REQUIRED_CHARS =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

The mapping of contexts and their required characters.

{
  double_quoted_attr_value: MINIMAL_REQUIRED_CHARS + ['"'],
  single_quoted_attr_value: MINIMAL_REQUIRED_CHARS + ["'"],
  unquoted_attr_value:      MINIMAL_REQUIRED_CHARS,

  attr_name: MINIMAL_REQUIRED_CHARS,
  attr_list: MINIMAL_REQUIRED_CHARS,
  tag_name:  MINIMAL_REQUIRED_CHARS,
  tag_body:  MINIMAL_REQUIRED_CHARS,
  comment:   MINIMAL_REQUIRED_CHARS
}


Constructor Details

#initialize(location, tag: nil, attr: nil) ⇒ Context

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Initializes the context.

Parameters:

  • location (:double_quoted_attr_value, :single_quoted_attr_value, :unquoted_attr_value, :attr_name, :attr_list, :tag_name, :tag_body, :comment)
  • tag (String, nil) (defaults to: nil)
  • attr (String, nil) (defaults to: nil)


# File 'lib/ronin/vulns/reflected_xss/context.rb', line 77

def initialize(location, tag: nil, attr: nil)
  @location = location

  @tag  = tag
  @attr = attr
end

Instance Attribute Details

#attr ⇒ String? (readonly)

The attribute name that the XSS occurs in.

Returns:

  • (String, nil)


# File 'lib/ronin/vulns/reflected_xss/context.rb', line 64

def attr
  @attr
end

#location ⇒ :double_quoted_attr_value, ... (readonly)

Where in the HTML the XSS occurs.

Returns:

  • (:double_quoted_attr_value, :single_quoted_attr_value, :unquoted_attr_value, :attr_name, :attr_list, :tag_name, :tag_body, :comment)

    The context which the XSS occurs in.

    • :tag_body - occurred within a tag's body (ex: <tag>XSS...</tag>)
    • :double_quoted_attr_value - occurred in a double quoted attribute value (ex: <tag name="XSS">...</tag>)
    • :single_quoted_attr_value - occurred in a single quoted attribute value (ex: <tag name='XSS'>...</tag>)
    • :unquoted_attr_value - occurred in an unquoted attribute value (ex: <tag name=XSS>...</tag>)
    • :attr_name - occurred in an attribute name (ex: <tag nameXSS ...>)
    • :attr_list - occurred in the attribute list (ex: <tag XSS>...</tag>)
    • :tag_name - occurred in the tag name (ex: <tagXSS>...</tag>)
    • :comment - occurred in a comment (ex: <!-- XSS -->)


# File 'lib/ronin/vulns/reflected_xss/context.rb', line 50

def location
  @location
end

#tag ⇒ String? (readonly)

The name of the parent tag which the XSS occurs in.

Returns:

  • (String, nil)


# File 'lib/ronin/vulns/reflected_xss/context.rb', line 57

def tag
  @tag
end

Class Method Details

.identify(body, index) ⇒ Context

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Determines the context of the XSS by matching the characters that come before the given index against the context regexps, in order; the first regexp that matches decides the location.

Parameters:

  • body (String)

    The HTML response body to inspect.

  • index (Integer)

    The index which the XSS occurs at.

Returns:

  • (Context)

    The context which the XSS occurs in.



# File 'lib/ronin/vulns/reflected_xss/context.rb', line 171

def self.identify(body,index)
  prefix = body[0,index]

  if    (match = prefix.match(IN_TAG_BODY))
    new(:tag_body, tag: match[1])
  elsif (match = prefix.match(IN_DOUBLE_QUOTED_ATTR_VALUE))
    new(:double_quoted_attr_value, tag: match[1], attr: match[2])
  elsif (match = prefix.match(IN_SINGLE_QUOTED_ATTR_VALUE))
    new(:single_quoted_attr_value, tag: match[1], attr: match[2])
  elsif (match = prefix.match(IN_UNQUOTED_ATTR_VALUE))
    new(:unquoted_attr_value, tag: match[1], attr: match[2])
  elsif (match = prefix.match(IN_ATTR_NAME))
    new(:attr_name, tag: match[1], attr: match[2])
  elsif (match = prefix.match(IN_ATTR_LIST))
    new(:attr_list, tag: match[1])
  elsif (match = prefix.match(IN_TAG_NAME))
    new(:tag_name, tag: match[1])
  elsif prefix.match?(IN_COMMENT)
    new(:comment)
  end
end

Instance Method Details

#viable?(allowed_chars) ⇒ Boolean

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Determines if the XSS is viable, given the context and the allowed characters.

Parameters:

  • allowed_chars (Set<String>)

    The allowed characters.

Returns:

  • (Boolean)

    Specifies whether enough characters are allowed to perform an XSS in the given context.



# File 'lib/ronin/vulns/reflected_xss/context.rb', line 226

def viable?(allowed_chars)
  required_chars = REQUIRED_CHARS.fetch(@location) do
    raise(NotImplementedError,"cannot determine viability for unknown XSS location type: #{@location.inspect}")
  end

  allowed_chars.superset?(required_chars)
end
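As an added example (not code from ronin-vulns itself), the standalone Ruby script below re-creates the identify cascade and the viable? check from the regexps documented above and runs them over constructed response bodies, showing which context each reflection point is classified as and whether an output filter that encodes quotes but not angle brackets still leaves it viable. The names IDENT, PATTERNS, classify and SAMPLES are this example's own.

```ruby
require 'set'
# Building blocks, mirroring the private constants documented above.
IDENT     = /[A-Za-z0-9_-]+/
ATTR      = /#{IDENT}(?:\s*=\s*"[^"]+"|\s*=\s*'[^']+'|=[^"'\s]+)?/
ATTR_LIST = /(?:\s+#{ATTR})*/
COMMENT   = /<![^>]*>/
# Ordered (location, regexp) pairs: identify tries them top to bottom, so a
# later pattern only gets a chance once every earlier one has failed.
PATTERNS = [
  [:tag_body,                 %r{<(#{IDENT})#{ATTR_LIST}\s*(?:>|/>)([^<>]|#{COMMENT})*\z}],
  [:double_quoted_attr_value, /<(#{IDENT})#{ATTR_LIST}\s+(#{IDENT})\s*=\s*"[^"]+\z/],
  [:single_quoted_attr_value, /<(#{IDENT})#{ATTR_LIST}\s+(#{IDENT})\s*=\s*'[^']+\z/],
  [:unquoted_attr_value,      /<(#{IDENT})#{ATTR_LIST}\s+(#{IDENT})=[^"'\s]+\z/],
  [:attr_name,                /<(#{IDENT})#{ATTR_LIST}\s+(#{IDENT})\z/],
  [:attr_list,                /<(#{IDENT})#{ATTR_LIST}\s+\z/],
  [:tag_name,                 /<(#{IDENT})\z/],
  [:comment,                  /<![^>]*\z/]
].freeze

MINIMAL  = Set['>', ' ', '/', '<'].freeze
REQUIRED = Hash.new(MINIMAL).merge(double_quoted_attr_value: MINIMAL + ['"'],
                                   single_quoted_attr_value: MINIMAL + ["'"])
# Classify where +marker+ lands by matching only the HTML *before* it.
# Returns [location, tag, attr], or nil when no pattern matches (e.g. index 0).
def classify(body, marker = 'XSS')
  index  = body.index(marker) or return nil
  prefix = body[0, index]
  PATTERNS.each do |location, regexp|
    next unless (m = prefix.match(regexp))
    # group 2 names the attribute only in the attribute-related patterns
    return [location, m[1], (location == :tag_body ? nil : m[2])]
  end
  nil
end

# An XSS in +location+ is viable only if every character it needs survives.
def viable?(location, allowed_chars)
  allowed_chars.superset?(REQUIRED[location])
end
# Constructed response bodies; "XSS" stands in for the reflected test string.
SAMPLES = ['<p>Hello XSS</p>', '<input type="text" value="q=XSS">',
           "<a href='/search?q=XSS'>link</a>", '<img src=/img/XSS>',
           '<div dataXSS="1">', '<div XSS>', '<divXSS>', '<!-- XSS -->'].freeze

filter = Set['<', '>', '/', ' ']   # output encodes quotes but not angle brackets
SAMPLES.each do |body|
  location, tag, attr = classify(body)
  puts "#{body.ljust(34)} -> #{location} tag=#{tag.inspect} attr=#{attr.inspect} viable=#{viable?(location, filter)}"
end
```

Note that several of the attribute-value regexps require at least one character between the opening quote (or `=`) and the reflection point, which is why the constructed samples put a short prefix before XSS.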