authorDavid Dworken <david@daviddworken.com>2017-10-17 23:39:33 -0400
committerDavid Dworken <david@daviddworken.com>2017-10-17 23:39:33 -0400
commit04a06eb6b5b5813b4ec630fc1451b1734fbb22fc (patch)
tree26ea8ce5af6319ef5ff49b2e1cf9d2adaa05e8be
parentd5173f3905b5ceb08276538aafbd815a62772119 (diff)
Added scanning for CSS injection and iframe injection
-rwxr-xr-xexamples/complex/xss_scanner.py15
-rw-r--r--test/examples/test_xss_scanner.py8
2 files changed, 17 insertions, 6 deletions
diff --git a/examples/complex/xss_scanner.py b/examples/complex/xss_scanner.py
index d954adf3..4b35c6c1 100755
--- a/examples/complex/xss_scanner.py
+++ b/examples/complex/xss_scanner.py
@@ -85,14 +85,19 @@ def get_cookies(flow: http.HTTPFlow) -> Cookies:
def find_unclaimed_URLs(body: Union[str, bytes], requestUrl: bytes) -> None:
""" Look for unclaimed URLs in script tags and log them if found"""
+ def getValue(attrs: List[Tuple[str, str]], attrName: str) -> str:
+ for name, value in attrs:
+ if attrName == name:
+ return value
+
class ScriptURLExtractor(HTMLParser):
script_URLs = []
def handle_starttag(self, tag, attrs):
- if tag == "script" and "src" in [name for name, value in attrs]:
- for name, value in attrs:
- if name == "src":
- self.script_URLs.append(value)
+ if (tag == "script" or tag == "iframe") and "src" in [name for name, value in attrs]:
+ self.script_URLs.append(getValue(attrs, "src"))
+ if tag == "link" and getValue(attrs, "rel") == "stylesheet" and "href" in [name for name, value in attrs]:
+ self.script_URLs.append(getValue(attrs, "href"))
parser = ScriptURLExtractor()
try:
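Review bot: The new `link` branch compares `rel` with the exact string "stylesheet", so `rel="Stylesheet"` or a multi-token value such as `rel="alternate stylesheet"` is skipped and an unclaimed stylesheet host goes unreported; `rel` is a case-insensitive, space-separated token list. `getValue` also falls through to an implicit `None` when the attribute is absent or has no value, which contradicts its `-> str` annotation. I would annotate it `-> Optional[str]` (assuming `Optional` is imported from `typing`, which is outside this hunk) and test `"stylesheet" in (getValue(attrs, "rel") or "").lower().split()`. The `find_unclaimed_URLs` docstring and the `ScriptURLExtractor` / `script_URLs` names still say "script" although iframe and stylesheet URLs are now collected. The function body continues past the end of this hunk.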
@@ -105,7 +110,7 @@ def find_unclaimed_URLs(body: Union[str, bytes], requestUrl: bytes) -> None:
try:
gethostbyname(domain)
except gaierror:
- ctx.log.error("XSS found in %s due to unclaimed URL \"%s\" in script tag." % (requestUrl, url))
+ ctx.log.error("XSS found in %s due to unclaimed URL \"%s\"." % (requestUrl, url))
def test_end_of_URL_injection(original_body: str, request_URL: str, cookies: Cookies) -> VulnData:
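Review bot: With the tag name dropped from the `ctx.log.error` message, a reader of the log can no longer tell whether the unresolved host was referenced by a script, an iframe or a stylesheet, and the text still says "XSS found" for all three although their impact differs. Consider recording the tag next to each URL in the extractor and logging it, e.g. `"XSS found in %s due to unclaimed URL \"%s\" in %s tag."`, so findings can be triaged by element type. The loop around this call and the extractor that would have to carry the tag are outside this hunk.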
diff --git a/test/examples/test_xss_scanner.py b/test/examples/test_xss_scanner.py
index 14ee6902..e15d7e10 100644
--- a/test/examples/test_xss_scanner.py
+++ b/test/examples/test_xss_scanner.py
@@ -314,7 +314,13 @@ class TestXSSScanner():
assert logger.args == []
xss.find_unclaimed_URLs("<html><script src=\"http://unclaimedDomainName.com\"></script></html>",
"https://example.com")
- assert logger.args[0] == 'XSS found in https://example.com due to unclaimed URL "http://unclaimedDomainName.com" in script tag.'
+ assert logger.args[0] == 'XSS found in https://example.com due to unclaimed URL "http://unclaimedDomainName.com".'
+ xss.find_unclaimed_URLs("<html><iframe src=\"http://unclaimedDomainName.com\"></iframe></html>",
+ "https://example.com")
+ assert logger.args[0] == 'XSS found in https://example.com due to unclaimed URL "http://unclaimedDomainName.com".'
+ xss.find_unclaimed_URLs("<html><link rel=\"stylesheet\" href=\"http://unclaimedDomainName.com\"></html>",
+ "https://example.com")
+ assert logger.args[0] == 'XSS found in https://example.com due to unclaimed URL "http://unclaimedDomainName.com".'
def test_log_XSS_data(self, monkeypatch, logger):
logger.args = []
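Review bot: The two added assertions for the iframe and stylesheet cases read `logger.args[0]`, which the script-tag call above has already populated, so they appear to pass even if the new detection logs nothing (assuming the fixture appends to `args`; its definition is not visible here). Reset the list before each call with `logger.args = []`, or assert on `logger.args[1]` and `logger.args[2]`. Because the expected message is identical for all three tags, the index is the only thing that distinguishes the cases.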