diff options
Diffstat (limited to 'examples/complex')
| -rw-r--r-- | examples/complex/__init__.py | 0 | ||||
| -rw-r--r-- | examples/complex/har_dump.py | 5 | ||||
| -rw-r--r-- | examples/complex/sslstrip.py | 4 | ||||
| -rwxr-xr-x | examples/complex/xss_scanner.py | 6 |
4 files changed, 9 insertions, 6 deletions
diff --git a/examples/complex/__init__.py b/examples/complex/__init__.py new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/examples/complex/__init__.py diff --git a/examples/complex/har_dump.py b/examples/complex/har_dump.py index 33a2f79f..e3cea9fd 100644 --- a/examples/complex/har_dump.py +++ b/examples/complex/har_dump.py @@ -87,7 +87,10 @@ def response(flow): } # HAR timings are integers in ms, so we re-encode the raw timings to that format. - timings = dict([(k, int(1000 * v)) for k, v in timings_raw.items()]) + timings = { + k: int(1000 * v) if v != -1 else -1 + for k, v in timings_raw.items() + } # full_time is the sum of all timings. # Timings set to -1 will be ignored as per spec. diff --git a/examples/complex/sslstrip.py b/examples/complex/sslstrip.py index c862536f..69b9ea9e 100644 --- a/examples/complex/sslstrip.py +++ b/examples/complex/sslstrip.py @@ -38,7 +38,7 @@ def response(flow: http.HTTPFlow) -> None: flow.response.content = flow.response.content.replace(b'https://', b'http://') # strip meta tag upgrade-insecure-requests in response body - csp_meta_tag_pattern = b'<meta.*http-equiv=["\']Content-Security-Policy[\'"].*upgrade-insecure-requests.*?>' + csp_meta_tag_pattern = br'<meta.*http-equiv=["\']Content-Security-Policy[\'"].*upgrade-insecure-requests.*?>' flow.response.content = re.sub(csp_meta_tag_pattern, b'', flow.response.content, flags=re.IGNORECASE) # strip links in 'Location' header @@ -52,7 +52,7 @@ def response(flow: http.HTTPFlow) -> None: # strip upgrade-insecure-requests in Content-Security-Policy header if re.search('upgrade-insecure-requests', flow.response.headers.get('Content-Security-Policy', ''), flags=re.IGNORECASE): csp = flow.response.headers['Content-Security-Policy'] - flow.response.headers['Content-Security-Policy'] = re.sub('upgrade-insecure-requests[;\s]*', '', csp, flags=re.IGNORECASE) + flow.response.headers['Content-Security-Policy'] = re.sub(r'upgrade-insecure-requests[;\s]*', '', csp, flags=re.IGNORECASE) # strip secure flag from 'Set-Cookie' headers cookies = flow.response.headers.get_all('Set-Cookie') diff --git a/examples/complex/xss_scanner.py b/examples/complex/xss_scanner.py index cdaaf478..d5f4aaab 100755 --- a/examples/complex/xss_scanner.py +++ b/examples/complex/xss_scanner.py @@ -1,4 +1,4 @@ -""" +r""" __ __ _____ _____ _____ \ \ / // ____/ ____| / ____| @@ -86,7 +86,7 @@ def get_cookies(flow: http.HTTPFlow) -> Cookies: return {name: value for name, value in flow.request.cookies.fields} -def find_unclaimed_URLs(body: str, requestUrl: bytes) -> None: +def find_unclaimed_URLs(body, requestUrl): """ Look for unclaimed URLs in script tags and log them if found""" def getValue(attrs: List[Tuple[str, str]], attrName: str) -> Optional[str]: for name, value in attrs: @@ -111,7 +111,7 @@ def find_unclaimed_URLs(body: str, requestUrl: bytes) -> None: try: socket.gethostbyname(domain) except socket.gaierror: - ctx.log.error("XSS found in %s due to unclaimed URL \"%s\"." % (requestUrl, url)) + ctx.log.error(f"XSS found in {requestUrl} due to unclaimed URL \"{url}\".") def test_end_of_URL_injection(original_body: str, request_URL: str, cookies: Cookies) -> VulnData: |