--  PSL - Simple subset
--  Copyright (C) 2002-2016 Tristan Gingold
--
--  This program is free software: you can redistribute it and/or modify
--  it under the terms of the GNU General Public License as published by
--  the Free Software Foundation, either version 2 of the License, or
--  (at your option) any later version.
--
--  This program is distributed in the hope that it will be useful,
--  but WITHOUT ANY WARRANTY; without even the implied warranty of
--  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
--  GNU General Public License for more details.
--
--  You should have received a copy of the GNU General Public License
--  along with this program.  If not, see <gnu.org/licenses>.

with Types; use Types;

with PSL.Types; use PSL.Types;
with PSL.Errors; use PSL.Errors;

package body PSL.Subsets is
   procedure Check_Simple (N : Node) is
   begin
      case Get_Kind (N) is
         when N_Not_Bool =>
            if Get_Psl_Type (Get_Boolean (N)) /= Type_Boolean then
               Error_Msg_Sem
                 ("operand of a negation operator must be a boolean", N);
            end if;
         when N_Never =>
            case Get_Psl_Type (Get_Property (N)) is
               when Type_Sequence | Type_Boolean =>
                  null;
               when others =>
                  Error_Msg_Sem ("operand of a 'never' operator must be "
                                   & "a boolean or a sequence", N);
            end case;
         when N_Eventually =>
            case Get_Psl_Type (Get_Property (N)) is
               when Type_Sequence | Type_Boolean =>
                  null;
               when others =>
                  Error_Msg_Sem ("operand of an 'eventually!' operator must be"
                                   & " a boolean or a sequence", N);
            end case;
         when N_And_Bool =>
            if Get_Psl_Type (Get_Left (N)) /= Type_Boolean then
               Error_Msg_Sem ("left-hand side operand of logical 'and' must be"
                                & " a boolean", N);
            end if;
         when N_Or_Bool =>
            if Get_Psl_Type (Get_Left (N)) /= Type_Boolean then
               Error_Msg_Sem ("left-hand side operand of logical 'or' must be"
                                & " a boolean", N);
            end if;
         when N_Log_Imp_Prop =>
            if Get_Psl_Type (Get_Left (N)) /= Type_Boolean then
               Error_Msg_Sem ("left-hand side operand of logical '->' must be"
                                & " a boolean", N);
            end if;
            --  FIXME: <->
         when N_Until =>
            if not Get_Inclusive_Flag (N) then
               if Get_Psl_Type (Get_Right (N)) /= Type_Boolean then
                  Error_Msg_Sem ("right-hand side of a non-overlapping "
                                   & "'until*' operator must be a boolean", N);
               end if;
            else
               if Get_Psl_Type (Get_Right (N)) /= Type_Boolean
                 or else Get_Psl_Type (Get_Left (N)) /= Type_Boolean
               then
                  Error_Msg_Sem ("both operands of an overlapping 'until*'"
                                   & " operator are boolean", N);
               end if;
            end if;
         when N_Before =>
            if Get_Psl_Type (Get_Right (N)) /= Type_Boolean
              or else Get_Psl_Type (Get_Left (N)) /= Type_Boolean
            then
               Error_Msg_Sem ("both operands of a 'before*'"
                                & " operator are boolean", N);
            end if;
         when others =>
            null;
      end case;

      --  Recursion.
      case Get_Kind (N) is
         when N_Error =>
            null;
         when N_Hdl_Mod_Name =>
            null;
         when N_Vunit
            | N_Vmode
            | N_Vprop =>
            declare
               Item : Node;
            begin
               Item := Get_Item_Chain (N);
               while Item /= Null_Node loop
                  Check_Simple (Item);
                  Item := Get_Chain (Item);
               end loop;
            end;
         when N_Name_Decl =>
            null;
         when N_Assert_Directive
            | N_Property_Declaration =>
            Check_Simple (Get_Property (N));
         when N_Endpoint_Declaration
            | N_Sequence_Declaration =>
            Check_Simple (Get_Sequence (N));
         when N_Clock_Event =>
            Check_Simple (Get_Property (N));
            Check_Simple (Get_Boolean (N));
         when N_Always
            | N_Never
            | N_Eventually
            | N_Strong =>
            Check_Simple (Get_Property (N));
         when N_Braced_SERE
            | N_Clocked_SERE =>
            Check_Simple (Get_SERE (N));
         when N_Concat_SERE
            | N_Fusion_SERE
            | N_Within_SERE =>
            Check_Simple (Get_Left (N));
            Check_Simple (Get_Right (N));
         when N_Name =>
            null;
         when N_Star_Repeat_Seq
            | N_Plus_Repeat_Seq =>
            declare
               N2 : constant Node := Get_Sequence (N);
            begin
               if N2 /= Null_Node then
                  Check_Simple (N2);
               end if;
            end;
         when N_Goto_Repeat_Seq
            | N_Equal_Repeat_Seq =>
            null;
         when N_Match_And_Seq
            | N_And_Seq
            | N_Or_Seq =>
            Check_Simple (Get_Left (N));
            Check_Simple (Get_Right (N));
         when N_Imp_Seq
            | N_Overlap_Imp_Seq =>
            Check_Simple (Get_Sequence (N));
            Check_Simple (Get_Property (N));
         when N_Log_Imp_Prop
            | N_Log_Equiv_Prop
            | N_Until
            | N_Before
            | N_Or_Prop
            | N_And_Prop
            | N_And_Bool
            | N_Or_Bool
            | N_Imp_Bool
            | N_Equiv_Bool =>
            Check_Simple (Get_Left (N));
            Check_Simple (Get_Right (N));
         when N_Next
            | N_Next_A
            | N_Next_E
            | N_Paren_Prop =>
            Check_Simple (Get_Property (N));
         when N_Next_Event
           | N_Next_Event_A
           | N_Next_Event_E
           | N_Abort
           | N_Async_Abort
           | N_Sync_Abort =>
            Check_Simple (Get_Boolean (N));
            Check_Simple (Get_Property (N));
         when N_Not_Bool
           | N_Paren_Bool =>
            Check_Simple (Get_Boolean (N));
         when N_Const_Parameter
           | N_Sequence_Parameter
           | N_Boolean_Parameter
           | N_Property_Parameter =>
            null;
         when N_Actual =>
            null;
         when N_Sequence_Instance
           | N_Endpoint_Instance
           | N_Property_Instance =>
            null;
         when N_True
           | N_False
           | N_Number
           | N_Inf
           | N_EOS
           | N_HDL_Expr
           | N_HDL_Bool =>
            null;
      end case;
   end Check_Simple;

   function Is_Async_Abort (N : Node) return Boolean is
   begin
      case Get_Kind (N) is
         when N_Async_Abort
            | N_Abort =>
            return True;
         when N_Sync_Abort =>
            return False;
         when others =>
            raise Internal_Error;
      end case;
   end Is_Async_Abort;

end PSL.Subsets;
'>128</a>
<a id='n129' href='#n129'>129</a>
<a id='n130' href='#n130'>130</a>
<a id='n131' href='#n131'>131</a>
<a id='n132' href='#n132'>132</a>
<a id='n133' href='#n133'>133</a>
<a id='n134' href='#n134'>134</a>
<a id='n135' href='#n135'>135</a>
<a id='n136' href='#n136'>136</a>
<a id='n137' href='#n137'>137</a>
<a id='n138' href='#n138'>138</a>
<a id='n139' href='#n139'>139</a>
<a id='n140' href='#n140'>140</a>
<a id='n141' href='#n141'>141</a>
<a id='n142' href='#n142'>142</a>
<a id='n143' href='#n143'>143</a>
<a id='n144' href='#n144'>144</a>
<a id='n145' href='#n145'>145</a>
<a id='n146' href='#n146'>146</a>
<a id='n147' href='#n147'>147</a>
<a id='n148' href='#n148'>148</a>
<a id='n149' href='#n149'>149</a>
<a id='n150' href='#n150'>150</a>
<a id='n151' href='#n151'>151</a>
<a id='n152' href='#n152'>152</a>
<a id='n153' href='#n153'>153</a>
<a id='n154' href='#n154'>154</a>
<a id='n155' href='#n155'>155</a>
<a id='n156' href='#n156'>156</a>
<a id='n157' href='#n157'>157</a>
<a id='n158' href='#n158'>158</a>
<a id='n159' href='#n159'>159</a>
<a id='n160' href='#n160'>160</a>
<a id='n161' href='#n161'>161</a>
<a id='n162' href='#n162'>162</a>
<a id='n163' href='#n163'>163</a>
<a id='n164' href='#n164'>164</a>
<a id='n165' href='#n165'>165</a>
<a id='n166' href='#n166'>166</a>
<a id='n167' href='#n167'>167</a>
<a id='n168' href='#n168'>168</a>
<a id='n169' href='#n169'>169</a>
<a id='n170' href='#n170'>170</a>
<a id='n171' href='#n171'>171</a>
<a id='n172' href='#n172'>172</a>
<a id='n173' href='#n173'>173</a>
<a id='n174' href='#n174'>174</a>
<a id='n175' href='#n175'>175</a>
<a id='n176' href='#n176'>176</a>
<a id='n177' href='#n177'>177</a>
<a id='n178' href='#n178'>178</a>
<a id='n179' href='#n179'>179</a>
<a id='n180' href='#n180'>180</a>
<a id='n181' href='#n181'>181</a>
<a id='n182' href='#n182'>182</a>
<a id='n183' href='#n183'>183</a>
<a id='n184' href='#n184'>184</a>
<a id='n185' href='#n185'>185</a>
<a id='n186' href='#n186'>186</a>
<a id='n187' href='#n187'>187</a>
<a id='n188' href='#n188'>188</a>
<a id='n189' href='#n189'>189</a>
<a id='n190' href='#n190'>190</a>
<a id='n191' href='#n191'>191</a>
<a id='n192' href='#n192'>192</a>
<a id='n193' href='#n193'>193</a>
<a id='n194' href='#n194'>194</a>
<a id='n195' href='#n195'>195</a>
<a id='n196' href='#n196'>196</a>
<a id='n197' href='#n197'>197</a>
<a id='n198' href='#n198'>198</a>
<a id='n199' href='#n199'>199</a>
<a id='n200' href='#n200'>200</a>
<a id='n201' href='#n201'>201</a>
<a id='n202' href='#n202'>202</a>
<a id='n203' href='#n203'>203</a>
<a id='n204' href='#n204'>204</a>
<a id='n205' href='#n205'>205</a>
<a id='n206' href='#n206'>206</a>
<a id='n207' href='#n207'>207</a>
<a id='n208' href='#n208'>208</a>
<a id='n209' href='#n209'>209</a>
<a id='n210' href='#n210'>210</a>
<a id='n211' href='#n211'>211</a>
<a id='n212' href='#n212'>212</a>
<a id='n213' href='#n213'>213</a>
<a id='n214' href='#n214'>214</a>
<a id='n215' href='#n215'>215</a>
<a id='n216' href='#n216'>216</a>
<a id='n217' href='#n217'>217</a>
<a id='n218' href='#n218'>218</a>
<a id='n219' href='#n219'>219</a>
<a id='n220' href='#n220'>220</a>
<a id='n221' href='#n221'>221</a>
<a id='n222' href='#n222'>222</a>
<a id='n223' href='#n223'>223</a>
<a id='n224' href='#n224'>224</a>
<a id='n225' href='#n225'>225</a>
<a id='n226' href='#n226'>226</a>
<a id='n227' href='#n227'>227</a>
<a id='n228' href='#n228'>228</a>
<a id='n229' href='#n229'>229</a>
<a id='n230' href='#n230'>230</a>
<a id='n231' href='#n231'>231</a>
<a id='n232' href='#n232'>232</a>
<a id='n233' href='#n233'>233</a>
<a id='n234' href='#n234'>234</a>
<a id='n235' href='#n235'>235</a>
<a id='n236' href='#n236'>236</a>
<a id='n237' href='#n237'>237</a>
<a id='n238' href='#n238'>238</a>
<a id='n239' href='#n239'>239</a>
<a id='n240' href='#n240'>240</a>
<a id='n241' href='#n241'>241</a>
<a id='n242' href='#n242'>242</a>
<a id='n243' href='#n243'>243</a>
<a id='n244' href='#n244'>244</a>
<a id='n245' href='#n245'>245</a>
<a id='n246' href='#n246'>246</a>
<a id='n247' href='#n247'>247</a>
<a id='n248' href='#n248'>248</a>
<a id='n249' href='#n249'>249</a>
<a id='n250' href='#n250'>250</a>
<a id='n251' href='#n251'>251</a>
<a id='n252' href='#n252'>252</a>
<a id='n253' href='#n253'>253</a>
<a id='n254' href='#n254'>254</a>
<a id='n255' href='#n255'>255</a>
<a id='n256' href='#n256'>256</a>
<a id='n257' href='#n257'>257</a>
<a id='n258' href='#n258'>258</a>
<a id='n259' href='#n259'>259</a>
<a id='n260' href='#n260'>260</a>
<a id='n261' href='#n261'>261</a>
<a id='n262' href='#n262'>262</a>
<a id='n263' href='#n263'>263</a>
<a id='n264' href='#n264'>264</a>
<a id='n265' href='#n265'>265</a>
<a id='n266' href='#n266'>266</a>
<a id='n267' href='#n267'>267</a>
<a id='n268' href='#n268'>268</a>
<a id='n269' href='#n269'>269</a>
<a id='n270' href='#n270'>270</a>
<a id='n271' href='#n271'>271</a>
<a id='n272' href='#n272'>272</a>
<a id='n273' href='#n273'>273</a>
<a id='n274' href='#n274'>274</a>
<a id='n275' href='#n275'>275</a>
<a id='n276' href='#n276'>276</a>
<a id='n277' href='#n277'>277</a>
<a id='n278' href='#n278'>278</a>
<a id='n279' href='#n279'>279</a>
<a id='n280' href='#n280'>280</a>
<a id='n281' href='#n281'>281</a>
<a id='n282' href='#n282'>282</a>
<a id='n283' href='#n283'>283</a>
<a id='n284' href='#n284'>284</a>
<a id='n285' href='#n285'>285</a>
<a id='n286' href='#n286'>286</a>
<a id='n287' href='#n287'>287</a>
<a id='n288' href='#n288'>288</a>
<a id='n289' href='#n289'>289</a>
<a id='n290' href='#n290'>290</a>
<a id='n291' href='#n291'>291</a>
<a id='n292' href='#n292'>292</a>
<a id='n293' href='#n293'>293</a>
<a id='n294' href='#n294'>294</a>
<a id='n295' href='#n295'>295</a>
<a id='n296' href='#n296'>296</a>
<a id='n297' href='#n297'>297</a>
<a id='n298' href='#n298'>298</a>
<a id='n299' href='#n299'>299</a>
<a id='n300' href='#n300'>300</a>
<a id='n301' href='#n301'>301</a>
<a id='n302' href='#n302'>302</a>
<a id='n303' href='#n303'>303</a>
<a id='n304' href='#n304'>304</a>
<a id='n305' href='#n305'>305</a>
<a id='n306' href='#n306'>306</a>
<a id='n307' href='#n307'>307</a>
<a id='n308' href='#n308'>308</a>
<a id='n309' href='#n309'>309</a>
<a id='n310' href='#n310'>310</a>
<a id='n311' href='#n311'>311</a>
<a id='n312' href='#n312'>312</a>
<a id='n313' href='#n313'>313</a>
<a id='n314' href='#n314'>314</a>
<a id='n315' href='#n315'>315</a>
<a id='n316' href='#n316'>316</a>
<a id='n317' href='#n317'>317</a>
<a id='n318' href='#n318'>318</a>
<a id='n319' href='#n319'>319</a>
<a id='n320' href='#n320'>320</a>
<a id='n321' href='#n321'>321</a>
<a id='n322' href='#n322'>322</a>
<a id='n323' href='#n323'>323</a>
<a id='n324' href='#n324'>324</a>
<a id='n325' href='#n325'>325</a>
<a id='n326' href='#n326'>326</a>
<a id='n327' href='#n327'>327</a>
<a id='n328' href='#n328'>328</a>
<a id='n329' href='#n329'>329</a>
<a id='n330' href='#n330'>330</a>
<a id='n331' href='#n331'>331</a>
<a id='n332' href='#n332'>332</a>
<a id='n333' href='#n333'>333</a>
<a id='n334' href='#n334'>334</a>
<a id='n335' href='#n335'>335</a>
<a id='n336' href='#n336'>336</a>
<a id='n337' href='#n337'>337</a>
<a id='n338' href='#n338'>338</a>
<a id='n339' href='#n339'>339</a>
<a id='n340' href='#n340'>340</a>
<a id='n341' href='#n341'>341</a>
<a id='n342' href='#n342'>342</a>
<a id='n343' href='#n343'>343</a>
<a id='n344' href='#n344'>344</a>
<a id='n345' href='#n345'>345</a>
<a id='n346' href='#n346'>346</a>
<a id='n347' href='#n347'>347</a>
<a id='n348' href='#n348'>348</a>
<a id='n349' href='#n349'>349</a>
<a id='n350' href='#n350'>350</a>
<a id='n351' href='#n351'>351</a>
<a id='n352' href='#n352'>352</a>
<a id='n353' href='#n353'>353</a>
<a id='n354' href='#n354'>354</a>
<a id='n355' href='#n355'>355</a>
<a id='n356' href='#n356'>356</a>
<a id='n357' href='#n357'>357</a>
<a id='n358' href='#n358'>358</a>
<a id='n359' href='#n359'>359</a>
<a id='n360' href='#n360'>360</a>
<a id='n361' href='#n361'>361</a>
<a id='n362' href='#n362'>362</a>
<a id='n363' href='#n363'>363</a>
<a id='n364' href='#n364'>364</a>
<a id='n365' href='#n365'>365</a>
<a id='n366' href='#n366'>366</a>
<a id='n367' href='#n367'>367</a>
<a id='n368' href='#n368'>368</a>
<a id='n369' href='#n369'>369</a>
<a id='n370' href='#n370'>370</a>
<a id='n371' href='#n371'>371</a>
<a id='n372' href='#n372'>372</a>
<a id='n373' href='#n373'>373</a>
<a id='n374' href='#n374'>374</a>
<a id='n375' href='#n375'>375</a>
<a id='n376' href='#n376'>376</a>
<a id='n377' href='#n377'>377</a>
<a id='n378' href='#n378'>378</a>
<a id='n379' href='#n379'>379</a>
<a id='n380' href='#n380'>380</a>
<a id='n381' href='#n381'>381</a>
<a id='n382' href='#n382'>382</a>
<a id='n383' href='#n383'>383</a>
<a id='n384' href='#n384'>384</a>
<a id='n385' href='#n385'>385</a>
<a id='n386' href='#n386'>386</a>
<a id='n387' href='#n387'>387</a>
<a id='n388' href='#n388'>388</a>
<a id='n389' href='#n389'>389</a>
<a id='n390' href='#n390'>390</a>
<a id='n391' href='#n391'>391</a>
<a id='n392' href='#n392'>392</a>
<a id='n393' href='#n393'>393</a>
<a id='n394' href='#n394'>394</a>
<a id='n395' href='#n395'>395</a>
<a id='n396' href='#n396'>396</a>
<a id='n397' href='#n397'>397</a>
<a id='n398' href='#n398'>398</a>
<a id='n399' href='#n399'>399</a>
<a id='n400' href='#n400'>400</a>
<a id='n401' href='#n401'>401</a>
<a id='n402' href='#n402'>402</a>
<a id='n403' href='#n403'>403</a>
<a id='n404' href='#n404'>404</a>
<a id='n405' href='#n405'>405</a>
<a id='n406' href='#n406'>406</a>
<a id='n407' href='#n407'>407</a>
<a id='n408' href='#n408'>408</a>
<a id='n409' href='#n409'>409</a>
<a id='n410' href='#n410'>410</a>
<a id='n411' href='#n411'>411</a>
<a id='n412' href='#n412'>412</a>
<a id='n413' href='#n413'>413</a>
<a id='n414' href='#n414'>414</a>
<a id='n415' href='#n415'>415</a>
<a id='n416' href='#n416'>416</a>
<a id='n417' href='#n417'>417</a>
</pre></td>
<td class='lines'><pre><code><style>pre { line-height: 125%; margin: 0; }
td.linenos pre { color: #000000; background-color: #f0f0f0; padding: 0 5px 0 5px; }
span.linenos { color: #000000; background-color: #f0f0f0; padding: 0 5px 0 5px; }
td.linenos pre.special { color: #000000; background-color: #ffffc0; padding: 0 5px 0 5px; }
span.linenos.special { color: #000000; background-color: #ffffc0; padding: 0 5px 0 5px; }
.highlight .hll { background-color: #ffffcc }
.highlight { background: #ffffff; }
.highlight .c { color: #888888 } /* Comment */
.highlight .err { color: #a61717; background-color: #e3d2d2 } /* Error */
.highlight .k { color: #008800; font-weight: bold } /* Keyword */
.highlight .ch { color: #888888 } /* Comment.Hashbang */
.highlight .cm { color: #888888 } /* Comment.Multiline */
.highlight .cp { color: #cc0000; font-weight: bold } /* Comment.Preproc */
.highlight .cpf { color: #888888 } /* Comment.PreprocFile */
.highlight .c1 { color: #888888 } /* Comment.Single */
.highlight .cs { color: #cc0000; font-weight: bold; background-color: #fff0f0 } /* Comment.Special */
.highlight .gd { color: #000000; background-color: #ffdddd } /* Generic.Deleted */
.highlight .ge { font-style: italic } /* Generic.Emph */
.highlight .gr { color: #aa0000 } /* Generic.Error */
.highlight .gh { color: #333333 } /* Generic.Heading */
.highlight .gi { color: #000000; background-color: #ddffdd } /* Generic.Inserted */
.highlight .go { color: #888888 } /* Generic.Output */
.highlight .gp { color: #555555 } /* Generic.Prompt */
.highlight .gs { font-weight: bold } /* Generic.Strong */
.highlight .gu { color: #666666 } /* Generic.Subheading */
.highlight .gt { color: #aa0000 } /* Generic.Traceback */
.highlight .kc { color: #008800; font-weight: bold } /* Keyword.Constant */
.highlight .kd { color: #008800; font-weight: bold } /* Keyword.Declaration */
.highlight .kn { color: #008800; font-weight: bold } /* Keyword.Namespace */
.highlight .kp { color: #008800 } /* Keyword.Pseudo */
.highlight .kr { color: #008800; font-weight: bold } /* Keyword.Reserved */
.highlight .kt { color: #888888; font-weight: bold } /* Keyword.Type */
.highlight .m { color: #0000DD; font-weight: bold } /* Literal.Number */
.highlight .s { color: #dd2200; background-color: #fff0f0 } /* Literal.String */
.highlight .na { color: #336699 } /* Name.Attribute */
.highlight .nb { color: #003388 } /* Name.Builtin */
.highlight .nc { color: #bb0066; font-weight: bold } /* Name.Class */
.highlight .no { color: #003366; font-weight: bold } /* Name.Constant */
.highlight .nd { color: #555555 } /* Name.Decorator */
.highlight .ne { color: #bb0066; font-weight: bold } /* Name.Exception */
.highlight .nf { color: #0066bb; font-weight: bold } /* Name.Function */
.highlight .nl { color: #336699; font-style: italic } /* Name.Label */
.highlight .nn { color: #bb0066; font-weight: bold } /* Name.Namespace */
.highlight .py { color: #336699; font-weight: bold } /* Name.Property */
.highlight .nt { color: #bb0066; font-weight: bold } /* Name.Tag */
.highlight .nv { color: #336699 } /* Name.Variable */
.highlight .ow { color: #008800 } /* Operator.Word */
.highlight .w { color: #bbbbbb } /* Text.Whitespace */
.highlight .mb { color: #0000DD; font-weight: bold } /* Literal.Number.Bin */
.highlight .mf { color: #0000DD; font-weight: bold } /* Literal.Number.Float */
.highlight .mh { color: #0000DD; font-weight: bold } /* Literal.Number.Hex */
.highlight .mi { color: #0000DD; font-weight: bold } /* Literal.Number.Integer */
.highlight .mo { color: #0000DD; font-weight: bold } /* Literal.Number.Oct */
.highlight .sa { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Affix */
.highlight .sb { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Backtick */
.highlight .sc { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Char */
.highlight .dl { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Delimiter */
.highlight .sd { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Doc */
.highlight .s2 { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Double */
.highlight .se { color: #0044dd; background-color: #fff0f0 } /* Literal.String.Escape */
.highlight .sh { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Heredoc */
.highlight .si { color: #3333bb; background-color: #fff0f0 } /* Literal.String.Interpol */
.highlight .sx { color: #22bb22; background-color: #f0fff0 } /* Literal.String.Other */
.highlight .sr { color: #008800; background-color: #fff0ff } /* Literal.String.Regex */
.highlight .s1 { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Single */
.highlight .ss { color: #aa6600; background-color: #fff0f0 } /* Literal.String.Symbol */
.highlight .bp { color: #003388 } /* Name.Builtin.Pseudo */
.highlight .fm { color: #0066bb; font-weight: bold } /* Name.Function.Magic */
.highlight .vc { color: #336699 } /* Name.Variable.Class */
.highlight .vg { color: #dd7700 } /* Name.Variable.Global */
.highlight .vi { color: #3333bb } /* Name.Variable.Instance */
.highlight .vm { color: #336699 } /* Name.Variable.Magic */
.highlight .il { color: #0000DD; font-weight: bold } /* Literal.Number.Integer.Long */</style><div class="highlight"><pre><span></span><span class="sa">r</span><span class="sd">&quot;&quot;&quot;</span>

<span class="sd"> __   __ _____ _____     _____</span>
<span class="sd"> \ \ / // ____/ ____|   / ____|</span>
<span class="sd">  \ V /| (___| (___    | (___   ___ __ _ _ __  _ __   ___ _ __</span>
<span class="sd">   &gt; &lt;  \___ \\___ \    \___ \ / __/ _` | &#39;_ \| &#39;_ \ / _ \ &#39;__|</span>
<span class="sd">  / . \ ____) |___) |   ____) | (_| (_| | | | | | | |  __/ |</span>
<span class="sd"> /_/ \_\_____/_____/   |_____/ \___\__,_|_| |_|_| |_|\___|_|</span>


<span class="sd">This script automatically scans all visited webpages for XSS and SQLi vulnerabilities.</span>

<span class="sd">Usage: mitmproxy -s xss_scanner.py</span>

<span class="sd">This script scans for vulnerabilities by injecting a fuzzing payload (see PAYLOAD below) into 4 different places</span>
<span class="sd">and examining the HTML to look for XSS and SQLi injection vulnerabilities. The XSS scanning functionality works by</span>
<span class="sd">looking to see whether it is possible to inject HTML based off of of where the payload appears in the page and what</span>
<span class="sd">characters are escaped. In addition, it also looks for any script tags that load javascript from unclaimed domains.</span>
<span class="sd">The SQLi scanning functionality works by using regular expressions to look for errors from a number of different</span>
<span class="sd">common databases. Since it is only looking for errors, it will not find blind SQLi vulnerabilities.</span>

<span class="sd">The 4 places it injects the payload into are:</span>
<span class="sd">1. URLs         (e.g. https://example.com/ -&gt; https://example.com/PAYLOAD/)</span>
<span class="sd">2. Queries      (e.g. https://example.com/index.html?a=b -&gt; https://example.com/index.html?a=PAYLOAD)</span>
<span class="sd">3. Referers     (e.g. The referer changes from https://example.com to PAYLOAD)</span>
<span class="sd">4. User Agents  (e.g. The UA changes from Chrome to PAYLOAD)</span>

<span class="sd">Reports from this script show up in the event log (viewable by pressing e) and formatted like:</span>

<span class="sd">===== XSS Found ====</span>
<span class="sd">XSS URL: http://daviddworken.com/vulnerableUA.php</span>
<span class="sd">Injection Point: User Agent</span>
<span class="sd">Suggested Exploit: &lt;script&gt;alert(0)&lt;/script&gt;</span>
<span class="sd">Line: 1029zxcs&#39;d&quot;ao&lt;ac&gt;so[sb]po(pc)se;sl/bsl\eq=3847asd</span>

<span class="sd">&quot;&quot;&quot;</span>

<span class="kn">from</span> <span class="nn">html.parser</span> <span class="kn">import</span> <span class="n">HTMLParser</span>
<span class="kn">from</span> <span class="nn">typing</span> <span class="kn">import</span> <span class="n">Dict</span><span class="p">,</span> <span class="n">Union</span><span class="p">,</span> <span class="n">Tuple</span><span class="p">,</span> <span class="n">Optional</span><span class="p">,</span> <span class="n">List</span><span class="p">,</span> <span class="n">NamedTuple</span>
<span class="kn">from</span> <span class="nn">urllib.parse</span> <span class="kn">import</span> <span class="n">urlparse</span>
<span class="kn">import</span> <span class="nn">re</span>
<span class="kn">import</span> <span class="nn">socket</span>

<span class="kn">import</span> <span class="nn">requests</span>

<span class="kn">from</span> <span class="nn">mitmproxy</span> <span class="kn">import</span> <span class="n">http</span>
<span class="kn">from</span> <span class="nn">mitmproxy</span> <span class="kn">import</span> <span class="n">ctx</span>


<span class="c1"># The actual payload is put between a frontWall and a backWall to make it easy</span>
<span class="c1"># to locate the payload with regular expressions</span>
<span class="n">FRONT_WALL</span> <span class="o">=</span> <span class="sa">b</span><span class="s2">&quot;1029zxc&quot;</span>
<span class="n">BACK_WALL</span> <span class="o">=</span> <span class="sa">b</span><span class="s2">&quot;3847asd&quot;</span>
<span class="n">PAYLOAD</span> <span class="o">=</span> <span class="sa">b</span><span class="s2">&quot;&quot;&quot;s&#39;d&quot;ao&lt;ac&gt;so[sb]po(pc)se;sl/bsl</span><span class="se">\\</span><span class="s2">eq=&quot;&quot;&quot;</span>
<span class="n">FULL_PAYLOAD</span> <span class="o">=</span> <span class="n">FRONT_WALL</span> <span class="o">+</span> <span class="n">PAYLOAD</span> <span class="o">+</span> <span class="n">BACK_WALL</span>

<span class="c1"># A XSSData is a named tuple with the following fields:</span>
<span class="c1">#   - url -&gt; str</span>
<span class="c1">#   - injection_point -&gt; str</span>
<span class="c1">#   - exploit -&gt; str</span>
<span class="c1">#   - line -&gt; str</span>
<span class="n">XSSData</span> <span class="o">=</span> <span class="n">NamedTuple</span><span class="p">(</span><span class="s1">&#39;XSSData&#39;</span><span class="p">,</span> <span class="p">[(</span><span class="s1">&#39;url&#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">),</span>
                                 <span class="p">(</span><span class="s1">&#39;injection_point&#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">),</span>
                                 <span class="p">(</span><span class="s1">&#39;exploit&#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">),</span>
                                 <span class="p">(</span><span class="s1">&#39;line&#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">)])</span>

<span class="c1"># A SQLiData is named tuple with the following fields:</span>
<span class="c1">#   - url -&gt; str</span>
<span class="c1">#   - injection_point -&gt; str</span>
<span class="c1">#   - regex -&gt; str</span>
<span class="c1">#   - dbms -&gt; str</span>
<span class="n">SQLiData</span> <span class="o">=</span> <span class="n">NamedTuple</span><span class="p">(</span><span class="s1">&#39;SQLiData&#39;</span><span class="p">,</span> <span class="p">[(</span><span class="s1">&#39;url&#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">),</span>
                                   <span class="p">(</span><span class="s1">&#39;injection_point&#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">),</span>
                                   <span class="p">(</span><span class="s1">&#39;regex&#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">),</span>
                                   <span class="p">(</span><span class="s1">&#39;dbms&#39;</span><span class="p">,</span> <span class="nb">str</span><span class="p">)])</span>


<span class="n">VulnData</span> <span class="o">=</span> <span class="n">Tuple</span><span class="p">[</span><span class="n">Optional</span><span class="p">[</span><span class="n">XSSData</span><span class="p">],</span> <span class="n">Optional</span><span class="p">[</span><span class="n">SQLiData</span><span class="p">]]</span>
<span class="n">Cookies</span> <span class="o">=</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nb">str</span><span class="p">]</span>


<span class="k">def</span> <span class="nf">get_cookies</span><span class="p">(</span><span class="n">flow</span><span class="p">:</span> <span class="n">http</span><span class="o">.</span><span class="n">HTTPFlow</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Cookies</span><span class="p">:</span>
    <span class="sd">&quot;&quot;&quot; Return a dict going from cookie names to cookie values</span>
<span class="sd">          - Note that it includes both the cookies sent in the original request and</span>
<span class="sd">            the cookies sent by the server &quot;&quot;&quot;</span>
    <span class="k">return</span> <span class="p">{</span><span class="n">name</span><span class="p">:</span> <span class="n">value</span> <span class="k">for</span> <span class="n">name</span><span class="p">,</span> <span class="n">value</span> <span class="ow">in</span> <span class="n">flow</span><span class="o">.</span><span class="n">request</span><span class="o">.</span><span class="n">cookies</span><span class="o">.</span><span class="n">fields</span><span class="p">}</span>


<span class="k">def</span> <span class="nf">find_unclaimed_URLs</span><span class="p">(</span><span class="n">body</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">requestUrl</span><span class="p">:</span> <span class="nb">bytes</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="kc">None</span><span class="p">:</span>
    <span class="sd">&quot;&quot;&quot; Look for unclaimed URLs in script tags and log them if found&quot;&quot;&quot;</span>
    <span class="k">def</span> <span class="nf">getValue</span><span class="p">(</span><span class="n">attrs</span><span class="p">:</span> <span class="n">List</span><span class="p">[</span><span class="n">Tuple</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nb">str</span><span class="p">]],</span> <span class="n">attrName</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]:</span>
        <span class="k">for</span> <span class="n">name</span><span class="p">,</span> <span class="n">value</span> <span class="ow">in</span> <span class="n">attrs</span><span class="p">:</span>
            <span class="k">if</span> <span class="n">attrName</span> <span class="o">==</span> <span class="n">name</span><span class="p">:</span>
                <span class="k">return</span> <span class="n">value</span>
        <span class="k">return</span> <span class="kc">None</span>

    <span class="k">class</span> <span class="nc">ScriptURLExtractor</span><span class="p">(</span><span class="n">HTMLParser</span><span class="p">):</span>
        <span class="n">script_URLs</span><span class="p">:</span> <span class="n">List</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="o">=</span> <span class="p">[]</span>

        <span class="k">def</span> <span class="nf">handle_starttag</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">tag</span><span class="p">,</span> <span class="n">attrs</span><span class="p">):</span>
            <span class="k">if</span> <span class="p">(</span><span class="n">tag</span> <span class="o">==</span> <span class="s2">&quot;script&quot;</span> <span class="ow">or</span> <span class="n">tag</span> <span class="o">==</span> <span class="s2">&quot;iframe&quot;</span><span class="p">)</span> <span class="ow">and</span> <span class="s2">&quot;src&quot;</span> <span class="ow">in</span> <span class="p">[</span><span class="n">name</span> <span class="k">for</span> <span class="n">name</span><span class="p">,</span> <span class="n">value</span> <span class="ow">in</span> <span class="n">attrs</span><span class="p">]:</span>
                <span class="bp">self</span><span class="o">.</span><span class="n">script_URLs</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">getValue</span><span class="p">(</span><span class="n">attrs</span><span class="p">,</span> <span class="s2">&quot;src&quot;</span><span class="p">))</span>
            <span class="k">if</span> <span class="n">tag</span> <span class="o">==</span> <span class="s2">&quot;link&quot;</span> <span class="ow">and</span> <span class="n">getValue</span><span class="p">(</span><span class="n">attrs</span><span class="p">,</span> <span class="s2">&quot;rel&quot;</span><span class="p">)</span> <span class="o">==</span> <span class="s2">&quot;stylesheet&quot;</span> <span class="ow">and</span> <span class="s2">&quot;href&quot;</span> <span class="ow">in</span> <span class="p">[</span><span class="n">name</span> <span class="k">for</span> <span class="n">name</span><span class="p">,</span> <span class="n">value</span> <span class="ow">in</span> <span class="n">attrs</span><span class="p">]:</span>
                <span class="bp">self</span><span class="o">.</span><span class="n">script_URLs</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">getValue</span><span class="p">(</span><span class="n">attrs</span><span class="p">,</span> <span class="s2">&quot;href&quot;</span><span class="p">))</span>

    <span class="n">parser</span> <span class="o">=</span> <span class="n">ScriptURLExtractor</span><span class="p">()</span>
    <span class="n">parser</span><span class="o">.</span><span class="n">feed</span><span class="p">(</span><span class="n">body</span><span class="p">)</span>
    <span class="k">for</span> <span class="n">url</span> <span class="ow">in</span> <span class="n">parser</span><span class="o">.</span><span class="n">script_URLs</span><span class="p">:</span>
        <span class="n">url_parser</span> <span class="o">=</span> <span class="n">urlparse</span><span class="p">(</span><span class="n">url</span><span class="p">)</span>
        <span class="n">domain</span> <span class="o">=</span> <span class="n">url_parser</span><span class="o">.</span><span class="n">netloc</span>
        <span class="k">try</span><span class="p">:</span>
            <span class="n">socket</span><span class="o">.</span><span class="n">gethostbyname</span><span class="p">(</span><span class="n">domain</span><span class="p">)</span>
        <span class="k">except</span> <span class="n">socket</span><span class="o">.</span><span class="n">gaierror</span><span class="p">:</span>
            <span class="n">ctx</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">error</span><span class="p">(</span><span class="s2">&quot;XSS found in </span><span class="si">%s</span><span class="s2"> due to unclaimed URL </span><span class="se">\&quot;</span><span class="si">%s</span><span class="se">\&quot;</span><span class="s2">.&quot;</span> <span class="o">%</span> <span class="p">(</span><span class="n">requestUrl</span><span class="p">,</span> <span class="n">url</span><span class="p">))</span>


<span class="k">def</span> <span class="nf">test_end_of_URL_injection</span><span class="p">(</span><span class="n">original_body</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">request_URL</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">cookies</span><span class="p">:</span> <span class="n">Cookies</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">VulnData</span><span class="p">:</span>
    <span class="sd">&quot;&quot;&quot; Test the given URL for XSS via injection onto the end of the URL and</span>
<span class="sd">        log the XSS if found &quot;&quot;&quot;</span>
    <span class="n">parsed_URL</span> <span class="o">=</span> <span class="n">urlparse</span><span class="p">(</span><span class="n">request_URL</span><span class="p">)</span>
    <span class="n">path</span> <span class="o">=</span> <span class="n">parsed_URL</span><span class="o">.</span><span class="n">path</span>
    <span class="k">if</span> <span class="n">path</span> <span class="o">!=</span> <span class="s2">&quot;&quot;</span> <span class="ow">and</span> <span class="n">path</span><span class="p">[</span><span class="o">-</span><span class="mi">1</span><span class="p">]</span> <span class="o">!=</span> <span class="s2">&quot;/&quot;</span><span class="p">:</span>  <span class="c1"># ensure the path ends in a /</span>
        <span class="n">path</span> <span class="o">+=</span> <span class="s2">&quot;/&quot;</span>
    <span class="n">path</span> <span class="o">+=</span> <span class="n">FULL_PAYLOAD</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s1">&#39;utf-8&#39;</span><span class="p">)</span>  <span class="c1"># the path must be a string while the payload is bytes</span>
    <span class="n">url</span> <span class="o">=</span> <span class="n">parsed_URL</span><span class="o">.</span><span class="n">_replace</span><span class="p">(</span><span class="n">path</span><span class="o">=</span><span class="n">path</span><span class="p">)</span><span class="o">.</span><span class="n">geturl</span><span class="p">()</span>
    <span class="n">body</span> <span class="o">=</span> <span class="n">requests</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">cookies</span><span class="o">=</span><span class="n">cookies</span><span class="p">)</span><span class="o">.</span><span class="n">text</span><span class="o">.</span><span class="n">lower</span><span class="p">()</span>
    <span class="n">xss_info</span> <span class="o">=</span> <span class="n">get_XSS_data</span><span class="p">(</span><span class="n">body</span><span class="p">,</span> <span class="n">url</span><span class="p">,</span> <span class="s2">&quot;End of URL&quot;</span><span class="p">)</span>
    <span class="n">sqli_info</span> <span class="o">=</span> <span class="n">get_SQLi_data</span><span class="p">(</span><span class="n">body</span><span class="p">,</span> <span class="n">original_body</span><span class="p">,</span> <span class="n">url</span><span class="p">,</span> <span class="s2">&quot;End of URL&quot;</span><span class="p">)</span>
    <span class="k">return</span> <span class="n">xss_info</span><span class="p">,</span> <span class="n">sqli_info</span>


<span class="k">def</span> <span class="nf">test_referer_injection</span><span class="p">(</span><span class="n">original_body</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">request_URL</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">cookies</span><span class="p">:</span> <span class="n">Cookies</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">VulnData</span><span class="p">:</span>
    <span class="sd">&quot;&quot;&quot; Test the given URL for XSS via injection into the referer and</span>
<span class="sd">        log the XSS if found &quot;&quot;&quot;</span>
    <span class="n">body</span> <span class="o">=</span> <span class="n">requests</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="n">request_URL</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="s1">&#39;referer&#39;</span><span class="p">:</span> <span class="n">FULL_PAYLOAD</span><span class="p">},</span> <span class="n">cookies</span><span class="o">=</span><span class="n">cookies</span><span class="p">)</span><span class="o">.</span><span class="n">text</span><span class="o">.</span><span class="n">lower</span><span class="p">()</span>
    <span class="n">xss_info</span> <span class="o">=</span> <span class="n">get_XSS_data</span><span class="p">(</span><span class="n">body</span><span class="p">,</span> <span class="n">request_URL</span><span class="p">,</span> <span class="s2">&quot;Referer&quot;</span><span class="p">)</span>
    <span class="n">sqli_info</span> <span class="o">=</span> <span class="n">get_SQLi_data</span><span class="p">(</span><span class="n">body</span><span class="p">,</span> <span class="n">original_body</span><span class="p">,</span> <span class="n">request_URL</span><span class="p">,</span> <span class="s2">&quot;Referer&quot;</span><span class="p">)</span>
    <span class="k">return</span> <span class="n">xss_info</span><span class="p">,</span> <span class="n">sqli_info</span>


<span class="k">def</span> <span class="nf">test_user_agent_injection</span><span class="p">(</span><span class="n">original_body</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">request_URL</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">cookies</span><span class="p">:</span> <span class="n">Cookies</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">VulnData</span><span class="p">:</span>
    <span class="sd">&quot;&quot;&quot; Test the given URL for XSS via injection into the user agent and</span>
<span class="sd">        log the XSS if found &quot;&quot;&quot;</span>
    <span class="n">body</span> <span class="o">=</span> <span class="n">requests</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="n">request_URL</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="s1">&#39;User-Agent&#39;</span><span class="p">:</span> <span class="n">FULL_PAYLOAD</span><span class="p">},</span> <span class="n">cookies</span><span class="o">=</span><span class="n">cookies</span><span class="p">)</span><span class="o">.</span><span class="n">text</span><span class="o">.</span><span class="n">lower</span><span class="p">()</span>
    <span class="n">xss_info</span> <span class="o">=</span> <span class="n">get_XSS_data</span><span class="p">(</span><span class="n">body</span><span class="p">,</span> <span class="n">request_URL</span><span class="p">,</span> <span class="s2">&quot;User Agent&quot;</span><span class="p">)</span>
    <span class="n">sqli_info</span> <span class="o">=</span> <span class="n">get_SQLi_data</span><span class="p">(</span><span class="n">body</span><span class="p">,</span> <span class="n">original_body</span><span class="p">,</span> <span class="n">request_URL</span><span class="p">,</span> <span class="s2">&quot;User Agent&quot;</span><span class="p">)</span>
    <span class="k">return</span> <span class="n">xss_info</span><span class="p">,</span> <span class="n">sqli_info</span>


<span class="k">def</span> <span class="nf">test_query_injection</span><span class="p">(</span><span class="n">original_body</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">request_URL</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">cookies</span><span class="p">:</span> <span class="n">Cookies</span><span class="p">):</span>
    <span class="sd">&quot;&quot;&quot; Test the given URL for XSS via injection into URL queries and</span>
<span class="sd">        log the XSS if found &quot;&quot;&quot;</span>
    <span class="n">parsed_URL</span> <span class="o">=</span> <span class="n">urlparse</span><span class="p">(</span><span class="n">request_URL</span><span class="p">)</span>
    <span class="n">query_string</span> <span class="o">=</span> <span class="n">parsed_URL</span><span class="o">.</span><span class="n">query</span>
    <span class="c1"># queries is a list of parameters where each parameter is set to the payload</span>
    <span class="n">queries</span> <span class="o">=</span> <span class="p">[</span><span class="n">query</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s2">&quot;=&quot;</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="o">+</span> <span class="s2">&quot;=&quot;</span> <span class="o">+</span> <span class="n">FULL_PAYLOAD</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s1">&#39;utf-8&#39;</span><span class="p">)</span> <span class="k">for</span> <span class="n">query</span> <span class="ow">in</span> <span class="n">query_string</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s2">&quot;&amp;&quot;</span><span class="p">)]</span>
    <span class="n">new_query_string</span> <span class="o">=</span> <span class="s2">&quot;&amp;&quot;</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">queries</span><span class="p">)</span>
    <span class="n">new_URL</span> <span class="o">=</span> <span class="n">parsed_URL</span><span class="o">.</span><span class="n">_replace</span><span class="p">(</span><span class="n">query</span><span class="o">=</span><span class="n">new_query_string</span><span class="p">)</span><span class="o">.</span><span class="n">geturl</span><span class="p">()</span>
    <span class="n">body</span> <span class="o">=</span> <span class="n">requests</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="n">new_URL</span><span class="p">,</span> <span class="n">cookies</span><span class="o">=</span><span class="n">cookies</span><span class="p">)</span><span class="o">.</span><span class="n">text</span><span class="o">.</span><span class="n">lower</span><span class="p">()</span>
    <span class="n">xss_info</span> <span class="o">=</span> <span class="n">get_XSS_data</span><span class="p">(</span><span class="n">body</span><span class="p">,</span> <span class="n">new_URL</span><span class="p">,</span> <span class="s2">&quot;Query&quot;</span><span class="p">)</span>
    <span class="n">sqli_info</span> <span class="o">=</span> <span class="n">get_SQLi_data</span><span class="p">(</span><span class="n">body</span><span class="p">,</span> <span class="n">original_body</span><span class="p">,</span> <span class="n">new_URL</span><span class="p">,</span> <span class="s2">&quot;Query&quot;</span><span class="p">)</span>
    <span class="k">return</span> <span class="n">xss_info</span><span class="p">,</span> <span class="n">sqli_info</span>


<span class="k">def</span> <span class="nf">log_XSS_data</span><span class="p">(</span><span class="n">xss_info</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="n">XSSData</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="kc">None</span><span class="p">:</span>
    <span class="sd">&quot;&quot;&quot; Log information about the given XSS to mitmproxy &quot;&quot;&quot;</span>
    <span class="c1"># If it is None, then there is no info to log</span>
    <span class="k">if</span> <span class="ow">not</span> <span class="n">xss_info</span><span class="p">:</span>
        <span class="k">return</span>
    <span class="n">ctx</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">error</span><span class="p">(</span><span class="s2">&quot;===== XSS Found ====&quot;</span><span class="p">)</span>
    <span class="n">ctx</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">error</span><span class="p">(</span><span class="s2">&quot;XSS URL: </span><span class="si">%s</span><span class="s2">&quot;</span> <span class="o">%</span> <span class="n">xss_info</span><span class="o">.</span><span class="n">url</span><span class="p">)</span>
    <span class="n">ctx</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">error</span><span class="p">(</span><span class="s2">&quot;Injection Point: </span><span class="si">%s</span><span class="s2">&quot;</span> <span class="o">%</span> <span class="n">xss_info</span><span class="o">.</span><span class="n">injection_point</span><span class="p">)</span>
    <span class="n">ctx</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">error</span><span class="p">(</span><span class="s2">&quot;Suggested Exploit: </span><span class="si">%s</span><span class="s2">&quot;</span> <span class="o">%</span> <span class="n">xss_info</span><span class="o">.</span><span class="n">exploit</span><span class="p">)</span>
    <span class="n">ctx</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">error</span><span class="p">(</span><span class="s2">&quot;Line: </span><span class="si">%s</span><span class="s2">&quot;</span> <span class="o">%</span> <span class="n">xss_info</span><span class="o">.</span><span class="n">line</span><span class="p">)</span>


<span class="k">def</span> <span class="nf">log_SQLi_data</span><span class="p">(</span><span class="n">sqli_info</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="n">SQLiData</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="kc">None</span><span class="p">:</span>
    <span class="sd">&quot;&quot;&quot; Log information about the given SQLi to mitmproxy &quot;&quot;&quot;</span>
    <span class="k">if</span> <span class="ow">not</span> <span class="n">sqli_info</span><span class="p">:</span>
        <span class="k">return</span>
    <span class="n">ctx</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">error</span><span class="p">(</span><span class="s2">&quot;===== SQLi Found =====&quot;</span><span class="p">)</span>
    <span class="n">ctx</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">error</span><span class="p">(</span><span class="s2">&quot;SQLi URL: </span><span class="si">%s</span><span class="s2">&quot;</span> <span class="o">%</span> <span class="n">sqli_info</span><span class="o">.</span><span class="n">url</span><span class="p">)</span>
    <span class="n">ctx</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">error</span><span class="p">(</span><span class="s2">&quot;Injection Point: </span><span class="si">%s</span><span class="s2">&quot;</span> <span class="o">%</span> <span class="n">sqli_info</span><span class="o">.</span><span class="n">injection_point</span><span class="p">)</span>
    <span class="n">ctx</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">error</span><span class="p">(</span><span class="s2">&quot;Regex used: </span><span class="si">%s</span><span class="s2">&quot;</span> <span class="o">%</span> <span class="n">sqli_info</span><span class="o">.</span><span class="n">regex</span><span class="p">)</span>
    <span class="n">ctx</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">error</span><span class="p">(</span><span class="s2">&quot;Suspected DBMS: </span><span class="si">%s</span><span class="s2">&quot;</span> <span class="o">%</span> <span class="n">sqli_info</span><span class="o">.</span><span class="n">dbms</span><span class="p">)</span>
    <span class="k">return</span>


<span class="k">def</span> <span class="nf">get_SQLi_data</span><span class="p">(</span><span class="n">new_body</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">original_body</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">request_URL</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">injection_point</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Optional</span><span class="p">[</span><span class="n">SQLiData</span><span class="p">]:</span>
    <span class="sd">&quot;&quot;&quot; Return a SQLiDict if there is a SQLi otherwise return None</span>
<span class="sd">        String String URL String -&gt; (SQLiDict or None) &quot;&quot;&quot;</span>
    <span class="c1"># Regexes taken from Damn Small SQLi Scanner: https://github.com/stamparm/DSSS/blob/master/dsss.py#L17</span>
    <span class="n">DBMS_ERRORS</span> <span class="o">=</span> <span class="p">{</span>
        <span class="s2">&quot;MySQL&quot;</span><span class="p">:</span> <span class="p">(</span><span class="sa">r</span><span class="s2">&quot;SQL syntax.*MySQL&quot;</span><span class="p">,</span> <span class="sa">r</span><span class="s2">&quot;Warning.*mysql_.*&quot;</span><span class="p">,</span> <span class="sa">r</span><span class="s2">&quot;valid MySQL result&quot;</span><span class="p">,</span> <span class="sa">r</span><span class="s2">&quot;MySqlClient\.&quot;</span><span class="p">),</span>
        <span class="s2">&quot;PostgreSQL&quot;</span><span class="p">:</span> <span class="p">(</span><span class="sa">r</span><span class="s2">&quot;PostgreSQL.*ERROR&quot;</span><span class="p">,</span> <span class="sa">r</span><span class="s2">&quot;Warning.*\Wpg_.*&quot;</span><span class="p">,</span> <span class="sa">r</span><span class="s2">&quot;valid PostgreSQL result&quot;</span><span class="p">,</span> <span class="sa">r</span><span class="s2">&quot;Npgsql\.&quot;</span><span class="p">),</span>
        <span class="s2">&quot;Microsoft SQL Server&quot;</span><span class="p">:</span> <span class="p">(</span><span class="sa">r</span><span class="s2">&quot;Driver.* SQL[\-\_\ ]*Server&quot;</span><span class="p">,</span> <span class="sa">r</span><span class="s2">&quot;OLE DB.* SQL Server&quot;</span><span class="p">,</span> <span class="sa">r</span><span class="s2">&quot;(\W|\A)SQL Server.*Driver&quot;</span><span class="p">,</span>
                                 <span class="sa">r</span><span class="s2">&quot;Warning.*mssql_.*&quot;</span><span class="p">,</span> <span class="sa">r</span><span class="s2">&quot;(\W|\A)SQL Server.*[0-9a-fA-F]</span><span class="si">{8}</span><span class="s2">&quot;</span><span class="p">,</span>
                                 <span class="sa">r</span><span class="s2">&quot;(?s)Exception.*\WSystem\.Data\.SqlClient\.&quot;</span><span class="p">,</span> <span class="sa">r</span><span class="s2">&quot;(?s)Exception.*\WRoadhouse\.Cms\.&quot;</span><span class="p">),</span>
        <span class="s2">&quot;Microsoft Access&quot;</span><span class="p">:</span> <span class="p">(</span><span class="sa">r</span><span class="s2">&quot;Microsoft Access Driver&quot;</span><span class="p">,</span> <span class="sa">r</span><span class="s2">&quot;JET Database Engine&quot;</span><span class="p">,</span> <span class="sa">r</span><span class="s2">&quot;Access Database Engine&quot;</span><span class="p">),</span>
        <span class="s2">&quot;Oracle&quot;</span><span class="p">:</span> <span class="p">(</span><span class="sa">r</span><span class="s2">&quot;\bORA-[0-9][0-9][0-9][0-9]&quot;</span><span class="p">,</span> <span class="sa">r</span><span class="s2">&quot;Oracle error&quot;</span><span class="p">,</span> <span class="sa">r</span><span class="s2">&quot;Oracle.*Driver&quot;</span><span class="p">,</span> <span class="sa">r</span><span class="s2">&quot;Warning.*\Woci_.*&quot;</span><span class="p">,</span> <span class="sa">r</span><span class="s2">&quot;Warning.*\Wora_.*&quot;</span><span class="p">),</span>
        <span class="s2">&quot;IBM DB2&quot;</span><span class="p">:</span> <span class="p">(</span><span class="sa">r</span><span class="s2">&quot;CLI Driver.*DB2&quot;</span><span class="p">,</span> <span class="sa">r</span><span class="s2">&quot;DB2 SQL error&quot;</span><span class="p">,</span> <span class="sa">r</span><span class="s2">&quot;\bdb2_\w+\(&quot;</span><span class="p">),</span>
        <span class="s2">&quot;SQLite&quot;</span><span class="p">:</span> <span class="p">(</span><span class="sa">r</span><span class="s2">&quot;SQLite/JDBCDriver&quot;</span><span class="p">,</span> <span class="sa">r</span><span class="s2">&quot;SQLite.Exception&quot;</span><span class="p">,</span> <span class="sa">r</span><span class="s2">&quot;System.Data.SQLite.SQLiteException&quot;</span><span class="p">,</span> <span class="sa">r</span><span class="s2">&quot;Warning.*sqlite_.*&quot;</span><span class="p">,</span>
                   <span class="sa">r</span><span class="s2">&quot;Warning.*SQLite3::&quot;</span><span class="p">,</span> <span class="sa">r</span><span class="s2">&quot;\[SQLITE_ERROR\]&quot;</span><span class="p">),</span>
        <span class="s2">&quot;Sybase&quot;</span><span class="p">:</span> <span class="p">(</span><span class="sa">r</span><span class="s2">&quot;(?i)Warning.*sybase.*&quot;</span><span class="p">,</span> <span class="sa">r</span><span class="s2">&quot;Sybase message&quot;</span><span class="p">,</span> <span class="sa">r</span><span class="s2">&quot;Sybase.*Server message.*&quot;</span><span class="p">),</span>
    <span class="p">}</span>
    <span class="k">for</span> <span class="n">dbms</span><span class="p">,</span> <span class="n">regexes</span> <span class="ow">in</span> <span class="n">DBMS_ERRORS</span><span class="o">.</span><span class="n">items</span><span class="p">():</span>
        <span class="k">for</span> <span class="n">regex</span> <span class="ow">in</span> <span class="n">regexes</span><span class="p">:</span>  <span class="c1"># type: ignore</span>
            <span class="k">if</span> <span class="n">re</span><span class="o">.</span><span class="n">search</span><span class="p">(</span><span class="n">regex</span><span class="p">,</span> <span class="n">new_body</span><span class="p">,</span> <span class="n">re</span><span class="o">.</span><span class="n">IGNORECASE</span><span class="p">)</span> <span class="ow">and</span> <span class="ow">not</span> <span class="n">re</span><span class="o">.</span><span class="n">search</span><span class="p">(</span><span class="n">regex</span><span class="p">,</span> <span class="n">original_body</span><span class="p">,</span> <span class="n">re</span><span class="o">.</span><span class="n">IGNORECASE</span><span class="p">):</span>
                <span class="k">return</span> <span class="n">SQLiData</span><span class="p">(</span><span class="n">request_URL</span><span class="p">,</span>
                                <span class="n">injection_point</span><span class="p">,</span>
                                <span class="n">regex</span><span class="p">,</span>
                                <span class="n">dbms</span><span class="p">)</span>
    <span class="k">return</span> <span class="kc">None</span>


<span class="c1"># A qc is either &#39; or &quot;</span>
<span class="k">def</span> <span class="nf">inside_quote</span><span class="p">(</span><span class="n">qc</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">substring_bytes</span><span class="p">:</span> <span class="nb">bytes</span><span class="p">,</span> <span class="n">text_index</span><span class="p">:</span> <span class="nb">int</span><span class="p">,</span> <span class="n">body_bytes</span><span class="p">:</span> <span class="nb">bytes</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span>
    <span class="sd">&quot;&quot;&quot; Whether the Numberth occurrence of the first string in the second</span>
<span class="sd">        string is inside quotes as defined by the supplied QuoteChar &quot;&quot;&quot;</span>
    <span class="n">substring</span> <span class="o">=</span> <span class="n">substring_bytes</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s1">&#39;utf-8&#39;</span><span class="p">)</span>
    <span class="n">body</span> <span class="o">=</span> <span class="n">body_bytes</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s1">&#39;utf-8&#39;</span><span class="p">)</span>
    <span class="n">num_substrings_found</span> <span class="o">=</span> <span class="mi">0</span>
    <span class="n">in_quote</span> <span class="o">=</span> <span class="kc">False</span>
    <span class="k">for</span> <span class="n">index</span><span class="p">,</span> <span class="n">char</span> <span class="ow">in</span> <span class="nb">enumerate</span><span class="p">(</span><span class="n">body</span><span class="p">):</span>
        <span class="c1"># Whether the next chunk of len(substring) chars is the substring</span>
        <span class="n">next_part_is_substring</span> <span class="o">=</span> <span class="p">(</span>
            <span class="p">(</span><span class="ow">not</span> <span class="p">(</span><span class="n">index</span> <span class="o">+</span> <span class="nb">len</span><span class="p">(</span><span class="n">substring</span><span class="p">)</span> <span class="o">&gt;</span> <span class="nb">len</span><span class="p">(</span><span class="n">body</span><span class="p">)))</span> <span class="ow">and</span>
            <span class="p">(</span><span class="n">body</span><span class="p">[</span><span class="n">index</span><span class="p">:</span><span class="n">index</span> <span class="o">+</span> <span class="nb">len</span><span class="p">(</span><span class="n">substring</span><span class="p">)]</span> <span class="o">==</span> <span class="n">substring</span><span class="p">)</span>
        <span class="p">)</span>
        <span class="c1"># Whether this char is escaped with a \</span>
        <span class="n">is_not_escaped</span> <span class="o">=</span> <span class="p">(</span>
            <span class="p">(</span><span class="n">index</span> <span class="o">-</span> <span class="mi">1</span> <span class="o">&lt;</span> <span class="mi">0</span> <span class="ow">or</span> <span class="n">index</span> <span class="o">-</span> <span class="mi">1</span> <span class="o">&gt;</span> <span class="nb">len</span><span class="p">(</span><span class="n">body</span><span class="p">))</span> <span class="ow">or</span>
            <span class="p">(</span><span class="n">body</span><span class="p">[</span><span class="n">index</span> <span class="o">-</span> <span class="mi">1</span><span class="p">]</span> <span class="o">!=</span> <span class="s2">&quot;</span><span class="se">\\</span><span class="s2">&quot;</span><span class="p">)</span>
        <span class="p">)</span>
        <span class="k">if</span> <span class="n">char</span> <span class="o">==</span> <span class="n">qc</span> <span class="ow">and</span> <span class="n">is_not_escaped</span><span class="p">:</span>
            <span class="n">in_quote</span> <span class="o">=</span> <span class="ow">not</span> <span class="n">in_quote</span>
        <span class="k">if</span> <span class="n">next_part_is_substring</span><span class="p">:</span>
            <span class="k">if</span> <span class="n">num_substrings_found</span> <span class="o">==</span> <span class="n">text_index</span><span class="p">:</span>
                <span class="k">return</span> <span class="n">in_quote</span>
            <span class="n">num_substrings_found</span> <span class="o">+=</span> <span class="mi">1</span>
    <span class="k">return</span> <span class="kc">False</span>


<span class="k">def</span> <span class="nf">paths_to_text</span><span class="p">(</span><span class="n">html</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">string</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">List</span><span class="p">[</span><span class="nb">str</span><span class="p">]:</span>
    <span class="sd">&quot;&quot;&quot; Return list of Paths to a given str in the given HTML tree</span>
<span class="sd">          - Note that it does a BFS &quot;&quot;&quot;</span>

    <span class="k">def</span> <span class="nf">remove_last_occurence_of_sub_string</span><span class="p">(</span><span class="n">string</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">substr</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span>
        <span class="sd">&quot;&quot;&quot; Delete the last occurrence of substr from str</span>
<span class="sd">        String String -&gt; String</span>
<span class="sd">        &quot;&quot;&quot;</span>
        <span class="n">index</span> <span class="o">=</span> <span class="n">string</span><span class="o">.</span><span class="n">rfind</span><span class="p">(</span><span class="n">substr</span><span class="p">)</span>
        <span class="k">return</span> <span class="n">string</span><span class="p">[:</span><span class="n">index</span><span class="p">]</span> <span class="o">+</span> <span class="n">string</span><span class="p">[</span><span class="n">index</span> <span class="o">+</span> <span class="nb">len</span><span class="p">(</span><span class="n">substr</span><span class="p">):]</span>

    <span class="k">class</span> <span class="nc">PathHTMLParser</span><span class="p">(</span><span class="n">HTMLParser</span><span class="p">):</span>
        <span class="n">currentPath</span> <span class="o">=</span> <span class="s2">&quot;&quot;</span>
        <span class="n">paths</span><span class="p">:</span> <span class="n">List</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="o">=</span> <span class="p">[]</span>

        <span class="k">def</span> <span class="nf">handle_starttag</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">tag</span><span class="p">,</span> <span class="n">attrs</span><span class="p">):</span>
            <span class="bp">self</span><span class="o">.</span><span class="n">currentPath</span> <span class="o">+=</span> <span class="p">(</span><span class="s2">&quot;/&quot;</span> <span class="o">+</span> <span class="n">tag</span><span class="p">)</span>

        <span class="k">def</span> <span class="nf">handle_endtag</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">tag</span><span class="p">):</span>
            <span class="bp">self</span><span class="o">.</span><span class="n">currentPath</span> <span class="o">=</span> <span class="n">remove_last_occurence_of_sub_string</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">currentPath</span><span class="p">,</span> <span class="s2">&quot;/&quot;</span> <span class="o">+</span> <span class="n">tag</span><span class="p">)</span>

        <span class="k">def</span> <span class="nf">handle_data</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">data</span><span class="p">):</span>
            <span class="k">if</span> <span class="n">string</span> <span class="ow">in</span> <span class="n">data</span><span class="p">:</span>
                <span class="bp">self</span><span class="o">.</span><span class="n">paths</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">currentPath</span><span class="p">)</span>

    <span class="n">parser</span> <span class="o">=</span> <span class="n">PathHTMLParser</span><span class="p">()</span>
    <span class="n">parser</span><span class="o">.</span><span class="n">feed</span><span class="p">(</span><span class="n">html</span><span class="p">)</span>
    <span class="k">return</span> <span class="n">parser</span><span class="o">.</span><span class="n">paths</span>


<span class="k">def</span> <span class="nf">get_XSS_data</span><span class="p">(</span><span class="n">body</span><span class="p">:</span> <span class="n">Union</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nb">bytes</span><span class="p">],</span> <span class="n">request_URL</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">injection_point</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Optional</span><span class="p">[</span><span class="n">XSSData</span><span class="p">]:</span>
    <span class="sd">&quot;&quot;&quot; Return a XSSDict if there is a XSS otherwise return None &quot;&quot;&quot;</span>
    <span class="k">def</span> <span class="nf">in_script</span><span class="p">(</span><span class="n">text</span><span class="p">,</span> <span class="n">index</span><span class="p">,</span> <span class="n">body</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span>
        <span class="sd">&quot;&quot;&quot; Whether the Numberth occurrence of the first string in the second</span>
<span class="sd">            string is inside a script tag &quot;&quot;&quot;</span>
        <span class="n">paths</span> <span class="o">=</span> <span class="n">paths_to_text</span><span class="p">(</span><span class="n">body</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s1">&#39;utf-8&#39;</span><span class="p">),</span> <span class="n">text</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s2">&quot;utf-8&quot;</span><span class="p">))</span>
        <span class="k">try</span><span class="p">:</span>
            <span class="n">path</span> <span class="o">=</span> <span class="n">paths</span><span class="p">[</span><span class="n">index</span><span class="p">]</span>
            <span class="k">return</span> <span class="s2">&quot;script&quot;</span> <span class="ow">in</span> <span class="n">path</span>
        <span class="k">except</span> <span class="ne">IndexError</span><span class="p">:</span>
            <span class="k">return</span> <span class="kc">False</span>

    <span class="k">def</span> <span class="nf">in_HTML</span><span class="p">(</span><span class="n">text</span><span class="p">:</span> <span class="nb">bytes</span><span class="p">,</span> <span class="n">index</span><span class="p">:</span> <span class="nb">int</span><span class="p">,</span> <span class="n">body</span><span class="p">:</span> <span class="nb">bytes</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span>
        <span class="sd">&quot;&quot;&quot; Whether the Numberth occurrence of the first string in the second</span>
<span class="sd">            string is inside the HTML but not inside a script tag or part of</span>
<span class="sd">            a HTML attribute&quot;&quot;&quot;</span>
        <span class="c1"># if there is a &lt; then lxml will interpret that as a tag, so only search for the stuff before it</span>
        <span class="n">text</span> <span class="o">=</span> <span class="n">text</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="sa">b</span><span class="s2">&quot;&lt;&quot;</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span>
        <span class="n">paths</span> <span class="o">=</span> <span class="n">paths_to_text</span><span class="p">(</span><span class="n">body</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s1">&#39;utf-8&#39;</span><span class="p">),</span> <span class="n">text</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s2">&quot;utf-8&quot;</span><span class="p">))</span>
        <span class="k">try</span><span class="p">:</span>
            <span class="n">path</span> <span class="o">=</span> <span class="n">paths</span><span class="p">[</span><span class="n">index</span><span class="p">]</span>
            <span class="k">return</span> <span class="s2">&quot;script&quot;</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">path</span>
        <span class="k">except</span> <span class="ne">IndexError</span><span class="p">:</span>
            <span class="k">return</span> <span class="kc">False</span>

    <span class="k">def</span> <span class="nf">inject_javascript_handler</span><span class="p">(</span><span class="n">html</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span>
        <span class="sd">&quot;&quot;&quot; Whether you can inject a Javascript:alert(0) as a link &quot;&quot;&quot;</span>
        <span class="k">class</span> <span class="nc">injectJSHandlerHTMLParser</span><span class="p">(</span><span class="n">HTMLParser</span><span class="p">):</span>
            <span class="n">injectJSHandler</span> <span class="o">=</span> <span class="kc">False</span>

            <span class="k">def</span> <span class="nf">handle_starttag</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">tag</span><span class="p">,</span> <span class="n">attrs</span><span class="p">):</span>
                <span class="k">for</span> <span class="n">name</span><span class="p">,</span> <span class="n">value</span> <span class="ow">in</span> <span class="n">attrs</span><span class="p">:</span>
                    <span class="k">if</span> <span class="n">name</span> <span class="o">==</span> <span class="s2">&quot;href&quot;</span> <span class="ow">and</span> <span class="n">value</span><span class="o">.</span><span class="n">startswith</span><span class="p">(</span><span class="n">FRONT_WALL</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s1">&#39;utf-8&#39;</span><span class="p">)):</span>
                        <span class="bp">self</span><span class="o">.</span><span class="n">injectJSHandler</span> <span class="o">=</span> <span class="kc">True</span>

        <span class="n">parser</span> <span class="o">=</span> <span class="n">injectJSHandlerHTMLParser</span><span class="p">()</span>
        <span class="n">parser</span><span class="o">.</span><span class="n">feed</span><span class="p">(</span><span class="n">html</span><span class="p">)</span>
        <span class="k">return</span> <span class="n">parser</span><span class="o">.</span><span class="n">injectJSHandler</span>
    <span class="c1"># Only convert the body to bytes if needed</span>
    <span class="k">if</span> <span class="nb">isinstance</span><span class="p">(</span><span class="n">body</span><span class="p">,</span> <span class="nb">str</span><span class="p">):</span>
        <span class="n">body</span> <span class="o">=</span> <span class="nb">bytes</span><span class="p">(</span><span class="n">body</span><span class="p">,</span> <span class="s1">&#39;utf-8&#39;</span><span class="p">)</span>
    <span class="c1"># Regex for between 24 and 72 (aka 24*3) characters encapsulated by the walls</span>
    <span class="n">regex</span> <span class="o">=</span> <span class="n">re</span><span class="o">.</span><span class="n">compile</span><span class="p">(</span><span class="sa">b</span><span class="s2">&quot;&quot;&quot;</span><span class="si">%s</span><span class="s2">.{24,72}?</span><span class="si">%s</span><span class="s2">&quot;&quot;&quot;</span> <span class="o">%</span> <span class="p">(</span><span class="n">FRONT_WALL</span><span class="p">,</span> <span class="n">BACK_WALL</span><span class="p">))</span>
    <span class="n">matches</span> <span class="o">=</span> <span class="n">regex</span><span class="o">.</span><span class="n">findall</span><span class="p">(</span><span class="n">body</span><span class="p">)</span>
    <span class="k">for</span> <span class="n">index</span><span class="p">,</span> <span class="n">match</span> <span class="ow">in</span> <span class="nb">enumerate</span><span class="p">(</span><span class="n">matches</span><span class="p">):</span>
        <span class="c1"># Where the string is injected into the HTML</span>
        <span class="n">in_script_val</span> <span class="o">=</span> <span class="n">in_script</span><span class="p">(</span><span class="n">match</span><span class="p">,</span> <span class="n">index</span><span class="p">,</span> <span class="n">body</span><span class="p">)</span>
        <span class="n">in_HTML_val</span> <span class="o">=</span> <span class="n">in_HTML</span><span class="p">(</span><span class="n">match</span><span class="p">,</span> <span class="n">index</span><span class="p">,</span> <span class="n">body</span><span class="p">)</span>
        <span class="n">in_tag</span> <span class="o">=</span> <span class="ow">not</span> <span class="n">in_script_val</span> <span class="ow">and</span> <span class="ow">not</span> <span class="n">in_HTML_val</span>
        <span class="n">in_single_quotes</span> <span class="o">=</span> <span class="n">inside_quote</span><span class="p">(</span><span class="s2">&quot;&#39;&quot;</span><span class="p">,</span> <span class="n">match</span><span class="p">,</span> <span class="n">index</span><span class="p">,</span> <span class="n">body</span><span class="p">)</span>
        <span class="n">in_double_quotes</span> <span class="o">=</span> <span class="n">inside_quote</span><span class="p">(</span><span class="s1">&#39;&quot;&#39;</span><span class="p">,</span> <span class="n">match</span><span class="p">,</span> <span class="n">index</span><span class="p">,</span> <span class="n">body</span><span class="p">)</span>
        <span class="c1"># Whether you can inject:</span>
        <span class="n">inject_open_angle</span> <span class="o">=</span> <span class="sa">b</span><span class="s2">&quot;ao&lt;ac&quot;</span> <span class="ow">in</span> <span class="n">match</span>  <span class="c1"># open angle brackets</span>
        <span class="n">inject_close_angle</span> <span class="o">=</span> <span class="sa">b</span><span class="s2">&quot;ac&gt;so&quot;</span> <span class="ow">in</span> <span class="n">match</span>  <span class="c1"># close angle brackets</span>
        <span class="n">inject_single_quotes</span> <span class="o">=</span> <span class="sa">b</span><span class="s2">&quot;s&#39;d&quot;</span> <span class="ow">in</span> <span class="n">match</span>  <span class="c1"># single quotes</span>
        <span class="n">inject_double_quotes</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;d&quot;ao&#39;</span> <span class="ow">in</span> <span class="n">match</span>  <span class="c1"># double quotes</span>
        <span class="n">inject_slash</span> <span class="o">=</span> <span class="sa">b</span><span class="s2">&quot;sl/bsl&quot;</span> <span class="ow">in</span> <span class="n">match</span>  <span class="c1"># forward slashes</span>
        <span class="n">inject_semi</span> <span class="o">=</span> <span class="sa">b</span><span class="s2">&quot;se;sl&quot;</span> <span class="ow">in</span> <span class="n">match</span>  <span class="c1"># semicolons</span>
        <span class="n">inject_equals</span> <span class="o">=</span> <span class="sa">b</span><span class="s2">&quot;eq=&quot;</span> <span class="ow">in</span> <span class="n">match</span>  <span class="c1"># equals sign</span>
        <span class="k">if</span> <span class="n">in_script_val</span> <span class="ow">and</span> <span class="n">inject_slash</span> <span class="ow">and</span> <span class="n">inject_open_angle</span> <span class="ow">and</span> <span class="n">inject_close_angle</span><span class="p">:</span>  <span class="c1"># e.g. &lt;script&gt;PAYLOAD&lt;/script&gt;</span>
            <span class="k">return</span> <span class="n">XSSData</span><span class="p">(</span><span class="n">request_URL</span><span class="p">,</span>
                           <span class="n">injection_point</span><span class="p">,</span>
                           <span class="s1">&#39;&lt;/script&gt;&lt;script&gt;alert(0)&lt;/script&gt;&lt;script&gt;&#39;</span><span class="p">,</span>
                           <span class="n">match</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s1">&#39;utf-8&#39;</span><span class="p">))</span>
        <span class="k">elif</span> <span class="n">in_script_val</span> <span class="ow">and</span> <span class="n">in_single_quotes</span> <span class="ow">and</span> <span class="n">inject_single_quotes</span> <span class="ow">and</span> <span class="n">inject_semi</span><span class="p">:</span>  <span class="c1"># e.g. &lt;script&gt;t=&#39;PAYLOAD&#39;;&lt;/script&gt;</span>
            <span class="k">return</span> <span class="n">XSSData</span><span class="p">(</span><span class="n">request_URL</span><span class="p">,</span>
                           <span class="n">injection_point</span><span class="p">,</span>
                           <span class="s2">&quot;&#39;;alert(0);g=&#39;&quot;</span><span class="p">,</span>
                           <span class="n">match</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s1">&#39;utf-8&#39;</span><span class="p">))</span>
        <span class="k">elif</span> <span class="n">in_script_val</span> <span class="ow">and</span> <span class="n">in_double_quotes</span> <span class="ow">and</span> <span class="n">inject_double_quotes</span> <span class="ow">and</span> <span class="n">inject_semi</span><span class="p">:</span>  <span class="c1"># e.g. &lt;script&gt;t=&quot;PAYLOAD&quot;;&lt;/script&gt;</span>
            <span class="k">return</span> <span class="n">XSSData</span><span class="p">(</span><span class="n">request_URL</span><span class="p">,</span>
                           <span class="n">injection_point</span><span class="p">,</span>
                           <span class="s1">&#39;&quot;;alert(0);g=&quot;&#39;</span><span class="p">,</span>
                           <span class="n">match</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s1">&#39;utf-8&#39;</span><span class="p">))</span>
        <span class="k">elif</span> <span class="n">in_tag</span> <span class="ow">and</span> <span class="n">in_single_quotes</span> <span class="ow">and</span> <span class="n">inject_single_quotes</span> <span class="ow">and</span> <span class="n">inject_open_angle</span> <span class="ow">and</span> <span class="n">inject_close_angle</span> <span class="ow">and</span> <span class="n">inject_slash</span><span class="p">:</span>
            <span class="c1"># e.g. &lt;a href=&#39;PAYLOAD&#39;&gt;Test&lt;/a&gt;</span>
            <span class="k">return</span> <span class="n">XSSData</span><span class="p">(</span><span class="n">request_URL</span><span class="p">,</span>
                           <span class="n">injection_point</span><span class="p">,</span>
                           <span class="s2">&quot;&#39;&gt;&lt;script&gt;alert(0)&lt;/script&gt;&quot;</span><span class="p">,</span>
                           <span class="n">match</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s1">&#39;utf-8&#39;</span><span class="p">))</span>
        <span class="k">elif</span> <span class="n">in_tag</span> <span class="ow">and</span> <span class="n">in_double_quotes</span> <span class="ow">and</span> <span class="n">inject_double_quotes</span> <span class="ow">and</span> <span class="n">inject_open_angle</span> <span class="ow">and</span> <span class="n">inject_close_angle</span> <span class="ow">and</span> <span class="n">inject_slash</span><span class="p">:</span>
            <span class="c1"># e.g. &lt;a href=&quot;PAYLOAD&quot;&gt;Test&lt;/a&gt;</span>
            <span class="k">return</span> <span class="n">XSSData</span><span class="p">(</span><span class="n">request_URL</span><span class="p">,</span>
                           <span class="n">injection_point</span><span class="p">,</span>
                           <span class="s1">&#39;&quot;&gt;&lt;script&gt;alert(0)&lt;/script&gt;&#39;</span><span class="p">,</span>
                           <span class="n">match</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s1">&#39;utf-8&#39;</span><span class="p">))</span>
        <span class="k">elif</span> <span class="n">in_tag</span> <span class="ow">and</span> <span class="ow">not</span> <span class="n">in_double_quotes</span> <span class="ow">and</span> <span class="ow">not</span> <span class="n">in_single_quotes</span> <span class="ow">and</span> <span class="n">inject_open_angle</span> <span class="ow">and</span> <span class="n">inject_close_angle</span> <span class="ow">and</span> <span class="n">inject_slash</span><span class="p">:</span>
            <span class="c1"># e.g. &lt;a href=PAYLOAD&gt;Test&lt;/a&gt;</span>
            <span class="k">return</span> <span class="n">XSSData</span><span class="p">(</span><span class="n">request_URL</span><span class="p">,</span>
                           <span class="n">injection_point</span><span class="p">,</span>
                           <span class="s1">&#39;&gt;&lt;script&gt;alert(0)&lt;/script&gt;&#39;</span><span class="p">,</span>
                           <span class="n">match</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s1">&#39;utf-8&#39;</span><span class="p">))</span>
        <span class="k">elif</span> <span class="n">inject_javascript_handler</span><span class="p">(</span><span class="n">body</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s1">&#39;utf-8&#39;</span><span class="p">)):</span>  <span class="c1"># e.g. &lt;html&gt;&lt;a href=PAYLOAD&gt;Test&lt;/a&gt;</span>
            <span class="k">return</span> <span class="n">XSSData</span><span class="p">(</span><span class="n">request_URL</span><span class="p">,</span>
                           <span class="n">injection_point</span><span class="p">,</span>
                           <span class="s1">&#39;Javascript:alert(0)&#39;</span><span class="p">,</span>
                           <span class="n">match</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s1">&#39;utf-8&#39;</span><span class="p">))</span>
        <span class="k">elif</span> <span class="n">in_tag</span> <span class="ow">and</span> <span class="n">in_double_quotes</span> <span class="ow">and</span> <span class="n">inject_double_quotes</span> <span class="ow">and</span> <span class="n">inject_equals</span><span class="p">:</span>  <span class="c1"># e.g. &lt;a href=&quot;PAYLOAD&quot;&gt;Test&lt;/a&gt;</span>
            <span class="k">return</span> <span class="n">XSSData</span><span class="p">(</span><span class="n">request_URL</span><span class="p">,</span>
                           <span class="n">injection_point</span><span class="p">,</span>
                           <span class="s1">&#39;&quot; onmouseover=&quot;alert(0)&quot; t=&quot;&#39;</span><span class="p">,</span>
                           <span class="n">match</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s1">&#39;utf-8&#39;</span><span class="p">))</span>
        <span class="k">elif</span> <span class="n">in_tag</span> <span class="ow">and</span> <span class="n">in_single_quotes</span> <span class="ow">and</span> <span class="n">inject_single_quotes</span> <span class="ow">and</span> <span class="n">inject_equals</span><span class="p">:</span>  <span class="c1"># e.g. &lt;a href=&#39;PAYLOAD&#39;&gt;Test&lt;/a&gt;</span>
            <span class="k">return</span> <span class="n">XSSData</span><span class="p">(</span><span class="n">request_URL</span><span class="p">,</span>
                           <span class="n">injection_point</span><span class="p">,</span>
                           <span class="s2">&quot;&#39; onmouseover=&#39;alert(0)&#39; t=&#39;&quot;</span><span class="p">,</span>
                           <span class="n">match</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s1">&#39;utf-8&#39;</span><span class="p">))</span>
        <span class="k">elif</span> <span class="n">in_tag</span> <span class="ow">and</span> <span class="ow">not</span> <span class="n">in_single_quotes</span> <span class="ow">and</span> <span class="ow">not</span> <span class="n">in_double_quotes</span> <span class="ow">and</span> <span class="n">inject_equals</span><span class="p">:</span>  <span class="c1"># e.g. &lt;a href=PAYLOAD&gt;Test&lt;/a&gt;</span>
            <span class="k">return</span> <span class="n">XSSData</span><span class="p">(</span><span class="n">request_URL</span><span class="p">,</span>
                           <span class="n">injection_point</span><span class="p">,</span>
                           <span class="s2">&quot; onmouseover=alert(0) t=&quot;</span><span class="p">,</span>
                           <span class="n">match</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s1">&#39;utf-8&#39;</span><span class="p">))</span>
        <span class="k">elif</span> <span class="n">in_HTML_val</span> <span class="ow">and</span> <span class="ow">not</span> <span class="n">in_script_val</span> <span class="ow">and</span> <span class="n">inject_open_angle</span> <span class="ow">and</span> <span class="n">inject_close_angle</span> <span class="ow">and</span> <span class="n">inject_slash</span><span class="p">:</span>  <span class="c1"># e.g. &lt;html&gt;PAYLOAD&lt;/html&gt;</span>
            <span class="k">return</span> <span class="n">XSSData</span><span class="p">(</span><span class="n">request_URL</span><span class="p">,</span>
                           <span class="n">injection_point</span><span class="p">,</span>
                           <span class="s1">&#39;&lt;script&gt;alert(0)&lt;/script&gt;&#39;</span><span class="p">,</span>
                           <span class="n">match</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s1">&#39;utf-8&#39;</span><span class="p">))</span>
        <span class="k">else</span><span class="p">:</span>
            <span class="k">return</span> <span class="kc">None</span>
    <span class="k">return</span> <span class="kc">None</span>


<span class="c1"># response is mitmproxy&#39;s entry point</span>
<span class="k">def</span> <span class="nf">response</span><span class="p">(</span><span class="n">flow</span><span class="p">:</span> <span class="n">http</span><span class="o">.</span><span class="n">HTTPFlow</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="kc">None</span><span class="p">:</span>
    <span class="n">cookies_dict</span> <span class="o">=</span> <span class="n">get_cookies</span><span class="p">(</span><span class="n">flow</span><span class="p">)</span>
    <span class="n">resp</span> <span class="o">=</span> <span class="n">flow</span><span class="o">.</span><span class="n">response</span><span class="o">.</span><span class="n">get_text</span><span class="p">(</span><span class="n">strict</span><span class="o">=</span><span class="kc">False</span><span class="p">)</span>
    <span class="c1"># Example: http://xss.guru/unclaimedScriptTag.html</span>
    <span class="n">find_unclaimed_URLs</span><span class="p">(</span><span class="n">resp</span><span class="p">,</span> <span class="n">flow</span><span class="o">.</span><span class="n">request</span><span class="o">.</span><span class="n">url</span><span class="p">)</span>
    <span class="n">results</span> <span class="o">=</span> <span class="n">test_end_of_URL_injection</span><span class="p">(</span><span class="n">resp</span><span class="p">,</span> <span class="n">flow</span><span class="o">.</span><span class="n">request</span><span class="o">.</span><span class="n">url</span><span class="p">,</span> <span class="n">cookies_dict</span><span class="p">)</span>
    <span class="n">log_XSS_data</span><span class="p">(</span><span class="n">results</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span>
    <span class="n">log_SQLi_data</span><span class="p">(</span><span class="n">results</span><span class="p">[</span><span class="mi">1</span><span class="p">])</span>
    <span class="c1"># Example: https://daviddworken.com/vulnerableReferer.php</span>
    <span class="n">results</span> <span class="o">=</span> <span class="n">test_referer_injection</span><span class="p">(</span><span class="n">resp</span><span class="p">,</span> <span class="n">flow</span><span class="o">.</span><span class="n">request</span><span class="o">.</span><span class="n">url</span><span class="p">,</span> <span class="n">cookies_dict</span><span class="p">)</span>
    <span class="n">log_XSS_data</span><span class="p">(</span><span class="n">results</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span>
    <span class="n">log_SQLi_data</span><span class="p">(</span><span class="n">results</span><span class="p">[</span><span class="mi">1</span><span class="p">])</span>
    <span class="c1"># Example: https://daviddworken.com/vulnerableUA.php</span>
    <span class="n">results</span> <span class="o">=</span> <span class="n">test_user_agent_injection</span><span class="p">(</span><span class="n">resp</span><span class="p">,</span> <span class="n">flow</span><span class="o">.</span><span class="n">request</span><span class="o">.</span><span class="n">url</span><span class="p">,</span> <span class="n">cookies_dict</span><span class="p">)</span>
    <span class="n">log_XSS_data</span><span class="p">(</span><span class="n">results</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span>
    <span class="n">log_SQLi_data</span><span class="p">(</span><span class="n">results</span><span class="p">[</span><span class="mi">1</span><span class="p">])</span>
    <span class="k">if</span> <span class="s2">&quot;?&quot;</span> <span class="ow">in</span> <span class="n">flow</span><span class="o">.</span><span class="n">request</span><span class="o">.</span><span class="n">url</span><span class="p">:</span>
        <span class="c1"># Example: https://daviddworken.com/vulnerable.php?name=</span>
        <span class="n">results</span> <span class="o">=</span> <span class="n">test_query_injection</span><span class="p">(</span><span class="n">resp</span><span class="p">,</span> <span class="n">flow</span><span class="o">.</span><span class="n">request</span><span class="o">.</span><span class="n">url</span><span class="p">,</span> <span class="n">cookies_dict</span><span class="p">)</span>
        <span class="n">log_XSS_data</span><span class="p">(</span><span class="n">results</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span>
        <span class="n">log_SQLi_data</span><span class="p">(</span><span class="n">results</span><span class="p">[</span><span class="mi">1</span><span class="p">])</span>
</pre></div>
</code></pre></td></tr></table>
</div> <!-- class=content -->
<div class='footer'>generated by <a href='https://git.zx2c4.com/cgit/about/'>cgit v1.2.3</a> (<a href='https://git-scm.com/'>git 2.25.1</a>) at 2025-06-01 04:26:21 +0000</div>
</div> <!-- id=cgit -->
</body>
</html>