import argparse
import os
import re
# NOTE(review): distutils was removed from the standard library in Python 3.12,
# and neither `clean` nor `count` is referenced in this file.
from distutils.command.clean import clean
from itertools import count
from urllib.parse import urljoin, urlparse

import requests
from bs4 import BeautifulSoup
from bs4 import SoupStrainer
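# Command-line interface: the page to fetch and the wordlist of names to look for.
parser = argparse.ArgumentParser(description='Trying to help bug bounty processes')
parser.add_argument('-u', '--url', help='URL to scan', required=True)
parser.add_argument('-w', '--wordlist', help='Wordlist to scan', required=True)
argsx = parser.parse_args()
# Kept only as an alias for backward compatibility: the original parsed argv a
# second time into this name and never used the result.
dangerous_functions_files = argsx
# A timeout stops the scan from hanging forever on an unresponsive host.
# requests follows redirects by default, so the body analysed below may have
# been served by a different host than the one given in --url.
content_of_page = requests.get(argsx.url, timeout=15).text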
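# Names treated as DOM sinks / sensitive APIs. A wordlist entry is reported only
# when it is also present here. Matching is a plain substring test on the script
# text, so an "element.*" entry hits only when the variable is literally named
# "element".
# NOTE(review): checker()/checker_v2() also have branches for
# 'element.innerHTML' and 'element.href', which are not listed here and are
# therefore never reported - confirm whether that is intended.
javascript_injection = [
    "eval",
    "window.location",
    "document.cookie",
    "document.write",
    "WebSocket",
    "element.src",
    "postMessage",
    "setRequestHeader",
    "FileReader.readAsText",
    "ExecuteSql",
    "sessionStorage.setItem",
    "localStorage.setItem",
    "document.evaluate",
    "JSON.parse",
    "JSON.stringify",
    "parseJSON",
    "element.evaluate",
    "FileReader.readAsArrayBuffer",
    "FileReader.readAsBinaryString",
    "FileReader.readAsDataURL",
    "FileReader.readAsFile",
    "FileReader.root.getFile",
    # The original listed "element.setAttribute" twice and left out the comma
    # after the second copy, so Python concatenated it with the next literal
    # into "element.setAttributeelement.search" and "element.search" was lost.
    "element.setAttribute",
    "element.search",
    "element.text",
    "element.textContent",
    "element.innerText",
    "element.outerText",
    "element.value",
    "element.name",
    "element.target",
    "element.method",
    "element.type",
    "element.backgroundImage",
    "element.cssText",
    "element.codebase",
    "autofocus",
]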
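# Load the wordlist: one candidate name per line.
with open(argsx.wordlist, 'r') as f:
    lines = f.readlines()

# Strip each entry BEFORE the duplicate check. The original compared the raw
# line (still carrying its newline) against already-stripped entries, so
# duplicates were never detected and every repeated word was reported again.
# Blank lines are dropped as well, since an empty string matches any text.
clean_list = []
for line in lines:
    entry = line.strip()
    if entry and entry not in clean_list:
        clean_list.append(entry)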
def checker(line, source_code):
    """Print triage notes for a sink name that matched inline page script.

    Args:
        line: Wordlist entry that matched; compared by equality against the
            sink names in the rule table below.
        source_code: Object whose ``sourceline`` attribute is echoed (through
            ``repr``) in the banner line.

    Rules are applied in table order and are not mutually exclusive:
    ``element.src`` is named by two rules and so prints both sets of notes.
    A name with no rule produces only the banner line.
    """
    # Each rule is (sink names, notes); each note is the argument tuple for print().
    rules = (
        (
            ('eval',),
            (
                ("Possible Javascript Injection",),
                ("Look at the eval() function parameters. If parameters has user input, it is vulnerable to javascript injection",),
                ("Possible payloads: eval(document.cookie), eval(document.domain), eval(document.location)",),
                ("More info at https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval",),
            ),
        ),
        (
            ('document.write',),
            (
                ("Might cause DOM XSS",),
                ("Possible payloads: \"><svg onload=alert(1)>",),
                ("More info at https://developer.mozilla.org/en-US/docs/Web/API/Document/write",),
            ),
        ),
        (
            ('window.location',),
            (
                ("Possible payloads: window.location = 'https://www.attecker_website.com'",),
                ("Might cause Open redirection vulnerability",),
                ("More info at https://developer.mozilla.org/en-US/docs/Web/API/Window/location",),
            ),
        ),
        (
            ('document.cookie',),
            (
                ("The document.cookie sink can lead to DOM-based cookie-manipulation vulnerabilities.",),
                ("More info at https://developer.mozilla.org/en-US/docs/Web/API/Document/cookie and https://portswigger.net/web-security/dom-based/cookie-manipulation",),
            ),
        ),
        (
            ('WebSocket',),
            (
                ("Possible payloads: new WebSocket('ws://attacker.com')",),
                ("More info at https://developer.mozilla.org/en-US/docs/Web/API/WebSocket",),
            ),
        ),
        (
            ('element.src',),
            (
                ("Might cause DOM-based link manipulation",),
                ("\"element.href, element.src, element.action main sinks\" can lead to DOM-based link-manipulation vulnerabilities.",),
            ),
        ),
        (
            ('postMessage',),
            (
                ("Possible payloads: window.postMessage('hello', 'https://attacker.com')",),
                ("More info at https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage",),
            ),
        ),
        (
            ('setRequestHeader',),
            (
                ("Possible payloads: xhr.setRequestHeader('X-Forwarded-For', ')",),
                ("More info at https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/setRequestHeader",),
            ),
        ),
        (
            (
                'FileReader.readAsText',
                'FileReader.readAsDataURL',
                'FileReader.readAsBinaryString',
                'FileReader.readAsArrayBuffer',
            ),
            (
                ("Possible payloads: reader.readAsText(file)",),
                ("More info at https://developer.mozilla.org/en-US/docs/Web/API/FileReader/readAsText",),
            ),
        ),
        (
            ('ExecuteSql',),
            (
                ("Client Side SQLi | Possible payloads: db.executeSql('SELECT * FROM users')",),
                ("More info at https://developer.mozilla.org/en-US/docs/Web/API/SQLDatabase/executeSql",),
            ),
        ),
        (
            ('sessionStorage.setItem', 'localStorage.setItem'),
            (
                ("Possible payloads: sessionStorage.setItem('key', 'value')", "localStorage.setItem('key', 'value')"),
                ("More info at https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage",),
            ),
        ),
        (
            ('document.evaluate', 'element.evaluate'),
            (
                ("Client-side XPath injection | Possible payloads: document.evaluate('string', document, null, XPathResult.ANY_TYPE, null)",),
                ("More info at https://developer.mozilla.org/en-US/docs/Web/API/Document/evaluate",),
            ),
        ),
        (
            ('JSON.parse', 'JSON.stringify', 'parseJSON'),
            (
                ("Possible payloads: JSON.parse('string')",),
                ("More info at https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/parse",),
            ),
        ),
        (
            (
                'element.setAttribute',
                'element.search',
                'element.textContent',
                'element.innerText',
                'element.innerHTML',
                'element.outerText',
                'element.value',
                'element.href',
                'element.src',
                'element.target',
            ),
            (
                ("Might cause DOM XSS",),
                ("Possible payloads: \"><svg onload=alert(1)>",),
                ("More info at https://developer.mozilla.org/en-US/docs/Web/API/Element/setAttribute",),
                ("Might cause DOM-based link manipulation",),
                ("\"element.href, element.src, element.action main sinks\" can lead to DOM-based link-manipulation vulnerabilities.",),
            ),
        ),
    )

    # The banner is printed for every call, whether or not a rule matches.
    print("Possibly javascript injection on line", repr(source_code.sourceline), "in source code")
    for sink_names, notes in rules:
        if line not in sink_names:
            continue
        for note_args in notes:
            print(*note_args)
def checker_v2(line, js_path):
    """Print triage notes for a sink name that matched an external script.

    Args:
        line: Wordlist entry that matched; compared by equality against the
            sink names in the rule table below.
        js_path: Location of the script file, appended to the banner and to
            the first note of most rules.

    Rules are applied in table order and are not mutually exclusive:
    ``element.src`` is named by two rules and so prints both sets of notes.
    A name with no rule produces only the banner line.
    """
    # Each rule is (sink names, notes); each note is the argument tuple for print().
    rules = (
        (
            ('eval',),
            (
                ("Possible Javascript Injection in javascript file", js_path),
                ("Look at the eval() function parameters. If parameters has user input, it is vulnerable to javascript injection",),
                ("Possible payloads: eval(document.cookie), eval(document.domain), eval(document.location)",),
                ("More info at https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval",),
            ),
        ),
        (
            ('document.write',),
            (
                ("Might cause DOM XSS in javascript file", js_path),
                ("Might cause DOM XSS",),
                ("Possible payloads: \"><svg onload=alert(1)>",),
                ("More info at https://developer.mozilla.org/en-US/docs/Web/API/Document/write",),
            ),
        ),
        (
            ('window.location',),
            (
                ("Possible payloads: window.location = 'https://www.attecker_website.com'",),
                ("Might cause Open redirection vulnerability in javascript file", js_path),
                ("More info at https://developer.mozilla.org/en-US/docs/Web/API/Window/location",),
            ),
        ),
        (
            ('document.cookie',),
            (
                ("The document.cookie sink can lead to DOM-based cookie-manipulation vulnerabilities in javascript file", js_path),
                ("More info at https://developer.mozilla.org/en-US/docs/Web/API/Document/cookie and https://portswigger.net/web-security/dom-based/cookie-manipulation",),
            ),
        ),
        (
            ('WebSocket',),
            (
                ("Websocket vuln in javascript file", js_path),
                ("Possible payloads: new WebSocket('ws://attacker.com')",),
                ("More info at https://developer.mozilla.org/en-US/docs/Web/API/WebSocket",),
            ),
        ),
        (
            ('element.src',),
            (
                ("Might cause DOM-based link manipulation in javascript file", js_path),
                ("\"element.href, element.src, element.action main sinks\" can lead to DOM-based link-manipulation vulnerabilities.",),
            ),
        ),
        (
            ('postMessage',),
            (
                ("PostMessage vuln in javascript file", js_path),
                ("Possible payloads: window.postMessage('hello', 'https://attacker.com')",),
                ("More info at https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage",),
            ),
        ),
        (
            ('setRequestHeader',),
            (
                ("setRequestHeader in javascript file", js_path),
                ("Possible payloads: xhr.setRequestHeader('X-Forwarded-For', ')",),
                ("More info at https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/setRequestHeader",),
            ),
        ),
        (
            (
                'FileReader.readAsText',
                'FileReader.readAsDataURL',
                'FileReader.readAsBinaryString',
                'FileReader.readAsArrayBuffer',
            ),
            (
                ("FileReader in javascript file", js_path),
                ("Possible payloads: reader.readAsText(file)",),
                ("More info at https://developer.mozilla.org/en-US/docs/Web/API/FileReader/readAsText",),
            ),
        ),
        (
            ('ExecuteSql',),
            (
                ("ExecuteSql in", js_path),
                ("Client Side SQLi | Possible payloads: db.executeSql('SELECT * FROM users')",),
                ("More info at https://developer.mozilla.org/en-US/docs/Web/API/SQLDatabase/executeSql",),
            ),
        ),
        (
            ('sessionStorage.setItem', 'localStorage.setItem'),
            (
                ("sessionStorange or localStorage in javascript file", js_path),
                ("Possible payloads: sessionStorage.setItem('key', 'value')", "localStorage.setItem('key', 'value')"),
                ("More info at https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage",),
            ),
        ),
        (
            ('document.evaluate', 'element.evaluate'),
            (
                ("Possible Client-side XPath injection in javascript file", js_path),
                ("Client-side XPath injection | Possible payloads: document.evaluate('string', document, null, XPathResult.ANY_TYPE, null)",),
                ("More info at https://developer.mozilla.org/en-US/docs/Web/API/Document/evaluate",),
            ),
        ),
        (
            ('JSON.parse', 'JSON.stringify', 'parseJSON'),
            (
                ("JSON.parse in javascript file", js_path),
                ("Possible payloads: JSON.parse('string')",),
                ("More info at https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/parse",),
            ),
        ),
        (
            (
                'element.setAttribute',
                'element.search',
                'element.textContent',
                'element.innerText',
                'element.innerHTML',
                'element.outerText',
                'element.value',
                'element.href',
                'element.src',
                'element.target',
            ),
            (
                ("Might cause DOM XSS in javascript file", js_path),
                ("Possible payloads: \"><svg onload=alert(1)>",),
                ("More info at https://developer.mozilla.org/en-US/docs/Web/API/Element/setAttribute",),
                ("Might cause DOM-based link manipulation",),
                ("\"element.href, element.src, element.action main sinks\" can lead to DOM-based link-manipulation vulnerabilities.",),
            ),
        ),
    )

    # The banner is printed for every call, whether or not a rule matches.
    print("Might be dangerous function in javascript file", js_path)
    for sink_names, notes in rules:
        if line not in sink_names:
            continue
        for note_args in notes:
            print(*note_args)
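# Pass 1: external scripts. Every <script src=...> is fetched and its body is
# searched for wordlist entries that are also listed in javascript_injection.
source_code = BeautifulSoup(content_of_page, 'html.parser', store_line_numbers=True)
for script in source_code.find_all('script'):
    print("Javascript found on line", repr(script.sourceline), "in source code")
    if "src" not in script.attrs:
        continue  # inline script: covered by investigate_js()
    print(f"Found {script.attrs['src']}")
    # Resolve the reference against the page URL. The original dropped the first
    # character of src and appended the rest to --url, which only works for a
    # "/path" reference with a base ending in "/", and mangles absolute URLs
    # such as a CDN link.
    js_url_path = urljoin(argsx.url, script.attrs['src'])
    print(js_url_path)
    # requests cannot fetch non-HTTP(S) references such as data: URIs; skip
    # them instead of aborting the scan.
    if urlparse(js_url_path).scheme not in ("http", "https"):
        print("Skipping non-HTTP script reference", js_url_path)
        continue
    try:
        # Timeout so one unresponsive script host cannot stall the scan.
        content_of_page_js = requests.get(js_url_path, timeout=15).text
    except requests.RequestException as exc:
        print("Could not fetch", js_url_path, "-", exc)
        continue
    for line in clean_list:
        if line in javascript_injection and line in content_of_page_js:
            checker_v2(line, js_url_path)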
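def investigate_js(content_of_page, wordlist):
    """Scan inline <script> bodies for wordlist entries that are known sinks.

    Args:
        content_of_page: HTML text of the page to analyse.
        wordlist: Iterable of candidate names; an entry is reported only when
            it is also listed in ``javascript_injection``.

    For each hit, ``checker`` prints its notes and a summary line with the
    script tag's source line follows.
    """
    source_code = BeautifulSoup(content_of_page, 'html.parser', store_line_numbers=True)
    for script_content in source_code.find_all('script'):
        # The src test belongs on the <script> tag. The original tested the
        # parsed document object instead of the tag, so scripts with a src
        # attribute were not excluded by it.
        if "src" in script_content.attrs:
            continue
        for lines_of_script_content in script_content:
            for line in wordlist:
                if line in javascript_injection and line in lines_of_script_content:
                    # Hand checker the tag rather than the whole document, so its
                    # banner reports the script's line like the summary below.
                    checker(line, script_content)
                    print(f"Found {line} function in script page at line {script_content.sourceline}")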
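# Pass 2: inline scripts in the fetched page.
investigate_js(content_of_page, clean_list)
# No explicit f.close() here: the wordlist handle was opened in a `with` block,
# which has already closed it.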