private SentinelHttpMessage attack(AttackData data) throws ConnectionTimeoutException {
if (attackWorkEntry.attackHttpParam.getTypeStr().equals("GET")
|| attackWorkEntry.attackHttpParam.getTypeStr().equals("PATH")) {
data.urlEncode();
}
SentinelHttpMessageAtk httpMessage = initAttackHttpMessage(data.getInput());
if (httpMessage == null) {
return null;
}
lastHttpMessage = httpMessage;
BurpCallbacks.getInstance().sendRessource(httpMessage, attackWorkEntry.followRedirect);
if (!httpMessage.getRes().hasResponse()) {
BurpCallbacks.getInstance().print("Response error");
return httpMessage;
}
analyzeResponse(data, httpMessage);
// Highlight indicator anyway
String indicator = XssIndicator.getInstance().getBaseIndicator();
if (!indicator.equals(data.getOutput())) {
ResponseHighlight h = new ResponseHighlight(indicator, Color.green);
httpMessage.getRes().addHighlight(h);
}
return httpMessage;
}
public AttackXss(AttackWorkEntry work) {
super(work);
attackData = new LinkedList<AttackData>();
String indicator;
indicator = XssIndicator.getInstance().getIndicator();
/*
1 <p>"
2 %3Cp%3E%22
3 <p "=>
4 %3Cp%20%22%3D%3E
5 ' = t
6 %27%20%3D t
7 " = t
8 %20%22%3D t
9 %5C%5C%27%5C%5C%22_\'\"
10 _\u0022a_æ_\u00e6
11 %253Ca%2527%2522%253E
*/
attackData.add(new AttackData(0, indicator, indicator, AttackData.AttackType.INFO));
attackData.add(
new AttackData(1, indicator + "<p>\"", indicator + "<p>\"", AttackData.AttackType.VULN));
attackData.add(
new AttackData(
2, indicator + "%3Cp%3E%22", indicator + "<p>\"", AttackData.AttackType.VULN));
attackData.add(
new AttackData(
3, indicator + "<p \"=>", indicator + "<p \"=>", AttackData.AttackType.VULN));
attackData.add(
new AttackData(
4, indicator + "%3Cp%20%22%3D%3E", indicator + "<p \"=>", AttackData.AttackType.VULN));
attackData.add(
new AttackData(5, indicator + "' =", indicator + "' =", AttackData.AttackType.VULN));
attackData.add(
new AttackData(6, indicator + "%27%20%3D", indicator + "' =", AttackData.AttackType.VULN));
attackData.add(
new AttackData(7, indicator + "\" =", indicator + "\" =", AttackData.AttackType.VULN));
attackData.add(
new AttackData(8, indicator + "%22%20%3D", indicator + "\" =", AttackData.AttackType.VULN));
attackData.add(
new AttackData(
9, indicator + "%5C%27%5C%22_\\'\\\"", indicator + "", AttackData.AttackType.VULN));
attackData.add(
new AttackData(
10, indicator + "_\\u0022_æ_\\u00E6_", indicator + "", AttackData.AttackType.VULN));
attackData.add(
new AttackData(
11,
indicator + "%253Cp%2527%2522%253E",
indicator + "<p'\">",
AttackData.AttackType.VULN));
}
@Override
public boolean performNextAttack() {
boolean doContinue = false;
AttackData data = attackData.get(state);
SentinelHttpMessage httpMessage;
try {
httpMessage = attack(data);
if (httpMessage == null) {
return false;
}
} catch (ConnectionTimeoutException ex) {
state++;
return false;
}
switch (state) {
case 0:
doContinue = true;
if (checkTag(
httpMessage.getRes().getResponseStr(), XssIndicator.getInstance().getBaseIndicator())) {
inputReflectedInTag = true;
} else {
inputReflectedInTag = false;
}
break;
case 11:
doContinue = false;
break;
default:
doContinue = true;
break;
}
state++;
return doContinue;
}
