/**
 * Sends one probe to the target and returns the resulting message.
 *
 * <p>Probes going into a {@code GET} or {@code PATH} parameter are URL-encoded
 * first; other parameter types carry the probe as-is. The message is recorded in
 * {@code lastHttpMessage} before it is sent. When the server answers,
 * {@code analyzeResponse} runs and the base indicator is highlighted in the
 * response unless it is exactly the probe's expected output.
 *
 * @param data the probe to send (mutated in place by {@code urlEncode()})
 * @return the message pair, or {@code null} when no request could be built;
 *     a message without a response is returned unanalyzed
 * @throws ConnectionTimeoutException when the request times out
 */
private SentinelHttpMessage attack(AttackData data) throws ConnectionTimeoutException {
  String paramType = attackWorkEntry.attackHttpParam.getTypeStr();
  boolean urlEncodedParam = paramType.equals("GET") || paramType.equals("PATH");
  if (urlEncodedParam) {
    data.urlEncode();
  }

  SentinelHttpMessageAtk request = initAttackHttpMessage(data.getInput());
  if (request == null) {
    return null;
  }
  lastHttpMessage = request;
  BurpCallbacks.getInstance().sendRessource(request, attackWorkEntry.followRedirect);

  // No response at all: report it and hand the bare request back to the caller.
  if (!request.getRes().hasResponse()) {
    BurpCallbacks.getInstance().print("Response error");
    return request;
  }

  analyzeResponse(data, request);

  // Mark where the indicator landed in the response, so the reflection is easy to
  // find in the UI even when the probe itself did not match.
  String baseIndicator = XssIndicator.getInstance().getBaseIndicator();
  if (baseIndicator.equals(data.getOutput())) {
    return request;
  }
  ResponseHighlight highlight = new ResponseHighlight(baseIndicator, Color.green);
  request.getRes().addHighlight(highlight);
  return request;
}
/**
 * Builds the fixed probe list for this XSS check.
 *
 * <p>Probe 0 sends the bare indicator and is tagged {@code INFO}: it only
 * establishes whether the parameter is reflected at all. Probes 1..11 append
 * markup and quote characters to the indicator, alternating between raw and
 * URL-encoded (once or twice) forms, so the analysis can tell an escaped
 * reflection from an unescaped one. For each probe the first string is what is
 * sent and the second is the reflection it is matched against; an empty suffix
 * (probes 9 and 10) presumably means no particular reflection is expected —
 * the matching itself happens in {@code analyzeResponse}, not shown here.
 *
 * @param work the attack work entry handed to the parent constructor
 */
public AttackXss(AttackWorkEntry work) {
  super(work);
  attackData = new LinkedList<AttackData>();
  final String indicator = XssIndicator.getInstance().getIndicator();

  attackData.add(new AttackData(0, indicator, indicator, AttackData.AttackType.INFO));

  // {sent suffix, expected reflected suffix}; the list index is the probe id.
  final String[][] probes = {
    {"<p>\"", "<p>\""},
    {"%3Cp%3E%22", "<p>\""},
    {"<p \"=>", "<p \"=>"},
    {"%3Cp%20%22%3D%3E", "<p \"=>"},
    {"' =", "' ="},
    {"%27%20%3D", "' ="},
    {"\" =", "\" ="},
    {"%22%20%3D", "\" ="},
    {"%5C%27%5C%22_\\'\\\"", ""},
    {"_\\u0022_æ_\\u00E6_", ""},
    {"%253Cp%2527%2522%253E", "<p'\">"},
  };

  int probeId = 1;
  for (String[] probe : probes) {
    attackData.add(
        new AttackData(probeId, indicator + probe[0], indicator + probe[1], AttackData.AttackType.VULN));
    probeId++;
  }
}
/**
 * Runs the probe at the current {@code state} index and advances the index.
 *
 * <p>After probe 0 the field {@code inputReflectedInTag} is set from
 * {@code checkTag} on the response body. A timed-out probe advances the index
 * but stops the run; a probe for which no request could be built stops the run
 * without advancing.
 *
 * @return {@code true} while more probes remain, {@code false} after the last
 *     probe (index 11, the final entry added in the constructor) or on error
 */
@Override
public boolean performNextAttack() {
  AttackData current = attackData.get(state);
  SentinelHttpMessage httpMessage;
  try {
    httpMessage = attack(current);
  } catch (ConnectionTimeoutException ex) {
    // Skip past the probe that timed out, then stop.
    state++;
    return false;
  }
  if (httpMessage == null) {
    return false;
  }

  boolean keepGoing;
  if (state == 0) {
    // Baseline request: record whether the indicator lands inside a tag.
    inputReflectedInTag =
        checkTag(httpMessage.getRes().getResponseStr(), XssIndicator.getInstance().getBaseIndicator());
    keepGoing = true;
  } else {
    // 11 is the last probe id added in the constructor.
    keepGoing = state != 11;
  }

  state++;
  return keepGoing;
}