Esempio n. 1
0
  private SentinelHttpMessage attack(AttackData data) throws ConnectionTimeoutException {
    if (attackWorkEntry.attackHttpParam.getTypeStr().equals("GET")
        || attackWorkEntry.attackHttpParam.getTypeStr().equals("PATH")) {
      data.urlEncode();
    }

    SentinelHttpMessageAtk httpMessage = initAttackHttpMessage(data.getInput());
    if (httpMessage == null) {
      return null;
    }
    lastHttpMessage = httpMessage;
    BurpCallbacks.getInstance().sendRessource(httpMessage, attackWorkEntry.followRedirect);

    if (!httpMessage.getRes().hasResponse()) {
      BurpCallbacks.getInstance().print("Response error");
      return httpMessage;
    }

    analyzeResponse(data, httpMessage);

    // Highlight indicator anyway
    String indicator = XssIndicator.getInstance().getBaseIndicator();
    if (!indicator.equals(data.getOutput())) {
      ResponseHighlight h = new ResponseHighlight(indicator, Color.green);
      httpMessage.getRes().addHighlight(h);
    }

    return httpMessage;
  }
Esempio n. 2
0
  public AttackXss(AttackWorkEntry work) {
    super(work);

    attackData = new LinkedList<AttackData>();
    String indicator;

    indicator = XssIndicator.getInstance().getIndicator();
    /*
     1  <p>"
     2  %3Cp%3E%22

     3  <p "=>
     4  %3Cp%20%22%3D%3E

     5  ' =                 t
     6  %27%20%3D           t

     7  " =                 t
     8  %20%22%3D           t

     9  %5C%5C%27%5C%5C%22_\'\"
    10  _\u0022a_æ_\u00e6
    11  %253Ca%2527%2522%253E
    */

    attackData.add(new AttackData(0, indicator, indicator, AttackData.AttackType.INFO));
    attackData.add(
        new AttackData(1, indicator + "<p>\"", indicator + "<p>\"", AttackData.AttackType.VULN));
    attackData.add(
        new AttackData(
            2, indicator + "%3Cp%3E%22", indicator + "<p>\"", AttackData.AttackType.VULN));
    attackData.add(
        new AttackData(
            3, indicator + "<p \"=>", indicator + "<p \"=>", AttackData.AttackType.VULN));
    attackData.add(
        new AttackData(
            4, indicator + "%3Cp%20%22%3D%3E", indicator + "<p \"=>", AttackData.AttackType.VULN));
    attackData.add(
        new AttackData(5, indicator + "' =", indicator + "' =", AttackData.AttackType.VULN));
    attackData.add(
        new AttackData(6, indicator + "%27%20%3D", indicator + "' =", AttackData.AttackType.VULN));
    attackData.add(
        new AttackData(7, indicator + "\" =", indicator + "\" =", AttackData.AttackType.VULN));
    attackData.add(
        new AttackData(8, indicator + "%22%20%3D", indicator + "\" =", AttackData.AttackType.VULN));
    attackData.add(
        new AttackData(
            9, indicator + "%5C%27%5C%22_\\'\\\"", indicator + "", AttackData.AttackType.VULN));
    attackData.add(
        new AttackData(
            10, indicator + "_\\u0022_æ_\\u00E6_", indicator + "", AttackData.AttackType.VULN));
    attackData.add(
        new AttackData(
            11,
            indicator + "%253Cp%2527%2522%253E",
            indicator + "<p'\">",
            AttackData.AttackType.VULN));
  }
Esempio n. 3
0
  @Override
  public boolean performNextAttack() {
    boolean doContinue = false;

    AttackData data = attackData.get(state);
    SentinelHttpMessage httpMessage;
    try {
      httpMessage = attack(data);
      if (httpMessage == null) {
        return false;
      }
    } catch (ConnectionTimeoutException ex) {
      state++;
      return false;
    }

    switch (state) {
      case 0:
        doContinue = true;

        if (checkTag(
            httpMessage.getRes().getResponseStr(), XssIndicator.getInstance().getBaseIndicator())) {
          inputReflectedInTag = true;
        } else {
          inputReflectedInTag = false;
        }
        break;
      case 11:
        doContinue = false;
        break;
      default:
        doContinue = true;
        break;
    }

    state++;
    return doContinue;
  }