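"""
Name: DOM XSS Hilighter
Version: 1.0
Date: 28/08/2013
Author: Mesbahi Alaeddine
Contact: alaeddine.mesbahi@gmail.com
Description: A Burp plugin in Python. The plugin hilights requests with both sinks and sources and adds a new button
to hilight sinks and sources in the Javascript code. The plugin is using DOM XSS Wiki regex http://code.google.com/p/domxsswiki/wiki/FindingDOMXSS.
The plugin aids in detecting DOM XSS; hilighted requests do not necessarily have DOM XSS vulnerabilities.
"""

# setup Imports
try:
    from burp import IBurpExtender
    from burp import IHttpListener
    from burp import IHttpRequestResponse
    from burp import IResponseInfo
    from burp import IMenuItemHandler

    from javax.swing import JFrame, JPanel, JTextArea, JTextPane, JScrollPane
    from javax.swing.text import StyleConstants
    from java.awt import Color
except ImportError:
    # Not running inside Burp's Jython (e.g. unit-testing the regex helpers in
    # plain CPython): provide empty stand-ins for the Burp interfaces so the
    # module still imports. The Swing/AWT names are only used inside
    # menuItemClicked/filter2, which are never reached outside Burp.
    class IBurpExtender(object):
        pass

    class IHttpListener(object):
        pass

    class IMenuItemHandler(object):
        pass

import re

# Tool flag Burp passes to processHttpMessage for the Proxy tool
# (IBurpExtenderCallbacks.TOOL_PROXY).
TOOL_PROXY = 4

# DOM XSS Wiki patterns (see the module docstring). They are compiled once here
# instead of being rebuilt on every proxied response.
#
# Sources: places untrusted data enters the script (location, document
# properties, storage, ...).
_SOURCES = r'((location\s*[\[.])|([.\[]\s*["\']?\s*(arguments|dialogArguments|innerHTML|write(ln)?|open(Dialog)?|showModalDialog|cookie|URL|documentURI|baseURI|referrer|name|opener|parent|top|content|self|frames)\W)|(localStorage|sessionStorage|Database))'
# Sinks: assignments and calls where that data could be interpreted as
# markup, URL or code.
_SINKS = r'(((src|href|data|location|code|value|action)\s*["\'\]]*\s*\+?\s*=)|((replace|assign|navigate|getResponseHeader|open(Dialog)?|showModalDialog|eval|evaluate|execCommand|execScript|setTimeout|setInterval)\s*["\'\]]*\s*\())'
# jQuery sinks. NOTE: the original spelled the alternative "jQUery\(" which
# never matched the jQuery( alias; it is "jQuery\(" here. The duplicated
# "\$\(" alternative was dropped (same match set).
_JQUERY_SINKS = r'(after\(|\.append\(|\.before\(|\.html\(|\.prepend\(|\.replaceWith\(|\.wrap\(|\.wrapAll\(|\$\(|\.globalEval\(|\.add\(|jQuery\(|\.parseHTML\()'

_SOURCE_PATTERN = re.compile(_SOURCES)
_SINK_PATTERN = re.compile(_SINKS)
_JQUERY_SINK_PATTERN = re.compile(_JQUERY_SINKS)
# Everything the code viewer paints red: any source or any sink.
_HIGHLIGHT_PATTERN = re.compile('|'.join([_SOURCES, _SINKS, _JQUERY_SINKS]))


# Class BurpExtender (Required) containing all functions used to interact with Burp Suite API
class BurpExtender(IBurpExtender, IHttpListener, IMenuItemHandler):

    # define registerExtenderCallbacks: From IBurpExtender Interface
    def registerExtenderCallbacks(self, callbacks):
        """Register the extension name, the context-menu button and the HTTP listener."""
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        self._callbacks.setExtensionName("DOM XSS Hilight")

        # add the button
        self._callbacks.registerMenuItem("Search DOM XSS Pattern", self)
        callbacks.registerHttpListener(self)

    def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
        """Highlight a proxied response when one line holds both a source and a sink.

        Only Proxy responses are inspected; requests and other tools are ignored.
        """
        if toolFlag != TOOL_PROXY or messageIsRequest:
            return
        response = messageInfo.getResponse()  # byte[] from the IHttpRequestResponse instance
        if response is None:
            return
        if self.filter(self._bytes_to_str(response)):
            self.action(messageInfo)

    # handle the click on the button
    def menuItemClicked(self, caption, messageInfo):
        """Open a window showing the first selected response with sources/sinks coloured red.

        Args:
            caption: the menu caption Burp passes back (unused).
            messageInfo: array of selected IHttpRequestResponse items; only the first is shown.
        """
        response = messageInfo[0].getResponse()
        if response is None:
            return
        strResponse = self._bytes_to_str(response)
        frame = JFrame('DOM XSS', size=(300, 300))
        parentPanel = JPanel()

        # colored code: the body is inserted into the document as styled plain
        # text (no HTML content type is set), so the untrusted response is
        # displayed, not interpreted.
        printedCode = JTextPane()
        styledDoc = printedCode.getStyledDocument()
        style = printedCode.addStyle('ColoredCode', None)
        self.filter2(strResponse, styledDoc, style)

        # Scroll Bar
        scrollPanel = JScrollPane(JScrollPane.VERTICAL_SCROLLBAR_AS_NEEDED, JScrollPane.HORIZONTAL_SCROLLBAR_AS_NEEDED)
        scrollPanel.preferredSize = 1500, 800
        scrollPanel.viewport.view = printedCode

        # Final Inclusion of Panels
        parentPanel.add(scrollPanel)
        frame.add(parentPanel)
        frame.visible = True

    def filter2(self, messageContent, styledDoc, style):
        """Append messageContent to styledDoc, painting every source/sink match red and the rest black."""
        for chunk, isMatch in self._segments(messageContent):
            StyleConstants.setForeground(style, Color.red if isMatch else Color.black)
            styledDoc.insertString(styledDoc.getLength(), chunk, style)

    @staticmethod
    def _segments(text):
        """Yield (chunk, is_match) pairs covering text in order.

        Chunks alternate between non-matching text and matches of
        _HIGHLIGHT_PATTERN; the trailing non-matching chunk is always yielded,
        even when empty, so the concatenation of all chunks equals text.
        """
        pos = 0
        for match in _HIGHLIGHT_PATTERN.finditer(text):
            yield text[pos:match.start()], False
            yield match.group(), True
            pos = match.end()
        yield text[pos:], False

    def filter(self, messageContent):
        """Return True if any single line contains both a source and a sink.

        Matching is per line (split on '\\n'), so a source on one line and a
        sink on the next do not count. Every qualifying line and its matches
        are printed to the extension's stdout for triage.

        NOTE: jQuery sink matches are printed in full; the original printed only
        their first character because findall() on a single-group pattern
        returns strings, not tuples.
        """
        found = False
        for line in messageContent.split('\n'):
            sources = [m.group() for m in _SOURCE_PATTERN.finditer(line)]
            if not sources:
                # A sink alone is never reported, so skip the sink scans.
                continue
            sinks = [m.group() for m in _SINK_PATTERN.finditer(line)]
            jquerySinks = [m.group() for m in _JQUERY_SINK_PATTERN.finditer(line)]
            if not (sinks or jquerySinks):
                continue
            print("[*] Line: '''%s'''" % line)
            for source in sources:
                print("[*] Sources:''' %s'''" % source)
            for sink in sinks:
                print("[*] Sinks:''' %s'''" % sink)
            for sink in jquerySinks:
                print("[*] Sinks JQuery:''' %s'''" % sink)
            found = True
        return found

    def action(self, args):
        """Mark the given IHttpRequestResponse red in Burp's Proxy history."""
        args.setHighlight("red")

    @staticmethod
    def _bytes_to_str(data):
        """Convert a Java byte[] (signed values, -128..127) to a str with one char per byte.

        c % 256 maps negative bytes to 0..255 so chr() never fails; the result
        is a byte-for-byte (Latin-1 style) view of the response.
        """
        return ''.join([chr(c % 256) for c in data])


# README.md (same repository):
#   DOMXSSHilight
#   Burp Extension in Python hilighting DOM Sinks and Sources using DOM XSS Wiki regex.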