Class: Cross::Engine

Inherits:
Object
  • Object
show all
Includes:
Singleton
Defined in:
lib/cross/engine.rb

Overview

Engine is the cross class using Mechanize to inject canary and check for output

Instance Attribute Summary collapse

Instance Method Summary collapse

Instance Attribute Details

#agentObject (readonly)

Returns the value of attribute agent.



13
14
15
 
# File 'lib/cross/engine.rb', line 13

def agent
  @agent
end

#optionsObject

Returns the value of attribute options.



14
15
16
 
# File 'lib/cross/engine.rb', line 14

def options
  @options
end

Instance Method Details

#authenticate?Boolean

Returns:

  • (Boolean) 


28
29
30
 
# File 'lib/cross/engine.rb', line 28

def authenticate?
  ! @options[:auth].nil?  and ! @options[:auth].empty? 
end

#crawl(url) ⇒ Object 



36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
 
# File 'lib/cross/engine.rb', line 36

def crawl(url)
  start if @agent.nil?

  links = []
  @agent.add_auth(url, @options[:auth][:username], @options[:auth][:password]) if authenticate?
  begin 
    page=@agent.get(url)
    page=@agent.get(url) if authenticate?
    page.links.each do |l|
      @agent.log.debug("Link found: #{l.href}") if debug?
      links << l.href
    end
  rescue Mechanize::UnauthorizedError
    return {:status=>'KO', :links=>[], :message=>'target website requires authentication'}
  rescue => e 
    return {:status=>'KO', :links=>links, :message=>e.to_s}
  end

  return {:status=>'OK', :links=>links, :message=>''}
end

#crawl?Boolean

Returns:

  • (Boolean) 


32
33
34
 
# File 'lib/cross/engine.rb', line 32

def crawl?
  @options[:crawl][:enabled]
end

#debug?Boolean

Returns:

  • (Boolean) 


16
17
18
 
# File 'lib/cross/engine.rb', line 16

def debug?
  @options[:debug]
end

#inject(url) ⇒ Object 



57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
 
# File 'lib/cross/engine.rb', line 57

def inject(url)
  start if @agent.nil?

  $logger.log "Authenticating to the app using #{@options[:auth][:username]}:#{@options[:auth][:password]}" if debug?

  @agent.add_auth(url, @options[:auth][:username], @options[:auth][:password]) if authenticate?

  found = false
  if @options[:exploit_url]
    # You ask to exploit the url, so I won't check for form values

    attack_url = Cross::Url.new(url)

    Cross::Attack::XSS.each do |pattern|
      attack_url.params.each do |par|

        page = @agent.get(attack_url.fuzz(par[:name],pattern))
        @agent.log.debug(page.body) if debug?

        scripts = page.search("//script")
        scripts.each do |sc|
          $logger.log(page.body) if @options[:debug] if sc.children.text.include?("alert(#{Cross::Attack::XSS::CANARY})")
          return true if sc.children.text.include?("alert(#{Cross::Attack::XSS::CANARY})")
        end

        return false if options[:oneshot]

        attack_url.reset
      end
    end

  else
    begin
      page = @agent.get(url)
    rescue Mechanize::UnauthorizedError
      $logger.err 'Authentication failed. Giving up.'
      return false
    rescue Mechanize::ResponseCodeError
      $logger.err 'Server gave back 404. Giving up.'
      return false
    rescue Net::HTTP::Persistent::Error => e
      $logger.err e.message
      return false
    end

    $logger.log "#{page.forms.size} form(s) found" if debug?

    Cross::Attack::XSS.each do |pattern|

      $logger.log "using attack vector: #{pattern}" if debug?


      page.forms.each do |f|
        f.fields.each do |ff|
          if  options[:sample_post].empty?
            ff.value = pattern if options[:parameter_to_tamper].empty?
            ff.value = pattern if ! options[:parameter_to_tamper].empty? && ff.name==options[:parameter_to_tamper]
          else
            ff.value = find_sample_value_for(options[:sample_post], ff.name) unless ff.name==options[:parameter_to_tamper]
            ff.value = pattern if ff.name==options[:parameter_to_tamper]

          end
        end

        pp = @agent.submit(f)
        $logger.log "header: #{pp.header}" if debug? && ! pp.header.empty?
        $logger.log "body: #{pp.body}" if debug? && ! pp.body.empty?
        $logger.err "Page is empty" if pp.body.empty?
        scripts = pp.search("//script")
        scripts.each do |sc|
          return true if sc.children.text.include?("alert(#{Cross::Attack::XSS::CANARY})")
        end

        # This is for input html field javascript event evasion
        inputs = pp.search("//input")
        inputs.each do |input|
          return true if ! input['onmouseover'].nil? && input['onmouseover'].include?("alert(#{Cross::Attack::XSS::CANARY})") 
        end
      end 
      return false if options[:oneshot]
    end
  end
  found
end

#start(options = {:exploit_url=>false, :debug=>false, :auth=>{}}) ⇒ Object

Starts the engine



21
22
23
24
25
26
 
# File 'lib/cross/engine.rb', line 21

def start(options={:exploit_url=>false, :debug=>false, :auth=>{}})
  @agent = Mechanize.new {|a| a.log = Logger.new("cross.log")}
  @agent.user_agent_alias = 'Mac Safari'
  @agent.agent.http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  @options = options
end