sanitise inputs for hooked browsers

zinduolis
2026-01-19 17:16:05 +10:00
parent 15095d2037
commit 503e584d97


@@ -467,24 +467,26 @@ try{
} }
// set zombie hover balloon text for tree node // set zombie hover balloon text for tree node
// Use Ext.util.Format.htmlEncode() to prevent XSS via malicious browser properties
var encode = Ext.util.Format.htmlEncode;
var balloon_text = ""; var balloon_text = "";
balloon_text += hooked_browser.ip; balloon_text += encode(hooked_browser.ip);
balloon_text += "<hr/>" balloon_text += "<hr/>"
balloon_text += "<img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/favicon.png' /> "; balloon_text += "<img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/favicon.png' /> ";
balloon_text += "Origin: " + hooked_browser.domain + ":" + hooked_browser.port; balloon_text += "Origin: " + encode(hooked_browser.domain) + ":" + encode(hooked_browser.port);
balloon_text += "<br/>"; balloon_text += "<br/>";
balloon_text += "<img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/icons/" + escape(browser_icon) + "' /> "; balloon_text += "<img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/icons/" + escape(browser_icon) + "' /> ";
balloon_text += "Browser: " + hooked_browser.browser_name + " " + hooked_browser.browser_version; balloon_text += "Browser: " + encode(hooked_browser.browser_name) + " " + encode(hooked_browser.browser_version);
balloon_text += "<br/>"; balloon_text += "<br/>";
balloon_text += " <img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/icons/" + escape(os_icon) + "' /> "; balloon_text += " <img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/icons/" + escape(os_icon) + "' /> ";
if (hooked_browser.os_version == 'Unknown') { if (hooked_browser.os_version == 'Unknown') {
balloon_text += "OS: " + hooked_browser.os_name; balloon_text += "OS: " + encode(hooked_browser.os_name);
} else { } else {
balloon_text += "OS: " + hooked_browser.os_name + ' ' + hooked_browser.os_version; balloon_text += "OS: " + encode(hooked_browser.os_name) + ' ' + encode(hooked_browser.os_version);
} }
balloon_text += "<br/>"; balloon_text += "<br/>";
balloon_text += " <img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/icons/" + escape(hw_icon) + "' /> "; balloon_text += " <img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/icons/" + escape(hw_icon) + "' /> ";
balloon_text += "Hardware: " + hooked_browser.hw_name; balloon_text += "Hardware: " + encode(hooked_browser.hw_name);
balloon_text += "<br/>"; balloon_text += "<br/>";
if ( !hooked_browser.country || !hooked_browser.country_code || hooked_browser.country == 'Unknown' ) { if ( !hooked_browser.country || !hooked_browser.country_code || hooked_browser.country == 'Unknown' ) {
@@ -492,11 +494,11 @@ try{
balloon_text += "Location: Unknown"; balloon_text += "Location: Unknown";
} else { } else {
balloon_text += " <img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/icons/country-squared/" + escape(hooked_browser.country_code.toLowerCase()) + ".svg' /> "; balloon_text += " <img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/icons/country-squared/" + escape(hooked_browser.country_code.toLowerCase()) + ".svg' /> ";
balloon_text += "Location: " + hooked_browser.city + ", " + hooked_browser.country; balloon_text += "Location: " + encode(hooked_browser.city) + ", " + encode(hooked_browser.country);
} }
balloon_text += "<hr/>"; balloon_text += "<hr/>";
balloon_text += "Local Date: " + hooked_browser.date; balloon_text += "Local Date: " + encode(hooked_browser.date);
hooked_browser.qtip = balloon_text; hooked_browser.qtip = balloon_text;
// set zombie text label for tree node // set zombie text label for tree node
@@ -511,7 +513,7 @@ try{
text += "<img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/icons/country-squared/" + escape(hooked_browser.country_code.toLowerCase()) + ".svg' /> "; text += "<img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/icons/country-squared/" + escape(hooked_browser.country_code.toLowerCase()) + ".svg' /> ";
} }
text += hooked_browser.ip; text += encode(hooked_browser.ip);
hooked_browser.text = text; hooked_browser.text = text;
//save a new online HB //save a new online HB
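Review bot: The icon `src` attributes on the unchanged lines (`escape(browser_icon)`, `escape(os_icon)`, `escape(hw_icon)`, `escape(hooked_browser.country_code.toLowerCase())`) still rely on the legacy `escape()`, which is an Annex B function that leaves `@*_+-./` unencoded and emits non-standard `%uXXXX` sequences for non-Latin-1 input; `encodeURIComponent()` is the standard replacement and also percent-encodes `'`, so it cannot break out of the single-quoted attribute. The new `encode` helper is the right primitive for the element-text fields, but `Ext.util.Format.htmlEncode` does not encode `'` on older Ext releases (the Ext version is not visible from here), so it should not be reused for attribute values; the comment at the top of the hunk could say so: `// htmlEncode() is for element text only — attribute/URL values need encodeURIComponent()`. If `var encode = Ext.util.Format.htmlEncode;` sits inside the per-browser loop, hoisting it above the loop avoids re-declaring it on every iteration. The enclosing `try` block and loop start before the first hunk and continue past the last one.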