From 70ec0de175bf927997cdf2fd9bc747aa89cbbb9f Mon Sep 17 00:00:00 2001 From: zinduolis Date: Thu, 26 Feb 2026 11:20:30 +1000 Subject: [PATCH] Fix Stored XSS in Browser Details and Core Filters --- core/filters/base.rb | 2 +- core/filters/browser.rb | 10 +++---- core/main/handlers/browserdetails.rb | 45 +++++++++++++++++++++++----- 3 files changed, 43 insertions(+), 14 deletions(-) diff --git a/core/filters/base.rb b/core/filters/base.rb index c8da8ff9a..1c152aca9 100644 --- a/core/filters/base.rb +++ b/core/filters/base.rb @@ -187,7 +187,7 @@ module BeEF def self.has_valid_browser_details_chars?(str) return false unless is_non_empty_string?(str) - !(str =~ %r{[^\w\d\s()-.,;:_/!\302\256]}).nil? + (str =~ %r{[^\w\d\s()-.,;:_/!\302\256]}).nil? end # Check for valid base details characters diff --git a/core/filters/browser.rb b/core/filters/browser.rb index c7c4cb1fa..d441e91ec 100644 --- a/core/filters/browser.rb +++ b/core/filters/browser.rb @@ -11,7 +11,7 @@ module BeEF def self.is_valid_browsername?(str) # rubocop:disable Naming/PredicatePrefix return false unless is_non_empty_string?(str) return false if str.length > 2 - return false if has_non_printable_char?(str) + return false unless has_valid_browser_details_chars?(str) true end @@ -21,7 +21,7 @@ module BeEF # @return [Boolean] If the string has valid Operating System name characters def self.is_valid_osname?(str) # rubocop:disable Naming/PredicatePrefix return false unless is_non_empty_string?(str) - return false if has_non_printable_char?(str) + return false unless has_valid_browser_details_chars?(str) return false if str.length < 2 true @@ -32,7 +32,7 @@ module BeEF # @return [Boolean] If the string has valid Hardware name characters def self.is_valid_hwname?(str) # rubocop:disable Naming/PredicatePrefix return false unless is_non_empty_string?(str) - return false if has_non_printable_char?(str) + return false unless has_valid_browser_details_chars?(str) return false if str.length < 2 true @@ -71,7 +71,7 @@ module BeEF # @return [Boolean] If the string has valid browser / ua string characters def self.is_valid_browserstring?(str) # rubocop:disable Naming/PredicatePrefix return false unless is_non_empty_string?(str) - return false if has_non_printable_char?(str) + return false unless has_valid_browser_details_chars?(str) return false if str.length > 300 true @@ -93,7 +93,7 @@ module BeEF # @return [Boolean] If the string has valid system platform characters def self.is_valid_system_platform?(str) # rubocop:disable Naming/PredicatePrefix return false unless is_non_empty_string?(str) - return false if has_non_printable_char?(str) + return false unless has_valid_browser_details_chars?(str) return false if str.length > 200 true diff --git a/core/main/handlers/browserdetails.rb b/core/main/handlers/browserdetails.rb index 3d02f2225..54c9ab83a 100644 --- a/core/main/handlers/browserdetails.rb +++ b/core/main/handlers/browserdetails.rb @@ -44,7 +44,7 @@ module BeEF # hooked window host name log_zombie_port = 0 - if !@data['results']['browser.window.hostname'].nil? + if !@data['results']['browser.window.hostname'].nil? && BeEF::Filters.is_valid_hostname?(@data['results']['browser.window.hostname']) log_zombie_domain = @data['results']['browser.window.hostname'] elsif !@data['request'].referer.nil? and !@data['request'].referer.empty? referer = @data['request'].referer @@ -59,7 +59,7 @@ module BeEF end # hooked window host port - if @data['results']['browser.window.hostport'].nil? + if @data['results']['browser.window.hostport'].nil? || !BeEF::Filters.is_valid_port?(@data['results']['browser.window.hostport'].to_s) log_zombie_domain_parts = log_zombie_domain.split(':') log_zombie_port = log_zombie_domain_parts[1].to_i if log_zombie_domain_parts.length > 1 else @@ -92,6 +92,7 @@ module BeEF BD.set(session_id, 'browser.name.friendly', browser_friendly_name) else err_msg "Invalid browser name returned from the hook browser's initial connection." + browser_name = 'Unknown' end if BeEF::Filters.is_valid_ip?(zombie.ip) @@ -242,11 +243,17 @@ module BeEF X_FORWARDED X_FORWARDED_FOR ].each do |header| - proxy_clients << (JSON.parse(zombie.httpheaders)[header]).to_s unless JSON.parse(zombie.httpheaders)[header].nil? + val = JSON.parse(zombie.httpheaders)[header] + unless val.nil? + val.to_s.split(',').each do |ip| + proxy_clients << ip.strip if BeEF::Filters.is_valid_ip?(ip.strip) + end + end end # retrieve proxy server proxy_server = JSON.parse(zombie.httpheaders)['VIA'] unless JSON.parse(zombie.httpheaders)['VIA'].nil? + proxy_server = nil unless proxy_server.nil? || BeEF::Filters.has_valid_browser_details_chars?(proxy_server) # store and log proxy details if using_proxy == true @@ -273,6 +280,7 @@ module BeEF BD.set(session_id, 'browser.version', browser_version) else err_msg "Invalid browser version returned from the hook browser's initial connection." + browser_version = 'Unknown' end # get and store browser string @@ -293,7 +301,12 @@ module BeEF # get and store browser language browser_lang = get_param(@data['results'], 'browser.language') - BD.set(session_id, 'browser.language', browser_lang) + if BeEF::Filters.has_valid_browser_details_chars?(browser_lang) + BD.set(session_id, 'browser.language', browser_lang) + else + err_msg "Invalid browser language returned from the hook browser's initial connection." + browser_lang = 'Unknown' + end # get and store the cookies cookies = get_param(@data['results'], 'browser.window.cookies') @@ -309,6 +322,7 @@ module BeEF BD.set(session_id, 'host.os.name', os_name) else err_msg "Invalid operating system name returned from the hook browser's initial connection." + os_name = 'Unknown' end # get and store the OS family @@ -322,15 +336,30 @@ module BeEF # get and store the OS version # - without checks as it can be very different, for instance on linux/bsd) os_version = get_param(@data['results'], 'host.os.version') - BD.set(session_id, 'host.os.version', os_version) + if BeEF::Filters.has_valid_browser_details_chars?(os_version) + BD.set(session_id, 'host.os.version', os_version) + else + err_msg "Invalid operating system version returned from the hook browser's initial connection." + os_version = 'Unknown' + end - # get and store the OS arch - without checks + # get and store the OS arch os_arch = get_param(@data['results'], 'host.os.arch') - BD.set(session_id, 'host.os.arch', os_arch) + if BeEF::Filters.has_valid_browser_details_chars?(os_arch) + BD.set(session_id, 'host.os.arch', os_arch) + else + err_msg "Invalid operating system architecture returned from the hook browser's initial connection." + os_arch = 'Unknown' + end # get and store default browser default_browser = get_param(@data['results'], 'host.software.defaultbrowser') - BD.set(session_id, 'host.software.defaultbrowser', default_browser) + if BeEF::Filters.has_valid_browser_details_chars?(default_browser) + BD.set(session_id, 'host.software.defaultbrowser', default_browser) + else + err_msg "Invalid default browser returned from the hook browser's initial connection." + default_browser = 'Unknown' + end # get and store the hardware type hw_type = get_param(@data['results'], 'hardware.type')