diff --git a/core/filters/base.rb b/core/filters/base.rb
index c8da8ff9a..1c152aca9 100644
--- a/core/filters/base.rb
+++ b/core/filters/base.rb
@@ -187,7 +187,7 @@ module BeEF
def self.has_valid_browser_details_chars?(str)
return false unless is_non_empty_string?(str)
- !(str =~ %r{[^\w\d\s()-.,;:_/!\302\256]}).nil?
+ (str =~ %r{[^\w\d\s()-.,;:_/!\302\256]}).nil?
end
# Check for valid base details characters
diff --git a/core/filters/browser.rb b/core/filters/browser.rb
index c7c4cb1fa..d441e91ec 100644
--- a/core/filters/browser.rb
+++ b/core/filters/browser.rb
@@ -11,7 +11,7 @@ module BeEF
def self.is_valid_browsername?(str) # rubocop:disable Naming/PredicatePrefix
return false unless is_non_empty_string?(str)
return false if str.length > 2
- return false if has_non_printable_char?(str)
+ return false unless has_valid_browser_details_chars?(str)
true
end
@@ -21,7 +21,7 @@ module BeEF
# @return [Boolean] If the string has valid Operating System name characters
def self.is_valid_osname?(str) # rubocop:disable Naming/PredicatePrefix
return false unless is_non_empty_string?(str)
- return false if has_non_printable_char?(str)
+ return false unless has_valid_browser_details_chars?(str)
return false if str.length < 2
true
@@ -32,7 +32,7 @@ module BeEF
# @return [Boolean] If the string has valid Hardware name characters
def self.is_valid_hwname?(str) # rubocop:disable Naming/PredicatePrefix
return false unless is_non_empty_string?(str)
- return false if has_non_printable_char?(str)
+ return false unless has_valid_browser_details_chars?(str)
return false if str.length < 2
true
@@ -71,7 +71,7 @@ module BeEF
# @return [Boolean] If the string has valid browser / ua string characters
def self.is_valid_browserstring?(str) # rubocop:disable Naming/PredicatePrefix
return false unless is_non_empty_string?(str)
- return false if has_non_printable_char?(str)
+ return false unless has_valid_browser_details_chars?(str)
return false if str.length > 300
true
@@ -93,7 +93,7 @@ module BeEF
# @return [Boolean] If the string has valid system platform characters
def self.is_valid_system_platform?(str) # rubocop:disable Naming/PredicatePrefix
return false unless is_non_empty_string?(str)
- return false if has_non_printable_char?(str)
+ return false unless has_valid_browser_details_chars?(str)
return false if str.length > 200
true
diff --git a/core/main/handlers/browserdetails.rb b/core/main/handlers/browserdetails.rb
index 3d02f2225..51d83afcf 100644
--- a/core/main/handlers/browserdetails.rb
+++ b/core/main/handlers/browserdetails.rb
@@ -44,7 +44,7 @@ module BeEF
# hooked window host name
log_zombie_port = 0
- if !@data['results']['browser.window.hostname'].nil?
+ if !@data['results']['browser.window.hostname'].nil? && BeEF::Filters.is_valid_hostname?(@data['results']['browser.window.hostname'])
log_zombie_domain = @data['results']['browser.window.hostname']
elsif !@data['request'].referer.nil? and !@data['request'].referer.empty?
referer = @data['request'].referer
@@ -59,7 +59,7 @@ module BeEF
end
# hooked window host port
- if @data['results']['browser.window.hostport'].nil?
+ if @data['results']['browser.window.hostport'].nil? || !BeEF::Filters.is_valid_port?(@data['results']['browser.window.hostport'].to_s)
log_zombie_domain_parts = log_zombie_domain.split(':')
log_zombie_port = log_zombie_domain_parts[1].to_i if log_zombie_domain_parts.length > 1
else
@@ -92,6 +92,7 @@ module BeEF
BD.set(session_id, 'browser.name.friendly', browser_friendly_name)
else
err_msg "Invalid browser name returned from the hook browser's initial connection."
+ browser_name = 'Unknown'
end
if BeEF::Filters.is_valid_ip?(zombie.ip)
@@ -242,11 +243,17 @@ module BeEF
X_FORWARDED
X_FORWARDED_FOR
].each do |header|
- proxy_clients << (JSON.parse(zombie.httpheaders)[header]).to_s unless JSON.parse(zombie.httpheaders)[header].nil?
+ val = JSON.parse(zombie.httpheaders)[header]
+ unless val.nil?
+ val.to_s.split(',').each do |ip|
+ proxy_clients << ip.strip if BeEF::Filters.is_valid_ip?(ip.strip)
+ end
+ end
end
# retrieve proxy server
proxy_server = JSON.parse(zombie.httpheaders)['VIA'] unless JSON.parse(zombie.httpheaders)['VIA'].nil?
+ proxy_server = nil unless proxy_server.nil? || BeEF::Filters.has_valid_browser_details_chars?(proxy_server)
# store and log proxy details
if using_proxy == true
@@ -273,6 +280,7 @@ module BeEF
BD.set(session_id, 'browser.version', browser_version)
else
err_msg "Invalid browser version returned from the hook browser's initial connection."
+ browser_version = 'Unknown'
end
# get and store browser string
@@ -293,7 +301,11 @@ module BeEF
# get and store browser language
browser_lang = get_param(@data['results'], 'browser.language')
- BD.set(session_id, 'browser.language', browser_lang)
+ if BeEF::Filters.has_valid_browser_details_chars?(browser_lang)
+ BD.set(session_id, 'browser.language', browser_lang)
+ else
+ err_msg "Invalid browser language returned from the hook browser's initial connection."
+ end
# get and store the cookies
cookies = get_param(@data['results'], 'browser.window.cookies')
@@ -309,6 +321,7 @@ module BeEF
BD.set(session_id, 'host.os.name', os_name)
else
err_msg "Invalid operating system name returned from the hook browser's initial connection."
+ os_name = 'Unknown'
end
# get and store the OS family
@@ -322,15 +335,28 @@ module BeEF
# get and store the OS version
# - without checks as it can be very different, for instance on linux/bsd)
os_version = get_param(@data['results'], 'host.os.version')
- BD.set(session_id, 'host.os.version', os_version)
+ if BeEF::Filters.has_valid_browser_details_chars?(os_version)
+ BD.set(session_id, 'host.os.version', os_version)
+ else
+ err_msg "Invalid operating system version returned from the hook browser's initial connection."
+ os_version = 'Unknown'
+ end
- # get and store the OS arch - without checks
+ # get and store the OS arch
os_arch = get_param(@data['results'], 'host.os.arch')
- BD.set(session_id, 'host.os.arch', os_arch)
+ if BeEF::Filters.has_valid_browser_details_chars?(os_arch)
+ BD.set(session_id, 'host.os.arch', os_arch)
+ else
+ err_msg "Invalid operating system architecture returned from the hook browser's initial connection."
+ end
# get and store default browser
default_browser = get_param(@data['results'], 'host.software.defaultbrowser')
- BD.set(session_id, 'host.software.defaultbrowser', default_browser)
+ if BeEF::Filters.has_valid_browser_details_chars?(default_browser)
+ BD.set(session_id, 'host.software.defaultbrowser', default_browser)
+ else
+ err_msg "Invalid default browser returned from the hook browser's initial connection."
+ end
# get and store the hardware type
hw_type = get_param(@data['results'], 'hardware.type')
diff --git a/extensions/admin_ui/media/javascript/ui/panel/zombiesTreeList.js b/extensions/admin_ui/media/javascript/ui/panel/zombiesTreeList.js
index e9c1c2ace..3d81e42e4 100644
--- a/extensions/admin_ui/media/javascript/ui/panel/zombiesTreeList.js
+++ b/extensions/admin_ui/media/javascript/ui/panel/zombiesTreeList.js
@@ -467,24 +467,26 @@ try{
}
// set zombie hover balloon text for tree node
+ // Use Ext.util.Format.htmlEncode() to prevent XSS via malicious browser properties
+ var encode = Ext.util.Format.htmlEncode;
var balloon_text = "";
- balloon_text += hooked_browser.ip;
+ balloon_text += encode(hooked_browser.ip);
balloon_text += "
"
balloon_text += "
";
- balloon_text += "Origin: " + hooked_browser.domain + ":" + hooked_browser.port;
+ balloon_text += "Origin: " + encode(hooked_browser.domain) + ":" + encode(hooked_browser.port);
balloon_text += "
";
balloon_text += "![](<%= @base_path %>/media/images/icons/" + escape(browser_icon) + ")
";
- balloon_text += "Browser: " + hooked_browser.browser_name + " " + hooked_browser.browser_version;
+ balloon_text += "Browser: " + encode(hooked_browser.browser_name) + " " + encode(hooked_browser.browser_version);
balloon_text += "
";
balloon_text += " ![](<%= @base_path %>/media/images/icons/" + escape(os_icon) + ")
";
if (hooked_browser.os_version == 'Unknown') {
- balloon_text += "OS: " + hooked_browser.os_name;
+ balloon_text += "OS: " + encode(hooked_browser.os_name);
} else {
- balloon_text += "OS: " + hooked_browser.os_name + ' ' + hooked_browser.os_version;
+ balloon_text += "OS: " + encode(hooked_browser.os_name) + ' ' + encode(hooked_browser.os_version);
}
balloon_text += "
";
balloon_text += " ![](<%= @base_path %>/media/images/icons/" + escape(hw_icon) + ")
";
- balloon_text += "Hardware: " + hooked_browser.hw_name;
+ balloon_text += "Hardware: " + encode(hooked_browser.hw_name);
balloon_text += "
";
if ( !hooked_browser.country || !hooked_browser.country_code || hooked_browser.country == 'Unknown' ) {
@@ -492,11 +494,11 @@ try{
balloon_text += "Location: Unknown";
} else {
balloon_text += " ![](<%= @base_path %>/media/images/icons/country-squared/" + escape(hooked_browser.country_code.toLowerCase()) + ".svg)
";
- balloon_text += "Location: " + hooked_browser.city + ", " + hooked_browser.country;
+ balloon_text += "Location: " + encode(hooked_browser.city) + ", " + encode(hooked_browser.country);
}
balloon_text += "
";
- balloon_text += "Local Date: " + hooked_browser.date;
+ balloon_text += "Local Date: " + encode(hooked_browser.date);
hooked_browser.qtip = balloon_text;
// set zombie text label for tree node
@@ -511,7 +513,7 @@ try{
text += " ";
}
- text += hooked_browser.ip;
+ text += encode(hooked_browser.ip);
hooked_browser.text = text;
//save a new online HB