Issue 384: First draft of XssRays (extension)

git-svn-id: https://beef.googlecode.com/svn/trunk@1110 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9

extensions/xssrays/api.rb

@@ -0,0 +1,49 @@
+#
+#   Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+module BeEF
+module Extension
+module Xssrays
+  
+  module RegisterHttpHandler
+    
+    # use of the API
+    extend BeEF::API::Server::Handler
+    
+    # We register the http handler for the requester.
+    # This http handler will retrieve the http responses for all requests
+    def self.mount_handlers(beef_server)
+      beef_server.mount('/xssrays', false, BeEF::Extension::Xssrays::Handler)
+    end
+    
+  end
+
+  module RegisterPreHookCallback
+
+    extend BeEF::API::Server::Hook
+
+    # checks at every polling if there are new scans to be started
+    def self.pre_hook_send(hooked_browser, body, params, request, response)
+        if hooked_browser != nil
+          xssrays = BeEF::Extension::Xssrays::API::Scan.new
+          xssrays.start_scan(hooked_browser, body)
+        end
+    end
+
+  end
+  
+end
+end
+end

extensions/xssrays/api/scan.rb

@@ -0,0 +1,67 @@
+#
+#   Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+module BeEF
+  module Extension
+    module Xssrays
+      module API
+
+        class Scan
+
+          include BeEF::Core::Handlers::Modules::BeEFJS
+
+          #
+          # Add the xssrays mian JS file to the victim DOM if there is a not started scan entry in the db.
+          #
+          def start_scan(hb, body)
+            @body = body
+
+
+            hb = BeEF::Core::Models::HookedBrowser.first(:id => hb.id)
+            #TODO: we should get the xssrays_scan table with more accuracy, if for some reasons we requested
+            #TODO: 2 scans on the same hooked browsers, "first" could not get the right result we want
+            xs = BeEF::Core::Models::Xssraysscan.first(:hooked_browser_id => hb.id, :is_started => false)
+
+            # stop here if there are no XssRays scans to be started
+            return if xs == nil || xs.is_started == true
+
+            # set the scan as started
+            xs.update(:is_started => true)
+
+            # build the beefjs xssrays component
+            build_missing_beefjs_components 'beef.net.xssrays'
+
+            # the URI of the HTTP controller where rays should come back if the vulnerability is verified
+            beefurl = "#{BeEF::Core::Server.instance.url}/ui/xssrays/rays"
+
+            #TODO: this must be configurable is some ways, through the web UI
+            cross_domain = true
+            timeout = 5000
+
+
+            @body << %Q{
+              beef.execute(function() {
+                beef.net.xssrays.startScan('#{xs.id}', '#{hb.session}', '#{beefurl}', #{cross_domain}, #{timeout});
+              });
+            }
+
+            print_debug("[XSSRAYS] Adding XssRays to the DOM. Scan id [#{xs.id}], started at [#{xs.scan_start}]")
+
+          end
+        end
+      end
+    end
+  end
+end

extensions/xssrays/config.yaml

@@ -0,0 +1,20 @@
+#
+#   Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    extension:
+        xssrays:
+            enable: true
+            authors: ["antisnatchor"]

extensions/xssrays/extension.rb

@@ -0,0 +1,29 @@
+#
+#   Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+module BeEF
+module Extension
+module Xssrays
+  
+end
+end
+end
+
+
+require 'extensions/xssrays/models/xssraysdetail'
+require 'extensions/xssrays/models/xssraysscan'
+require 'extensions/xssrays/api/scan'
+require 'extensions/xssrays/handler'
+require 'extensions/xssrays/api'

extensions/xssrays/handler.rb

@@ -0,0 +1,64 @@
+#
+#   Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+module BeEF
+module Extension
+module Xssrays
+
+  class Handler < WEBrick::HTTPServlet::AbstractServlet
+    attr_reader :guard
+    
+    XS = BeEF::Core::Models::Xssraysscan
+    XD = BeEF::Core::Models::Xssraysdetail
+    HB = BeEF::Core::Models::HookedBrowser
+
+    #
+    # Class constructor
+    #
+    def initialize(data)
+      # we set up a mutex
+      @guard = Mutex.new
+      @data = data
+      setup()
+    end
+    
+    def setup()
+
+      # validates the hook token
+      beef_hook = @data['beefhook'] || nil
+      raise WEBrick::HTTPStatus::BadRequest, "beefhook is null" if beef_hook.nil?
+      
+      # validates the scan id
+      scan_id = @data['cid'] || nil
+      raise WEBrick::HTTPStatus::BadRequest, "Scan id (cid) is null" if request_id.nil?
+
+      # validates that a hooked browser with the beef_hook token exists in the db
+      hooked_browser = HB.first(:session => beef_hook) || nil
+      raise WEBrick::HTTPStatus::BadRequest, "Invalid beefhook id: the hooked browser cannot be found in the database" if hooked_browser.nil?
+      
+      # update the XssRays scan table, marking the scan as finished
+      xssrays_scan = BeEF::Core::Models::Xssraysscan.first(:id => scan_id)
+
+      if(xssrays_scan != nil)
+         xssrays_scan.update(:is_finished => true, :scan_finish => Time.now)
+         print_info("[XSSRAYS] Scan id [#{xssrays_scan.id}] finished at [#{xssrays_scan.scan_finish}]")
+      end
+    end
+
+  end
+  
+end
+end
+end

extensions/xssrays/models/xssraysdetail.rb

@@ -0,0 +1,48 @@
+#
+#   Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+module BeEF
+module Core
+module Models
+  #
+  # Store the rays details, basically verified XSS vulnerabilities
+  #
+  class Xssraysdetail
+  
+    include DataMapper::Resource
+    
+    storage_names[:default] = 'extension_xssrays_details'
+    
+    property :id, Serial
+
+    # The hooked browser id
+    property :hooked_browser_id, Text, :lazy => false
+
+    # The XssRays vector name for the vulnerability
+    property :vector_name, Text, :lazy => true
+
+    # The XssRays vector method (GET or POST) for the vulnerability
+    property :vector_method, Text, :lazy => true
+
+    # The XssRays Proof of Concept for the vulnerability
+    property :vector_poc, Text, :lazy => true
+
+    property :scan_id, Text, :lazy => false
+
+  end
+  
+end
+end
+end