diff --git a/extensions/xssrays/api.rb b/extensions/xssrays/api.rb
new file mode 100644
index 000000000..68213493c
--- /dev/null
+++ b/extensions/xssrays/api.rb
@@ -0,0 +1,49 @@
+#
+# Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+module BeEF
+module Extension
+module Xssrays
+
+ module RegisterHttpHandler
+
+ # use of the API
+ extend BeEF::API::Server::Handler
+
+ # We register the http handler for the requester.
+ # This http handler will retrieve the http responses for all requests
+ def self.mount_handlers(beef_server)
+ beef_server.mount('/xssrays', false, BeEF::Extension::Xssrays::Handler)
+ end
+
+ end
+
+ module RegisterPreHookCallback
+
+ extend BeEF::API::Server::Hook
+
+ # checks at every polling if there are new scans to be started
+ def self.pre_hook_send(hooked_browser, body, params, request, response)
+ if hooked_browser != nil
+ xssrays = BeEF::Extension::Xssrays::API::Scan.new
+ xssrays.start_scan(hooked_browser, body)
+ end
+ end
+
+ end
+
+end
+end
+end
diff --git a/extensions/xssrays/api/scan.rb b/extensions/xssrays/api/scan.rb
new file mode 100644
index 000000000..881da01a2
--- /dev/null
+++ b/extensions/xssrays/api/scan.rb
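Review bot: The two-line comment above `mount_handlers` ("retrieve the http responses for all requests") describes the requester extension rather than this handler, which in handler.rb of this same commit marks a scan as finished when the hooked browser calls back; suggest `# Mount the HTTP handler that receives XssRays scan-finished callbacks at /xssrays`. In `pre_hook_send`, `if hooked_browser != nil` is non-idiomatic Ruby; a guard clause `return if hooked_browser.nil?` followed by the two calls reads better. Note that this hook runs on every poll of every hooked browser and `Scan#start_scan` issues database lookups each time, so the cost grows with polling frequency times hooked browsers; whether that needs gating is a call for the maintainers.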
@@ -0,0 +1,67 @@
+#
+# Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+module BeEF
+ module Extension
+ module Xssrays
+ module API
+
+ class Scan
+
+ include BeEF::Core::Handlers::Modules::BeEFJS
+
+ #
+ # Add the xssrays mian JS file to the victim DOM if there is a not started scan entry in the db.
+ #
+ def start_scan(hb, body)
+ @body = body
+
+
+ hb = BeEF::Core::Models::HookedBrowser.first(:id => hb.id)
+ #TODO: we should get the xssrays_scan table with more accuracy, if for some reasons we requested
+ #TODO: 2 scans on the same hooked browsers, "first" could not get the right result we want
+ xs = BeEF::Core::Models::Xssraysscan.first(:hooked_browser_id => hb.id, :is_started => false)
+
+ # stop here if there are no XssRays scans to be started
+ return if xs == nil || xs.is_started == true
+
+ # set the scan as started
+ xs.update(:is_started => true)
+
+ # build the beefjs xssrays component
+ build_missing_beefjs_components 'beef.net.xssrays'
+
+ # the URI of the HTTP controller where rays should come back if the vulnerability is verified
+ beefurl = "#{BeEF::Core::Server.instance.url}/ui/xssrays/rays"
+
+ #TODO: this must be configurable is some ways, through the web UI
+ cross_domain = true
+ timeout = 5000
+
+
+ @body << %Q{
+ beef.execute(function() {
+ beef.net.xssrays.startScan('#{xs.id}', '#{hb.session}', '#{beefurl}', #{cross_domain}, #{timeout});
+ });
+ }
+
+ print_debug("[XSSRAYS] Adding XssRays to 
the DOM. Scan id [#{xs.id}], started at [#{xs.scan_start}]")
+
+ end
+ end
+ end
+ end
+ end
+end
diff --git a/extensions/xssrays/config.yaml b/extensions/xssrays/config.yaml
new file mode 100644
index 000000000..f53f9cc20
--- /dev/null
+++ b/extensions/xssrays/config.yaml
@@ -0,0 +1,20 @@
+#
+# Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+beef:
+ extension:
+ xssrays:
+ enable: true
+ authors: ["antisnatchor"]
diff --git a/extensions/xssrays/extension.rb b/extensions/xssrays/extension.rb
new file mode 100644
index 000000000..47effa363
--- /dev/null
+++ b/extensions/xssrays/extension.rb
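Review bot: `hb = BeEF::Core::Models::HookedBrowser.first(:id => hb.id)` replaces the caller's object with a lookup that can return nil, and the very next query calls `hb.id` on the result; add `return if hb.nil?` directly after the re-fetch. The "not started" test and the later `xs.update(:is_started => true)` are separate statements with nothing serializing them, so two overlapping polls for the same browser can both pick the same scan and both inject the script — the TODO above touches on a related concern, but the hunk offers no atomic find-and-update helper to point at, so this is something to design rather than a one-line fix. `return if xs == nil || xs.is_started == true` re-tests a column the query already filtered on; `return if xs.nil?` is sufficient. The values interpolated into the `%Q{}` JavaScript (`xs.id`, `hb.session`, `beefurl`) come from the database and server configuration rather than the request, so the exposure is low, but passing them through a JS-string encoder such as `to_json` would keep the snippet well-formed should those fields ever contain a quote. The comment typo `mian` should read `main`.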
@@ -0,0 +1,29 @@
+#
+# Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+module BeEF
+module Extension
+module Xssrays
+
+end
+end
+end
+
+
+require 'extensions/xssrays/models/xssraysdetail'
+require 'extensions/xssrays/models/xssraysscan'
+require 'extensions/xssrays/api/scan'
+require 'extensions/xssrays/handler'
+require 'extensions/xssrays/api'
diff --git a/extensions/xssrays/handler.rb b/extensions/xssrays/handler.rb
new file mode 100644
index 000000000..7984ccda4
--- /dev/null
+++ b/extensions/xssrays/handler.rb
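Review bot: The empty `module BeEF / module Extension / module Xssrays` block ahead of the `require` lines carries no comment explaining why it exists; a one-liner such as `# Pre-declare the extension namespace so the files required below can reopen it` would spare a reader looking for a definition there. The `require` paths are absolute (`extensions/xssrays/...`) and so rely on the BeEF root being on `$LOAD_PATH`, which I assume the framework's extension loader guarantees.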
@@ -0,0 +1,64 @@
+#
+# Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+module BeEF
+module Extension
+module Xssrays
+
+ class Handler < WEBrick::HTTPServlet::AbstractServlet
+ attr_reader :guard
+
+ XS = BeEF::Core::Models::Xssraysscan
+ XD = BeEF::Core::Models::Xssraysdetail
+ HB = BeEF::Core::Models::HookedBrowser
+
+ #
+ # Class constructor
+ #
+ def initialize(data)
+ # we set up a mutex
+ @guard = Mutex.new
+ @data = data
+ setup()
+ end
+
+ def setup()
+
+ # validates the hook token
+ beef_hook = @data['beefhook'] || nil
+ raise WEBrick::HTTPStatus::BadRequest, "beefhook is null" if beef_hook.nil?
+
+ # validates the scan id
+ scan_id = @data['cid'] || nil
+ raise WEBrick::HTTPStatus::BadRequest, "Scan id (cid) is null" if request_id.nil?
+
+ # validates that a hooked browser with the beef_hook token exists in the db
+ hooked_browser = HB.first(:session => beef_hook) || nil
+ raise WEBrick::HTTPStatus::BadRequest, "Invalid beefhook id: the hooked browser cannot be found in the database" if hooked_browser.nil?
+
+ # update the XssRays scan table, marking the scan as finished
+ xssrays_scan = BeEF::Core::Models::Xssraysscan.first(:id => scan_id)
+
+ if(xssrays_scan != nil)
+ xssrays_scan.update(:is_finished => true, :scan_finish => Time.now)
+ print_info("[XSSRAYS] Scan id [#{xssrays_scan.id}] finished at [#{xssrays_scan.scan_finish}]")
+ end
+ end
+
+ end
+
+end
+end
+end
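Review bot: `raise WEBrick::HTTPStatus::BadRequest, "Scan id (cid) is null" if request_id.nil?` references `request_id`, which `setup` never defines, so every request hits a `NameError` there instead of the intended check; the guard should read `if scan_id.nil?`. The scan is then looked up by `cid` alone, so any caller presenting a valid `beefhook` token can mark any scan in the table finished, not only one belonging to that browser; `XS.first(:id => scan_id, :hooked_browser_id => hooked_browser.id)` would tie the two together and also use the `XS` alias the class declares but never uses (`XD` is unused as well). `@guard = Mutex.new` is created and exposed through `attr_reader :guard`, yet nothing synchronizes on it. The `|| nil` suffixes on `@data['beefhook']`, `@data['cid']` and `HB.first(...)` are no-ops, since a missing key or record already yields nil. The class defines no `do_GET`/`do_POST` and reads request parameters from the constructor argument, which is unusual for an `AbstractServlet` subclass — worth confirming that `data` really is the parsed query hash on each request.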
diff --git a/extensions/xssrays/models/xssraysdetail.rb b/extensions/xssrays/models/xssraysdetail.rb
new file mode 100644
index 000000000..edd463b5a
--- /dev/null
+++ b/extensions/xssrays/models/xssraysdetail.rb
@@ -0,0 +1,48 @@
+#
+# Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+module BeEF
+module Core
+module Models
+ #
+ # Store the rays details, basically verified XSS vulnerabilities
+ #
+ class Xssraysdetail
+
+ include DataMapper::Resource
+
+ storage_names[:default] = 'extension_xssrays_details'
+
+ property :id, Serial
+
+ # The hooked browser id
+ property :hooked_browser_id, Text, :lazy => false
+
+ # The XssRays vector name for the vulnerability
+ property :vector_name, Text, :lazy => true
+
+ # The XssRays vector method (GET or POST) for the vulnerability
+ property :vector_method, Text, :lazy => true
+
+ # The XssRays Proof of Concept for the vulnerability
+ property :vector_poc, Text, :lazy => true
+
+ property :scan_id, Text, :lazy => false
+
+ end
+
+end
+end
+end
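Review bot: `property :scan_id, Text, :lazy => false` is the only column in the model without a comment; suggest `# The Xssraysscan id this detail belongs to`. Both `hooked_browser_id` and `scan_id` are declared as `Text` although they hold ids of other records (this model's own `id` is `Serial`); if the referenced models use integer keys as well, an `Integer` property would avoid string/integer mismatches in lookups such as `first(:hooked_browser_id => hb.id)` used in api/scan.rb of this commit and let the database index them, but the referenced models' column types are not in this hunk, so confirm before changing.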