(Fixes issue 467) rewrote from scratch the XssRays handler, refactored JS and Ruby code, improved the whole thing.

git-svn-id: https://beef.googlecode.com/svn/trunk@1361 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9
2011-10-12 14:56:50 +00:00
parent 974c23916d
commit e22332e1f8
6 changed files with 84 additions and 98 deletions
--- a/extensions/xssrays/handler.rb
+++ b/extensions/xssrays/handler.rb
@@ -14,51 +14,76 @@
 #   limitations under the License.
 #
 module BeEF
-module Extension
-module Xssrays
+  module Extension
+    module Xssrays

-  class Handler < WEBrick::HTTPServlet::AbstractServlet
-    attr_reader :guard
-    
-    XS = BeEF::Core::Models::Xssraysscan
-    XD = BeEF::Core::Models::Xssraysdetail
-    HB = BeEF::Core::Models::HookedBrowser
+      class Handler < WEBrick::HTTPServlet::AbstractServlet

-    #
-    # Class constructor
-    #
-    def initialize(data)
-      # we set up a mutex
-      @guard = Mutex.new
-      @data = data
-      setup()
-    end
-    
-    def setup()
+        XS = BeEF::Core::Models::Xssraysscan
+        XD = BeEF::Core::Models::Xssraysdetail
+        HB = BeEF::Core::Models::HookedBrowser

-      # validates the hook token
-      beef_hook = @data['beefhook'] || nil
-      raise WEBrick::HTTPStatus::BadRequest, "beefhook is null" if beef_hook.nil?
-      
-      # validates the scan id
-      scan_id = @data['cid'] || nil
-      raise WEBrick::HTTPStatus::BadRequest, "Scan id (cid) is null" if scan_id.nil?
+        def do_GET(request, response)
+          @request = request

-      # validates that a hooked browser with the beef_hook token exists in the db
-      hooked_browser = HB.first(:session => beef_hook) || nil
-      raise WEBrick::HTTPStatus::BadRequest, "Invalid beefhook id: the hooked browser cannot be found in the database" if hooked_browser.nil?
-      
-      # update the XssRays scan table, marking the scan as finished
-      xssrays_scan = BeEF::Core::Models::Xssraysscan.first(:id => scan_id)
+          # verify if the request contains the hook token
+          # raise an exception if it's null or not found in the DB
+          beef_hook = get_param(@request.query, 'hbsess') || nil
+          raise WEBrick::HTTPStatus::BadRequest,
+                "[XSSRAYS] Invalid beefhook id: the hooked browser cannot be found in the database" if beef_hook.nil? || HB.first(:session => beef_hook) == nil

-      if(xssrays_scan != nil)
-         xssrays_scan.update(:is_finished => true, :scan_finish => Time.now)
-         print_info("[XSSRAYS] Scan id [#{xssrays_scan.id}] finished at [#{xssrays_scan.scan_finish}]")
+          rays_scan_id = get_param(@request.query, 'raysid') || nil
+          raise WEBrick::HTTPStatus::BadRequest, "[XSSRAYS] Raysid is null" if rays_scan_id.nil?
+
+          if (get_param(@request.query, 'action') == 'ray')
+            # we received a ray
+            parse_rays(rays_scan_id)
+          else
+            if (get_param(@request.query, 'action') == 'finish')
+              # we received a notification for finishing the scan
+              finalize_scan(rays_scan_id)
+            else
+              #invalid action
+              raise WEBrick::HTTPStatus::BadRequest, "[XSSRAYS] Invalid action"
+            end
+          end
+        end
+
+        # parse incoming rays: rays are verified XSS, as the attack vector is calling back BeEF when executed.
+        def parse_rays(rays_scan_id)
+          xssrays_scan = XS.first(:id => rays_scan_id)
+          hooked_browser = HB.first(:session => get_param(@request.query, 'hbsess'))
+
+          if (xssrays_scan != nil)
+            xssrays_detail = XD.new(
+                :hooked_browser_id => hooked_browser.id,
+                :vector_name => get_param(@request.query, 'n'),
+                :vector_method => get_param(@request.query, 'm'),
+                :vector_poc => get_param(@request.query, 'p'),
+                :xssraysscan_id => xssrays_scan.id
+            )
+            xssrays_detail.save
+          end
+          print_info("[XSSRAYS] Received ray from HB with ip [#{hooked_browser.ip.to_s}], hooked on domain [#{hooked_browser.domain.to_s}]")
+          print_debug("[XSSRAYS] Ray info: \n #{@request.query}")
+        end
+
+        # finalize the XssRays scan marking the scan as finished in the db
+        def finalize_scan(rays_scan_id)
+          xssrays_scan = BeEF::Core::Models::Xssraysscan.first(:id => rays_scan_id)
+
+          if (xssrays_scan != nil)
+            xssrays_scan.update(:is_finished => true, :scan_finish => Time.now)
+            print_info("[XSSRAYS] Scan id [#{xssrays_scan.id}] finished at [#{xssrays_scan.scan_finish}]")
+          end
+        end
+
+        #assist function for getting parameter from hash
+        def get_param(query, key)
+          return nil if query[key].nil?
+          query[key]
+        end
      end
    end
-
  end
-  
-end
-end
 end