=begin
    Copyright 2010-2013 Tasos Laskos <tasos.laskos@gmail.com>

    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
=end

#
# XSS audit module
#
# It doesn't just look for the injected XSS string in the HTML code
# but actually parses the code and looks for the injected element proper.
#
# @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
#
# @version 0.3.2
#
# @see http://cwe.mitre.org/data/definitions/79.html
# @see http://ha.ckers.org/xss.html
# @see http://secunia.com/advisories/9716/
#
class Arachni::Modules::XSS < Arachni::Module::Base

    def self.tag
        @tag ||= 'some_dangerous_input_' + seed
    end

    def self.strings
        @strings ||= [
            # straight injection
            '<' + tag + '/>',
            # go for an error
            '\'-;<' + tag + '/>',
            # break out of HTML comments
            '--> <' + tag + '/> <!--',
        ]
    end

    def self.opts
        @opts ||= {
            format:     [Format::APPEND | Format::STRAIGHT],
            flip_param: true
        }
    end

    def run
        self.class.strings.each do |str|
            audit( str, self.class.opts ) { |res, opts| check_and_log( res, opts ) }
        end
    end

    def check_and_log( res, opts )
        # if the body doesn't include the tag name at all bail out early
        return if !res.body || !res.body.include?( self.class.tag )

        # see if we managed to successfully inject our element in the doc tree
        return if Nokogiri::HTML( res.body ).css( self.class.tag ).empty?

        # Nokogiri seems to think that an HTML node inside a textarea is a node
        # and not just text, however I disagree.
        #
        # *But*, there's the possibility of being able to break out of the
        # textarea hence I'll leave this commented and sleep on it.
        #our_nodes.each { |node| return if !node.ancestors( 'textarea' ).empty? }

        opts[:match] = opts[:injected]
        log( opts, res )
    end

    def self.info
        {
            name:        'XSS',
            description: %q{Cross-Site Scripting module.
                It doesn't just look for the injected XSS string in the HMTL code
                but actually parses the code and looks for the injected element proper.
            },
            elements:    [Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER],
            author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
            version:     '0.3.2',
            references:  {
                'ha.ckers' => 'http://ha.ckers.org/xss.html',
                'Secunia'  => 'http://secunia.com/advisories/9716/'
            },
            targets:     %w(Generic),
            issue:       {
                name:            %q{Cross-Site Scripting (XSS)},
                description:     %q{Client-side code (like JavaScript) can
    be injected into the web application which is then returned to the user's browser.
    This can lead to a compromise of the client's system or serve as a pivoting point for other attacks.},
                tags:            %w(xss regexp injection script),
                cwe:             '79',
                severity:        Severity::HIGH,
                cvssv2:          '9.0',
                remedy_guidance: 'User inputs must be validated and filtered
    before being returned as part of the HTML code of a page.',
            }
        }
    end

end