# frozen_string_literal: true
# frozen_string_literal: true
#
# ronin-vulns - A Ruby library for blind vulnerability testing.
#
# Copyright (c) 2022 Hal Brodigan (postmodern.mod3 at gmail.com)
#
# ronin-vulns is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published
# by the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ronin-vulns is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with ronin-vulns. If not, see .
#
require 'ronin/vulns/web_vuln'
module Ronin
module Vulns
class ReflectedXSS < WebVuln
#
# Represents information about the context which the XSS occurs within.
#
class Context
# Where in the HTML the XSS occurs.
#
# @return [:double_quoted_attr_value, :single_quoted_attr_value, :unquoted_attr_value, :attr_name, :attr_list, :tag_name, :tag_body]
# The context which the XSS occurs in.
# * `:tag_body` occurred within a tag's body (ex: `XSS...`)
# * `:double_quoted_attr_value` - occurred in a double quoted
# attribute value (ex: `...`)
# * `:single_quoted_attr_value` - occurred in a single quoted
# attribute value (ex: `...`)
# * `:unquoted_attr_value` - occurred in an unquoted attribute value
# (ex: `...`)
# * `:attr_name` - occurred in an attribute name
# (ex: ``)
# * `:attr_list` - occurred in the attribute list
# (ex: `...`)
# * `:tag_name` - occurred in the tag name (ex: `...`)
#
# @api public
attr_reader :location
# The name of the parent tag which the XSS occurs in.
#
# @return [String]
#
# @api public
attr_reader :tag
# The attribute name that the XSS occurs in.
#
# @return [String, nil]
#
# @api public
attr_reader :attr
#
# Initializes the context.
#
# @param [:double_quoted_attr_value, :single_quoted_attr_value, :unquoted_attr_value, :attr_name, :attr_list, :tag_name, :tag_body] location
#
# @param [String] tag
#
# @param [String, nil] attr
#
# @api private
#
def initialize(location, tag: nil, attr: nil)
@location = location
@tag = tag
@attr = attr
end
# HTML identifier regexp
#
# @api private
IDENTIFIER = /[A-Za-z0-9_-]+/
# HTML attribute name regexp.
#
# @api private
ATTR_NAME = IDENTIFIER
# HTML attribute regexp.
#
# @api private
ATTR = /#{ATTR_NAME}(?:\s*=\s*"[^"]+"|\s*=\s*'[^']+'|=[^"'\s]+)?/
# HTML attribute list regexp.
#
# @api private
ATTR_LIST = /(?:\s+#{ATTR})*/
# HTML tag name regexp.
#
# @api private
TAG_NAME = IDENTIFIER
# Regexp matching when an XSS occurs within a tag's inner HTML.
#
# @api private
IN_TAG_BODY = %r{<(#{TAG_NAME})#{ATTR_LIST}\s*(?:>|/>)[^<>]*\z}
# Regexp matching when an XSS occurs within a double-quoted attribute
# value.
#
# @api private
IN_DOUBLE_QUOTED_ATTR_VALUE = %r{<(#{TAG_NAME})#{ATTR_LIST}\s+(#{ATTR_NAME})\s*=\s*"[^"]+\z}
# Regexp matching when an XSS occurs within a single-quoted attribute
# value.
#
# @api private
IN_SINGLE_QUOTED_ATTR_VALUE = %r{<(#{TAG_NAME})#{ATTR_LIST}\s+(#{ATTR_NAME})\s*=\s*'[^']+\z}
# Regexp matching when an XSS occurs within an unquoted attribute value.
#
# @api private
IN_UNQUOTED_ATTR_VALUE = %r{<(#{TAG_NAME})#{ATTR_LIST}\s+(#{ATTR_NAME})=[^"'\s]+\z}
# Regexp matching when an XSS occurs within an attribute's name.
#
# @api private
IN_ATTR_NAME = %r{<(#{TAG_NAME})#{ATTR_LIST}\s+(#{ATTR_NAME})\z}
# Regexp matching when an XSS occurs within a tag's attribute list.
#
# @api private
IN_ATTR_LIST = %r{<(#{TAG_NAME})#{ATTR_LIST}\s+\z}
# Regexp matching when an XSS occurs within a tag's name.
#
# @api private
IN_TAG_NAME = %r{<(#{TAG_NAME})\z}
#
# Determine the context of the XSS by checking the characters that come
# before the given index.
#
# @param [String] body
# The HTML response body to inspect.
#
# @param [Integer] index
# The index which the XSS occurs at.
#
# @return [Context]
# The context which the XSS occurs in.
#
# @api private
#
def self.identify(body,index)
prefix = body[0,index]
if (match = prefix.match(IN_TAG_BODY))
new(:tag_body, tag: match[1])
elsif (match = prefix.match(IN_DOUBLE_QUOTED_ATTR_VALUE))
new(:double_quoted_attr_value, tag: match[1], attr: match[2])
elsif (match = prefix.match(IN_SINGLE_QUOTED_ATTR_VALUE))
new(:single_quoted_attr_value, tag: match[1], attr: match[2])
elsif (match = prefix.match(IN_UNQUOTED_ATTR_VALUE))
new(:unquoted_attr_value, tag: match[1], attr: match[2])
elsif (match = prefix.match(IN_ATTR_NAME))
new(:attr_name, tag: match[1], attr: match[2])
elsif (match = prefix.match(IN_ATTR_LIST))
new(:attr_list, tag: match[1])
elsif (match = prefix.match(IN_TAG_NAME))
new(:tag_name, tag: match[1])
end
end
# The minimum set of required characters needed for an XSS.
#
# @api private
MINIMAL_REQUIRED_CHARS = Set['>', ' ', '/', '<']
# The mapping of contexts and their required characters.
#
# @api private
REQUIRED_CHARS = {
double_quoted_attr_value: MINIMAL_REQUIRED_CHARS + ['"'],
single_quoted_attr_value: MINIMAL_REQUIRED_CHARS + ["'"],
unquoted_attr_value: MINIMAL_REQUIRED_CHARS,
attr_name: MINIMAL_REQUIRED_CHARS,
attr_list: MINIMAL_REQUIRED_CHARS,
tag_name: MINIMAL_REQUIRED_CHARS,
tag_body: MINIMAL_REQUIRED_CHARS
}
#
# Determines if the XSS is viable, given the context and the allowed
# characters.
#
# @param [Set] allowed_chars
# The allowed characters.
#
# @return [Boolean]
# Specifies whether enough characters are allowed to perform an XSS in
# the given context.
#
# @api private
#
def viable?(allowed_chars)
required_chars = REQUIRED_CHARS.fetch(@location) do
raise(NotImplementedError,"cannot determine viability for unknown XSS location type: #{@location.inspect}")
end
allowed_chars.superset?(required_chars)
end
end
end
end
end