Added browser validation for 0 false positives

s0md3v · May 1, 2019 · 0e8a75b · 0e8a75b
2 parents 5a6d773 + 8e00a32
commit 0e8a75b
Show file tree

Hide file tree

Showing 4 changed files with 77 additions and 19 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -1,9 +1,18 @@
 language: python
 cache: pip
+env:
+  - MOZ_HEADLESS=1
+addons:
+  firefox: latest
 os:
   - linux
 python:
   - 3.6
+before_install:
+  - wget https://github.com/mozilla/geckodriver/releases/download/v0.24.0/geckodriver-v0.24.0-linux64.tar.gz
+  - mkdir geckodriver
+  - tar -xzf geckodriver-v0.24.0-linux64.tar.gz -C geckodriver
+  - export PATH=$PATH:$PWD/geckodriver
 install:
   - pip install -r requirements.txt
   - pip install flake8

diff --git a/core/browserEngine.py b/core/browserEngine.py
@@ -0,0 +1,56 @@
+import re
+import os
+import sys
+
+from core.log import setup_logger
+from core.utils import writer
+from selenium import webdriver
+from selenium.webdriver.firefox.options import Options
+from selenium.common.exceptions import UnexpectedAlertPresentException
+from selenium.webdriver.support import expected_conditions as EC
+
+
+def init_browser():
+    global browser
+    options = Options()
+    options.add_argument('--headless')
+    browser = webdriver.Firefox(options=options)
+
+
+def kill_browser():
+    if browser is not None:
+        browser.quit()
+
+
+def browser_engine(response):
+    _write_response_to_file(response)
+    navigate_to('file://' + sys.path[0] + '/test.html')
+    os.remove('test.html')
+    popUp = False
+    actions = webdriver.ActionChains(browser)
+
+    try:
+        actions.move_by_offset(2, 2)
+        actions.perform()
+        if EC.alert_is_present():
+            popUp = True
+
+    except UnexpectedAlertPresentException:
+        popUp = True
+
+    return popUp
+
+
+def _write_response_to_file(response):
+    response = re.sub(r'<script.*?src=.*?>', '<script src=#>', response, re.I)
+    response = re.sub(r'href=.*?>', 'href=#>', response, re.I)
+    writer(response, 'test.html')
+
+
+def navigate_to(uri):
+    if browser is None:
+        init_browser()
+        browser.get(uri)
+
+
+
diff --git a/modes/scan.py b/modes/scan.py
@@ -3,6 +3,7 @@
 from urllib.parse import urlparse, quote, unquote
 
 from core.arjun import arjun
+from core.browserEngine import browser_engine, kill_browser, init_browser
 from core.checker import checker
 from core.colors import good, bad, end, info, green, red, que
 import core.config
@@ -32,6 +33,9 @@ def scan(target, paramData, encoding, headers, delay, timeout, skipDOM, find, sk
     logger.debug('Scan target: {}'.format(target))
     response = requester(target, {}, headers, GET, delay, timeout).text
 
+    # initialize browser
+    init_browser()
+
     if not skipDOM:
         logger.run('Checking for DOM vulnerabilities')
         highlighted = dom(response)
@@ -94,30 +98,18 @@ def scan(target, paramData, encoding, headers, delay, timeout, skipDOM, find, sk
             for vect in vects:
                 if core.config.globalVariables['path']:
                     vect = vect.replace('/', '%2F')
-                loggerVector = vect
                 progress += 1
                 logger.run('Progress: %i/%i\r' % (progress, total))
                 if not GET:
                     vect = unquote(vect)
-                efficiencies = checker(
-                    url, paramsCopy, headers, GET, delay, vect, positions, timeout, encoding)
-                if not efficiencies:
-                    for i in range(len(occurences)):
-                        efficiencies.append(0)
-                bestEfficiency = max(efficiencies)
-                if bestEfficiency == 100 or (vect[0] == '\\' and bestEfficiency >= 95):
-                    logger.red_line()
-                    logger.good('Payload: %s' % loggerVector)
-                    logger.info('Efficiency: %i' % bestEfficiency)
-                    logger.info('Confidence: %i' % confidence)
+                response = requester(url, paramsCopy, headers, GET, delay, timeout).text
+                success = browser_engine(response)
+                if success:
+                    logger.good('Payload: %s' % vect)
                     if not skip:
-                        choice = input(
-                            '%s Would you like to continue scanning? [y/N] ' % que).lower()
+                        choice = input('%s Would you like to continue scanning? [y/N] ' % que).lower()
                         if choice != 'y':
+                            kill_browser()
                             quit()
-                elif bestEfficiency > minEfficiency:
-                    logger.red_line()
-                    logger.good('Payload: %s' % loggerVector)
-                    logger.info('Efficiency: %i' % bestEfficiency)
-                    logger.info('Confidence: %i' % confidence)
         logger.no_format('')
+    kill_browser()
diff --git a/requirements.txt b/requirements.txt
@@ -1,3 +1,4 @@
+selenium
 tld
 fuzzywuzzy
 requests