Beispiel #1
0
        public void DomXssTestFalsePositiveResult()
        {
            const string TestUrl = @"http://www.bing.com/search?q=seattle";

            var propertyBag = new ConcurrentDictionary <int, bool>();

            var browserMock = CreateMockBrowser();

            browserMock
            .Setup(m => m.NavigateTo(It.IsAny <string>()))
            .Callback <string>(s => propertyBag[Thread.CurrentThread.ManagedThreadId] = s.Contains("alert()"));

            // some pages pop their own dialog boxes, we should ignore these
            string alertText = "** Expected message from the page **";

            browserMock
            .Setup(m => m.DismissedIfAlertDisplayed(out alertText))
            .Returns(() => propertyBag.ContainsKey(Thread.CurrentThread.ManagedThreadId) && propertyBag[Thread.CurrentThread.ManagedThreadId]);

            browserMock
            .SetupGet(m => m.PageSource)
            .Returns("pagesource");

            browserMock
            .SetupGet(m => m.Url)
            .Returns("http://foo");

            var factoryMock = new Mock <IBrowserFactory>();

            factoryMock
            .Setup(m => m.Create(It.IsAny <BrowserType>()))
            .Returns(browserMock.Object);

            ObjectResolver.RegisterType <IProcessManager, ProcessManager>();

            var browserManagerMock = this.CreateBrowserManager(new[] { BrowserType.Chrome });

            browserManagerMock
            .Setup(m => m.AcquireBrowser(It.Is <BrowserType>(b => b == BrowserType.Chrome)))
            .Returns(browserMock.Object);

            ObjectResolver.RegisterInstance(browserManagerMock.Object);

            var target   = Target.Create(TestUrl);
            var context  = new Context();
            var instance = new TestableDomXssTest();

            instance.Init(context, target);

            // introduce our known injection strings
            instance.InjectTestCaseStrings(new[] { "blah", "alert()", "foo" });

            // run the test
            instance.DoTests();

            // a vuln should be found
            instance.Vulnerabilities.ShouldNotBeNull();
            instance.Vulnerabilities.Count.ShouldEqual(0);
        }
Beispiel #2
0
        public void DomXssTestDoublePositiveResult()
        {
            ObjectResolver.RegisterType <IProcessManager, ProcessManager>();
            var browserInstances = new Dictionary <BrowserType, int> {
                { BrowserType.Chrome, 1 }
            };

            using (var browserManager = new BrowserManager(browserInstances))
            {
                ObjectResolver.RegisterInstance <IBrowserManager>(browserManager);

                var target = Target.Create($"{Constants.VulnerabilitiesAddress}ShowAlert2.aspx?q=xyz");

                var context  = new Context();
                var instance = new TestableDomXssTest();
                instance.Init(context, target);

                // introduce our known injection strings
                instance.InjectTestCaseStrings(new[] { "blah" });

                // run the test
                instance.DoTests();

                // a vuln should be found
                instance.Vulnerabilities.ShouldNotBeNull();
                instance.Vulnerabilities.Count.ShouldEqual(1);

                // the vuln record should be well formed
                var vuln = instance.Vulnerabilities.First();
                vuln.Level.ShouldEqual(0);
                vuln.TestedParam.ShouldEqual("q");
                vuln.TestedVal.ShouldEqual("blah");
                vuln.Evidence.ShouldEqual("Found by Chrome");
                vuln.TestPlugin.ShouldEqual("TestableDomXssTest");
                vuln.Title.ShouldEqual("DOM XSS - Script injection");

                // the http details should be consistent for browser generated request
                vuln.HttpResponse.ShouldNotBeNull();
                vuln.HttpResponse.Headers.Count.ShouldEqual(0);
                vuln.HttpResponse.RequestHeaders.ShouldEqual(string.Empty);
                vuln.HttpResponse.RequestAbsolutUri.ShouldEqual($"{Constants.VulnerabilitiesAddress}ShowAlert2.aspx?q=blah");
                vuln.HttpResponse.ResponseContent.ShouldNotBeNullOrEmpty();
                vuln.HttpResponse.ResponseUri.ShouldNotBeNull();
                vuln.HttpResponse.ResponseUri.ToString().ShouldEqual($"{Constants.VulnerabilitiesAddress}ShowAlert2.aspx?q=blah");
                vuln.HttpResponse.StatusCode.ShouldEqual(HttpStatusCode.OK);

                vuln.HttpResponse.HttpError.ShouldEqual(string.Empty);
            }
        }
Beispiel #3
0
        public void DomXssTestNegativeResult()
        {
            const string TestUrl = @"http://www.bing.com/search?q=seattle";

            var    browserMock = CreateMockBrowser();
            string alertText;

            browserMock
            .Setup(m => m.DismissedIfAlertDisplayed(out alertText))
            .Returns(false);

            var browserManagerMock = this.CreateBrowserManager(new[] { BrowserType.Chrome });

            browserManagerMock
            .Setup(m => m.AcquireBrowser(It.Is <BrowserType>(b => b == BrowserType.Chrome)))
            .Returns(browserMock.Object);

            ObjectResolver.RegisterInstance(browserManagerMock.Object);

            var target  = Target.Create(TestUrl);
            var context = new Context();

            var instance = new TestableDomXssTest();

            instance.Init(context, target);

            // introduce our known injection strings
            instance.InjectTestCaseStrings(new[] { "alert()", "alert2()" });

            // run the test
            instance.DoTests();

            // no vulns found
            instance.Vulnerabilities.ShouldNotBeNull();
            instance.Vulnerabilities.Count.ShouldEqual(0);

            // a browser was borrowed from the pool for request
            browserManagerMock.Verify(m => m.AcquireBrowser(It.Is <BrowserType>(b => b == BrowserType.Chrome)), Times.Exactly(2));

            // the browser requested the expected url combinations
            browserMock.Verify(m => m.NavigateTo(It.IsAny <string>()), Times.Exactly(2));
            browserMock.Verify(m => m.NavigateTo(It.Is <string>(u => u == @"http://www.bing.com/search?q=alert()")), Times.Once());
            browserMock.Verify(m => m.NavigateTo(It.Is <string>(u => u == @"http://www.bing.com/search?q=alert2()")), Times.Once());

            // each browser was returned to the pool
            browserManagerMock.Verify(m => m.ReleaseBrowser(It.Is <BrowserAbstract>(b => b == browserMock.Object)), Times.Exactly(2));
        }
Beispiel #4
0
        /// <summary>
        /// The dom xss test_integration_test.
        /// </summary>
        /// <param name="browserType">
        /// The browser type.
        /// </param>
        private void DomXssTestIntegrationTest(BrowserType browserType)
        {
            ObjectResolver.RegisterType <IProcessManager, ProcessManager>();

            var browserInstances = new Dictionary <BrowserType, int> {
                { browserType, 2 }
            };

            ObjectResolver.RegisterInstance <IBrowserManager>(new BrowserManager(browserInstances));

            var target   = Target.Create($"{Constants.VulnerabilitiesAddress}vuln_domxss.html?a=1");
            var context  = new Context();
            var instance = new TestableDomXssTest();

            instance.Init(context, target);

            // introduce our known injection strings
            instance.InjectTestCaseStrings(new[] { "alert(" + TestBaseHelper.AttackSignature + ")", "%22+onload=%22javascript:alert(" + TestBaseHelper.AttackSignature + ")%22" });

            instance.DoTests();

            // cleanly shutdown the browser manager
            var disposable = ObjectResolver.Resolve <IBrowserManager>() as IDisposable;

            Assert.IsNotNull(disposable);
            disposable.Dispose();

            // a vuln should be found
            instance.Vulnerabilities.ShouldNotBeNull();
            instance.Vulnerabilities.Count.ShouldEqual(1);

            // the vuln record should be well formed
            var vuln = instance.Vulnerabilities.First();

            vuln.Level.ShouldEqual(0);
            vuln.TestedParam.ShouldEqual("a");
            vuln.TestedVal.ShouldEqual("alert(" + TestBaseHelper.AttackSignature + ")");
            vuln.Evidence.ShouldEqual("Found by " + browserType);
            vuln.TestPlugin.ShouldStartWith("TestableDomXssTest");
            vuln.Title.ShouldEqual("DOM XSS - Script injection");

            instance.Vulnerabilities.Count(v => v.TestPlugin == "TestableDomXssTest")
            .ShouldEqual(1);
        }
Beispiel #5
0
        public void DomXssTestPassesAndReceivesCookiesCorrectly()
        {
            const string TestUrl = @"http://www.bing.com/search?q=seattle";
            var          url     = new Uri(TestUrl);

            // create our own cookies
            var expectedCookie1 = this.CreateTestCookie(1);
            var expectedCookie2 = this.CreateTestCookie(2);
            var expectedCookie3 = this.CreateTestCookie(3);
            var expectedCookie4 = this.CreateTestCookie(4);
            var expectedCookie5 = this.CreateTestCookie(5);

            var requestCollection = new CookieCollection {
                expectedCookie1, expectedCookie2, expectedCookie3
            };
            var responseCollection = new CookieCollection {
                expectedCookie4, expectedCookie5
            };

            var    browserMock = CreateMockBrowser();
            string alertText;

            browserMock
            .Setup(m => m.DismissedIfAlertDisplayed(out alertText))
            .Returns(true);

            browserMock
            .SetupGet(m => m.AllCookies)
            .Returns(responseCollection);

            browserMock
            .SetupGet(m => m.PageSource)
            .Returns("pagesource");

            browserMock
            .SetupGet(m => m.AlertMessageDisplayed)
            .Returns(new HashSet <string> {
                TestBaseHelper.AttackSignature
            });

            var browserManagerMock = this.CreateBrowserManager(new[] { BrowserType.Chrome });

            browserManagerMock
            .Setup(m => m.AcquireBrowser(It.Is <BrowserType>(b => b == BrowserType.Chrome)))
            .Returns(browserMock.Object);

            ObjectResolver.RegisterInstance(browserManagerMock.Object);

            var target = Target.Create(TestUrl);

            var context = new Context();

            context.CurrentCookies[url.Host] = requestCollection;

            var instance = new TestableDomXssTest();

            instance.Init(context, target);

            // introduce our known injection strings
            instance.InjectTestCaseStrings(new[] { "alert(" + TestBaseHelper.AttackSignature + ")" });

            // run the test
            instance.DoTests();
            var vuln = instance.Vulnerabilities.First();

            // the response cookies should be pulled back from the browser
            vuln.HttpResponse.Cookies.Count.ShouldEqual(responseCollection.Count);
            vuln.HttpResponse.Cookies[0].ShouldBeTheSameAs(expectedCookie4);
            vuln.HttpResponse.Cookies[1].ShouldBeTheSameAs(expectedCookie5);

            // The expected cookies were given to the browser
            this.CookieWasAddedToBrowser(browserMock, expectedCookie1);
            this.CookieWasAddedToBrowser(browserMock, expectedCookie2);
            this.CookieWasAddedToBrowser(browserMock, expectedCookie3);
        }
Beispiel #6
0
        public void DomXssTestPositiveResult()
        {
            const string TestUrl = @"http://www.bing.com/search?q=seattle";

            var propertyBag = new ConcurrentDictionary <int, bool>();

            var browserMock = CreateMockBrowser(browserType: BrowserType.Chrome);

            browserMock
            .Setup(m => m.NavigateTo(It.IsAny <string>()))
            .Callback <string>(s => propertyBag[Thread.CurrentThread.ManagedThreadId] = s.Contains("alert(456)"));

            string alertText;

            browserMock
            .Setup(m => m.DismissedIfAlertDisplayed(out alertText))
            .Returns(() => propertyBag.ContainsKey(Thread.CurrentThread.ManagedThreadId) && propertyBag[Thread.CurrentThread.ManagedThreadId]);

            browserMock
            .SetupGet(m => m.PageSource)
            .Returns("pagesource");

            browserMock
            .SetupGet(m => m.Url)
            .Returns("http://foo");

            browserMock
            .SetupGet(m => m.AlertMessageDisplayed)
            .Returns(new HashSet <string> {
                TestBaseHelper.AttackSignature
            });

            var factoryMock = new Mock <IBrowserFactory>();

            factoryMock
            .Setup(m => m.Create(It.IsAny <BrowserType>()))
            .Returns(browserMock.Object);

            ObjectResolver.RegisterType <IProcessManager, ProcessManager>();

            var browserManagerMock = this.CreateBrowserManager(new[] { BrowserType.Chrome });

            browserManagerMock
            .Setup(m => m.AcquireBrowser(It.Is <BrowserType>(b => b == BrowserType.Chrome)))
            .Returns(browserMock.Object);

            ObjectResolver.RegisterInstance(browserManagerMock.Object);

            var target = Target.Create(TestUrl);

            var context  = new Context();
            var instance = new TestableDomXssTest();

            instance.Init(context, target);

            // introduce our known injection strings
            instance.InjectTestCaseStrings(new[] { "blah", "alert(" + TestBaseHelper.AttackSignature + ")", "foo" });

            // run the test
            instance.DoTests();

            // the scan should have run on multiple threads.
            propertyBag.Count.ShouldBeGreaterThanOrEqualTo(1);

            // a vuln should be found
            instance.Vulnerabilities.ShouldNotBeNull();
            instance.Vulnerabilities.Count.ShouldEqual(3);

            // the vuln record should be well formed
            var vuln = instance.Vulnerabilities.First(t => t.TestedVal == "blah");

            vuln.Level.ShouldEqual(0);
            vuln.TestedParam.ShouldEqual("q");
            vuln.TestedVal.ShouldEqual("blah");
            vuln.Evidence.ShouldEqual("Found by Chrome");
            vuln.TestPlugin.ShouldEqual("TestableDomXssTest");
            vuln.Title.ShouldEqual("DOM XSS - Script injection");

            // the http details should be consistent for browser generated request
            vuln.HttpResponse.ShouldNotBeNull();
            vuln.HttpResponse.Headers.Count.ShouldEqual(0);
            vuln.HttpResponse.RequestHeaders.ShouldEqual(string.Empty);
            vuln.HttpResponse.RequestAbsolutUri.ShouldEqual("http://www.bing.com/search?q=blah");
            vuln.HttpResponse.RequestHost.ShouldEqual("www.bing.com");
            vuln.HttpResponse.ResponseContent.ShouldEqual(browserMock.Object.PageSource);
            vuln.HttpResponse.ResponseUri.ShouldNotBeNull();
            vuln.HttpResponse.ResponseUri.ToString().ShouldEqual("http://foo/");
            vuln.HttpResponse.StatusCode.ShouldEqual(HttpStatusCode.OK);

            vuln.HttpResponse.HttpError.ShouldEqual(string.Empty);

            // the browser requested all of the expected urls, even after a vuln was found
            browserMock.Verify(m => m.NavigateTo(It.Is <string>(u => u == @"http://www.bing.com/search?q=blah")), Times.Once());
            browserMock.Verify(m => m.NavigateTo(It.Is <string>(u => u == @"http://www.bing.com/search?q=alert(" + TestBaseHelper.AttackSignature + ")")), Times.Once());
            browserMock.Verify(m => m.NavigateTo(It.Is <string>(u => u == @"http://www.bing.com/search?q=foo")), Times.Once());
        }