/// <summary>
/// Builds one <see cref="XAttackParam"/> per element of <paramref name="form"/>, in element order.
/// </summary>
/// <remarks>
/// Hidden inputs keep the value found on the page, "text"/"password"/"email" inputs receive
/// whatever <c>GetInjectionValue()</c> returns, and every other input type is sent empty.
/// The comparison on <c>Type</c> is case-sensitive.
/// </remarks>
/// <param name="form">Form whose <c>FormElements</c> are enumerated.</param>
/// <returns>One entry per form element, each tagged with that element's <c>Id</c>.</returns>
private XAttackParam[] ComputeAttackParams(Form form)
{
    var result = new List<XAttackParam>();

    foreach (var input in form.FormElements)
    {
        string value;
        switch (input.Type)
        {
            case "hidden":
                // Keep server-issued hidden values as they appeared on the page.
                value = input.Value;
                break;

            case "text":
            case "password":
            case "email":
                value = GetInjectionValue();
                break;

            default:
                value = "";
                break;
        }

        result.Add(new XAttackParam { Value = value, FormElementId = input.Id });
    }

    return result.ToArray();
}
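/// <summary>
/// Serialises the form's fields as <c>name=value</c> pairs joined with <c>&amp;</c>.
/// </summary>
/// <remarks>
/// For a "get" form the result is prefixed with "?" (and with "/" first when
/// <c>form.Action</c> does not end in "/"), and "submit" inputs are left out.
/// For any other method the bare pair list is returned for use as a request body.
/// </remarks>
/// <param name="attackParams">Values to send; indexed in step with <c>form.FormElements</c>.</param>
/// <param name="form">Form supplying field names, types, method and action.</param>
/// <returns>The encoded pair list, or an empty string when no field is emitted.</returns>
private string CreateAttackVector(XAttackParam[] attackParams, Form form)
{
    bool isGet = form.Method == "get";
    string postData = "";
    int index = 0;

    foreach (var element in form.FormElements)
    {
        if (!(isGet && element.Type == "submit"))
        {
            // Field names are encoded as well as values: a name containing '&', '=' or
            // a space would otherwise corrupt the pair list.
            postData += string.Format(
                "{0}={1}&",
                HttpUtility.UrlEncode(element.Name),
                HttpUtility.UrlEncode(attackParams[index].Value));
        }

        index++;
    }

    // A form with no inputs (or a "get" form holding only submit buttons) produces no
    // pairs; trimming the trailing '&' from an empty string used to throw.
    if (postData.Length == 0)
    {
        return postData;
    }

    postData = postData.Substring(0, postData.Length - 1);

    if (isGet)
    {
        postData = "?" + postData;

        // NOTE(review): this turns ".../page.php" into ".../page.php/?a=b", which many
        // servers route differently from ".../page.php?a=b". Kept as-is; confirm intent.
        if (!form.Action.EndsWith("/"))
        {
            postData = "/" + postData;
        }
    }

    return postData;
}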
/// <summary>
/// Reports whether the form's submission is expected to be echoed back in the response.
/// </summary>
/// <param name="form">Not inspected by the current implementation.</param>
/// <returns>Always <c>true</c>.</returns>
private bool HasReflectedResults(Form form)
{
    // NOTE(review): placeholder. No check is performed, so every form is treated as
    // reflecting its input and nothing is filtered out at this step.
    const bool assumeReflected = true;
    return assumeReflected;
}
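/// <summary>
/// Submits <paramref name="attackContent"/> to the form's action URL and returns the
/// HTML body of the response.
/// </summary>
/// <remarks>
/// Announces <c>AttackStarted</c> before the request and then either
/// <c>AttackFinished</c> (body returned) or <c>AttackHalted</c> (null returned).
/// </remarks>
/// <param name="form">Supplies <c>Action</c> (target URL) and <c>Method</c> ("get" or "post").</param>
/// <param name="attackContent">
/// Appended to the URL for "get"; written as the UTF-8 request body for "post".
/// </param>
/// <returns>
/// The response body, or <c>null</c> when the target is not an HTTP(S) URL, the request
/// raises a <see cref="WebException"/>, the status code is on the rejected list, or the
/// content type does not contain "text/html".
/// </returns>
private string DoAttack(Form form, string attackContent)
{
    try
    {
        SimpleXssAttackAnnounceItem announceItem = new SimpleXssAttackAnnounceItem(_xAttack, SimpleXssAttackStatus.AttackStarted, _sharedResource, "", DateTime.Now);
        OnAgentAttackAnnounced(announceItem);

        string target = form.Method == "get" ? form.Action + attackContent : form.Action;
        HttpWebRequest request = WebRequest.Create(target) as HttpWebRequest;

        // WebRequest.Create returns a non-HTTP request type for schemes such as file: or
        // ftp:, which makes the cast yield null. Halt instead of dereferencing it.
        if (request == null)
        {
            announceItem = new SimpleXssAttackAnnounceItem(_xAttack, SimpleXssAttackStatus.AttackHalted, _sharedResource, "", DateTime.Now);
            OnAgentAttackAnnounced(announceItem);
            return null;
        }

        request.Timeout = 100000; // milliseconds
        request.UserAgent = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)";
        // NOTE(review): redirects are followed and nothing in this method compares the
        // final host with the assessment scope. Confirm that the caller restricts
        // form.Action to in-scope hosts before this point.
        request.AllowAutoRedirect = true;
        request.KeepAlive = false;

        if (form.Method == "post")
        {
            // NOTE(review): an empty Content-Type is sent with a form-encoded body; servers
            // commonly ignore such a body. Left unchanged; confirm whether this is intended.
            request.ContentType = "";
            byte[] data = Encoding.UTF8.GetBytes(attackContent);
            request.ContentLength = data.Length;
            using (Stream stream = request.GetRequestStream())
            {
                stream.Write(data, 0, data.Length);
            }
        }

        using (HttpWebResponse response = request.GetResponse() as HttpWebResponse)
        {
            // The original test chained "status != X" clauses with ||, which is true for
            // every status code. The list is now applied as an actual deny list.
            bool rejectedStatus;
            switch (response.StatusCode)
            {
                case HttpStatusCode.NotFound:
                case HttpStatusCode.BadGateway:
                case HttpStatusCode.BadRequest:
                case HttpStatusCode.Forbidden:
                case HttpStatusCode.GatewayTimeout:
                case HttpStatusCode.Gone:
                case HttpStatusCode.InternalServerError:
                case HttpStatusCode.NotAcceptable:
                    rejectedStatus = true;
                    break;
                default:
                    rejectedStatus = false;
                    break;
            }

            if (!rejectedStatus && response.ContentType.Contains("text/html"))
            {
                using (StreamReader sr = new StreamReader(response.GetResponseStream()))
                {
                    string resp = sr.ReadToEnd();
                    _sharedResource.IncrementAttacks();
                    announceItem = new SimpleXssAttackAnnounceItem(_xAttack, SimpleXssAttackStatus.AttackFinished, _sharedResource, "", DateTime.Now);
                    OnAgentAttackAnnounced(announceItem);
                    return resp;
                }
            }

            announceItem = new SimpleXssAttackAnnounceItem(_xAttack, SimpleXssAttackStatus.AttackHalted, _sharedResource, "", DateTime.Now);
            OnAgentAttackAnnounced(announceItem);
            return null;
        }
    }
    catch (WebException)
    {
        // Timeouts, connection failures and protocol errors all end the attempt the same way.
        SimpleXssAttackAnnounceItem announceItem = new SimpleXssAttackAnnounceItem(_xAttack, SimpleXssAttackStatus.AttackHalted, _sharedResource, "", DateTime.Now);
        OnAgentAttackAnnounced(announceItem);
        return null;
    }
}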
/// <summary>
/// Factory for a <see cref="Form"/> whose required properties are set up front.
/// </summary>
/// <param name="id">Initial value of the Id property.</param>
/// <param name="webpageId">Initial value of the WebpageId property.</param>
/// <param name="action">Initial value of the Action property.</param>
/// <param name="method">Initial value of the Method property.</param>
/// <returns>The newly created form; it is not attached to any context here.</returns>
public static Form CreateForm(global::System.Int32 id, global::System.Int32 webpageId, global::System.String action, global::System.String method)
{
    // The initializer assigns the properties in the same order as before.
    return new Form
    {
        Id = id,
        WebpageId = webpageId,
        Action = action,
        Method = method
    };
}
/// <summary>
/// Deprecated method for adding a new object to the Forms EntitySet. Consider using the
/// .Add method of the associated ObjectSet&lt;T&gt; property instead.
/// </summary>
/// <param name="form">Entity handed to <c>base.AddObject</c> under the entity-set name "Forms".</param>
public void AddToForms(Form form)
{
    base.AddObject("Forms", form);
}
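/// <summary>
/// Parses <c>page.Html</c> and returns every &lt;form&gt; that has a usable action URL,
/// together with its &lt;input&gt; elements.
/// </summary>
/// <remarks>
/// Announces <c>ExtractingFormsStarted</c> / <c>ExtractingFormsFinished</c> and adds the
/// number of forms found to the shared counter. A missing, empty or fragment-only
/// <c>action</c> resolves to <c>page.Url</c>. Missing <c>method</c> and <c>type</c>
/// attributes fall back to the HTML defaults ("get" and "text"). Both are lower-cased
/// because HTML treats them case-insensitively.
/// </remarks>
/// <param name="page">Page supplying the HTML and the base URL.</param>
/// <returns>The extracted forms; empty when the page has none.</returns>
private Form[] ExtractForms(Webpage page)
{
    CrawlAnnounceItem item = new CrawlAnnounceItem(page, CrawlStatus.ExtractingFormsStarted, null, DateTime.Now, _sharedResource);
    OnCrawlAnnounced(item);

    List<Form> found = new List<Form>();

    // ElementsFlags is static, so this changes how <form> is parsed for the whole process.
    // Without it the parser does not nest <input> nodes under their <form>.
    HtmlNode.ElementsFlags.Remove("form");
    HtmlDocument htmlDocument = new HtmlDocument();
    htmlDocument.LoadHtml(page.Html);

    foreach (HtmlNode formNode in htmlDocument.DocumentNode.Descendants("form"))
    {
        Form form = new Form();

        string actionValue = AttributeOrDefault(formNode, "action", "");
        string uri = (actionValue == "" || actionValue.StartsWith("#")) ? page.Url : actionValue;

        // NOTE(review): an absolute action is accepted whatever host it names; nothing here
        // compares it with the host of page.Url. Confirm that a scope filter runs before
        // these forms are submitted anywhere.
        if (Uri.IsWellFormedUriString(uri, UriKind.Absolute))
        {
            form.Action = uri;
        }
        else if (Uri.IsWellFormedUriString(uri, UriKind.Relative))
        {
            form.Action = UnifyUri(page, uri);
        }

        if (form.Action == null)
        {
            continue;
        }

        // <form> without a method attribute used to raise NullReferenceException.
        string method = AttributeOrDefault(formNode, "method", "").Trim().ToLowerInvariant();
        form.Method = method.Length == 0 ? "get" : method;

        foreach (HtmlNode inputNode in formNode.Descendants("input"))
        {
            FormElement element = new FormElement();
            element.Name = AttributeOrDefault(inputNode, "name", "");
            element.Value = AttributeOrDefault(inputNode, "value", "");

            // <input> without a type attribute used to raise NullReferenceException.
            string type = AttributeOrDefault(inputNode, "type", "").Trim().ToLowerInvariant();
            element.Type = type.Length == 0 ? "text" : type;

            form.FormElements.Add(element);
        }

        found.Add(form);
    }

    _sharedResource.AddTotalFormsFound(found.Count);
    // The message below is Persian for "This page has {0} forms."
    item = new CrawlAnnounceItem(page, CrawlStatus.ExtractingFormsFinished, string.Format("این صفحه دارای {0} فرم می باشد.", found.Count), DateTime.Now, _sharedResource);
    OnCrawlAnnounced(item);
    return found.ToArray();
}

// Returns the attribute's value, or the fallback when the attribute is absent.
private static string AttributeOrDefault(HtmlNode node, string attributeName, string fallback)
{
    HtmlAttribute attribute = node.Attributes[attributeName];
    return (attribute == null || attribute.Value == null) ? fallback : attribute.Value;
}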
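/// <summary>
/// Attaches to <paramref name="page"/> every form that has not been seen before.
/// </summary>
/// <remarks>
/// A form's identity is the string "action:method" followed by ":name:value" for each
/// of its elements. The whole check-and-add runs under <c>_sharedResource.SharedLock</c>.
/// </remarks>
/// <param name="page">Page whose <c>Forms</c> collection receives the new forms.</param>
/// <param name="forms">Candidate forms extracted from the page.</param>
private void AddFormsToPage(Webpage page, Form[] forms)
{
    lock (_sharedResource.SharedLock)
    {
        foreach (Form form in forms)
        {
            // NOTE(review): ':' also occurs inside URLs and field values, so two different
            // forms can in principle produce the same key. SharedFormHash receives the full
            // key string; no hashing happens in this method.
            string id = form.Action + ":" + form.Method;
            foreach (var element in form.FormElements)
            {
                id += ":" + element.Name + ":" + element.Value;
            }

            if (_sharedResource.SharedFormHash.Contains(id))
            {
                Console.WriteLine("Duplicated Form");
                continue;
            }

            page.Forms.Add(form);
            _sharedResource.SharedFormHash.Add(id);
        }
    }
}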