248 check for xss eg using httpsgithubcomhahwuldalfox

artemis/modules/dalfox.py

@@ -0,0 +1,138 @@
+#!/usr/bin/env python3
+import json
+import os
+import subprocess
+import tempfile
+import urllib
+from typing import Any, Dict, List, Tuple
+from urllib.parse import unquote
+
+from karton.core import Task
+
+from artemis.binds import Service, TaskStatus, TaskType
+from artemis.config import Config
+from artemis.module_base import ArtemisBase
+from artemis.task_utils import get_target_url
+
+
+class DalFox(ArtemisBase):
+    """
+    Running the Dalfox tool to scan for XSS vulnerabilities."""
+
+    identity = "dalfox"
+    filters = [
+        {"type": TaskType.SERVICE.value, "service": Service.HTTP.value},
+    ]
+    dalfox_vulnerability_types = {"V": "Verify", "R": "Reflected", "G": "Grep"}
+
+    def __init__(self, *args: Any, **kwargs: Any):
+        super().__init__(*args, **kwargs)
+
+    @staticmethod
+    def _strip_query_string(url: str) -> str:
+        url_parsed = urllib.parse.urlparse(url)
+        return urllib.parse.urlunparse(url_parsed._replace(query="", fragment=""))
+
+    def prepare_output(self, vulnerabilities: List[Dict[str, Any]]) -> Tuple[List[str], List[Dict[str, Any]]]:
+        message: List[Any] = []
+        result: List[Any] = []
+
+        for vulnerability in (vuln for vuln in vulnerabilities if vuln != {}):
+            # Vulnerability - data concerning a single XSS vulnerability from the list found by the Dalfox module.
+            # In the loop instruction, I remove duplicates and the empty result that Dalfox generates at the last
+            # position of the results.
+            flag = any(
+                (
+                    (vulnerability.get("param") in result_single_data.values())
+                    and (vulnerability.get("type") in result_single_data.values())
+                    and (vulnerability["data"].split("?")[0] == result_single_data["url"].split("?")[0])
+                )
+                for result_single_data in result
+            )
+
+            if not flag:
+                data = {
+                    "param": vulnerability.get("param"),
+                    "evidence": unquote(vulnerability["evidence"]),
+                    "type": vulnerability.get("type"),
+                    "url": unquote(vulnerability["data"]),
+                    "type_name": self.dalfox_vulnerability_types.get(vulnerability["type"]),
+                }
+                result.append(data)
+                message.append(
+                    f"On  {unquote(vulnerability['data'])} we identified an XSS vulnerability ("
+                    f"type: {self.dalfox_vulnerability_types.get(vulnerability['type'])}) in "
+                    f"the parameter: {vulnerability.get('param')}. "
+                )
+
+        result.sort(key=lambda x: x["param"])
+        return message, result
+
+    def scan(self, links_file_path: str, targets: List[str]) -> List[Dict[str, Any]]:
+        vulnerabilities = []
+
+        if Config.Miscellaneous.CUSTOM_USER_AGENT:
+            additional_configuration = ["--user-agent", Config.Miscellaneous.CUSTOM_USER_AGENT]
+        else:
+            additional_configuration = []
+
+        if Config.Limits.REQUESTS_PER_SECOND:
+            milliseconds_per_request = int((1 / Config.Limits.REQUESTS_PER_SECOND) * 1000.0)
+        else:
+            milliseconds_per_request = 0
+
+        try:
+            command = [
+                "dalfox",
+                "--debug",
+                "--delay",
+                f"{milliseconds_per_request}",
+                "file",
+                links_file_path,
+                "--method",
+                "GET",
+                "--worker",
+                "1",
+                "--format",
+                "json",
+            ] + additional_configuration
+            self.log.info(f"Running command: {' '.join(command)}")
+
+            result = subprocess.run(
+                command,
+                capture_output=True,
+                text=True,
+            )
+            vulnerabilities = json.loads(result.stdout)
+        except subprocess.CalledProcessError as e:
+            self.log.error(f"Error when running DalFox: {e}")
+
+        return vulnerabilities
+
+    def run(self, current_task: Task) -> None:
+        url = get_target_url(current_task)
+        self.log.info(url)
+
+        # TODO: until we don't increase the speed, let's keep only the homepage for dalfox check
+        links = [url]
+
+        _, path_to_file_with_links = tempfile.mkstemp()
+        with open(path_to_file_with_links, "w") as file:
+            file.write("\n".join(links))
+
+        vulnerabilities = self.scan(links_file_path=path_to_file_with_links, targets=links)
+        message, result = self.prepare_output(vulnerabilities)
+        os.unlink(path_to_file_with_links)
+
+        if message:
+            status = TaskStatus.INTERESTING
+            status_reason = ", ".join(message)
+        else:
+            status = TaskStatus.OK
+            status_reason = None
+
+        self.db.save_task_result(task=current_task, status=status, status_reason=status_reason, data={"result": result})
+
+
+if __name__ == "__main__":
+    DalFox().loop()

artemis/reporting/modules/dalfox/reporter.py

@@ -0,0 +1,57 @@
+import os
+from typing import Any, Dict, List
+
+from artemis.reporting.base.language import Language
+from artemis.reporting.base.report import Report
+from artemis.reporting.base.report_type import ReportType
+from artemis.reporting.base.reporter import Reporter
+from artemis.reporting.base.templating import ReportEmailTemplateFragment
+from artemis.reporting.utils import get_top_level_target
+
+
+class DalFoxReporter(Reporter):
+    """
+    Running a report with data generated using the Dalfox tool, which scans URLs for XSS vulnerabilities.
+    """
+
+    XSS = ReportType("xss")
+
+    @staticmethod
+    def get_alerts(all_reports: List[Report]) -> List[str]:
+        result = []
+
+        for report in all_reports:
+            if report.report_type == DalFoxReporter.XSS:
+                result.append(
+                    f"As Dalfox is a new module, verify whether the problem on {report.target} is indeed a true positive."
+                )
+        return result
+
+    @staticmethod
+    def create_reports(task_result: Dict[str, Any], language: Language) -> List[Report]:
+        if task_result["headers"]["receiver"] != "dalfox":
+            return []
+
+        if not task_result["status"] == "INTERESTING":
+            return []
+
+        if not isinstance(task_result["result"], dict):
+            return []
+
+        return [
+            Report(
+                top_level_target=get_top_level_target(task_result),
+                target=f"{task_result['payload']['host']}",
+                report_type=DalFoxReporter.XSS,
+                additional_data=task_result["result"],
+                timestamp=task_result["created_at"],
+            )
+        ]
+
+    @staticmethod
+    def get_email_template_fragments() -> List[ReportEmailTemplateFragment]:
+        return [
+            ReportEmailTemplateFragment.from_file(
+                os.path.join(os.path.dirname(__file__), "template_xss.jinja2"), priority=7
+            )
+        ]

artemis/reporting/modules/dalfox/template_xss.jinja2

@@ -0,0 +1,30 @@
+{% if "xss" in data.contains_type %}
+    <li>
+        {% trans trimmed %}We identified that the following URLs contain XSS vulnerabilities:{% endtrans %}
+
+        <ul>
+            {% for report in data.reports %}
+                {% if report.report_type == "xss" %}
+                    {% for message in report.additional_data.result %}
+                         <li>
+                            {{ message.url }}: {% trans trimmed %}we identified an XSS vulnerability in:{% endtrans %}
+                                <b>{{ message.param }}</b>
+                                ({% trans trimmed %}example:{% endtrans %} {{ message.evidence }}).
+                            </p>
+                            </li>
+                        {% endfor %}
+                    </ul>
+                {% endif %}
+            {% endfor %}
+        </ul>
+
+        {% trans trimmed %}
+            A Cross-Site Scripting vulnerability allows an attacker to craft a link that, when clicked by an administrator,
+            performs any action with their permissions (such as modifying content).
+        {% endtrans %}
+        {% trans trimmed %}
+            The above examples are automatically generated - contact us if they aren't sufficient for
+            you to reproduce the vulnerability.
+        {% endtrans %}
+    </li>
+{% endif %}

artemis/reporting/modules/dalfox/translations/en_US/LC_MESSAGES/messages.po

@@ -0,0 +1,24 @@
+#: artemis/reporting/modules/dalfox/template_xss.jinja2:3
+msgid "We identified that the following URLs contain XSS vulnerabilities:"
+msgstr ""
+
+#: artemis/reporting/modules/dalfox/template_xss.jinja2:10
+msgid "we identified an XSS vulnerability in:"
+msgstr ""
+
+#: artemis/reporting/modules/dalfox/template_xss.jinja2:12
+msgid "example:"
+msgstr ""
+
+#: artemis/reporting/modules/dalfox/template_xss.jinja2:21
+msgid ""
+"A Cross-Site Scripting vulnerability allows an attacker to craft a link "
+"that, when clicked by an administrator, performs any action with their "
+"permissions (such as modifying content)."
+msgstr ""
+
+#: artemis/reporting/modules/dalfox/template_xss.jinja2:25
+msgid ""
+"The above examples are automatically generated - contact us if they "
+"aren't sufficient for you to reproduce the vulnerability."
+msgstr ""

artemis/reporting/modules/dalfox/translations/pl_PL/LC_MESSAGES/messages.po

@@ -0,0 +1,29 @@
+#: artemis/reporting/modules/dalfox/template_xss.jinja2:3
+msgid "We identified that the following URLs contain XSS vulnerabilities:"
+msgstr "Wykryliśmy, że następujące adresy zawierają podatności XSS:"
+
+#: artemis/reporting/modules/dalfox/template_xss.jinja2:10
+msgid "we identified an XSS vulnerability in:"
+msgstr "zidentyfikowaliśmy podatność w:"
+
+#: artemis/reporting/modules/dalfox/template_xss.jinja2:12
+msgid "example:"
+msgstr "przykład:"
+
+#: artemis/reporting/modules/dalfox/template_xss.jinja2:21
+msgid ""
+"A Cross-Site Scripting vulnerability allows an attacker to craft a link "
+"that, when clicked by an administrator, performs any action with their "
+"permissions (such as modifying content)."
+msgstr ""
+"Podatność Cross-Site Scripting umożliwia atakującemu spreparowanie linku,"
+" który po kliknięciu przez administratora wykona dowolną akcję z jego "
+"uprawnieniami (taką jak np. modyfikacja treści)."
+
+#: artemis/reporting/modules/dalfox/template_xss.jinja2:25
+msgid ""
+"The above examples are automatically generated - contact us if they "
+"aren't sufficient for you to reproduce the vulnerability."
+msgstr ""
+"Powyższe przykłady są generowane automatycznie - prosimy o kontakt, jeśli"
+" nie są wystarczające, aby odtworzyć podatność po Państwa stronie."

artemis/reporting/severity.py

@@ -37,6 +37,7 @@ class Severity(str, Enum):
     ReportType("misconfigured_email"): Severity.MEDIUM,
     ReportType("old_drupal"): Severity.MEDIUM,
     ReportType("old_joomla"): Severity.MEDIUM,
+    ReportType("xss"): Severity.HIGH,
     # This doesn't mean that a version is insecure, as WordPress maintains a separate list
     # of insecure versions. This just means "turn on the automatic updates"
     ReportType("old_wordpress"): Severity.LOW,

docker-compose.test.yaml

@@ -196,6 +196,14 @@ services:
     volumes:
       - ./test/reporting/data/bruteable_files/htpasswd/:/var/www/html/
 
+  test_apache-with-xss:
+    build:
+      dockerfile: test/images/php-xss/Dockerfile
+    command: systemctl start apache2.service
+    volumes:
+      - ./test/data/dalfox/:/var/www/html/
+
+
   test-apache-with-sql-injection-postgres:
     build:
       dockerfile: test/images/php-postgres/Dockerfile

docker-compose.yaml

@@ -94,6 +94,16 @@ services:
     restart: always
     volumes: ["./docker/karton.ini:/etc/karton/karton.ini", "${DOCKER_COMPOSE_ADDITIONAL_SHARED_DIRECTORY:-./shared}:/shared/"]
 
+  karton-dalfox:
+    <<: *artemis-build-or-image
+    command: "python3 -m artemis.modules.dalfox"
+    depends_on: [karton-system, karton-logger]
+    env_file: .env
+    restart: always
+    volumes:
+      - "./docker/karton.ini:/etc/karton/karton.ini"
+      - "${DOCKER_COMPOSE_ADDITIONAL_SHARED_DIRECTORY:-./shared}:/shared/"
+
   karton-dashboard:
     depends_on: [karton-system, karton-logger]
     env_file: .env
@@ -281,6 +291,14 @@ services:
     restart: always
     volumes: ["./docker/karton.ini:/etc/karton/karton.ini", "${DOCKER_COMPOSE_ADDITIONAL_SHARED_DIRECTORY:-./shared}:/shared/"]
 
+  karton-sql_injection_detector:
+    <<: *artemis-build-or-image
+    command: "python3 -m artemis.modules.sql_injection_detector"
+    depends_on: [karton-system, karton-logger]
+    env_file: .env
+    restart: always
+    volumes: ["./docker/karton.ini:/etc/karton/karton.ini", "${DOCKER_COMPOSE_ADDITIONAL_SHARED_DIRECTORY:-./shared}:/shared/"]
+
   karton-ssh_bruter:
     <<: *artemis-build-or-image
     command: "python3 -m artemis.modules.ssh_bruter"
@@ -341,13 +359,6 @@ services:
     restart: always
     volumes: ["./docker/karton.ini:/etc/karton/karton.ini", "${DOCKER_COMPOSE_ADDITIONAL_SHARED_DIRECTORY:-./shared}:/shared/"]
 
-  karton-sql_injection_detector:
-    <<: *artemis-build-or-image
-    command: "python3 -m artemis.modules.sql_injection_detector"
-    depends_on: [karton-system, karton-logger]
-    env_file: .env
-    restart: always
-    volumes: ["./docker/karton.ini:/etc/karton/karton.ini", "${DOCKER_COMPOSE_ADDITIONAL_SHARED_DIRECTORY:-./shared}:/shared/"]
 
 
 volumes:

docker/Dockerfile

@@ -1,5 +1,8 @@
 FROM python:3.12-alpine3.20
 
+COPY --from=golang:1.23-alpine /usr/local/go/ /usr/local/go/
+ENV PATH="/usr/local/go/bin:$PATH"
+
 COPY docker/wait-for-it.sh /wait-for-it.sh
 COPY requirements.txt requirements.txt
 COPY docker/go.sum docker/go.mod /go/
@@ -8,13 +11,14 @@ ARG ADDITIONAL_REQUIREMENTS
 # remove some apk packages.
 # Whois here is important - if we wouldn't install it, we would default to busybox whois,
 # having different output making https://pypi.org/project/whoisdomain/ regexes fail.
-RUN apk add --no-cache --virtual .build-deps go gcc git libc-dev make libffi-dev libpcap-dev postgresql-dev && \
+RUN apk add --no-cache --virtual .build-deps gcc git libc-dev make libffi-dev libpcap-dev postgresql-dev && \
     apk add --no-cache bash libpcap libpq git subversion whois && \
     cd /go && \
     GOBIN=/usr/local/bin/ go install -modfile go.mod github.com/projectdiscovery/naabu/v2/cmd/naabu && \
     GOBIN=/usr/local/bin/ go install -modfile go.mod github.com/praetorian-inc/fingerprintx/cmd/fingerprintx && \
     GOBIN=/usr/local/bin/ go install -modfile go.mod github.com/lc/gau/v2/cmd/gau && \
     GOBIN=/usr/local/bin/ go install -modfile go.mod github.com/projectdiscovery/subfinder/v2/cmd/subfinder && \
+    GOBIN=/usr/local/bin/ go install -modfile go.mod github.com/hahwul/dalfox/v2 && \
     GOBIN=/usr/local/bin/ go install -modfile go.mod github.com/projectdiscovery/nuclei/v3/cmd/nuclei && \
     cd / && \
     git clone https://github.com/rfc-st/humble.git --branch master /humble && \