From a5a81967923b865b92b26693e326826389d74e71 Mon Sep 17 00:00:00 2001 
From: zinduolis Date: Wed, 23 Oct 2024 16:07:17 +1000 Subject: [PATCH 01/24] Fix origin / domain terminology (#1688) --- core/main/ar-migrations/015_create_http.rb | 6 +- .../ar-migrations/025_create_xssrays_scan.rb | 2 +- core/main/client/lib/evercookie.js | 4 +- core/main/client/mitb.js | 2 +- core/main/client/net.js | 48 +- core/main/client/net/requester.js | 2 +- core/main/client/net/xssrays.js | 4 +- core/main/configuration.rb | 2 +- core/main/handlers/browserdetails.rb | 2 +- core/main/router/router.rb | 6 +- docs/BeefJS.html | 2 +- docs/are.js.html | 2 +- docs/beef.are.html | 2 +- docs/beef.browser.cookie.html | 2 +- docs/beef.browser.html | 2 +- docs/beef.browser.popup.html | 2 +- docs/beef.dom.html | 2 +- docs/beef.encode.base64.html | 2 +- docs/beef.encode.json.html | 2 +- docs/beef.geolocation.html | 2 +- docs/beef.hardware.html | 2 +- docs/beef.init.html | 2 +- docs/beef.js.html | 2 +- docs/beef.logger.html | 2 +- docs/beef.mitb.html | 2 +- docs/beef.net.connection.html | 2 +- docs/beef.net.cors.html | 2 +- docs/beef.net.dns.html | 2 +- docs/beef.net.html | 4 +- docs/beef.net.local.html | 2 +- docs/beef.net.portscanner.html | 2 +- docs/beef.net.requester.html | 2 +- docs/beef.net.xssrays.html | 2 +- docs/beef.os.html | 2 +- docs/beef.session.html | 2 +- docs/beef.timeout.html | 2 +- docs/beef.updater.html | 2 +- docs/beef.webrtc.html | 2 +- docs/beef.websocket.html | 2 +- docs/browser.js.html | 2 +- docs/browser_cookie.js.html | 2 +- docs/browser_popup.js.html | 2 +- docs/dom.js.html | 2 +- docs/encode_base64.js.html | 2 +- docs/encode_json.js.html | 2 +- docs/geolocation.js.html | 2 +- docs/global.html | 2 +- docs/hardware.js.html | 2 +- docs/index.html | 2 +- docs/init.js.html | 2 +- docs/lib_platform.js.html | 2 +- docs/logger.js.html | 2 +- docs/mitb.js.html | 4 +- docs/net.js.html | 50 +- docs/net_connection.js.html | 2 +- docs/net_cors.js.html | 2 +- docs/net_dns.js.html | 2 +- docs/net_local.js.html | 2 +- docs/net_portscanner.js.html | 2 +- 
docs/net_requester.js.html | 4 +- docs/net_xssrays.js.html | 6 +- docs/os.js.html | 2 +- docs/session.js.html | 2 +- docs/timeout.js.html | 2 +- docs/updater.js.html | 2 +- docs/webrtc.js.html | 2 +- docs/websocket.js.html | 2 +- .../javascript/ui/panel/ZombieDataGrid.js | 4 +- .../ui/panel/tabs/ZombieTabXssRays.js | 8 +- .../javascript/ui/panel/zombiesTreeList.js | 4 +- extensions/proxy/extension.rb | 2 +- extensions/proxy/proxy.rb | 4 +- extensions/requester/api/hook.rb | 4 +- extensions/requester/rest/requester.rb | 2 +- extensions/xssrays/api/scan.rb | 12 +- extensions/xssrays/config.yaml | 2 +- extensions/xssrays/handler.rb | 2 +- extensions/xssrays/rest/xssrays.rb | 22 +- .../ajax_fingerprint/command.js | 0 .../ajax_fingerprint/config.yaml | 0 .../ajax_fingerprint/module.rb | 0 .../alert_dialog/command.js | 0 .../alert_dialog/config.yaml | 0 .../alert_dialog/module.rb | 0 .../command.js | 0 .../config.yaml | 0 .../module.rb | 0 .../cisco_asa_password_disclosure/command.js | 0 .../cisco_asa_password_disclosure/config.yaml | 2 +- .../cisco_asa_password_disclosure/module.rb | 0 .../clear_console/command.js | 0 .../clear_console/config.yaml | 0 .../clear_console/module.rb | 0 .../deface_web_page/command.js | 0 .../deface_web_page/config.yaml | 0 .../deface_web_page/module.rb | 0 .../deface_web_page_component/command.js | 0 .../deface_web_page_component/config.yaml | 0 .../deface_web_page_component/module.rb | 0 .../disable_developer_tools/command.js | 0 .../disable_developer_tools/config.yaml | 0 .../disable_developer_tools/module.rb | 0 .../get_autocomplete_creds/command.js | 0 .../get_autocomplete_creds/config.yaml | 2 +- .../get_autocomplete_creds/module.rb | 0 .../get_cookie/command.js | 0 .../get_cookie/config.yaml | 0 .../get_cookie/module.rb | 0 .../get_form_values/command.js | 0 .../get_form_values/config.yaml | 0 .../get_form_values/module.rb | 0 .../get_local_storage/command.js | 0 .../get_local_storage/config.yaml | 0 .../get_local_storage/module.rb | 
0 .../get_page_html/command.js | 0 .../get_page_html/config.yaml | 0 .../get_page_html/module.rb | 0 .../get_page_html_iframe/command.js | 0 .../get_page_html_iframe/config.yaml | 0 .../get_page_html_iframe/module.rb | 0 .../get_page_links/command.js | 0 .../get_page_links/config.yaml | 0 .../get_page_links/module.rb | 0 .../get_session_storage/command.js | 0 .../get_session_storage/config.yaml | 0 .../get_session_storage/module.rb | 0 .../get_stored_credentials/command.js | 2 +- .../get_stored_credentials/config.yaml | 2 +- .../get_stored_credentials/module.rb | 0 .../link_rewrite/command.js | 0 .../link_rewrite/config.yaml | 0 .../link_rewrite/module.rb | 0 .../link_rewrite_click_events/command.js | 0 .../link_rewrite_click_events/config.yaml | 0 .../link_rewrite_click_events/module.rb | 0 .../link_rewrite_sslstrip/command.js | 0 .../link_rewrite_sslstrip/config.yaml | 0 .../link_rewrite_sslstrip/module.rb | 0 .../link_rewrite_tel/command.js | 0 .../link_rewrite_tel/config.yaml | 0 .../link_rewrite_tel/module.rb | 0 .../mobilesafari_address_spoofing/command.js | 0 .../mobilesafari_address_spoofing/config.yaml | 0 .../mobilesafari_address_spoofing/module.rb | 0 .../overflow_cookiejar/command.js | 0 .../overflow_cookiejar/config.yaml | 0 .../overflow_cookiejar/module.rb | 0 .../prompt_dialog/command.js | 0 .../prompt_dialog/config.yaml | 0 .../prompt_dialog/module.rb | 0 .../remove_stuck_iframes/command.js | 0 .../remove_stuck_iframes/config.yaml | 0 .../remove_stuck_iframes/module.rb | 0 .../replace_video/command.js | 0 .../replace_video/config.yaml | 0 .../replace_video/module.rb | 0 .../rickroll/command.js | 0 .../rickroll/config.yaml | 0 .../rickroll/module.rb | 0 .../site_redirect/command.js | 0 .../site_redirect/config.yaml | 0 .../site_redirect/module.rb | 0 .../site_redirect_iframe/command.js | 0 .../site_redirect_iframe/config.yaml | 0 .../site_redirect_iframe/module.rb | 0 .../jboss_jmx_upload_exploit/command.js | 2 +- .../config.yaml | 2 +- 
.../wordpress/upload_rce_plugin/config.yaml | 2 +- .../misc/wordpress_post_auth_rce/config.yaml | 2 +- package-lock.json | 806 ++++++++---------- spec/beef/core/main/command_spec.rb | 2 +- spec/beef/extensions/xssrays_spec.rb | 2 +- spec/support/assets/config_new.yaml | 2 +- 173 files changed, 536 insertions(+), 608 deletions(-) rename modules/browser/{hooked_domain => hooked_origin}/ajax_fingerprint/command.js (100%) rename modules/browser/{hooked_domain => hooked_origin}/ajax_fingerprint/config.yaml (100%) rename modules/browser/{hooked_domain => hooked_origin}/ajax_fingerprint/module.rb (100%) rename modules/browser/{hooked_domain => hooked_origin}/alert_dialog/command.js (100%) rename modules/browser/{hooked_domain => hooked_origin}/alert_dialog/config.yaml (100%) rename modules/browser/{hooked_domain => hooked_origin}/alert_dialog/module.rb (100%) rename modules/browser/{hooked_domain => hooked_origin}/apache_tomcat_examples_cookie_disclosure/command.js (100%) rename modules/browser/{hooked_domain => hooked_origin}/apache_tomcat_examples_cookie_disclosure/config.yaml (100%) rename modules/browser/{hooked_domain => hooked_origin}/apache_tomcat_examples_cookie_disclosure/module.rb (100%) rename modules/browser/{hooked_domain => hooked_origin}/cisco_asa_password_disclosure/command.js (100%) rename modules/browser/{hooked_domain => hooked_origin}/cisco_asa_password_disclosure/config.yaml (91%) rename modules/browser/{hooked_domain => hooked_origin}/cisco_asa_password_disclosure/module.rb (100%) rename modules/browser/{hooked_domain => hooked_origin}/clear_console/command.js (100%) rename modules/browser/{hooked_domain => hooked_origin}/clear_console/config.yaml (100%) rename modules/browser/{hooked_domain => hooked_origin}/clear_console/module.rb (100%) rename modules/browser/{hooked_domain => hooked_origin}/deface_web_page/command.js (100%) rename modules/browser/{hooked_domain => hooked_origin}/deface_web_page/config.yaml (100%) rename 
modules/browser/{hooked_domain => hooked_origin}/deface_web_page/module.rb (100%) rename modules/browser/{hooked_domain => hooked_origin}/deface_web_page_component/command.js (100%) rename modules/browser/{hooked_domain => hooked_origin}/deface_web_page_component/config.yaml (100%) rename modules/browser/{hooked_domain => hooked_origin}/deface_web_page_component/module.rb (100%) rename modules/browser/{hooked_domain => hooked_origin}/disable_developer_tools/command.js (100%) rename modules/browser/{hooked_domain => hooked_origin}/disable_developer_tools/config.yaml (100%) rename modules/browser/{hooked_domain => hooked_origin}/disable_developer_tools/module.rb (100%) rename modules/browser/{hooked_domain => hooked_origin}/get_autocomplete_creds/command.js (100%) rename modules/browser/{hooked_domain => hooked_origin}/get_autocomplete_creds/config.yaml (90%) rename modules/browser/{hooked_domain => hooked_origin}/get_autocomplete_creds/module.rb (100%) rename modules/browser/{hooked_domain => hooked_origin}/get_cookie/command.js (100%) rename modules/browser/{hooked_domain => hooked_origin}/get_cookie/config.yaml (100%) rename modules/browser/{hooked_domain => hooked_origin}/get_cookie/module.rb (100%) rename modules/browser/{hooked_domain => hooked_origin}/get_form_values/command.js (100%) rename modules/browser/{hooked_domain => hooked_origin}/get_form_values/config.yaml (100%) rename modules/browser/{hooked_domain => hooked_origin}/get_form_values/module.rb (100%) rename modules/browser/{hooked_domain => hooked_origin}/get_local_storage/command.js (100%) rename modules/browser/{hooked_domain => hooked_origin}/get_local_storage/config.yaml (100%) rename modules/browser/{hooked_domain => hooked_origin}/get_local_storage/module.rb (100%) rename modules/browser/{hooked_domain => hooked_origin}/get_page_html/command.js (100%) rename modules/browser/{hooked_domain => hooked_origin}/get_page_html/config.yaml (100%) rename modules/browser/{hooked_domain => 
hooked_origin}/get_page_html/module.rb (100%) rename modules/browser/{hooked_domain => hooked_origin}/get_page_html_iframe/command.js (100%) rename modules/browser/{hooked_domain => hooked_origin}/get_page_html_iframe/config.yaml (100%) rename modules/browser/{hooked_domain => hooked_origin}/get_page_html_iframe/module.rb (100%) rename modules/browser/{hooked_domain => hooked_origin}/get_page_links/command.js (100%) rename modules/browser/{hooked_domain => hooked_origin}/get_page_links/config.yaml (100%) rename modules/browser/{hooked_domain => hooked_origin}/get_page_links/module.rb (100%) rename modules/browser/{hooked_domain => hooked_origin}/get_session_storage/command.js (100%) rename modules/browser/{hooked_domain => hooked_origin}/get_session_storage/config.yaml (100%) rename modules/browser/{hooked_domain => hooked_origin}/get_session_storage/module.rb (100%) rename modules/browser/{hooked_domain => hooked_origin}/get_stored_credentials/command.js (97%) rename modules/browser/{hooked_domain => hooked_origin}/get_stored_credentials/config.yaml (81%) rename modules/browser/{hooked_domain => hooked_origin}/get_stored_credentials/module.rb (100%) rename modules/browser/{hooked_domain => hooked_origin}/link_rewrite/command.js (100%) rename modules/browser/{hooked_domain => hooked_origin}/link_rewrite/config.yaml (100%) rename modules/browser/{hooked_domain => hooked_origin}/link_rewrite/module.rb (100%) rename modules/browser/{hooked_domain => hooked_origin}/link_rewrite_click_events/command.js (100%) rename modules/browser/{hooked_domain => hooked_origin}/link_rewrite_click_events/config.yaml (100%) rename modules/browser/{hooked_domain => hooked_origin}/link_rewrite_click_events/module.rb (100%) rename modules/browser/{hooked_domain => hooked_origin}/link_rewrite_sslstrip/command.js (100%) rename modules/browser/{hooked_domain => hooked_origin}/link_rewrite_sslstrip/config.yaml (100%) rename modules/browser/{hooked_domain => 
hooked_origin}/link_rewrite_sslstrip/module.rb (100%) rename modules/browser/{hooked_domain => hooked_origin}/link_rewrite_tel/command.js (100%) rename modules/browser/{hooked_domain => hooked_origin}/link_rewrite_tel/config.yaml (100%) rename modules/browser/{hooked_domain => hooked_origin}/link_rewrite_tel/module.rb (100%) rename modules/browser/{hooked_domain => hooked_origin}/mobilesafari_address_spoofing/command.js (100%) rename modules/browser/{hooked_domain => hooked_origin}/mobilesafari_address_spoofing/config.yaml (100%) rename modules/browser/{hooked_domain => hooked_origin}/mobilesafari_address_spoofing/module.rb (100%) rename modules/browser/{hooked_domain => hooked_origin}/overflow_cookiejar/command.js (100%) rename modules/browser/{hooked_domain => hooked_origin}/overflow_cookiejar/config.yaml (100%) rename modules/browser/{hooked_domain => hooked_origin}/overflow_cookiejar/module.rb (100%) rename modules/browser/{hooked_domain => hooked_origin}/prompt_dialog/command.js (100%) rename modules/browser/{hooked_domain => hooked_origin}/prompt_dialog/config.yaml (100%) rename modules/browser/{hooked_domain => hooked_origin}/prompt_dialog/module.rb (100%) rename modules/browser/{hooked_domain => hooked_origin}/remove_stuck_iframes/command.js (100%) rename modules/browser/{hooked_domain => hooked_origin}/remove_stuck_iframes/config.yaml (100%) rename modules/browser/{hooked_domain => hooked_origin}/remove_stuck_iframes/module.rb (100%) rename modules/browser/{hooked_domain => hooked_origin}/replace_video/command.js (100%) rename modules/browser/{hooked_domain => hooked_origin}/replace_video/config.yaml (100%) rename modules/browser/{hooked_domain => hooked_origin}/replace_video/module.rb (100%) rename modules/browser/{hooked_domain => hooked_origin}/rickroll/command.js (100%) rename modules/browser/{hooked_domain => hooked_origin}/rickroll/config.yaml (100%) rename modules/browser/{hooked_domain => hooked_origin}/rickroll/module.rb (100%) rename 
modules/browser/{hooked_domain => hooked_origin}/site_redirect/command.js (100%) rename modules/browser/{hooked_domain => hooked_origin}/site_redirect/config.yaml (100%) rename modules/browser/{hooked_domain => hooked_origin}/site_redirect/module.rb (100%) rename modules/browser/{hooked_domain => hooked_origin}/site_redirect_iframe/command.js (100%) rename modules/browser/{hooked_domain => hooked_origin}/site_redirect_iframe/config.yaml (100%) rename modules/browser/{hooked_domain => hooked_origin}/site_redirect_iframe/module.rb (100%) diff --git a/core/main/ar-migrations/015_create_http.rb b/core/main/ar-migrations/015_create_http.rb index aa3823f8b9..f178d49d41 100644 --- a/core/main/ar-migrations/015_create_http.rb +++ b/core/main/ar-migrations/015_create_http.rb @@ -4,8 +4,8 @@ def change t.text :hooked_browser_id # The http request to perform. In clear text. t.text :request - # Boolean value as string to say whether cross-domain requests are allowed - t.boolean :allow_cross_domain, default: true + # Boolean value as string to say whether cross-origin requests are allowed + t.boolean :allow_cross_origin, default: true # The http response body received. In clear text. t.text :response_data # The http response code. Useful to handle cases like 404, 500, 302, ... @@ -26,7 +26,7 @@ def change t.text :domain # The port on which perform the request. t.text :port - # Boolean value to say if the request was cross-domain + # Boolean value to say if the request was cross-origin t.text :has_ran, default: 'waiting' # The path of the request. # Example: /secret.html diff --git a/core/main/ar-migrations/025_create_xssrays_scan.rb b/core/main/ar-migrations/025_create_xssrays_scan.rb index 04bf642667..6f2bf4f814 100644 --- a/core/main/ar-migrations/025_create_xssrays_scan.rb +++ b/core/main/ar-migrations/025_create_xssrays_scan.rb 
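Review bot: Renaming `allow_cross_domain` to `allow_cross_origin` inside the existing `015_create_http.rb` migration only changes databases created after this commit. A database that has already run migration 015 keeps the old column, so code that now reads `allow_cross_origin` would presumably fail there. The same applies to `cross_domain` → `cross_origin` in `025_create_xssrays_scan.rb`. Unless the project always recreates its database on upgrade (not visible here), ship the rename as a new migration, e.g. `rename_column :TABLE_NAME, :allow_cross_domain, :allow_cross_origin`, where `TABLE_NAME` is a placeholder because the `create_table` line is outside the hunk.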
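Review bot: The reworded comment `# Boolean value to say if the request was cross-origin` in the second hunk of `015_create_http.rb` sits directly above `t.text :has_ran, default: 'waiting'`, a text column, so it describes nothing that follows it. Replace it with a comment for the column it precedes, for example `# Execution state of the request; defaults to 'waiting'`, or drop it. The `change` method starts and ends outside the hunk.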
@@ -5,7 +5,7 @@ def change t.datetime :scan_start t.datetime :scan_finish t.text :domain - t.text :cross_domain + t.text :cross_origin t.integer :clean_timeout t.boolean :is_started t.boolean :is_finished diff --git a/core/main/client/lib/evercookie.js b/core/main/client/lib/evercookie.js index b785b14e70..4cae82f09d 100644 --- a/core/main/client/lib/evercookie.js +++ b/core/main/client/lib/evercookie.js @@ -31,7 +31,7 @@ * for example, if someone deletes all but one type of cookie, once * that cookie is re-discovered, all of the other cookie types get reset * - * !!! SOME OF THESE ARE CROSS-DOMAIN COOKIES, THIS MEANS + * !!! SOME OF THESE ARE CROSS-ORIGIN COOKIES, THIS MEANS * OTHER SITES WILL BE ABLE TO READ SOME OF THESE COOKIES !!! * * USAGE: @@ -803,7 +803,7 @@ this.evercookie_cookie = function(name, value) else return this.getFromStr(name, document.cookie); }catch(e){ - // the hooked domain is using HttpOnly, so we must set the hook ID in a different way. + // the hooked origin is using HttpOnly, so we must set the hook ID in a different way. // evercookie_userdata and evercookie_window will be used in this case. } }; diff --git a/core/main/client/mitb.js b/core/main/client/mitb.js index efae5dbbc9..3e10a7ce00 100644 --- a/core/main/client/mitb.js +++ b/core/main/client/mitb.js @@ -38,7 +38,7 @@ beef.mitb = { if (method == "GET") { //GET request -> cross-origin if (url.indexOf(document.location.hostname) == -1 || (portR != null && requestPort != document.location.port )) { - beef.mitb.sniff("GET [Ajax CrossDomain Request]: " + url); + beef.mitb.sniff("GET [Ajax CrossOrigin Request]: " + url); window.open(url); }else { //GET request -> same-origin beef.mitb.sniff("GET [Ajax Request]: " + url); diff --git a/core/main/client/net.js b/core/main/client/net.js index f9b8c239e6..6d627834fd 100644 --- a/core/main/client/net.js +++ b/core/main/client/net.js 
@@ -74,7 +74,7 @@ beef.net = { this.status_text = null; // success, timeout, error, ... this.response_body = null; // "…." if not a cross-origin request this.port_status = null; // tcp port is open, closed or not http - this.was_cross_domain = null; // true or false + this.was_cross_origin = null; // true or false this.was_timedout = null; // the user specified timeout was reached this.duration = null; // how long it took for the request to complete this.headers = null; // full response headers @@ -217,11 +217,11 @@ beef.net = { * @return {Object} this object contains the response details */ request: function (scheme, method, domain, port, path, anchor, data, timeout, dataType, callback) { - //check if same domain or cross domain - var cross_domain = true; + //check if same origin or cross origin + var cross_origin = true; if (document.domain == domain.replace(/(\r\n|\n|\r)/gm, "")) { //strip eventual line breaks if (document.location.port == "" || document.location.port == null) { - cross_domain = !(port == "80" || port == "443"); + cross_origin = !(port == "80" || port == "443"); } } @@ -238,12 +238,12 @@ beef.net = { //define response object var response = new this.response; - response.was_cross_domain = cross_domain; + response.was_cross_origin = cross_origin; var start_time = new Date().getTime(); /* * according to http://api.jquery.com/jQuery.ajax/, Note: having 'script': - * This will turn POSTs into GETs for remote-domain requests. + * This will turn POSTs into GETs for cross origin requests. */ if (method == "POST") { $j.ajaxSetup({ @@ -310,7 +310,7 @@ beef.net = { /** * Similar to beef.net.request, except from a few things that are needed when dealing with forged requests: * - requestid: needed on the callback - * - allowCrossDomain: set cross-domain requests as allowed or blocked + * - allowCrossOrigin: set cross-origin requests as allowed or blocked * * forge_request is used mainly by the Requester and Tunneling Proxy Extensions. * Example usage: 
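Review bot: In the `request` hunk (`@@ -217,11 +217,11 @@`) the flag is now named `cross_origin`, but the test does not compare origins. It compares `document.domain` with `domain` and, when the page has no explicit port, checks for `"80"`/`"443"`; the scheme is never compared, and when `document.location.port` is set the flag stays `true` even if the ports match. An origin is scheme, host and port, so `response.was_cross_origin` can be wrong in both directions. `forge_request` further down this file already does the fuller comparison; mirror it here by adding `document.location.protocol == scheme + ':'` to the outer condition and `else if (document.location.port == port) cross_origin = false;`. The body of `request` continues outside the hunk.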
@@ -318,20 +318,20 @@ beef.net = { * true, null, { foo: "bar" }, 5, 'html', false, null, function(response) { * alert(response.response_body)}) */ - forge_request: function (scheme, method, domain, port, path, anchor, headers, data, timeout, dataType, allowCrossDomain, requestid, callback) { + forge_request: function (scheme, method, domain, port, path, anchor, headers, data, timeout, dataType, allowCrossOrigin, requestid, callback) { if (domain == "undefined" || path == "undefined") { beef.debug("[beef.net.forge_request] Error: Malformed request. No host specified."); return; } - // check if same domain or cross domain - var cross_domain = true; + // check if same origin or cross origin + var cross_origin = true; if (document.domain == domain && document.location.protocol == scheme + ':') { if (document.location.port == "" || document.location.port == null) { - cross_domain = !(port == "80" || port == "443"); + cross_origin = !(port == "80" || port == "443"); } else { - if (document.location.port == port) cross_domain = false; + if (document.location.port == port) cross_origin = false; } } 
@@ -348,23 +348,23 @@ beef.net = { // define response object var response = new this.response; - response.was_cross_domain = cross_domain; + response.was_cross_origin = cross_origin; var start_time = new Date().getTime(); - // if cross-domain requests are not allowed and the request is cross-domain + // if cross-origin requests are not allowed and the request is cross-origin // don't proceed and return - if (allowCrossDomain == "false" && cross_domain) { + if (allowCrossOrigin == "false" && cross_origin) { beef.debug("[beef.net.forge_request] Error: Cross Domain Request. The request was not sent."); response.status_code = -1; - response.status_text = "crossdomain"; - response.port_status = "crossdomain"; + response.status_text = "crossorigin"; + response.port_status = "crossorigin"; response.response_body = "ERROR: Cross Domain Request. The request was not sent.\n"; response.headers = "ERROR: Cross Domain Request. The request was not sent.\n"; if (callback != null) callback(response, requestid); return response; } - // if the request was cross-domain from a HTTPS origin to HTTP + // if the request was cross-origin from a HTTPS origin to HTTP // don't proceed and return if (document.location.protocol == 'https:' && scheme == 'http') { beef.debug("[beef.net.forge_request] Error: Mixed Active Content. The request was not sent."); @@ -379,7 +379,7 @@ beef.net = { /* * according to http://api.jquery.com/jQuery.ajax/, Note: having 'script': - * This will turn POSTs into GETs for remote-domain requests. + * This will turn POSTs into GETs for cross origin requests. */ if (method == "POST") { $j.ajaxSetup({ @@ -432,10 +432,10 @@ beef.net = { }, complete: function (xhr, textStatus) { - // cross-domain request - if (cross_domain) { + // cross-origin request + if (cross_origin) { - response.port_status = "crossdomain"; + response.port_status = "crossorigin"; if (xhr.status != 0) { response.status_code = xhr.status; 
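Review bot: The guard `if (allowCrossOrigin == "false" && cross_origin)` in the `@@ -348,23 +348,23 @@` hunk only blocks when the argument is the exact string `"false"`; a boolean `false`, `undefined` or `null` all let the cross-origin request go out. The usage example in the doc comment above `forge_request` appears to pass a boolean `false`. After this rename, any producer that still emits `allowCrossDomain` would leave `request.allowCrossOrigin` undefined in `requester.js`, so the restriction would fail open without an error. Accept both forms with `if ((allowCrossOrigin === false || allowCrossOrigin == "false") && cross_origin) {`, and confirm that the server side that builds the request object (outside this view) was renamed in the same commit. The debug and body strings in this branch still read `Cross Domain Request` while `status_text` and `port_status` are now `crossorigin`.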
@@ -446,7 +446,7 @@ beef.net = { if (textStatus) { response.status_text = textStatus; } else { - response.status_text = "crossdomain"; + response.status_text = "crossorigin"; } if (xhr.getAllResponseHeaders()) { @@ -460,7 +460,7 @@ beef.net = { } } else { - // same-domain request + // same-origin request response.status_code = xhr.status; response.status_text = textStatus; response.headers = xhr.getAllResponseHeaders(); diff --git a/core/main/client/net/requester.js b/core/main/client/net/requester.js index 379d6da789..70ae5c0ce0 100644 --- a/core/main/client/net/requester.js +++ b/core/main/client/net/requester.js @@ -25,7 +25,7 @@ beef.net.requester = { request = requests_array[i]; if (request.proto == 'https') var scheme = 'https'; else var scheme = 'http'; beef.debug('[Requester] ' + request.method + ' ' + scheme + '://' + request.host + ':' + request.port + request.uri + ' - Data: ' + request.data); - beef.net.forge_request(scheme, request.method, request.host, request.port, request.uri, null, request.headers, request.data, 10, null, request.allowCrossDomain, request.id, + beef.net.forge_request(scheme, request.method, request.host, request.port, request.uri, null, request.headers, request.data, 10, null, request.allowCrossOrigin, request.id, function(res, requestid) { beef.net.send('/requester', requestid, { response_data: res.response_body, response_status_code: res.status_code, diff --git a/core/main/client/net/xssrays.js b/core/main/client/net/xssrays.js index 28d3a5775a..b93768d54a 100644 --- a/core/main/client/net/xssrays.js +++ b/core/main/client/net/xssrays.js 
@@ -171,7 +171,7 @@ beef.net.xssrays = { this.xss({href:url.href, pathname:url.pathname, hostname:url.hostname, port: url.port, protocol: location.protocol, search:url.search, type: 'url'});//scan each link & param } else { - beef.debug('Scan is not Cross-domain. URLS\nurl :' + url.hostname.toString()); + beef.debug('Scan is not Cross-origin. URLS\nurl :' + url.hostname.toString()); beef.debug('\nlocation :' + location.hostname.toString()); } } @@ -251,7 +251,7 @@ beef.net.xssrays = { continue; } if (!this.crossDomain && (this.host(action).toString() != this.host(location.toString()))) { - beef.debug('Scan is not Cross-domain. FormPost\naction :' + this.host(action).toString()); + beef.debug('Scan is not Cross-origin. FormPost\naction :' + this.host(action).toString()); beef.debug('location :' + this.host(location)); continue; } diff --git a/core/main/configuration.rb b/core/main/configuration.rb index 45a9f2d662..1b9c64e093 100644 --- a/core/main/configuration.rb +++ b/core/main/configuration.rb @@ -256,7 +256,7 @@ def load_extensions_config # def load_modules_config set('beef.module', {}) - # support nested sub-categories, like browser/hooked_domain/ajax_fingerprint + # support nested sub-categories, like browser/hooked_origin/ajax_fingerprint module_configs = File.join("#{$root_dir}/modules/**", 'config.yaml') Dir.glob(module_configs) do |cf| y = load(cf) diff --git a/core/main/handlers/browserdetails.rb b/core/main/handlers/browserdetails.rb index c304647764..27b97e7c72 100644 --- a/core/main/handlers/browserdetails.rb +++ b/core/main/handlers/browserdetails.rb 
@@ -547,7 +547,7 @@ def setup end # log a few info of newly hooked zombie in the console - print_info "New Hooked Browser [id:#{zombie.id}, ip:#{zombie.ip}, browser:#{browser_name}-#{browser_version}, os:#{os_name}-#{os_version}], hooked domain [#{log_zombie_domain}:#{log_zombie_port}]" + print_info "New Hooked Browser [id:#{zombie.id}, ip:#{zombie.ip}, browser:#{browser_name}-#{browser_version}, os:#{os_name}-#{os_version}], hooked origin [#{log_zombie_domain}:#{log_zombie_port}]" # add localhost as network host if config.get('beef.extension.network.enable') diff --git a/core/main/router/router.rb b/core/main/router/router.rb index 27387ef9e2..6c06a5fa5d 100644 --- a/core/main/router/router.rb +++ b/core/main/router/router.rb @@ -27,9 +27,9 @@ class Router < Sinatra::Base # @note If CORS is enabled, expose the appropriate headers if config.get('beef.http.restful_api.allow_cors') - allowed_domains = config.get('beef.http.restful_api.cors_allowed_domains') - if allowed_domains - headers 'Access-Control-Allow-Origin' => allowed_domains + allowed_origins = config.get('beef.http.restful_api.cors_allowed_origins') + if allowed_origins + headers 'Access-Control-Allow-Origin' => allowed_origins end headers 'Access-Control-Allow-Methods' => 'POST, GET' diff --git a/docs/BeefJS.html b/docs/BeefJS.html index c6ed0ebea0..2cf8da4f1d 100644 --- a/docs/BeefJS.html +++ b/docs/BeefJS.html @@ -558,7 +558,7 @@
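Review bot: The router hunk now reads `beef.http.restful_api.cors_allowed_origins`, so a deployment whose config still sets `cors_allowed_domains` gets `nil` here and the `Access-Control-Allow-Origin` header is silently omitted while `Access-Control-Allow-Methods` is still sent. That fails closed, but the operator gets no hint why browser clients of the REST API stopped working, and the diffstat in this patch does not appear to list the top-level `config.yaml`. Fall back to the old key and log a deprecation warning, e.g. `allowed_origins = config.get('beef.http.restful_api.cors_allowed_origins') || config.get('beef.http.restful_api.cors_allowed_domains')`. Because the value is written into the header unchanged, a comment should also state that it must be a single origin or `*`. The enclosing block starts and ends outside the hunk.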

Home

Namespaces