epsylon / xsser

Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.
https://xsser.03c8.net

Issue #65 Reverse Check Cookie Bug #66

Closed wbowditch closed 4 years ago

wbowditch commented 4 years ago

Pull request for issue #65

epsylon commented 4 years ago

First of all, thank you very much for your contribution and for the report. Many people forget to fill out the template and do not realize how hard it is to understand what is happening from the way they describe it.

I have noticed that there is a "strange" behavior with the subject of cookies. Indeed. I even think it has to do with a bug in the Python3 lib for SimpleCookie.

Let me explain. Take the patch you have made and run it twice in a row. The first time, you will see that in the second request the reverse check is done correctly, as you have shown, and therefore it will work. But what about the second execution? Don't worry, I'm going to do a re-patch for that.

On the other hand, have you tried the same mechanism in another example of the application, but using POST? It works with the current code, without your patch. Curious...

Finally, I think that in the pull request you have reverted DEBUG back to True... Heheh, don't worry, I will upload a patch with your idea soon.

Thank you very much again; in a little while I will explain a bit more about what I have discovered.

Regards.

epsylon commented 4 years ago

Hi, @wbowditch

Well, after investigating, I have realized that it has nothing to do with cookies.

In fact, if you look using a transparent proxy and stop the requests, you will see that the cookies in the second request made by --reverse-check are the same as in the first. So it was too strange for it to work with POST and not with GET.

I have noticed that there were several factors that caused this failure.

First, the socket stayed "caught" for a certain time after having been used, so relaunching the tool immediately did not make the reverse check work. On the other hand, I have made the cookies more complete, since before I did not fill in some attributes like 'httpOnly' and others... And finally, I have updated the hub that carries the tokens and given it more time to receive them, so now there are no problems if you launch the tool many times in a row.

Please check that the changes are correct and that they also work in your environment. I have tested GET and POST, in GTK and in the shell, successfully.

Here is the code block you modified:

https://github.com/epsylon/xsser/blob/master/core/main.py#L1630

If you look, it stays the same as before, since, as I was saying, the problem was related to the socket and not to cookies, although the result was similar.

Note also that we now send a different address, be it GET or POST, to obtain the cookies of the previous request:

https://github.com/epsylon/xsser/blob/master/core/main.py#L1648

Finally, a detail, although an important one: in case the driver (firefox/gecko) is not closed by close(), we try quit().

https://github.com/epsylon/xsser/blob/master/core/main.py#L2937
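The two socket-side fixes the maintainer describes above (a port that stays "caught" after a run, and a token hub that needs more time to receive its callback) are shown below as an added example; this is not xsser's own code, and the class, function and callback format (an HTTP GET whose path is the token, sent to 127.0.0.1 on a port the OS picks) are assumptions made for the illustration. The hub sets SO_REUSEADDR so the same port can be bound again while the previous run's connection is still in TIME_WAIT, and puts a timeout on accept so a payload that never fires does not hang the tool.

```python
import socket
import threading

# Added example (not xsser's code): a minimal reverse-check "hub" plus a
# stand-in for the victim browser calling back with the token.


class ReverseHub:
    """Listens once for a callback of the form GET /<token> HTTP/1.0."""

    def __init__(self, port=0, timeout=2.0, reuse=True):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        if reuse:
            # Without this, binding the same port right after a previous run
            # fails with EADDRINUSE while that run's connection is in TIME_WAIT.
            self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", port))
        self.sock.listen(1)
        self.sock.settimeout(timeout)  # bound the wait for the callback
        self.port = self.sock.getsockname()[1]
        self.timeout = timeout

    def wait_for_token(self):
        """Return the token carried in the request path, or None on timeout."""
        try:
            conn, _ = self.sock.accept()
        except socket.timeout:
            return None
        finally:
            self.sock.close()
        with conn:
            conn.settimeout(self.timeout)
            raw = b""
            try:
                while b"\r\n\r\n" not in raw:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    raw += chunk
            except socket.timeout:
                pass
            request_line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
            parts = request_line.split(" ")
            token = parts[1].lstrip("/") if len(parts) >= 2 else ""
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n"
                         b"Connection: close\r\n\r\n")
            # Leaving the 'with' block closes conn here: the hub does the
            # active close, so the hub side is the one left in TIME_WAIT.
        return token or None


def fire_callback(port, token, timeout=2.0):
    """Stand-in for the victim browser requesting the hub URL with the token."""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        s.sendall(("GET /%s HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n" % token).encode())
        # Drain until the hub closes, so the hub (not the client) closes first.
        while s.recv(4096):
            pass


def run_round(token, port=0, reuse=True, timeout=2.0):
    """One reverse check: start the hub, fire the callback, return (port, seen)."""
    hub = ReverseHub(port=port, timeout=timeout, reuse=reuse)
    result = {}
    t = threading.Thread(target=lambda: result.setdefault("token", hub.wait_for_token()))
    t.start()
    fire_callback(hub.port, token, timeout)
    t.join()
    return hub.port, result.get("token")


def run_twice(token):
    """Two consecutive runs on the same port: the case that failed before the fix."""
    port, first = run_round(token, port=0)
    _, second = run_round(token, port=port)
    return first, second


if __name__ == "__main__":
    print(run_twice("tok-4f2a"))
    print(ReverseHub(port=0, timeout=0.3).wait_for_token())
```

Running `run_twice` with `reuse=False` in `run_round` is the quickest way to reproduce the original symptom on Linux: the second bind raises `OSError: [Errno 98] Address already in use` because the first round's connection is still in TIME_WAIT on the hub side.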