# -*- coding: utf-8 -*-
# Burp DetectCrossOriginMessaging Extension
# This extension is meant to help find usages of postMessage and "message" event listeners,
# which can lead to DOM XSS and information leaks
from burp import IBurpExtender
from burp import IExtensionStateListener
from burp import IHttpRequestResponse
from burp import IScannerCheck
from burp import IScanIssue
from array import array
GREP_STRINGS = [
".postMessage(",
".postMessage (",
".addEventListener(\"message\"",
".addEventListener( \"message\"",
".addEventListener('message'",
".addEventListener( 'message'",
"add(window,\"message\"",
"add(window, \"message\"",
"add(window,'message'",
"add(window, 'message'",
"addListener(window,\"message\"",
"addListener(window, \"message\"",
"addListener(window,'message'",
"addListener(window, 'message'",
".attachEvent(\"onmessage\"",
".attachEvent( \"onmessage\"",
".attachEvent('onmessage'",
".attachEvent( 'onmessage'"
]
GREP_STRINGS_BYTES = []
for g_str in GREP_STRINGS:
GREP_STRINGS_BYTES.append( bytearray( g_str ) )
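class BurpExtender(IBurpExtender, IScannerCheck, IExtensionStateListener, IHttpRequestResponse):
    """Passive scanner check that flags responses using cross-origin messaging APIs.

    Every response handed to the passive scanner is searched for the byte
    patterns in GREP_STRINGS_BYTES; each hit becomes a marker on a single
    informational CustomScanIssue for that URL. A hit only shows that the API
    is referenced -- it does not tell whether a "message" handler validates
    ``event.origin`` or whether a postMessage caller passes a specific target
    origin; that review is manual, as the issue detail says.

    NOTE(review): IHttpRequestResponse is listed as a base class but none of its
    methods are implemented here; it appears unused -- confirm before removing.
    """

    def registerExtenderCallbacks(self, callbacks):
        """Burp's load hook: keep the callbacks/helpers and register the check.

        Args:
            callbacks: Burp's IBurpExtenderCallbacks; kept on self so that
                doPassiveScan can analyze requests and apply markers.
        """
        print("Loading...")
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Detect cross origin messaging")
        callbacks.registerExtensionStateListener(self)
        callbacks.registerScannerCheck(self)
        print("Loaded detect cross origin messaging!")

    def extensionUnloaded(self):
        """IExtensionStateListener hook; nothing to release beyond a log line."""
        print("Unloaded")

    def _get_matches(self, response, matches):
        """Return [start, end) offsets of every occurrence of each pattern in ``response``.

        Args:
            response: raw response bytes as returned by getResponse(); may be
                None when the item carries no response.
            matches: iterable of byte patterns to search for.

        Returns:
            A list of array('i', [start, end]) pairs, the form applyMarkers
            expects. Empty when ``response`` is None or nothing matches.
        """
        results = []
        if response is None:
            return results
        reslen = len(response)
        for match in matches:
            matchlen = len(match)
            if matchlen == 0:
                # An empty pattern would never advance ``start``; skip it.
                continue
            start = 0
            while start < reslen:
                # Case-sensitive search (third argument), bounded to the response.
                start = self._helpers.indexOf(response, match, True, start, reslen)
                if start == -1:
                    break
                results.append(array('i', [start, start + matchlen]))
                # Resume after this occurrence.
                start += matchlen
        return results

    def doActiveScan(self, baseRequestResponse, insertionPoint):
        """No active checks; this extension is passive only."""
        return []

    def doPassiveScan(self, baseRequestResponse):
        """Report one informational issue for a response that uses a messaging API.

        Args:
            baseRequestResponse: the IHttpRequestResponse Burp is scanning.

        Returns:
            A one-element list holding a CustomScanIssue whose markers cover
            every match, or None when there is no match (the IScannerCheck
            convention for "no issues").
        """
        matches = self._get_matches(baseRequestResponse.getResponse(), GREP_STRINGS_BYTES)
        if not matches:
            return None
        url = self._helpers.analyzeRequest(baseRequestResponse).getUrl()
        # Response markers only (request markers are None).
        marked = self._callbacks.applyMarkers(baseRequestResponse, None, matches)
        return [CustomScanIssue(
            baseRequestResponse.getHttpService(),
            url,
            [marked],
            "Cross origin messaging detected",
            "Receiving messages from untrusted domains can lead to DOM XSS and sending messages to untrusted domains can lead to information disclosure. It should be further investigated to check if it is implemented in a secure manner.\nFor more information check: https://www.sec-1.com/blog/wp-content/uploads/2016/08/Hunting-postMessage-Vulnerabilities.pdf",
            "Information")]

    def consolidateDuplicateIssues(self, existingIssue, newIssue):
        """Treat issues with the same name as duplicates and keep the existing one.

        Returns:
            -1 to keep ``existingIssue`` and drop ``newIssue``; 0 to report both.
        """
        if existingIssue.getIssueName() == newIssue.getIssueName():
            return -1
        return 0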
class CustomScanIssue(IScanIssue):
    """Plain IScanIssue holding the values the scanner check supplies.

    Background and remediation texts are not provided (the getters return
    None); the detail text carries the explanation and the reference link.
    """

    def __init__(self, httpService, url, httpMessages, name, detail, severity):
        """Store the issue attributes as given; nothing is derived or validated."""
        self._httpService = httpService
        self._url = url
        self._httpMessages = httpMessages
        self._name = name
        self._detail = detail
        self._severity = severity

    # --- identity -----------------------------------------------------------

    def getUrl(self):
        """URL the issue was raised for."""
        return self._url

    def getHttpService(self):
        """HTTP service of the flagged item."""
        return self._httpService

    def getHttpMessages(self):
        """Request/response items with markers over each match."""
        return self._httpMessages

    # --- classification -----------------------------------------------------

    def getIssueName(self):
        """Issue name; the scanner check also dedupes on this value."""
        return self._name

    def getIssueType(self):
        """Numeric issue type.

        NOTE(review): 0 is reported here; Burp documents a dedicated
        "Extension generated issue" type -- verify against the Scanner issue
        list before changing.
        """
        return 0

    def getSeverity(self):
        """Severity string as supplied by the check."""
        return self._severity

    def getConfidence(self):
        """Fixed confidence.

        NOTE(review): the detection is a literal byte search, so a hit does
        not establish that the handler is unsafe; consider whether "Firm" is
        the right level for this check.
        """
        return "Firm"

    # --- text ---------------------------------------------------------------

    def getIssueDetail(self):
        """Explanation shown to the user, including the reference link."""
        return self._detail

    def getIssueBackground(self):
        """No background text is provided."""
        return None

    def getRemediationBackground(self):
        """No remediation background is provided."""
        return None

    def getRemediationDetail(self):
        """No remediation detail is provided."""
        return None