fixing .git scanning and CORS scanning, and tweaks to make localhost work

This commit is contained in:
counter 2023-01-28 19:08:23 -08:00
parent 46a861ed9c
commit 6b5d116c71
4 changed files with 42 additions and 11 deletions

12
api.js

@ -5,6 +5,7 @@ const cors = require('cors');
const path = require('path');
const uuid = require('uuid');
const asyncfs = require('fs').promises;
const fs = require('fs');
const sessions = require('@truffledustin/node-client-sessions');
const favicon = require('serve-favicon');
const database = require('./database.js');
@ -53,6 +54,15 @@ function session_wrapper_function(req, res, next) {
return sessions_middleware(req, res, next);
}
async function check_file_exists(file_path) {
return asyncfs.access(file_path, fs.constants.F_OK).then(() => {
return true;
}).catch(() => {
return false;
});
}
async function set_up_api_server(app) {
// Check for existing session secret value
const session_secret_setting = process.env.SESSION_SECRET_KEY;
@ -443,6 +453,8 @@ async function set_up_api_server(app) {
"screenshot_id": payload.screenshot_id,
"was_iframe": payload.was_iframe,
"browser_timestamp": payload.browser_timestamp,
"CORS": payload.CORS,
"gitExposed": payload.gitExposed,
"createdAt": payload.createdAt,
"updatedAt": payload.updatedAt,
"secrets": payload_secrets

11
app.js

@ -300,7 +300,7 @@ async function get_app_server() {
console.log("saved record");
// Send out notification via configured notification channel
if(user.sendEmailAlerts) {
if(user.sendEmailAlerts && process.env.SMTP_EMAIL_NOTIFICATIONS_ENABLED=="true") {
payload_fire_data.screenshot_url = `https://${process.env.HOSTNAME}/screenshots/${payload_fire_data.screenshot_id}.png`;
await notification.send_email_notification(payload_fire_data, user.email);
}
@ -349,10 +349,17 @@ async function get_app_server() {
if (! chainload_uri){
chainload_uri = '';
}
let xssURI = ""
if(process.env.XSS_HOSTNAME.startsWith("localhost")){
xssURI = `http://${process.env.XSS_HOSTNAME}`
}else{
xssURI = `https://${process.env.XSS_HOSTNAME}`
}
res.send(XSS_PAYLOAD.replace(
/\[HOST_URL\]/g,
`https://${process.env.XSS_HOSTNAME}`
xssURI
).replace(
'[COLLECT_PAGE_LIST_REPLACE_ME]',
JSON.stringify([])
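Review bot: The http/https choice for `xssURI` is decided by `process.env.XSS_HOSTNAME.startsWith("localhost")`, which throws a TypeError inside the request handler when `XSS_HOSTNAME` is unset and also matches any hostname that merely begins with "localhost" (e.g. a `localhost-…` tunnel name), selecting plain http for a non-local deployment. A tighter form is `const xssHost = process.env.XSS_HOSTNAME || '';` / `const useHttp = /^localhost(:\d+)?$/.test(xssHost);` / `const xssURI = \`${useHttp ? 'http' : 'https'}://${xssHost}\`;`, which also lets `xssURI` be a `const`. The three new lines (`let xssURI = ""`, both assignments) are missing the semicolons the surrounding file uses, and the first hunk's `process.env.SMTP_EMAIL_NOTIFICATIONS_ENABLED=="true"` should use `===` for consistency. `get_app_server` begins and ends outside both hunks.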


@ -125,7 +125,7 @@
</div>
<div class="m-2 mt-4">
<code v-if="report.origin">{{report.origin}}</code>
<pre v-else><i>None</i></pre>
<pre v-else><code>None</code></pre>
</div>
<hr />
</div>
@ -137,12 +137,12 @@
</small>
</div>
<div v-if="report.secrets">
<li v-for="secret in report.secrets">
<pre v-for="secret in report.secrets">
Secret type: {{ secret.secret_type }}
Secret value: {{ secret.secret_value }}
</li>
</pre>
</div>
<pre v-else><i>No secrets detected</i></pre>
<pre v-else><code>No secrets detected</code></pre>
<hr />
</div>
<div>
@ -160,13 +160,13 @@
</div>
<div>
<div>
<p class="report-section-label mr-2">CORS</p>
<p class="report-section-label mr-2">Leaked Source Code</p>
<small slot="helperText" class="form-text text-muted report-section-description">
Was the source code exposed via /.git ? (Shows contents of /.git/config)
</small>
</div>
<div>
<code v-if="report.gitExposed">{{report.gitExposed}}</code>
<pre v-if="report.gitExposed">{{report.gitExposed}}</pre>
<pre v-else><i>No .git directory detected</i></pre>
</div>
<hr />
@ -413,6 +413,15 @@ export default {
color: #fff
}
pre {
background: #5BB381;
background-image: -webkit-gradient(linear, right top, left bottom, from(#5BB381), color-stop(#AE8C57), to(#38645A));
background-image: linear-gradient(to bottom left, #5BB381, #AE8C57, #38645A);
background-size: 210% 210%;
background-position: 100% 0;
color: #fff
}
.pagination .page-item.disabled>.page-link {
opacity: .5
}
@ -487,6 +496,7 @@ export default {
.report-section-label {
background: #ff8d72;
font-size: 18px;
display: inline;
}
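Review bot: The `<pre v-for="secret in report.secrets">` in the secrets hunk has no `:key`, so Vue cannot track the rendered blocks across re-renders and the linter flags it; since `secret_value` need not be unique, index the loop instead: `<pre v-for="(secret, index) in report.secrets" :key="index">`. In the "Leaked Source Code" hunk, `<pre v-if="report.gitExposed">{{report.gitExposed}}</pre>` relies on the API sending a falsy value when nothing was found; the probe change in this same commit stores the string "false" on failure, which is truthy and would render the text "false" as leaked config, so the template (or the collector) should treat `report.gitExposed === "false"` as absent until the probe is fixed. The same applies to the CORS field if it is rendered with a truthiness `v-if` elsewhere in this component.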


@ -311,7 +311,7 @@ probe_return_data['title'] = document.title;
probe_return_data['was_iframe'] = !(window.top === window)
function hook_load_if_not_ready() {
async function hook_load_if_not_ready() {
try {
try {
probe_return_data['secrets'] = look_for_secrets(never_null( document.documentElement.outerHTML ));
@ -319,12 +319,14 @@ function hook_load_if_not_ready() {
probe_return_data['secrets'] = [];
}
try{
probe_return_data['CORS'] = check_cors();
const corsResults = await check_cors();
probe_return_data['CORS'] = corsResults;
} catch (e) {
probe_return_data['CORS'] = "false";
}
try{
probe_return_data['gitExposed'] = check_git();
const gitResults = await check_git();
probe_return_data['gitExposed'] = gitResults;
} catch (e) {
probe_return_data['gitExposed'] = "false";
}
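Review bot: Both fallback branches assign the string `"false"` (`probe_return_data['CORS'] = "false"` and `probe_return_data['gitExposed'] = "false"`), which is truthy; the report view added in this commit gates on `v-if="report.gitExposed"`, so a failed or negative probe will display the text "false" as if it were exposed config. Unless the collector explicitly expects strings, use the boolean: `probe_return_data['CORS'] = false;` and `probe_return_data['gitExposed'] = false;`, and document the field contract above the function with a comment such as `// CORS / gitExposed: boolean false when the check failed or found nothing, otherwise the probe result`. The two catch blocks also collapse "check failed" and "nothing found" into the same value, which the report cannot distinguish. `hook_load_if_not_ready` is now `async`, so its caller (outside this hunk) must await or `.catch()` the returned promise, otherwise a rejection here becomes an unhandled rejection; the first hunk's enclosing function also continues past the hunk.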