Store and display the payload url that fired
rs-loves-bugs committed Mar 6, 2023
1 parent 00301e6 commit 5acab8b
Showing 7 changed files with 58 additions and 12 deletions.
1 change: 1 addition & 0 deletions api.js
Expand Up @@ -524,6 +524,7 @@ async function set_up_api_server(app) {
"user_agent": payload.user_agent,
"cookies": payload.cookies,
"title": payload.title,
"payload_url": payload.payload_url,
"origin": payload.origin,
"screenshot_id": payload.screenshot_id,
"was_iframe": payload.was_iframe,
27 changes: 22 additions & 5 deletions app.js
Expand Up @@ -186,6 +186,10 @@ async function get_app_server() {
"path": {
"type": "string",
"default": ""
},
"payload_url": {
"type": "string",
"default": ""
}
}
};
Expand Down Expand Up @@ -219,7 +223,13 @@ async function get_app_server() {

try {

const secrets_response = await fetch('http://xsshunterexpress-trufflehog:8000/trufflehog', {
if ('TRUFFLEHOG_URL' in process.env) {
trufflehog_url = process.env.TRUFFLEHOG_URL
} else {
trufflehog_url = 'http://xsshunterexpress-trufflehog:8000/trufflehog'
}

const secrets_response = await fetch(trufflehog_url, {
method: 'POST',
headers: {
'Accept': 'application/json, text/plain, */*',
Expand Down Expand Up @@ -352,6 +362,7 @@ async function get_app_server() {
user_agent: req.body['user-agent'],
cookies: req.body.cookies,
title: req.body.title,
payload_url: req.body.payload_url,
secrets: JSON.parse(JSON.stringify(secret_data_result)),
origin: req.body.origin,
screenshot_id: payload_fire_image_id,
Expand All @@ -367,7 +378,6 @@ async function get_app_server() {
}
}


// Check for correlated request
const correlated_request_rec = await InjectionRequests.findOne({
where: {
Expand Down Expand Up @@ -410,7 +420,6 @@ async function get_app_server() {

});


// Set up /health handler so the user can
// do uptime checks and appropriate alerting.
app.get('/health', async (req, res) => {
Expand All @@ -436,11 +445,14 @@ async function get_app_server() {
res.set("Access-Control-Max-Age", "86400");

if(req.get('host') != process.env.XSS_HOSTNAME) {
//console.debug(req.get('host'));
return res.redirect("/app/");
}

const userPath = req.originalUrl.split("/")[1];
if(req.originalUrl.includes(".map")) {
return res.status(404);
}

const userPath = req.originalUrl.split("/").join("").split("?")[0];
const user = await Users.findOne({ where: { 'path': userPath } });

if (user === null){
Expand All @@ -466,6 +478,8 @@ async function get_app_server() {

xssURI = `https://${process.env.XSS_HOSTNAME}`
}

const payload_url = `https://${process.env.XSS_HOSTNAME}${req.originalUrl}`

res.send(XSS_PAYLOAD.replace(
/\[HOST_URL\]/g,
Expand All @@ -482,6 +496,9 @@ async function get_app_server() {
).replace(
'[CHAINLOAD_REPLACE_ME]',
JSON.stringify(chainload_uri)
).replace(
'[PAYLOAD_URL_REPLACE_ME]',
JSON.stringify(payload_url)
).replace(
'[PROBE_ID]',
JSON.stringify(req.params.probe_id)
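Review bot: The `.map` guard added at `if(req.originalUrl.includes(".map"))` never sends a response: `res.status(404)` only sets the status code, so `return res.status(404);` leaves the request open until the client gives up; use `return res.sendStatus(404);` (or `res.status(404).end()`). In the trufflehog hunk above, `trufflehog_url = process.env.TRUFFLEHOG_URL` is assigned without `const`/`let`, which creates an implicit global in sloppy mode and throws a ReferenceError in strict mode unless the name is declared somewhere outside the hunk; `const trufflehog_url = process.env.TRUFFLEHOG_URL ?? 'http://xsshunterexpress-trufflehog:8000/trufflehog';` replaces the four-line if/else. Note also that the new `userPath` derivation strips every slash, so `/a/b` and `/ab` presumably now resolve to the same user record, which is worth a comment if intended. The enclosing `get_app_server` function starts and ends outside these hunks.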
17 changes: 12 additions & 5 deletions database.js
Expand Up @@ -253,6 +253,12 @@ PayloadFireResults.init({
allowNull: true,
unique: false
},
//payload url
payload_url: {
type: Sequelize.TEXT,
allowNull: true,
unique: false
},
}, {
sequelize,
modelName: 'payload_fire_results',
Expand Down Expand Up @@ -380,14 +386,15 @@ InjectionRequests.init({

async function database_init() {
const force = false;
const alter = {drop: false};

// Set up database schema
await Promise.all([
PayloadFireResults.sync({ force: force }),
Users.sync({ force: force }),
Secrets.sync({ force: force }),
CollectedPages.sync({ force: force }),
InjectionRequests.sync({ force: force }),
PayloadFireResults.sync({ force: force, alter: alter }),
Users.sync({ force: force, alter: alter }),
Secrets.sync({ force: force, alter: alter }),
CollectedPages.sync({ force: force, alter: alter }),
InjectionRequests.sync({ force: force, alter: alter }),
]);
}

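Review bot: The new `alter: {drop: false}` passed to every `sync()` call in `database_init` changes what happens on each boot without a comment saying why; Sequelize's alter mode compares the model to the live table and issues ALTER TABLE statements at startup, which is presumably here so existing deployments gain the new `payload_url` column. Add `// alter so existing deployments pick up new columns (e.g. payload_url); drop:false keeps columns the model no longer declares` above `const alter = {drop: false};`. The bare `//payload url` on the model field restates its name; something like `// src URL of the probe script that fired, as shown in the report UI` tells a reader what is stored.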
1 change: 1 addition & 0 deletions env.example
Expand Up @@ -25,6 +25,7 @@ POSTGRES_DB=xsshunterexpress
POSTGRES_PASSWORD=xsshunterexpress
POSTGRES_USER=xsshunterexpress
SCREENSHOTS_DIR=/app/payload-fire-images
TRUFFLEHOG_URL=http://xsshunterexpress-trufflehog:8000/trufflehog

SENTRY_DSN=
SENTRY_ENABLED=false
3 changes: 1 addition & 2 deletions front-end/src/pages/Settings.vue
Expand Up @@ -64,7 +64,7 @@
</card>
<card>
<h4 class="card-title">Custom Webhook</h4>
<h6 class="card-subtitle mb-2 text-muted">Custom webhook</h6>
<h6 class="card-subtitle mb-2 text-muted">When a payload fires XSSHunter will send a post request to this URL.</h6>
<p class="card-text">
<base-input v-model:value="custom_webhook" type="text" placeholder="..."></base-input>
</p>
Expand Down Expand Up @@ -317,4 +317,3 @@ textarea {
resize: none;
}
</style>

13 changes: 13 additions & 0 deletions front-end/src/pages/XSSPayloadFireReports.vue
Expand Up @@ -83,6 +83,19 @@
</div>
<hr />
</div>
<div>
<div>
<p class="report-section-label mr-2">Payload URL</p>
<small slot="helperText" class="form-text text-muted report-section-description">
The src URL of the payload that fired.
</small>
</div>
<div class="m-2 mt-4">
<pre v-if="report.payload_url">{{report.payload_url}}</pre>
<pre v-else><i>None</i></pre>
</div>
<hr />
</div>
<div>
<div>
<p class="report-section-label mr-2">IP Address</p>
8 changes: 8 additions & 0 deletions probe.js


0 comments on commit 5acab8b
