webseclab: github.com/yahoo/webseclab Index | Files

package webseclab

import "github.com/yahoo/webseclab"

Package webseclab contains a sample set of tests for web security scanners and a tooolkit to create such tests.

To install webseclab: go get github.com/yahoo/webseclab/...

To run the webseclab, execute the binary:

$ webseclab

By default, it will start the web server on port 8080, add -http=:<port> parameter to change it.

Run 'webseclab -help' for the usage help.

The convention is that the "in" cgi parameter (as in: ?in=foo) is used to passed unsafe input (unless there are special functions that pickup the input form other places like POST or headers - see custom.go)

See sample.html for an example of a template that can be used.

To add a new test where input is echoed unfiltered, just drop an html template into somewhere under templates directory (for example templates/xss/newfile) with the template containing the "moustache" with: {{.In}}

To add a new "filter-based" case, add a template as above and add a mapping of the corresponding entrypoint (such as /xss/newfile ) to the map in the filterMap function.

To add a new fully custom testcase, add a template (if needed), add the mapping of entrypoint to the handling function to CustomMap and implement the custom function ( func(http.ResponseWriter, *http.Request) )

Index

Package Files

common.go ctx.go custom.go doc.go filters.go handler.go input.go ip.go process.go static.go templates.go transform.go utils.go version.go

Constants

const (
    Invalid         filter = iota
    BackslashEscape        // escape \ with a \
    BackslashEscapeDoubleQuotesAndBackslash
    DoubleQuotesBackslashEscape
    DoubleQuotesCook
    DoubleQuotesOff
    GreaterThanCook
    GreaterThanOff
    LessThanCook
    LessThanOff
    NoOp
    ParensOff
    QuotesCook
    QuotesOff
    SingleQuotesCook
    SingleQuotesOff
    SpacesCook
    SpacesOff
    ScriptOff
    TagCharsOff
    TagsCook
    TagsOff
    TagsOffExceptTextareaClose
    TagsOffUntilTextareaClose
    TextareaCloseOff
    TextareaSafe
)

constants for the most common filters

const WebseclabVersion = "0.9.0"

WebseclabVersion is used for command-line display, etc.

Variables

var Templates = map[string]string{
    "index.html": "" /* 9157 byte string literal not displayed */,

    "misc/escapeexample": "" /* 260 byte string literal not displayed */,

    "misc/escapeexample_nogt": "" /* 284 byte string literal not displayed */,

    "misc/escapeexample_nogt_noquotes": "" /* 284 byte string literal not displayed */,

    "sample.html": "" /* 431 byte string literal not displayed */,

    "xss/dom/domwrite": "" /* 485 byte string literal not displayed */,

    "xss/dom/domwrite_hash": "" /* 492 byte string literal not displayed */,

    "xss/dom/domwrite_hash_urlstyle": "" /* 519 byte string literal not displayed */,

    "xss/dom/jason1": `<script>
document.write("<li></li><li> " + location.href.substring(64) + " is not a valid tab selection.</li>");
</script>
`,
    "xss/dom/jason2": "" /* 415 byte string literal not displayed */,

    "xss/dom/yuinode": "" /* 778 byte string literal not displayed */,

    "xss/dom/yuinode_hash": "" /* 757 byte string literal not displayed */,

    "xss/dom/yuinode_hash_unencoded": "" /* 813 byte string literal not displayed */,

    "xss/dom/yuinode_hash_urlstyle": "" /* 774 byte string literal not displayed */,

    "xss/reflect/backslash1": "" /* 253 byte string literal not displayed */,

    "xss/reflect/basic": `{{.In}}
`,
    "xss/reflect/basic_in_tag": `<!-- same as basic but inside of an html tag -->
<B>{{.In}}</B>
`,
    "xss/reflect/doubq1": "" /* 295 byte string literal not displayed */,

    "xss/reflect/enc2": "" /* 405 byte string literal not displayed */,

    "xss/reflect/enc2_fp": "" /* 415 byte string literal not displayed */,

    "xss/reflect/full1": "" /* 226 byte string literal not displayed */,

    "xss/reflect/full_cookies1": "" /* 239 byte string literal not displayed */,

    "xss/reflect/full_headers1": "" /* 226 byte string literal not displayed */,

    "xss/reflect/inredirect1_fp": "" /* 358 byte string literal not displayed */,

    "xss/reflect/js3": "" /* 418 byte string literal not displayed */,

    "xss/reflect/js3_bug7208690": "" /* 49373 byte string literal not displayed */,

    "xss/reflect/js3_fp": "" /* 708 byte string literal not displayed */,

    "xss/reflect/js3_notags": "" /* 737 byte string literal not displayed */,

    "xss/reflect/js3_notags_fp": "" /* 740 byte string literal not displayed */,

    "xss/reflect/js3_search_fp": "" /* 32940 byte string literal not displayed */,

    "xss/reflect/js4_dq": "" /* 447 byte string literal not displayed */,

    "xss/reflect/js4_dq_fp": "" /* 514 byte string literal not displayed */,

    "xss/reflect/js6_bug7208690": "" /* 49373 byte string literal not displayed */,

    "xss/reflect/js6_sq": "" /* 452 byte string literal not displayed */,

    "xss/reflect/js6_sq_combo1": "" /* 658 byte string literal not displayed */,

    "xss/reflect/js6_sq_fp": "" /* 851 byte string literal not displayed */,

    "xss/reflect/js_script_close": "" /* 694 byte string literal not displayed */,

    "xss/reflect/oneclick1": "" /* 459 byte string literal not displayed */,

    "xss/reflect/onmouseover": "" /* 322 byte string literal not displayed */,

    "xss/reflect/onmouseover_div_unquoted": "" /* 314 byte string literal not displayed */,

    "xss/reflect/onmouseover_div_unquoted_fp": "" /* 314 byte string literal not displayed */,

    "xss/reflect/onmouseover_unquoted": "" /* 320 byte string literal not displayed */,

    "xss/reflect/onmouseover_unquoted_fp": "" /* 320 byte string literal not displayed */,

    "xss/reflect/post1": "" /* 363 byte string literal not displayed */,

    "xss/reflect/post1_splash": "" /* 398 byte string literal not displayed */,

    "xss/reflect/raw1": "" /* 225 byte string literal not displayed */,

    "xss/reflect/raw1_fp": "" /* 458 byte string literal not displayed */,

    "xss/reflect/refer1": "" /* 340 byte string literal not displayed */,

    "xss/reflect/textarea1": "" /* 559 byte string literal not displayed */,

    "xss/reflect/textarea1_fp": "" /* 638 byte string literal not displayed */,

    "xss/reflect/textarea2": "" /* 462 byte string literal not displayed */,

    "xss/reflect/textarea2_fp": "" /* 562 byte string literal not displayed */,
}

Templates contains all the webseclab Go templates as strings.

func AddHTMLTemplate Uses

func AddHTMLTemplate(name string, htmpl *ht.Template)

AddHTMLTemplate adds template record for the given string

func AddTextTemplate Uses

func AddTextTemplate(name string, ttmpl *tt.Template)

AddTextTemplate adds template record for the given string

func CustomMap Uses

func CustomMap() (mp map[string]func(http.ResponseWriter, *http.Request) *LabResp)

CustomMap returns a map of entrypoint to handling functions

func DoTemplate Uses

func DoTemplate(w http.ResponseWriter, path string, input *InData) (err error)

DoTemplate opens the template file and processes the template with the passed input if the URL Path ends with ".ok", it uses an HTML context-escaped template (html/template - safe version), otherwise - text/template (exploitable)

func GetIPURL Uses

func GetIPURL(host string, link *url.URL) (*url.URL, error)

GetIPURL returns a corresponding IP-quad URL if a FQDN is used if there are multiple results from LookupHost, the first one is returned

func IsIP Uses

func IsIP(s string) bool

IsIP checks if the argument is a IP quad pair such as 101.02.03.04 (with optional port ex. :8080)

func IsIPURL Uses

func IsIPURL(u *url.URL) bool

IsIPURL checks if the URL is a IP quad pair such as 101.02.03.04 (with optional port ex. :8080)

func IsSafeHost Uses

func IsSafeHost(s string) bool

IsSafeHost checks if the host is an IP quad pair or localhost.

func KillPredecessor Uses

func KillPredecessor(port string)

KillPredecessor check if there is a listener on the given port, and if so, sends it a command to exit. This allows to start a new copy (post-build etc.) with no errors and still have only one instance of webseclab running.

func LookupHTMLTemplate Uses

func LookupHTMLTemplate(name string) (htmpl *ht.Template, ok bool)

LookupHTMLTemplate returns a pointer to the parsed template and true if lookup successful, or nil and false if no template for the given name was found

func LookupTextTemplate Uses

func LookupTextTemplate(name string) (ttmpl *tt.Template, ok bool)

LookupTextTemplate returns a pointer to the parsed text template and true if lookup successful, or nil and false if no template for the given name was found

func MakeExitFunc Uses

func MakeExitFunc(ln net.Listener) func(http.ResponseWriter, *http.Request)

MakeExitFunc creates an /exit handler.

func MakeIndexFunc Uses

func MakeIndexFunc(page string) func(http.ResponseWriter, *http.Request)

MakeIndexFunc creates a function to display the index file (ToC)

func ParseRawQuery Uses

func ParseRawQuery(m map[string][]string, query string)

ParseRawQuery is copied from net/url parseQuery but without unescaping keys/values.

func RemoveTags Uses

func RemoveTags(src string) string

RemoveTags removes the tags: foo<xss x=1>bar => foobar

func RemoveTagsExceptTextareaClose Uses

func RemoveTagsExceptTextareaClose(src string) (out string)

RemoveTagsExceptTextareaClose removes all the tags except the closing textarea one

func RemoveTagsUntilTextareaClose Uses

func RemoveTagsUntilTextareaClose(src string) (out string)

RemoveTagsUntilTextareaClose removes all the tags before the closing textarea one

func ReplaceTextareaSafe Uses

func ReplaceTextareaSafe(src string) (out string)

ReplaceTextareaSafe removes all the tags after the closing textarea one

func Ruok Uses

func Ruok(w http.ResponseWriter, r *http.Request)

Ruok replies with an ack to a ping: "ruok" => "imok\n" (for /ruok monitoring entrypoint).

func Transform Uses

func Transform(s string, f ...filter) string

Transform tranforms the string based on the given filter options (one or several)

func UnescapeUnicode Uses

func UnescapeUnicode(s string) string

UnescapeUnicode takes a string with Unicode escape sequences \u22 and converts all of them to the unescaped characters: \u0022 => '"', \u3e => '>'

type InData Uses

type InData struct {
    In    string
    InRaw string
}

InData wraps the data used for filling the templates In is the data that may be processed according to the given filtering options InRaw is supposed to keep the original dataintact

func Input Uses

func Input(r *http.Request) *InData

Input extracts the escaped and "raw" values of in parameters

type LabHandler Uses

type LabHandler func(http.ResponseWriter, *http.Request) *LabResp

LabHandler is the main http handler type

func MakeMainHandler Uses

func MakeMainHandler(noindex bool) LabHandler

MakeMainHandler performs routing between 'standard' (template based with standard parameters) cases and those requiring custom processing. For standard processing, it unescapes input and prepars an instance of Indata which is then passed to the template execution. For URLs found in the map of custom processing, the corresponding function is called.

func MakeStaticFunc Uses

func MakeStaticFunc() LabHandler

MakeStaticFunc creates a "static function" processing a template with empty data input.

func (LabHandler) ServeHTTP Uses

func (fn LabHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)

ServeHTTP implements the interface required by http.Handle

type LabResp Uses

type LabResp struct {
    Err      error
    Code     int
    Redirect string
    Path     string
    Fixed    bool
    InData
}

LabResp wraps the data related to processing results

func DoLabTestStandard Uses

func DoLabTestStandard(w http.ResponseWriter, r *http.Request) *LabResp

DoLabTestStandard is a processor for the typical GET request with key-value pairs in the URL query string.

func HandleFilterBased Uses

func HandleFilterBased(w http.ResponseWriter, r *http.Request, filters []filter) *LabResp

HandleFilterBased factors out the common handling for the "typical" - filter-based tests (listed in the map in custom.go, filters are in filters.go)

func XSSBackslash Uses

func XSSBackslash(w http.ResponseWriter, r *http.Request) *LabResp

XSSBackslash is a special function that uses UnescapeUnicode to convert \u{dd} into the {dd} ASCII character.

func XSSDoubq Uses

func XSSDoubq(w http.ResponseWriter, r *http.Request) *LabResp

XSSDoubq double-unencodes the "in" cgi parameter.

func XSSEnc Uses

func XSSEnc(w http.ResponseWriter, r *http.Request) *LabResp

XSSEnc escapes quotes with backslash but does not escape backslash itself allowing injection of an unescaped double quote

func XSSEncFp Uses

func XSSEncFp(w http.ResponseWriter, r *http.Request) *LabResp

XSSEncFp escapes quotes and backslash with backslash preventing injection

func XSSFullCookies Uses

func XSSFullCookies(w http.ResponseWriter, r *http.Request) *LabResp

XSSFullCookies is a wrapper around standard handler (non-filtered output echo) but requires the presence of a cookie with value "awesome"

func XSSFullHeaders Uses

func XSSFullHeaders(w http.ResponseWriter, r *http.Request) *LabResp

XSSFullHeaders is a wrapper around standard handler (non-filtered output echo) but requires the presence of HTTP Header X-Letmein with the value 1.

func XSSFullUseragent Uses

func XSSFullUseragent(w http.ResponseWriter, r *http.Request) *LabResp

XSSFullUseragent is a wrapper around standard handler (non-filtered output echo) but requires the presence of a Header "User-Agent" with substring "Mobile" in the value

func XSSInRedirectFp Uses

func XSSInRedirectFp(w http.ResponseWriter, r *http.Request) *LabResp

XSSInRedirectFp issues a redirect to Yahoo homepage.

func XSSPost Uses

func XSSPost(w http.ResponseWriter, r *http.Request) *LabResp

XSSPost handles POST input.

func XSSReferer Uses

func XSSReferer(w http.ResponseWriter, r *http.Request) *LabResp

XSSReferer copies and echoes the Referer header.

func XSSRs Uses

func XSSRs(w http.ResponseWriter, r *http.Request) *LabResp

XSSRs filters output to produce request splitting (injection of HEAD/BODY separator).

func (*LabResp) String Uses

func (r *LabResp) String() string

Strings converts LabResp to a string

type RegexpMatchEraser Uses

type RegexpMatchEraser struct {
    // contains filtered or unexported fields
}

RegexpMatchEraser implements Tranformer using the given regexp(s).

func NewRegexpMatchEraser Uses

func NewRegexpMatchEraser(re ...string) *RegexpMatchEraser

NewRegexpMatchEraser accepts a regexp string parameter returns a Transformer that removes the matching strings.

func (*RegexpMatchEraser) Transform Uses

func (r *RegexpMatchEraser) Transform(s string) string

Transform erases matching strings based on embedded regexp(s).

type ReplaceFunction Uses

type ReplaceFunction func(string) string

ReplaceFunction is the type alias for the Transformer interface.

func (ReplaceFunction) Transform Uses

func (f ReplaceFunction) Transform(s string) string

Transform satisfies the Transformer interface by applying the functor on the string parameter.

type StringsReplacer Uses

type StringsReplacer struct {
    strings.Replacer
}

StringsReplacer implements Transformer using embedded strings.Replacer.

func NewStringsReplacer Uses

func NewStringsReplacer(oldnew ...string) *StringsReplacer

NewStringsReplacer creates a new StringsReplacer using the list of old/new strings (as in strings.NewReplacer).

func (*StringsReplacer) Transform Uses

func (r *StringsReplacer) Transform(s string) string

Transform implements the Transformer interface by calling string replacement function.

type TemplateData Uses

type TemplateData struct {
    InData
    // contains filtered or unexported fields
}

TemplateData wraps and embeds data related to the template processing

type Transformer Uses

type Transformer interface {
    Transform(s string) string
}

Transformer transforms a string by escaping, filtering or other modification.

Package webseclab imports 15 packages (graph). Updated 2018-11-26. Refresh now. Tools for package owners.