#!/usr/bin/env python3
import re
import requests
from bs4 import BeautifulSoup
import urllib.parse as urlparse
class bColors:
    """ANSI escape sequences used to colour the scanner's console output.

    Each attribute is a raw escape string meant to be prepended to the text
    being printed.
    """

    # Bold variants that also set a black background (the trailing ";40").
    reset = "\033[1;37;40m"
    orange = "\033[1;33;40m"
    red = "\033[1;31;40m"

    # Bright foreground colours; the background is left untouched.
    green = "\033[92m"
    yellow = "\033[93m"
    blue = "\033[94m"
    purple = "\033[95m"
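class Scanner:
    """Crawl one web application and check its forms and URLs for reflected XSS.

    ``crawl`` collects same-site links into ``target_links``; ``run_scanner``
    then submits a marker script through every form and every link containing
    ``=`` and reports a finding when the marker appears verbatim in the
    response body.

    The check is a single-marker reflection test. A run with no findings only
    shows that this one marker was not echoed back unchanged; it says nothing
    about input that is stored and rendered elsewhere, or about filters that
    alter the marker.
    """

    # Marker submitted by both checks; a finding means it came back unmodified.
    XSS_TEST_SCRIPT = "<scRiPt>alert('test')</SCriPt>"

    # Seconds to wait on a single request. requests applies no timeout by
    # default, so one unresponsive page would otherwise stall the whole run.
    REQUEST_TIMEOUT = 10

    def __init__(self, url, ignore_links):
        """Create a scanner bound to *url*.

        Args:
            url: Base URL of the application; crawling never leaves it.
            ignore_links: URLs the crawler must not record or follow.
        """
        self.session = requests.Session()
        self.target_url = url
        self.target_links = []
        self.links_to_ignore = ignore_links

    def _in_scope(self, link):
        """Return True when *link* lies under ``target_url`` on the same host.

        A plain substring test would also accept an unrelated host whose query
        string merely contains the target URL, and a prefix test alone would
        accept look-alike hosts such as ``<target-host>.other.test``. Requiring
        both the prefix and an identical network location keeps every later
        request on the application that was named as the target.
        """
        if not link.startswith(self.target_url):
            return False
        target_host = urlparse.urlparse(self.target_url).netloc
        return urlparse.urlparse(link).netloc == target_host

    def extract_links_form(self, url):
        """Fetch *url* and return the raw values of its ``href="..."`` attributes."""
        response = self.session.get(url, timeout=self.REQUEST_TIMEOUT)
        page = response.content.decode(errors="ignore")
        return re.findall('(?:href=")(.*?)"', page)

    def crawl(self, url=None):
        """Recursively collect in-scope links, starting at *url*.

        Args:
            url: Page to start from; defaults to ``target_url``.

        Every new link is appended to ``target_links``, printed, and crawled
        in turn. Fragments are stripped so the same page is not visited once
        per anchor.
        """
        if url is None:
            url = self.target_url
        for link in self.extract_links_form(url):
            link = urlparse.urljoin(url, link)
            if "#" in link:
                link = link.split("#")[0]
            if (
                self._in_scope(link)
                and link not in self.target_links
                and link not in self.links_to_ignore
            ):
                self.target_links.append(link)
                print(bColors.green + link)
                # NOTE: one stack frame per link in a discovery chain, so a
                # very deep site can reach Python's recursion limit.
                self.crawl(link)

    def extract_forms(self, url):
        """Fetch *url* and return every ``<form>`` element found in it."""
        response = self.session.get(url, timeout=self.REQUEST_TIMEOUT)
        parsed_html = BeautifulSoup(response.content, features="lxml")
        return parsed_html.find_all("form")

    def submit_form(self, form, value, url):
        """Submit *form* with *value* placed in each of its text inputs.

        Args:
            form: Parsed ``<form>`` element, as returned by ``extract_forms``.
            value: String written into every ``<input type="text">``.
            url: Page the form was found on; a relative ``action`` is
                resolved against it.

        Returns:
            The response to the submission.
        """
        post_url = urlparse.urljoin(url, form.get("action"))
        # HTML treats the method attribute case-insensitively, and a form
        # without one submits with GET.
        method = (form.get("method") or "get").lower()

        post_data = {}
        for field in form.find_all("input"):
            field_name = field.get("name")
            if not field_name:
                # A browser does not submit controls that have no name.
                continue
            field_value = field.get("value")
            if field.get("type") == "text":
                field_value = value
            post_data[field_name] = field_value

        if method == "post":
            return self.session.post(
                post_url, data=post_data, timeout=self.REQUEST_TIMEOUT
            )
        return self.session.get(
            post_url, params=post_data, timeout=self.REQUEST_TIMEOUT
        )

    def run_scanner(self):
        """Run the form check and the URL check on every crawled link.

        Progress and findings are printed to the console; nothing is returned.
        """
        for link in self.target_links:
            # testing form vulnerabilities
            for form in self.extract_forms(link):
                print(bColors.blue + "[+] Testing form in " + bColors.orange + link)
                if self.test_xss_in_forms(form, link):
                    print(bColors.red + "\n\n[***] XSS discovered in " + bColors.green + link + bColors.red + " in the following form")
                    print(bColors.purple + form.decode() + "\n\n")

            # testing url vulnerabilities
            if "=" in link:
                print(bColors.blue + "[+] Testing " + bColors.orange + link)
                if self.test_xss_in_link(link):
                    print(bColors.red + "\n\n[***] XSS discovered in " + bColors.green + link + "\n\n")

    def test_xss_in_forms(self, form, url):
        """Return True when the marker submitted through *form* is echoed back."""
        xss_test_script = self.XSS_TEST_SCRIPT
        response = self.submit_form(form, xss_test_script, url)
        return xss_test_script in response.content.decode(errors="ignore")

    def test_xss_in_link(self, url):
        """Return True when the marker placed after each ``=`` is echoed back."""
        xss_test_script = self.XSS_TEST_SCRIPT
        url = url.replace("=", "=" + xss_test_script)
        # The marker is already in the URL. Passing it again as ``params``
        # made requests append it as an extra nameless query component, so it
        # is no longer sent that way.
        response = self.session.get(url, timeout=self.REQUEST_TIMEOUT)
        return xss_test_script in response.content.decode(errors="ignore")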