Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

github.com/yahoo/webseclab

Package Overview
Dependencies
Alerts
File Explorer
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

github.com/yahoo/webseclab

  • v0.0.0-20201002194632-c418d54ced8f
  • Source
  • Go
  • Socket score

Version published
Created
Source

Webseclab

Build Status GoDoc

Webseclab contains a sample set of web security test cases and a toolkit to construct new ones. It can be used for testing security scanners, to replicate or reconstruct issues, or to help with investigations or discussions of particular types of web security bugs.

Install

If you don't have Go installed yet, grab the latest stable version from https://golang.org/dl/ and install following instructions on https://golang.org/doc/install.

Set GOPATH environment variable as described in http://golang.org/doc/code.html#GOPATH - for example export GOPATH=$HOME/go. (You may wish to add $GOPATH/go/bin to your PATH.) Then run:

$ go get github.com/yahoo/webseclab/...

Run

$GOPATH/bin/webseclab [-http=:8080]

or simply webseclab if $GOPATH/bin is in your PATH.

Run webseclab -help to view the options.

Webseclab Tests

In all tests, excepts where specially mentioned, the attack input is assumed to be placed in the "in" CGI variable: <url>?in=<attack_string>. See the index page for PoEs (proof of exploits).

Reflected XSS
  • xss/reflect/raw1 - echoes "raw" tags = literal '<' and '>' sent by the browser (IE-related). Can be tested with curl (Firefox/Chrome/Safari escape tag characters when sending to the server)

  • xss/reflect/basic - echo of unfiltered input in a "normal" HTML context (not between tags, etc.). The example shows the minimal Webseclab template consisting of just {{.In}} placeholder. PoE: /xss/reflect/basic?in=<script>alert(/HACKED/)</script> or /xss/reflect/basic?in=<img src=foo onerror=alert(12345)>

  • xss/reflect/basic_in_tag - echo of unfiltered input inside of a "regular" HTML tag (<B>) PoE: /xss/reflect/basic_in_tag?in=<script>alert(/HACKED/)</script> or /xss/reflect/basic_in_tag?in=<img src=foo onerror=alert(12345)>

  • xss/reflect/full1 - Javascript injection with closed quotes and a script tag echoed

  • xss/reflect/post1 - same as above with injection via POST "in" form field (only POST method is allowed). xss/reflect/post1_splash can be used as a starting page with the action URL of xss/reflect/post1.

  • xss/reflect/doubq1 - injection of double-escaped tags such as: xss/reflect/doubq1?in=%253Cscript%253Ealert%28%252FXSS%252F%29%253C%252Fscript%253E

  • xss/reflect/rs1 - Response-Splitting attack, injection of %0D%0A%0D%0A which echoed unescaped in the header turning it into the response body. PoE: /xss/reflect/rs1?in=xyz%0D%0A%0D%0A

  • xss/reflect/onmouseover* - XSS due to attribute injections in tags (such as onmouseover handler)

  • xss/reflect/oneclick1 - JS injection into JS executable context (unquoted input) - so-called "oneclick XSS".

  • xss/reflect/refer - the Referer header echoed. You can set up a page pointing to <WEBSECLAB_URL>/misc/webseclab_refer.html?%3Cscript%3Ealert%28789%29%3C/script%3E as a starting point to set the referer.

  • xss/reflect/js* - different cases of injection into Javascript blocks, see the index page for more details

  • xss/reflect/enc2 - double quotes escaped with a backslash but backslash itself is not. Exploitable injection into Javascript strings.

  • xss/reflect/backslash1?in=xyz - Unicode escape sequences like \u0022 unescaped by the server to became the corresponding (dangerous) character (double quotes).

DOM XSS
  • xss/dom/domwrite?in=foo - passing the unescaped document.location value to document.write(), PoE (Firefox): /xss/dom/domwrite?in=%3Cimg%20src=foo%20onerror=alert%28123%29%3E

  • xss/dom/domwrite_hash?#whatever - passing the unescaped document.hash value to document.write(). PoE (Firefox): /xss/dom/domwrite_hash?#in=%3Cimg%20src=foo%20onerror=alert%281246%29%3E

  • xss/dom/domwrite_hash_urlstyle#/foo/bar?in=whatever - passing the unescaped document.hash URL-style value to document.write(). PoE (Firefox): /xss/dom/domwrite_hash_urlstyle#/foo/bar?in=%3Cimg%20src=foo%20onerror=alert%281246%29%3E

  • xss/dom/yuinode_hash?#in=xyz - passing the hash value to YUI's setHTML function. PoE (Chrome/Firefox): /xss/dom/yuinode_hash?#in=xyz">/xss/dom/yuinode_hash?#in=xyz - DOM XSS using YUI (location.hash)

  • xss/dom/yuinode_hash_urlstyle/#/foo/bar?in=xyz - passing the URL-style hash value to YUI's setHTML function. PoE (Chrome/Firefox): /xss/dom/yuinode_hash_urlstyle/#/foo/bar?in=xyz">/xss/dom/yuinode_hash_urlstyle/#/foo/bar?in=xyz - DOM XSS using YUI (location.hash, URL-style value)

  • xss/dom/yuinode_hash_unencoded?#in=xyz - passing the unencoded hash value to YUI's setHTML function. PoE (Firefox / Chrome): /xss/dom/yuinode_hash?#in=xyz">/xss/dom/yuinode_hash?#in=xyz - DOM XSS using YUI (decoded location.hash)

Modifying Tests

When modifying, adding or deleting any tests, you need to rerun go generate.

For most of the tests, you need to add a template that contains the "moustache" with {{.In}}.

To add a new test where input is echoed unfiltered, just drop an html template under templates directory (for example templates/xss/newfile) with the template containing the {{.In}} placeholder.

To add a new "filter-based" case, add a template as above and add a mapping of the corresponding entrypoint (such as /xss/newfile ) to the map in the filterMap function in custom.go. For example:
mp["/xss/reflect/newtest"] = []filter{TagsOff, SingleQuotesOff, GreaterThanOff}
for a test with the corresponding input filtering. See filters.go for the list of the available filters.

To add a new fully custom testcase, add a template (if needed), add a mapping of the entrypoint to the handling function to CustomMap in custom.go and implement the custom function with the signature: func(http.ResponseWriter, *http.Request). For example, for a test case with XSS injection through the Morse code, you could add:
mp["/xss/reflect/morse"] = XssUnsafeMorse. See entrypoints and implementing functions in CustomMap in custom.go.

FAQs

Package last updated on 02 Oct 2020

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc