pwn 0.5.199 → 0.5.200

data/lib/pwn/plugins/hunter.rb

@@ -0,0 +1,160 @@
+# frozen_string_literal: true
+
+require 'base64'
+require 'json'
+
+module PWN
+  module Plugins
+    # This plugin is used for interacting w/ Hunter's REST API using
+    # the 'rest' browser type of PWN::Plugins::TransparentBrowser.
+    #  This is based on the following Hunter API Specification:
+    # https://hunter.how/search-api
+    module Hunter
+      @@logger = PWN::Plugins::PWNLogger.create
+
+      # Supported Method Parameters::
+      # hunter_rest_call(
+      #   http_method: 'optional HTTP method (defaults to GET)
+      #   rest_call: 'required rest call to make per the schema',
+      #   params: 'optional params passed in the URI or HTTP Headers',
+      #   http_body: 'optional HTTP body sent in HTTP methods that support it e.g. POST'
+      # )
+
+      private_class_method def self.hunter_rest_call(opts = {})
+        hunter_obj = opts[:hunter_obj]
+        http_method = if opts[:http_method].nil?
+                        :get
+                      else
+                        opts[:http_method].to_s.scrub.to_sym
+                      end
+        rest_call = opts[:rest_call].to_s.scrub
+        params = opts[:params]
+        http_body = opts[:http_body].to_s.scrub
+        base_hunter_api_uri = 'https://api.hunter.how'
+
+        browser_obj = PWN::Plugins::TransparentBrowser.open(browser_type: :rest)
+        rest_client = browser_obj[:browser]::Request
+
+        case http_method
+        when :get
+          response = rest_client.execute(
+            method: :get,
+            url: "#{base_hunter_api_uri}/#{rest_call}",
+            headers: {
+              content_type: 'application/json; charset=UTF-8',
+              params: params
+            },
+            verify_ssl: false
+          )
+
+        when :post
+          response = rest_client.execute(
+            method: :post,
+            url: "#{base_hunter_api_uri}/#{rest_call}",
+            headers: {
+              content_type: 'application/json; charset=UTF-8',
+              params: params
+            },
+            payload: http_body,
+            verify_ssl: false
+          )
+
+        else
+          raise @@logger.error("Unsupported HTTP Method #{http_method} for #{self} Plugin")
+        end
+        JSON.parse(response.scrub, symbolize_names: true)
+      rescue JSON::ParserError => e
+        {
+          total: 0,
+          matches: [],
+          error: "JSON::ParserError #{e.message}",
+          rest_call: rest_call,
+          params: params
+        }
+      rescue RestClient::TooManyRequests
+        print 'Too many requests.  Sleeping 10s...'
+        sleep 10
+        retry
+      rescue StandardError => e
+        case e.message
+        when '400 Bad Request', '404 Resource Not Found'
+          "#{e.message}: #{e.response}"
+        else
+          raise e
+        end
+      end
+
+      # Supported Method Parameters::
+      # search_results = PWN::Plugins::Hunter.search(
+      #   api_key: 'required hunter api key',
+      #   query: 'required - hunter search query',
+      #   start_time: 'required - start date for the search (format is yyyy-mm-dd)',
+      #   end_time: 'required - end date for the search (format is yyyy-mm-dd)',
+      #   start_page: 'optional - starting page number for pagination (default is 1)',
+      #   page_size: 'optional - number of results per page (default is 10)',
+      #   fields: 'optional - comma-separated list of fields 'product,transport_protocol,protocol,banner,country,province,city,asn,org,web,updated_at' (default is nil)'
+      # )
+
+      public_class_method def self.search(opts = {})
+        api_key = opts[:api_key].to_s.scrub
+        raise "ERROR: #{self} requires a valid Hunter API Key" if api_key.empty?
+
+        query = opts[:query].to_s.scrub
+        raise "ERROR: #{self} requires a valid query" if query.empty?
+
+        start_time = opts[:start_time]
+        raise "ERROR: #{self} requires a valid start time" if start_time.nil?
+
+        end_time = opts[:end_time]
+        raise "ERROR: #{self} requires a valid end time" if end_time.nil?
+
+        start_page = opts[:start_page] ||= 1
+        page_size = opts[:page_size] ||= 10
+        fields = opts[:fields]
+
+        params = {}
+        params[:'api-key'] = api_key
+        base64_query = Base64.urlsafe_encode64(query)
+        params[:query] = base64_query
+        params[:page] = start_page
+        params[:page_size] = page_size
+        params[:start_time] = start_time
+        params[:end_time] = end_time
+        params[:fields] = fields
+
+        hunter_rest_call(
+          rest_call: 'search',
+          params: params
+        )
+      rescue StandardError => e
+        raise e
+      end
+
+      # Author(s):: 0day Inc. <support@0dayinc.com>
+
+      public_class_method def self.authors
+        "AUTHOR(S):
+          0day Inc. <support@0dayinc.com>
+        "
+      end
+
+      # Display Usage for this Module
+
+      public_class_method def self.help
+        puts "USAGE:
+          search_results = #{self}.query(
+            api_key: 'required hunter api key',
+            query: 'required - hunter search query',
+            start_time: 'required - start date for the search (format is yyyy-mm-dd)',
+            end_time: 'required - end date for the search (format is yyyy-mm-dd)',
+            start_page: 'optional - starting page number for pagination (default is 1)',
+            page_size: 'optional - number of results per page (default is 10)',
+            fields: 'optional - comma-separated list of fields 'product,transport_protocol,protocol,banner,country,province,city,asn,org,web,updated_at' (default is nil)'
+          )
+
+          #{self}.authors
+        "
+      end
+    end
+  end
+end

data/lib/pwn/plugins/repl.rb

@@ -542,6 +542,9 @@ module PWN
             pi.config.pwn_irc = pi.config.p[:irc]
             Pry.config.pwn_irc = pi.config.pwn_irc
 
+            pi.config.pwn_hunter = pi.config.p[:hunter][:api_key]
+            Pry.config.pwn_hunter = pi.config.pwn_hunter
+
             pi.config.pwn_shodan = pi.config.p[:shodan][:api_key]
             Pry.config.pwn_shodan = pi.config.pwn_shodan
 

data/lib/pwn/plugins/transparent_browser.rb

@@ -110,7 +110,7 @@ module PWN
           # DevTools ToolBox Settings in Firefox about:config
           this_profile['devtools.f12.enabled'] = true
           this_profile['devtools.toolbox.host'] = 'right'
-          this_profile['devtools.toolbox.sidebar.width'] = 1400
+          this_profile['devtools.toolbox.sidebar.width'] = 1700
           this_profile['devtools.toolbox.splitconsoleHeight'] = 200
 
           # DevTools Debugger Settings in Firefox about:config
@@ -118,8 +118,7 @@ module PWN
           this_profile['devtools.debugger.start-panel-size'] = 200
           this_profile['devtools.debugger.end-panel-size'] = 200
           this_profile['devtools.debugger.auto-pretty-print'] = true
-          # Re-enable once syntax highlighting is fixed
-          # this_profile['devtools.debugger.ui.editor-wrapping'] = true
+          this_profile['devtools.debugger.ui.editor-wrapping'] = true
           this_profile['devtools.debugger.features.javascript-tracing'] = true
           this_profile['devtools.debugger.xhr-breakpoints-visible'] = true
           this_profile['devtools.debugger.expressions-visible'] = true
@@ -333,6 +332,14 @@ module PWN
               browser_obj[:devtools].send_cmd('DOMSnapshot.enable')
             end
 
+            firefox_browser_types = %i[firefox headless_firefox]
+            if firefox_browser_types.include?(browser_type)
+              # browser_obj[:devtools].send_cmd(
+              #   'EventBreakpoints.setInstrumentationBreakpoint',
+              #   eventName: 'script'
+              # )
+            end
+
             # Future BiDi API that's more universally supported across browsers
             # browser_obj[:bidi] = driver.bidi
 
@@ -450,16 +457,22 @@ module PWN
 
         browser = browser_obj[:browser]
         case js
-        when 'debugger', 'debugger;', 'debugger()', 'debugger();'
-          Timeout.timeout(1) { console_resp = browser.execute_script('debugger') }
         when 'clear', 'clear;', 'clear()', 'clear();'
-          console_resp = browser.execute_script('console.clear()')
+          script = 'console.clear()'
         else
-          console_resp = browser.execute_script("console.log(#{js})")
+          script = "console.log(#{js})"
+        end
+
+        console_resp = nil
+        begin
+          Timeout.timeout(1) { console_resp = browser.execute_script(script) }
+        rescue Timeout::Error, Timeout::ExitException
+          console_resp
+        rescue Selenium::WebDriver::Error::JavascriptError
+          script = js
+          retry
         end
 
-        console_resp
-      rescue Timeout::Error, Timeout::ExitException
         console_resp
       rescue StandardError => e
         raise e
@@ -637,8 +650,10 @@ module PWN
 
         case action.to_s.downcase.to_sym
         when :pause
-          console(browser_obj: browser_obj, js: 'debugger')
-
+          devtools.send_cmd(
+            'EventBreakpoints.setInstrumentationBreakpoint',
+            eventName: 'scriptFirstStatement'
+          )
           # devtools.send_cmd('Debugger.enable')
           # devtools.send_cmd(
           #   'Debugger.setInstrumentationBreakpoint',
@@ -664,6 +679,10 @@ module PWN
             url
           end
         when :resume
+          devtools.send_cmd(
+            'EventBreakpoints.removeInstrumentationBreakpoint',
+            eventName: 'scriptFirstStatement'
+          )
           devtools.send_cmd('Debugger.resume')
         else
           raise 'ERROR: action parameter must be :pause or :resume'
@@ -673,24 +692,69 @@ module PWN
       end
 
       # Supported Method Parameters::
-      # PWN::Plugins::TransparentBrowser.step_into(
+      # current_dom = PWN::Plugins::TransparentBrowser.dom(
       #   browser_obj: 'required - browser_obj returned from #open method)'
       # )
 
+      public_class_method def self.dom(opts = {})
+        browser_obj = opts[:browser_obj]
+        supported = %i[chrome headless_chrome]
+        verify_devtools_browser(browser_obj: browser_obj, supported: supported)
+
+        devtools = browser_obj[:devtools]
+        computed_styles = %i[display color font-size font-family]
+        devtools.send_cmd(
+          'DOMSnapshot.captureSnapshot',
+          computedStyles: computed_styles
+        ).transform_keys(&:to_sym)
+      rescue StandardError => e
+        raise e
+      end
+
+      # Supported Method Parameters::
+      # PWN::Plugins::TransparentBrowser.step_into(
+      #   browser_obj: 'required - browser_obj returned from #open method)',
+      #   steps: 'optional - number of steps taken (Defaults to 1)'
+      # )
+
       public_class_method def self.step_into(opts = {})
         browser_obj = opts[:browser_obj]
         supported = %i[chrome headless_chrome]
         verify_devtools_browser(browser_obj: browser_obj, supported: supported)
 
+        steps = opts[:steps].to_i
+        steps = 1 if steps.zero? || steps.negative?
+
+        diff_arr = []
         devtools = browser_obj[:devtools]
-        devtools.send_cmd('Debugger.stepInto')
+        steps.times do |s|
+          diff_hash = {}
+          step = s + 1
+          diff_hash[:step] = step
+
+          dom_before = dom(browser_obj: browser_obj)
+          diff_hash[:dom_before_step] = dom_before
+
+          devtools.send_cmd('Debugger.stepInto')
+
+          dom_after = dom(browser_obj: browser_obj)
+          diff_hash[:dom_after_step] = dom_after
+
+          da = dom_before.to_a - dom_after.to_a
+          diff_hash[:diff_dom] = da.to_h.transform_keys(&:to_sym)
+
+          diff_arr.push(diff_hash)
+        end
+
+        diff_arr
       rescue StandardError => e
         raise e
       end
 
       # Supported Method Parameters::
       # PWN::Plugins::TransparentBrowser.step_out(
-      #   browser_obj: 'required - browser_obj returned from #open method)'
+      #   browser_obj: 'required - browser_obj returned from #open method)',
+      #   steps: 'optional - number of steps taken (Defaults to 1)'
       # )
 
       public_class_method def self.step_out(opts = {})
@@ -698,15 +762,39 @@ module PWN
         supported = %i[chrome headless_chrome]
         verify_devtools_browser(browser_obj: browser_obj, supported: supported)
 
+        steps = opts[:steps].to_i
+        steps = 1 if steps.zero? || steps.negative?
+
+        diff_arr = []
         devtools = browser_obj[:devtools]
-        devtools.send_cmd('Debugger.stepOut')
+        steps.times do |s|
+          diff_hash = {}
+          step = s + 1
+          diff_hash[:step] = step
+
+          dom_before = dom(browser_obj: browser_obj)
+          diff_hash[:pre_step] = dom_before
+
+          devtools.send_cmd('Debugger.stepOut')
+
+          dom_after = dom(browser_obj: browser_obj, step_sum: step_sum)
+          diff_hash[:post_step] = dom_after
+
+          da = dom_before.to_a - dom_after.to_a
+          diff_hash[:diff] = da.to_h.transform_keys(&:to_sym)
+
+          diff_arr.push(diff_hash)
+        end
+
+        diff_arr
       rescue StandardError => e
         raise e
       end
 
       # Supported Method Parameters::
       # PWN::Plugins::TransparentBrowser.step_over(
-      #   browser_obj: 'required - browser_obj returned from #open method)'
+      #   browser_obj: 'required - browser_obj returned from #open method)',
+      #   steps: 'optional - number of steps taken (Defaults to 1)'
       # )
 
       public_class_method def self.step_over(opts = {})
@@ -714,8 +802,31 @@ module PWN
         supported = %i[chrome headless_chrome]
         verify_devtools_browser(browser_obj: browser_obj, supported: supported)
 
+        steps = opts[:steps].to_i
+        steps = 1 if steps.zero? || steps.negative?
+
+        diff_arr = []
         devtools = browser_obj[:devtools]
-        devtools.send_cmd('Debugger.stepOver')
+        steps.times do |s|
+          diff_hash = {}
+          step = s + 1
+          diff_hash[:step] = step
+
+          dom_before = dom(browser_obj: browser_obj)
+          diff_hash[:dom_before_step] = dom_before
+
+          devtools.send_cmd('Debugger.stepOver')
+
+          dom_after = dom(browser_obj: browser_obj, step_sum: step_sum)
+          diff_hash[:dom_after_step] = dom_after
+
+          da = dom_before.to_a - dom_after.to_a
+          diff_hash[:diff_dom] = da.to_h.transform_keys(&:to_sym)
+
+          diff_arr.push(diff_hash)
+        end
+
+        diff_arr
       rescue StandardError => e
         raise e
       end
@@ -986,16 +1097,23 @@ module PWN
             url: 'optional - URL to navigate to after pausing debugger (Defaults to nil)'
           )
 
-          #{self}.step_into(
+          current_dom = #{self}.dom(
             browser_obj: 'required - browser_obj returned from #open method)'
           )
 
+          #{self}.step_into(
+            browser_obj: 'required - browser_obj returned from #open method)',
+            steps: 'optional - number of steps taken (Defaults to 1)'
+          )
+
           #{self}.step_out(
-            browser_obj: 'required - browser_obj returned from #open method)'
+            browser_obj: 'required - browser_obj returned from #open method)',
+            steps: 'optional - number of steps taken (Defaults to 1)'
           )
 
           #{self}.step_over(
-            browser_obj: 'required - browser_obj returned from #open method)'
+            browser_obj: 'required - browser_obj returned from #open method)',
+            steps: 'optional - number of steps taken (Defaults to 1)'
           )
 
           #{self}.toggle_devtools(

data/lib/pwn/plugins.rb

@@ -30,6 +30,7 @@ module PWN
     autoload :Github, 'pwn/plugins/github'
     autoload :GQRX, 'pwn/plugins/gqrx'
     autoload :HackerOne, 'pwn/plugins/hacker_one'
+    autoload :Hunter, 'pwn/plugins/hunter'
     autoload :IPInfo, 'pwn/plugins/ip_info'
     autoload :IRC, 'pwn/plugins/irc'
     autoload :Jenkins, 'pwn/plugins/jenkins'

data/lib/pwn/sast/local_storage.rb

@@ -0,0 +1,145 @@
+# frozen_string_literal: false
+
+require 'socket'
+
+module PWN
+  module SAST
+    # SAST Module used to identify any localStorage function/method
+    # declarations within source code in an effort to
+    # determine if XSS is possible
+    module LocalStorage
+      @@logger = PWN::Plugins::PWNLogger.create
+
+      # Supported Method Parameters::
+      # PWN::SAST::LocalStorage.scan(
+      #   dir_path: 'optional path to dir defaults to .'
+      #   git_repo_root_uri: 'optional http uri of git repo scanned'
+      # )
+
+      public_class_method def self.scan(opts = {})
+        dir_path = opts[:dir_path]
+        git_repo_root_uri = opts[:git_repo_root_uri].to_s.scrub
+        result_arr = []
+        logger_results = ''
+
+        PWN::Plugins::FileFu.recurse_dir(dir_path: dir_path) do |entry|
+          if File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/ && entry !~ /test/i
+            line_no_and_contents_arr = []
+            entry_beautified = false
+
+            if File.extname(entry) == '.js' && (`wc -l #{entry}`.split.first.to_i < 20 || entry.include?('.min.js') || entry.include?('-all.js'))
+              js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED`.to_s.scrub
+              entry = "#{entry}.JS-BEAUTIFIED"
+              entry_beautified = true
+            end
+
+            test_case_filter = "
+              grep -n \
+              -e 'localStorage.getItem(' \
+              -e 'localStorage.setItem(' #{entry}
+            "
+
+            str = `#{test_case_filter}`.to_s.scrub
+
+            if str.to_s.empty?
+              # If str length is >= 64 KB do not include results. (Due to Mongo Document Size Restrictions)
+              logger_results = "#{logger_results}~" # Catching bugs is good :)
+            else
+              str = "1:Result larger than 64KB -> Size: #{str.to_s.length}.  Please click the \"Path\" link for more details." if str.to_s.length >= 64_000
+
+              hash_line = {
+                timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
+                security_references: security_references,
+                filename: { git_repo_root_uri: git_repo_root_uri, entry: entry },
+                line_no_and_contents: '',
+                raw_content: str,
+                test_case_filter: test_case_filter
+              }
+
+              # COMMMENT: Must be a better way to implement this (regex is kinda funky)
+              line_contents_split = str.split(/^(\d{1,}):|\n(\d{1,}):/)[1..-1]
+              line_no_count = line_contents_split.length # This should always be an even number
+              current_count = 0
+              while line_no_count > current_count
+                line_no = line_contents_split[current_count]
+                contents = line_contents_split[current_count + 1]
+                if Dir.exist?("#{dir_path}/.git") ||
+                   Dir.exist?('.git')
+
+                  repo_root = dir_path
+                  repo_root = '.' if Dir.exist?('.git')
+
+                  author = PWN::Plugins::Git.get_author(
+                    repo_root: repo_root,
+                    from_line: line_no,
+                    to_line: line_no,
+                    target_file: entry,
+                    entry_beautified: entry_beautified
+                  )
+                else
+                  author = 'N/A'
+                end
+                hash_line[:line_no_and_contents] = line_no_and_contents_arr.push(
+                  line_no: line_no,
+                  contents: contents,
+                  author: author
+                )
+
+                current_count += 2
+              end
+              result_arr.push(hash_line)
+              logger_results = "#{logger_results}x" # Seeing progress is good :)
+            end
+          end
+        end
+        logger_banner = "http://#{Socket.gethostname}:8808/doc_root/pwn-#{PWN::VERSION.to_s.scrub}/#{to_s.scrub.gsub('::', '/')}.html"
+        if logger_results.empty?
+          @@logger.info("#{logger_banner}: No files applicable to this test case.\n")
+        else
+          @@logger.info("#{logger_banner} => #{logger_results}complete.\n")
+        end
+        result_arr
+      rescue StandardError => e
+        raise e
+      end
+
+      # Used primarily to map NIST 800-53 Revision 4 Security Controls
+      # https://web.nvd.nist.gov/view/800-53/Rev4/impact?impactName=HIGH
+      # to PWN Exploit & Static Code Anti-Pattern Matching Modules to
+      # Determine the level of Testing Coverage w/ PWN.
+
+      public_class_method def self.security_references
+        {
+          sast_module: self,
+          section: 'MALICIOUS CODE PROTECTION',
+          nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-3',
+          cwe_id: '79',
+          cwe_uri: 'https://cwe.mitre.org/data/definitions/79.html'
+        }
+      rescue StandardError => e
+        raise e
+      end
+
+      # Author(s):: 0day Inc. <support@0dayinc.com>
+
+      public_class_method def self.authors
+        "AUTHOR(S):
+          0day Inc. <support@0dayinc.com>
+        "
+      end
+
+      # Display Usage for this Module
+
+      public_class_method def self.help
+        puts "USAGE:
+          sast_arr = #{self}.scan(
+            dir_path: 'optional path to dir defaults to .',
+            git_repo_root_uri: 'optional http uri of git repo scanned'
+          )
+
+          #{self}.authors
+        "
+      end
+    end
+  end
+end