Zapotek · May 20, 2023 18:09
diff --git a/scnr_introspector_output.txt b/scnr_introspector_output.txt
 $ ./examples/sinatra_xss.rb
 [*] Preparing plugins...
 [*] ... done.

 [*] [HTTP: 200] http://myapp/
 [~] Identified as: linux, ruby, rack
 [~] Analysis resulted in 1 usable paths.
 [*] Harvesting HTTP responses...
 [~] Depending on server responsiveness and network conditions this may take a while.
 [*] XSS: Auditing link input 'v' pointing to: 'http://myapp/'
 [*] XSS: Analyzing response #2 for link input 'v' pointing to: 'http://myapp/'
 [+] Cross-Site Scripting (XSS) in link input 'v' with action http://myapp/
 [*] Harvesting HTTP responses...
 [~] Depending on server responsiveness and network conditions this may take a while.

 [*] [HTTP: 200] http://myapp/?v=stuff
 [~] Identified as: linux, ruby, rack
 [~] Analysis resulted in 0 usable paths.
 [*] Harvesting HTTP responses...
 [~] Depending on server responsiveness and network conditions this may take a while.

 100.0% coverage
 ----------------------------------------------------------------------------------------------------
 -- /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb
 ---- Total:    25
 ---- Skipped:  15
 ---- Hit:      10 (100.0%)
 ---- Missed:   0 (0.0%)

 Hit (+), missed (-) or skipped lines:
 1 | + | require 'sinatra/base'
 2 |   | 
 3 | + | class MyApp < Sinatra::Base
 4 |   | 
 5 | + |     def noop
 6 |   |     end
 7 |   | 
 8 | + |     def process_params( params )
 9 | + |         noop
 10 | + |         params.values.join( ' ' )
 11 |   |     end
 12 |   | 
 13 | + |     get '/' do
 14 |   |         @instance_variable = {
 15 | + |             blah: 'foo'
 16 |   |         }
 17 | + |         local_variable = 1
 18 |   | 
 19 |   |         <<EOHTML
 20 | + | #{process_params( params )}
 21 |   |         <a href="?v=stuff">XSS</a>
 22 |   | EOHTML
 23 |   |     end
 24 |   | 
 25 |   | end

 --------------------


 ----------------------------------------------------------------------------------------------------
 Trace for: Cross-Site Scripting (XSS) in 'link' input 'v':

 [1] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:13 MyApp#GET / call in MyApp#GET /
    get '/' do

        LOCAL VARIABLES
        --------------------------------------------------------------------------------
 {"local_variable"=>"1"}

        INSTANCE VARIABLES
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 {"@default_layout"=>"layout",
 "@preferred_extension"=>"",
 "@app"=>"",
 "@template_cache"=>"#<Tilt::Cache:0x000000000327bcc8>",
 "@pinned_response"=>"",
 "@env"=>
  {"REQUEST_METHOD"=>"GET",
   "SCRIPT_NAME"=>"",
   "PATH_INFO"=>"/",
   "REQUEST_PATH"=>"/",
   "QUERY_STRING"=>"v=stuff%3Cxss_ab1149c5ca9edf84a01a473c5b9309cf%2F%3E",
   "SERVER_NAME"=>"0.0.0.0",
   "SERVER_PORT"=>"80",
   "HTTP_VERSION"=>"HTTP/1.1",
   "REMOTE_ADDR"=>"127.0.0.1",
   "HTTP_ACCEPT"=>
    "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
   "HTTP_USER_AGENT"=>"Mozilla/5.0 (Gecko) SCNR::Engine/v1.0dev",
   "HTTP_ACCEPT_LANGUAGE"=>"en-US,en;q=0.8,he;q=0.6",
   "HTTP_X_SCNR_ENGINE_SCAN_SEED"=>"ab1149c5ca9edf84a01a473c5b9309cf",
   "SERVER_PROTOCOL"=>"HTTP/1.1",
   "rack.version"=>"[1, 3]",
   "rack.input"=>"#<StringIO:0x0000000001faef28>",
   "rack.errors"=>"#<IO:0x000000000122b7c0>",
   "rack.multithread"=>"false",
   "rack.multiprocess"=>"false",
   "rack.run_once"=>"false",
   "rack.url_scheme"=>"http",
   "rack.hijack?"=>"false",
   "rack.logger"=>"#<Rack::NullLogger:0x00000000033c64c0>",
   "rack.request.query_string"=>
    "v=stuff%3Cxss_ab1149c5ca9edf84a01a473c5b9309cf%2F%3E",
   "rack.request.query_hash"=>
    {"v"=>"stuff<xss_ab1149c5ca9edf84a01a473c5b9309cf/>"},
   "sinatra.route"=>"GET /"},
 "@params"=>{"v"=>"stuff<xss_ab1149c5ca9edf84a01a473c5b9309cf/>"},
 "@request"=>"#<Sinatra::Request:0x0000000001fae7a8>",
 "@response"=>"#<Sinatra::Response:0x0000000001fae780>",
 "@instance_variable"=>{"blah"=>"foo"}}

 [2] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:13 MyApp#GET / b_call in MyApp#GET /
    get '/' do

        LOCAL VARIABLES
        --------------------------------------------------------------------------------
 {"local_variable"=>"1"}

 [3] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:15 MyApp#GET / line in MyApp#GET /
            blah: 'foo'

        LOCAL VARIABLES
        --------------------------------------------------------------------------------
 {"local_variable"=>"1"}

 [4] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:17 MyApp#GET / line in MyApp#GET /
        local_variable = 1

        LOCAL VARIABLES
        --------------------------------------------------------------------------------
 {"local_variable"=>"1"}

 [5] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:20 MyApp#GET / line in MyApp#GET /
 #{process_params( params )}

        LOCAL VARIABLES
        --------------------------------------------------------------------------------
 {"local_variable"=>"1"}

 [6] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:8 MyApp#process_params call in MyApp#process_params@/home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:8
    def process_params( params )

        LOCAL VARIABLES
        --------------------------------------------------------------------------------
 {"params"=>{"v"=>"stuff<xss_ab1149c5ca9edf84a01a473c5b9309cf/>"}}

 [7] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:9 MyApp#process_params line in MyApp#process_params@/home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:8
        noop

        LOCAL VARIABLES
        --------------------------------------------------------------------------------
 {"params"=>{"v"=>"stuff<xss_ab1149c5ca9edf84a01a473c5b9309cf/>"}}

 [8] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:5 MyApp#noop call in MyApp#noop@/home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:5
    def noop

 [9] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:6 MyApp#noop return in MyApp#noop@/home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:5
    end

 [10] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:10 MyApp#process_params line in MyApp#process_params@/home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:8
        params.values.join( ' ' )

        LOCAL VARIABLES
        --------------------------------------------------------------------------------
 {"params"=>{"v"=>"stuff<xss_ab1149c5ca9edf84a01a473c5b9309cf/>"}}

 [11] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:10 Hash#values c_call in MyApp#process_params@/home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:8
        params.values.join( ' ' )

        LOCAL VARIABLES
        --------------------------------------------------------------------------------
 {"params"=>{"v"=>"stuff<xss_ab1149c5ca9edf84a01a473c5b9309cf/>"}}

 [12] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:10 Hash#values c_return in MyApp#process_params@/home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:8
        params.values.join( ' ' )

        LOCAL VARIABLES
        --------------------------------------------------------------------------------
 {"params"=>{"v"=>"stuff<xss_ab1149c5ca9edf84a01a473c5b9309cf/>"}}

 [13] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:10 Array#join c_call in MyApp#process_params@/home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:8
        params.values.join( ' ' )

        LOCAL VARIABLES
        --------------------------------------------------------------------------------
 {"params"=>{"v"=>"stuff<xss_ab1149c5ca9edf84a01a473c5b9309cf/>"}}

 [14] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:10 Array#join c_return in MyApp#process_params@/home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:8
        params.values.join( ' ' )

        LOCAL VARIABLES
        --------------------------------------------------------------------------------
 {"params"=>{"v"=>"stuff<xss_ab1149c5ca9edf84a01a473c5b9309cf/>"}}

 [15] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:11 MyApp#process_params return in MyApp#process_params@/home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:8
    end

        LOCAL VARIABLES
        --------------------------------------------------------------------------------
 {"params"=>{"v"=>"stuff<xss_ab1149c5ca9edf84a01a473c5b9309cf/>"}}

 [16] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:23 MyApp#GET / b_return in MyApp#GET /
    end

        LOCAL VARIABLES
        --------------------------------------------------------------------------------
 {"local_variable"=>"1"}


 From: /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:23 self.GET /:

    18: 
    19:         <<EOHTML
    20: #{process_params( params )}
    21:         <a href="?v=stuff">XSS</a>
    22: EOHTML
 => 23:     end
    24: 
    25: end

 [1] pry(#<MyApp>)> params
 => {"v"=>"stuff<xss_ab1149c5ca9edf84a01a473c5b9309cf/>"}
 [2] pry(#<MyApp>)> process_params params
 => "stuff<xss_ab1149c5ca9edf84a01a473c5b9309cf/>"
 [3] pry(#<MyApp>)> exit
	$ ./examples/sinatra_xss.rb
	[*] Preparing plugins...
	[*] ... done.

	[*] [HTTP: 200] http://myapp/
	[~] Identified as: linux, ruby, rack
	[~] Analysis resulted in 1 usable paths.
	[*] Harvesting HTTP responses...
	[~] Depending on server responsiveness and network conditions this may take a while.
	[*] XSS: Auditing link input 'v' pointing to: 'http://myapp/'
	[*] XSS: Analyzing response #2 for link input 'v' pointing to: 'http://myapp/'
	[+] Cross-Site Scripting (XSS) in link input 'v' with action http://myapp/
	[*] Harvesting HTTP responses...
	[~] Depending on server responsiveness and network conditions this may take a while.

	[*] [HTTP: 200] http://myapp/?v=stuff
	[~] Identified as: linux, ruby, rack
	[~] Analysis resulted in 0 usable paths.
	[*] Harvesting HTTP responses...
	[~] Depending on server responsiveness and network conditions this may take a while.

	100.0% coverage
	----------------------------------------------------------------------------------------------------
	-- /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb
	---- Total: 25
	---- Skipped: 15
	---- Hit: 10 (100.0%)
	---- Missed: 0 (0.0%)

	Hit (+), missed (-) or skipped lines:
	1 \| + \| require 'sinatra/base'
	2 \| \|
	3 \| + \| class MyApp < Sinatra::Base
	4 \| \|
	5 \| + \| def noop
	6 \| \| end
	7 \| \|
	8 \| + \| def process_params( params )
	9 \| + \| noop
	10 \| + \| params.values.join( ' ' )
	11 \| \| end
	12 \| \|
	13 \| + \| get '/' do
	14 \| \| @instance_variable = {
	15 \| + \| blah: 'foo'
	16 \| \| }
	17 \| + \| local_variable = 1
	18 \| \|
	19 \| \| <<EOHTML
	20 \| + \| #{process_params( params )}
	21 \| \| <a href="?v=stuff">XSS</a>
	22 \| \| EOHTML
	23 \| \| end
	24 \| \|
	25 \| \| end

	--------------------


	----------------------------------------------------------------------------------------------------
	Trace for: Cross-Site Scripting (XSS) in 'link' input 'v':

	[1] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:13 MyApp#GET / call in MyApp#GET /
	get '/' do

	LOCAL VARIABLES
	--------------------------------------------------------------------------------
	{"local_variable"=>"1"}

	INSTANCE VARIABLES
	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	{"@default_layout"=>"layout",
	"@preferred_extension"=>"",
	"@app"=>"",
	"@template_cache"=>"#<Tilt::Cache:0x000000000327bcc8>",
	"@pinned_response"=>"",
	"@env"=>
	{"REQUEST_METHOD"=>"GET",
	"SCRIPT_NAME"=>"",
	"PATH_INFO"=>"/",
	"REQUEST_PATH"=>"/",
	"QUERY_STRING"=>"v=stuff%3Cxss_ab1149c5ca9edf84a01a473c5b9309cf%2F%3E",
	"SERVER_NAME"=>"0.0.0.0",
	"SERVER_PORT"=>"80",
	"HTTP_VERSION"=>"HTTP/1.1",
	"REMOTE_ADDR"=>"127.0.0.1",
	"HTTP_ACCEPT"=>
	"text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8",
	"HTTP_USER_AGENT"=>"Mozilla/5.0 (Gecko) SCNR::Engine/v1.0dev",
	"HTTP_ACCEPT_LANGUAGE"=>"en-US,en;q=0.8,he;q=0.6",
	"HTTP_X_SCNR_ENGINE_SCAN_SEED"=>"ab1149c5ca9edf84a01a473c5b9309cf",
	"SERVER_PROTOCOL"=>"HTTP/1.1",
	"rack.version"=>"[1, 3]",
	"rack.input"=>"#<StringIO:0x0000000001faef28>",
	"rack.errors"=>"#<IO:0x000000000122b7c0>",
	"rack.multithread"=>"false",
	"rack.multiprocess"=>"false",
	"rack.run_once"=>"false",
	"rack.url_scheme"=>"http",
	"rack.hijack?"=>"false",
	"rack.logger"=>"#<Rack::NullLogger:0x00000000033c64c0>",
	"rack.request.query_string"=>
	"v=stuff%3Cxss_ab1149c5ca9edf84a01a473c5b9309cf%2F%3E",
	"rack.request.query_hash"=>
	{"v"=>"stuff<xss_ab1149c5ca9edf84a01a473c5b9309cf/>"},
	"sinatra.route"=>"GET /"},
	"@params"=>{"v"=>"stuff<xss_ab1149c5ca9edf84a01a473c5b9309cf/>"},
	"@request"=>"#<Sinatra::Request:0x0000000001fae7a8>",
	"@response"=>"#<Sinatra::Response:0x0000000001fae780>",
	"@instance_variable"=>{"blah"=>"foo"}}

	[2] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:13 MyApp#GET / b_call in MyApp#GET /
	get '/' do

	LOCAL VARIABLES
	--------------------------------------------------------------------------------
	{"local_variable"=>"1"}

	[3] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:15 MyApp#GET / line in MyApp#GET /
	blah: 'foo'

	LOCAL VARIABLES
	--------------------------------------------------------------------------------
	{"local_variable"=>"1"}

	[4] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:17 MyApp#GET / line in MyApp#GET /
	local_variable = 1

	LOCAL VARIABLES
	--------------------------------------------------------------------------------
	{"local_variable"=>"1"}

	[5] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:20 MyApp#GET / line in MyApp#GET /
	#{process_params( params )}

	LOCAL VARIABLES
	--------------------------------------------------------------------------------
	{"local_variable"=>"1"}

	[6] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:8 MyApp#process_params call in MyApp#process_params@/home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:8
	def process_params( params )

	LOCAL VARIABLES
	--------------------------------------------------------------------------------
	{"params"=>{"v"=>"stuff<xss_ab1149c5ca9edf84a01a473c5b9309cf/>"}}

	[7] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:9 MyApp#process_params line in MyApp#process_params@/home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:8
	noop

	LOCAL VARIABLES
	--------------------------------------------------------------------------------
	{"params"=>{"v"=>"stuff<xss_ab1149c5ca9edf84a01a473c5b9309cf/>"}}

	[8] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:5 MyApp#noop call in MyApp#noop@/home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:5
	def noop

	[9] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:6 MyApp#noop return in MyApp#noop@/home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:5
	end

	[10] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:10 MyApp#process_params line in MyApp#process_params@/home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:8
	params.values.join( ' ' )

	LOCAL VARIABLES
	--------------------------------------------------------------------------------
	{"params"=>{"v"=>"stuff<xss_ab1149c5ca9edf84a01a473c5b9309cf/>"}}

	[11] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:10 Hash#values c_call in MyApp#process_params@/home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:8
	params.values.join( ' ' )

	LOCAL VARIABLES
	--------------------------------------------------------------------------------
	{"params"=>{"v"=>"stuff<xss_ab1149c5ca9edf84a01a473c5b9309cf/>"}}

	[12] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:10 Hash#values c_return in MyApp#process_params@/home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:8
	params.values.join( ' ' )

	LOCAL VARIABLES
	--------------------------------------------------------------------------------
	{"params"=>{"v"=>"stuff<xss_ab1149c5ca9edf84a01a473c5b9309cf/>"}}

	[13] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:10 Array#join c_call in MyApp#process_params@/home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:8
	params.values.join( ' ' )

	LOCAL VARIABLES
	--------------------------------------------------------------------------------
	{"params"=>{"v"=>"stuff<xss_ab1149c5ca9edf84a01a473c5b9309cf/>"}}

	[14] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:10 Array#join c_return in MyApp#process_params@/home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:8
	params.values.join( ' ' )

	LOCAL VARIABLES
	--------------------------------------------------------------------------------
	{"params"=>{"v"=>"stuff<xss_ab1149c5ca9edf84a01a473c5b9309cf/>"}}

	[15] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:11 MyApp#process_params return in MyApp#process_params@/home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:8
	end

	LOCAL VARIABLES
	--------------------------------------------------------------------------------
	{"params"=>{"v"=>"stuff<xss_ab1149c5ca9edf84a01a473c5b9309cf/>"}}

	[16] /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:23 MyApp#GET / b_return in MyApp#GET /
	end

	LOCAL VARIABLES
	--------------------------------------------------------------------------------
	{"local_variable"=>"1"}


	From: /home/zapotek/workspace/scnr/introspector/examples/sinatra/sinatra_xss.rb:23 self.GET /:

	18:
	19: <<EOHTML
	20: #{process_params( params )}
	21: <a href="?v=stuff">XSS</a>
	22: EOHTML
	=> 23: end
	24:
	25: end

	[1] pry(#<MyApp>)> params
	=> {"v"=>"stuff<xss_ab1149c5ca9edf84a01a473c5b9309cf/>"}
	[2] pry(#<MyApp>)> process_params params
	=> "stuff<xss_ab1149c5ca9edf84a01a473c5b9309cf/>"
	[3] pry(#<MyApp>)> exit