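require 'pry'
require 'scnr/introspector'
require 'scnr/introspector/helpers/output'

include SCNR
include Introspector::Helpers::Output

# Location of the web application environment loader; it is expected to live
# next to this script.
APP_PATH = "#{File.expand_path( File.dirname(__FILE__) )}/sinatra_xss.rb"

# Introspection and scan options.
#
# Both `coverage` and `trace` are restricted to files under APP_PATH so that
# only the web application's own code is recorded, not the framework's or
# the scanner's.
OPTIONS = {
  # Scan coverage provides simple, high-level coverage data: the file paths
  # and the source lines that were executed.
  coverage: {
    scope: {
      # Only keep track of webapp code.
      path_start_with: APP_PATH
    },
  },

  # Tracing HTTP::Request operations provides a much more in-depth look into
  # the web application's behavior; this is very useful when resolving logged
  # issues.
  trace: {
    scope: {
      # Only keep track of webapp code.
      path_start_with: APP_PATH
    }
  },

  scan: {
    audit: {
      # We only care about links in our example.
      elements: [:links]
    },

    # The simple XSS check will do.
    checks: ['xss'],

    # We don't need any browsers for this particular scan.
    dom: {
      pool_size: 0
    }
  }
}

# Enable coverage tracking of the web application's source code.
# This must happen before the application is loaded, otherwise its lines
# would not be instrumented.
Introspector::Scan::Coverage.enable

# Include the web application and its environment.
require APP_PATH

# Runs a scan and gives us the usual SCNR::Report; this report additionally
# carries the coverage data requested in OPTIONS.
report = Introspector.scan_and_report( OPTIONS )

# Show how much of the web application's source code the scan hit, file by
# file, line by line.
puts
print_scan_coverage report.coverage

# Shut the system up, it'll be quite annoying during tracing.
Introspector.disable_output

# Expected to be an XSS issue given the `checks` above; bail out cleanly
# rather than raising NoMethodError on `nil` if the scan logged nothing.
issue = report.issues.first
abort 'No issues were logged; nothing to trace.' unless issue

puts
puts '-' * 100
puts "Trace for: #{issue.name} in '#{issue.vector.type}' input '#{issue.affected_input_name}':"

# Trace the issue through the web application's execution flow to gather
# context for identifying and debugging it. The scope again limits the trace
# to the webapp's own code.
traced_issue = issue.with_trace( scope: { path_start_with: APP_PATH } )

puts
print_request_trace traced_issue.request.trace

# Re-enter the context the webapp was in during its vulnerable state with pry.
# The last trace point is the deepest frame recorded; without any points
# there is no context to open.
last_point = traced_issue.request.trace.points.last
abort 'The trace recorded no points; no context to inspect.' unless last_point

last_point.context.pry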