Merge pull request #441 from ricekot/spotless-js-scripts
Format JS scripts with Prettier
kingthorin authored Apr 12, 2024
2 parents f17ef7c + 9fa4064 commit a941beb
Showing 124 changed files with 7,029 additions and 5,246 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.md
Expand Up @@ -11,6 +11,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
- httpsender/RsaEncryptPayloadForZap.py - A script that encrypts requests using RSA
- selenium/FillOTPInMFA.js - A script that fills the OTP in MFA

### Changed
- Use Prettier to format all JavaScript scripts.

## [18] - 2024-01-29
### Added
- httpsender/RsaSigningForZap.py - A script that signs requests using RSA
126 changes: 68 additions & 58 deletions active/Cross Site WebSocket Hijacking.js
Expand Up @@ -37,73 +37,83 @@
* Note: Active scripts are initially disabled, right click the script to enable it.
*/

var Base64 = Java.type("java.util.Base64")
var Random = Java.type("java.util.Random")
var String = Java.type("java.lang.String")
var ByteArray = Java.type("byte[]")
var Base64 = Java.type("java.util.Base64");
var Random = Java.type("java.util.Random");
var String = Java.type("java.lang.String");
var ByteArray = Java.type("byte[]");

var LOG_DEBUG_MESSAGES = false // change to true for more logs
var LOG_DEBUG_MESSAGES = false; // change to true for more logs

var RISK = 3
var CONFIDENCE = 2
var TITLE = "Cross-Site WebSocket Hijacking"
var DESCRIPTION = "Server accepted WebSocket connection through HTTP Upgrade request with modified Origin header."
var SOLUTION = "Validate Origin header on WebSocket connection handshake, to ensure only specified origins are allowed to connect.\
Also, WebSocket handshake should use random tokens, similar to anti CSRF tokens."
var REFERENCE = "https://tools.ietf.org/html/rfc6455#section-10.2"
var OTHER = "See also https://portswigger.net/web-security/websockets/cross-site-websocket-hijacking\
or https://christian-schneider.net/CrossSiteWebSocketHijacking.html"
var CWEID = 346 // CWE-346: Origin Validation Error, http://cwe.mitre.org/data/definitions/346.html
var WASCID = 9 // WASC-9 Cross Site Request Forgery, http://projects.webappsec.org/w/page/13246919/Cross%20Site%20Request%20Forgery
var RISK = 3;
var CONFIDENCE = 2;
var TITLE = "Cross-Site WebSocket Hijacking";
var DESCRIPTION =
"Server accepted WebSocket connection through HTTP Upgrade request with modified Origin header.";
var SOLUTION =
"Validate Origin header on WebSocket connection handshake, to ensure only specified origins are allowed to connect.\
Also, WebSocket handshake should use random tokens, similar to anti CSRF tokens.";
var REFERENCE = "https://tools.ietf.org/html/rfc6455#section-10.2";
var OTHER =
"See also https://portswigger.net/web-security/websockets/cross-site-websocket-hijacking\
or https://christian-schneider.net/CrossSiteWebSocketHijacking.html";
var CWEID = 346; // CWE-346: Origin Validation Error, http://cwe.mitre.org/data/definitions/346.html
var WASCID = 9; // WASC-9 Cross Site Request Forgery, http://projects.webappsec.org/w/page/13246919/Cross%20Site%20Request%20Forgery

function scanNode(as, msg) {
var target = msg.getRequestHeader().getURI().toString()

// check if this is a WebSocket HTTP Upgrade request (the message should include also "Connection: Upgrade" header if we wanted to check it strictly)
// TODO: in ZAP 2.11 we might use msg.isWebSocketUpgrade() check instead
var upgradeHeader = msg.getRequestHeader().getHeader("Upgrade")
if (!upgradeHeader || upgradeHeader.toLowerCase() !== "websocket") {
if (LOG_DEBUG_MESSAGES) {
print("Cross-Site WebSocket Hijacking rule skipped for url=" + target + ", it does not appear to be a WebSocket upgrade request")
}
return
}
var target = msg.getRequestHeader().getURI().toString();

// check if this is a WebSocket HTTP Upgrade request (the message should include also "Connection: Upgrade" header if we wanted to check it strictly)
// TODO: in ZAP 2.11 we might use msg.isWebSocketUpgrade() check instead
var upgradeHeader = msg.getRequestHeader().getHeader("Upgrade");
if (!upgradeHeader || upgradeHeader.toLowerCase() !== "websocket") {
if (LOG_DEBUG_MESSAGES) {
print("Cross-Site WebSocket Hijacking rule started for url=" + target)
print(
"Cross-Site WebSocket Hijacking rule skipped for url=" +
target +
", it does not appear to be a WebSocket upgrade request"
);
}
msg = msg.cloneRequest()
return;
}

if (LOG_DEBUG_MESSAGES) {
print("Cross-Site WebSocket Hijacking rule started for url=" + target);
}
msg = msg.cloneRequest();

// set random Sec-WebSocket-Key
var randomBytes = new ByteArray(16)
new Random().nextBytes(randomBytes)
var secWsKey = new String(Base64.getEncoder().encode(randomBytes))
msg.getRequestHeader().setHeader("Sec-WebSocket-Key", secWsKey)
// set random Sec-WebSocket-Key
var randomBytes = new ByteArray(16);
new Random().nextBytes(randomBytes);
var secWsKey = new String(Base64.getEncoder().encode(randomBytes));
msg.getRequestHeader().setHeader("Sec-WebSocket-Key", secWsKey);

// set Origin header using custom domain, .example is a reserved TLD in RFC 2606 so it should not match domain name of a scanned service
msg.getRequestHeader().setHeader("Origin", "https://cswsh.example")
// set Origin header using custom domain, .example is a reserved TLD in RFC 2606 so it should not match domain name of a scanned service
msg.getRequestHeader().setHeader("Origin", "https://cswsh.example");

as.sendAndReceive(msg, true, false)
as.sendAndReceive(msg, true, false);

var responseStatus = msg.getResponseHeader().getStatusCode()
if (responseStatus === 101) {
// should not have accepted connection with different origin
if (LOG_DEBUG_MESSAGES) {
print("Cross-Site WebSocket Hijacking vulnerability found, sending alert for url=" + target)
}
as.newAlert()
.setRisk(RISK)
.setConfidence(CONFIDENCE)
.setName(TITLE)
.setDescription(DESCRIPTION)
.setParam(target)
.setEvidence(msg.getResponseHeader().getPrimeHeader())
.setOtherInfo(OTHER)
.setSolution(SOLUTION)
.setReference(REFERENCE)
.setCweId(CWEID)
.setWascId(WASCID)
.setMessage(msg)
.raise()
}
var responseStatus = msg.getResponseHeader().getStatusCode();
if (responseStatus === 101) {
// should not have accepted connection with different origin
if (LOG_DEBUG_MESSAGES) {
print(
"Cross-Site WebSocket Hijacking vulnerability found, sending alert for url=" +
target
);
}
as.newAlert()
.setRisk(RISK)
.setConfidence(CONFIDENCE)
.setName(TITLE)
.setDescription(DESCRIPTION)
.setParam(target)
.setEvidence(msg.getResponseHeader().getPrimeHeader())
.setOtherInfo(OTHER)
.setSolution(SOLUTION)
.setReference(REFERENCE)
.setCweId(CWEID)
.setWascId(WASCID)
.setMessage(msg)
.raise();
}
}
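Review bot: `var String = Java.type("java.lang.String");` in this hunk shadows the JavaScript `String` global for the whole script, and it exists only to serve `var secWsKey = new String(Base64.getEncoder().encode(randomBytes));` in `scanNode`; `java.util.Base64.Encoder` already offers `encodeToString`, so `var secWsKey = Base64.getEncoder().encodeToString(randomBytes);` does the same conversion in one step (and without the platform-default-charset decode of `new String(byte[])`), after which the `String` type import can be dropped. Separately, `msg = msg.cloneRequest();` reassigns the `msg` parameter before the probe is sent, so the original request and the probe share one name; a local such as `var probe = msg.cloneRequest();`, used for the header changes, `sendAndReceive` and `setMessage`, would make clear which message carries the modified `Origin` header. Both points predate this commit and are not affected by the formatter run, which otherwise looks behaviour-neutral.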
