set of web security test cases and a toolkit to construct new ones
Switch branches/tags
Nothing to show
Clone or download
dmitris Merge pull request #28 from dmitris/golint-fix
fix golint and gosimple issues
Latest commit c9d0236 Jul 9, 2018
Permalink
Failed to load latest commit information.
cmd/webseclab fix golint and gosimple issues Jul 7, 2018
templates golint fixes (breaking API) Aug 1, 2016
.gitignore add text for textarea injection, refactor transform mechanism May 1, 2015
.travis.yml add .travis.yml for Travis CI Feb 2, 2015
LICENSE initial commit of opensource version Feb 1, 2015
README.md minor changes in README on GOPATH, add godoc badge Jan 5, 2018
common.go initial commit of opensource version Feb 1, 2015
common_test.go fix golint and gosimple issues Jul 7, 2018
ctx.go golint fixes (breaking API) Aug 1, 2016
custom.go fix golint and gosimple issues Jul 7, 2018
custom_test.go add basic (minimal) case; add tests for the content-type fix Feb 2, 2015
doc.go golint fixes (breaking API) Aug 1, 2016
filters.go Add new filter/transform, fix issue #12 exploitable js4_dq_fp May 1, 2015
genstatic.go fix golint nit in the generated code Sep 24, 2016
handler.go fix golint and gosimple issues Jul 7, 2018
input.go fix golint and gosimple issues Jul 7, 2018
input_test.go golint fixes (breaking API) Aug 1, 2016
ip.go golint fixes (breaking API) Aug 1, 2016
ip_test.go fix logic error Aug 4, 2016
process.go golint fixes (breaking API) Aug 1, 2016
process_test.go golint fixes (breaking API) Aug 1, 2016
static.go fix golint nit in the generated code Sep 24, 2016
templates.go fix logic error Aug 4, 2016
templates_test.go pack templates into standalone executable, generate static.go May 21, 2015
transform.go fix golint and gosimple issues Jul 7, 2018
transform_test.go Add new filter/transform, fix issue #12 exploitable js4_dq_fp May 1, 2015
utils.go pack templates into standalone executable, generate static.go May 21, 2015
utils_test.go pack templates into standalone executable, generate static.go May 21, 2015
version.go golint fixes (breaking API) Aug 1, 2016

README.md

Webseclab

Build Status GoDoc

Webseclab contains a sample set of web security test cases and a toolkit to construct new ones. It can be used for testing security scanners, to replicate or reconstruct issues, or to help with investigations or discussions of particular types of web security bugs.

Install

If you don't have Go installed yet, grab the latest stable version from https://golang.org/dl/ and install following instructions on https://golang.org/doc/install.

Set GOPATH environment variable as described in http://golang.org/doc/code.html#GOPATH - for example export GOPATH=$HOME/go. (You may wish to add $GOPATH/go/bin to your PATH.) Then run:

$ go get github.com/yahoo/webseclab/...

Run

$GOPATH/bin/webseclab [-http=:8080]

or simply webseclab if $GOPATH/bin is in your PATH.

Run webseclab -help to view the options.

Webseclab Tests

In all tests, excepts where specially mentioned, the attack input is assumed to be placed in the "in" CGI variable: <url>?in=<attack_string>. See the index page for PoEs (proof of exploits).

Reflected XSS

  • xss/reflect/raw1 - echoes "raw" tags = literal '<' and '>' sent by the browser (IE-related). Can be tested with curl (Firefox/Chrome/Safari escape tag characters when sending to the server)

  • xss/reflect/basic - echo of unfiltered input in a "normal" HTML context (not between tags, etc.). The example shows the minimal Webseclab template consisting of just {{.In}} placeholder. PoE: /xss/reflect/basic?in=<script>alert(/HACKED/)</script> or /xss/reflect/basic?in=<img src=foo onerror=alert(12345)>

  • xss/reflect/basic_in_tag - echo of unfiltered input inside of a "regular" HTML tag (<B>) PoE: /xss/reflect/basic_in_tag?in=<script>alert(/HACKED/)</script> or /xss/reflect/basic_in_tag?in=<img src=foo onerror=alert(12345)>

  • xss/reflect/full1 - Javascript injection with closed quotes and a script tag echoed

  • xss/reflect/post1 - same as above with injection via POST "in" form field (only POST method is allowed). xss/reflect/post1_splash can be used as a starting page with the action URL of xss/reflect/post1.

  • xss/reflect/doubq1 - injection of double-escaped tags such as: xss/reflect/doubq1?in=%253Cscript%253Ealert%28%252FXSS%252F%29%253C%252Fscript%253E

  • xss/reflect/rs1 - Response-Splitting attack, injection of %0D%0A%0D%0A which echoed unescaped in the header turning it into the response body. PoE: /xss/reflect/rs1?in=xyz%0D%0A%0D%0A<script>alert(/BAD_NEWS/)</script>

  • xss/reflect/onmouseover* - XSS due to attribute injections in tags (such as onmouseover handler)

  • xss/reflect/oneclick1 - JS injection into JS executable context (unquoted input) - so-called "oneclick XSS".

  • xss/reflect/refer - the Referer header echoed. You can set up a page pointing to <WEBSECLAB_URL>/misc/webseclab_refer.html?%3Cscript%3Ealert%28789%29%3C/script%3E as a starting point to set the referer.

  • xss/reflect/js* - different cases of injection into Javascript blocks, see the index page for more details

  • xss/reflect/enc2 - double quotes escaped with a backslash but backslash itself is not. Exploitable injection into Javascript strings.

  • xss/reflect/backslash1?in=xyz - Unicode escape sequences like \u0022 unescaped by the server to became the corresponding (dangerous) character (double quotes).

DOM XSS

  • xss/dom/domwrite?in=foo - passing the unescaped document.location value to document.write(), PoE (Firefox): /xss/dom/domwrite?in=%3Cimg%20src=foo%20onerror=alert%28123%29%3E

  • xss/dom/domwrite_hash?#whatever - passing the unescaped document.hash value to document.write(). PoE (Firefox): /xss/dom/domwrite_hash?#in=%3Cimg%20src=foo%20onerror=alert%281246%29%3E

  • xss/dom/domwrite_hash_urlstyle#/foo/bar?in=whatever - passing the unescaped document.hash URL-style value to document.write(). PoE (Firefox): /xss/dom/domwrite_hash_urlstyle#/foo/bar?in=%3Cimg%20src=foo%20onerror=alert%281246%29%3E

  • xss/dom/yuinode_hash?#in=xyz - passing the hash value to YUI's setHTML function. PoE (Chrome/Firefox): /xss/dom/yuinode_hash?#in=xyz">/xss/dom/yuinode_hash?#in=xyz - DOM XSS using YUI (location.hash)

  • xss/dom/yuinode_hash_urlstyle/#/foo/bar?in=xyz - passing the URL-style hash value to YUI's setHTML function. PoE (Chrome/Firefox): /xss/dom/yuinode_hash_urlstyle/#/foo/bar?in=xyz">/xss/dom/yuinode_hash_urlstyle/#/foo/bar?in=xyz - DOM XSS using YUI (location.hash, URL-style value)

  • xss/dom/yuinode_hash_unencoded?#in=xyz - passing the unencoded hash value to YUI's setHTML function. PoE (Firefox / Chrome): /xss/dom/yuinode_hash?#in=xyz">/xss/dom/yuinode_hash?#in=xyz - DOM XSS using YUI (decoded location.hash)

Modifying Tests

When modifying, adding or deleting any tests, you need to rerun go generate.

For most of the tests, you need to add a template that contains the "moustache" with {{.In}}.

To add a new test where input is echoed unfiltered, just drop an html template under templates directory (for example templates/xss/newfile) with the template containing the {{.In}} placeholder.

To add a new "filter-based" case, add a template as above and add a mapping of the corresponding entrypoint (such as /xss/newfile ) to the map in the filterMap function in custom.go. For example:
mp["/xss/reflect/newtest"] = []filter{TagsOff, SingleQuotesOff, GreaterThanOff}
for a test with the corresponding input filtering. See filters.go for the list of the available filters.

To add a new fully custom testcase, add a template (if needed), add a mapping of the entrypoint to the handling function to CustomMap in custom.go and implement the custom function with the signature: func(http.ResponseWriter, *http.Request). For example, for a test case with XSS injection through the Morse code, you could add:
mp["/xss/reflect/morse"] = XssUnsafeMorse. See entrypoints and implementing functions in CustomMap in custom.go.