How Does It Work?
Jsprime starts by feeding the code to esprima (an ECMAScript parser) and generating an AST
(Abstract Syntax Tree). The AST is then walked to locate all the sources and sinks, while
keeping track of the scope in which each one appears. A source is a DOM property whose value an
attacker controls (location.hash, for example), and a sink is an API that executes or renders
whatever it is given (eval, or an href attribute).
After locating the sources and sinks, it traces whether a particular source reaches an execution
sink and then reports the line where the source reaches the sink responsible for causing a DOM-based
XSS.
Setting Up JSPRIME
Installing and setting up Jsprime is extremely easy:
Step 1
—Download the master.zip file from the link below.
Step 2
—Extract the master.zip file to your desired location.
Step 3
—In the “jsprime-master” folder, you will see a file named “index.html”; open it in your
web browser, and you will have jsprime up and running.
Download link
◾
https://github.com/dpnishant/jsprime/archive/master.zip
Let’s take a look at a few test cases and try testing them with Jsprime. More test cases are available
at the following link; however, I have handpicked a few important ones to demonstrate the power
of a static code analyzer.
◾
http://goo.gl/vf61Km
Example 1
Let’s take a look at the following vulnerable code:
var redir = location.hash.split("#")[1];   // source: the attacker controls the URL fragment
x = document.getElementById('anchor');
x.setAttribute('href', redir);              // sink: the untrusted value is written into href
Ethical Hacking and Penetration Testing Guide
“redir” is simply a variable that takes its value from the user via the location.hash DOM API. Next, the
DOM has an anchor element with the id “anchor”, and the value of the redir variable is assigned to
the href attribute of that element via the setAttribute DOM API. The sink that causes the DOM-based
XSS is “href”: a fragment such as #javascript:alert(1) turns the anchor into a link that runs script as
soon as it is clicked. Let’s see the results we get when we analyze the code with jsprime.
In the report, location.hash is flagged as the active source, which reaches the active sink “href”.
You can try replacing “href” with “src”, and jsprime will still raise a finding, since “src” is also a sink.
However, if you replace it with an attribute that jsprime does not treat as a sink, no finding is reported.
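For the first example, here is the vulnerable line beside a hardened replacement. This is an added example, not code from the book or from jsprime; the base URL is passed in explicitly because location and document exist only in a browser, and the rule it enforces (same-origin http or https destinations only) is an assumption chosen for this example rather than anything the text prescribes.

```javascript
// Added example, not from the page: the first snippet beside a hardened form. The
// browser-only `location` and `document` objects are not used directly; the page's
// own URL is passed in as `base` so the check runs (and can be tested) outside a browser.

// Vulnerable: whatever follows '#' lands in href unchanged, so
// page.html#javascript:alert(1) becomes a link that runs script when clicked.
function vulnerableHref(hash) {
  return hash.split('#')[1];
}

// Hardened: resolve the fragment against the page's own URL and accept only a
// same-origin http(s) destination; anything else yields null and the caller leaves
// the anchor untouched. The allowed schemes and the same-origin rule are assumptions
// for this example; a real application might instead enforce an allow-list of paths.
function safeHref(hash, base) {
  const raw = hash.split('#')[1];
  if (!raw) return null;
  let url;
  try { url = new URL(raw, base); } catch (e) { return null; }             // unparsable input
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;  // blocks javascript:, data:, vbscript:
  if (url.origin !== new URL(base).origin) return null;                    // blocks redirects to other hosts
  return url.pathname + url.search + url.hash;                             // relative form, never the raw string
}

// In the page's snippet the call site would become:
//   var x = document.getElementById('anchor');
//   var target = safeHref(location.hash, location.href);
//   if (target !== null) x.setAttribute('href', target);
```

The check resolves the fragment with the URL constructor rather than matching it against a regular expression, so protocol-relative forms such as //evil.test/x and scheme tricks such as data: are rejected by the same two tests, and the value written into href is rebuilt from the parsed parts instead of being the attacker's string.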
Example 2
Let’s take a look at another code as an example:
function timedMsg(callback) {
    if (callback) {
        // eval('callback') only returns the string held in callback; the string form of
        // setTimeout then evaluates that string as code after 3 seconds
        var t = setTimeout(eval('callback'), 3000);
        return 0;
    }
}
function fire() {
    var call = location.hash.split("#")[1];   // source: the URL fragment
    timedMsg(call);                           // user input handed to the function above
}
The code is easy to follow: the call variable in the function fire takes input from the user, and
the call variable holding that input is passed to the timedMsg function as an argument. When timedMsg
is executed, the user input reaches the sink eval, resulting in a DOM-based XSS. Note that eval('callback')
only returns the contents of callback; it is the string form of setTimeout that then evaluates that
string as code after three seconds, so the payload runs either way.
If the user requests something like “Site.com/test.html#alert(1)//”, the alert fires (the trailing //
comments out anything that follows in the evaluated code). The jsprime scan report traces this whole
path from source to sink.
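To make the pipeline described under “How Does It Work?” concrete, here is a miniature source-to-sink tracer, written for this edition and not part of jsprime or the book: it walks an ESTree-shaped AST (the form esprima produces), records which variables carry a value from a DOM source, follows tainted arguments into functions declared in the same file, and reports the line where a tainted value reaches an execution sink or an href/src attribute. So that it runs without a parser, the two example snippets above are written out as ASTs by hand with small constructor helpers; the source and sink lists and the scope rules (only function parameters and straight-line assignments are tracked, branches are ignored) are deliberately a small subset of what jsprime implements.

```javascript
// Added example, not jsprime's own code: a miniature source-to-sink tracer over an
// ESTree-shaped AST (the representation esprima produces). The ASTs are built by hand
// with the constructors below, so it runs without a parser; sources, sinks and scope
// rules are a deliberately small subset of what the real tool knows.
const id = (name) => ({ type: 'Identifier', name });
const lit = (value) => ({ type: 'Literal', value });
const mem = (object, p) => ({ type: 'MemberExpression', object, property: typeof p === 'string' ? id(p) : p, computed: typeof p !== 'string' });
const call = (callee, args) => ({ type: 'CallExpression', callee, arguments: args });
const stmt = (line, expression) => ({ type: 'ExpressionStatement', expression, line });
const assign = (line, left, right) => stmt(line, { type: 'AssignmentExpression', left, right });
const decl = (line, name, init) => ({ type: 'VariableDeclaration', line, declarations: [{ type: 'VariableDeclarator', id: id(name), init }] });
const func = (name, params, body) => ({ type: 'FunctionDeclaration', id: id(name), params: params.map(id), body });

// Attacker-controlled DOM values, and the APIs that execute or render what they get.
const SOURCES = new Set(['location.hash', 'location.search', 'location.href', 'document.URL', 'document.referrer']);
const EXEC_SINKS = new Set(['eval', 'setTimeout', 'setInterval', 'Function']);
const ATTR_SINKS = new Set(['href', 'src', 'action']); // reached through setAttribute

// Source that taints this expression, or null. `scope` maps the tainted variables of
// the function being analyzed to the source they came from.
function taintOf(node, scope) {
  switch (node.type) {
    case 'Identifier': return scope.get(node.name) || null;
    case 'MemberExpression': { // .split(...) and [1] applied to a tainted value keep the taint
      const name = !node.computed && node.object.type === 'Identifier' ? node.object.name + '.' + node.property.name : '';
      if (SOURCES.has(name)) return name;
      return taintOf(node.object, scope) || (node.computed ? taintOf(node.property, scope) : null);
    }
    case 'CallExpression':
      if (node.callee.type === 'Identifier' && node.callee.name === 'eval' && node.arguments.length)
        return taintOfCode(node.arguments[0], scope);
      return taintOf(node.callee, scope) || node.arguments.map(a => taintOf(a, scope)).find(Boolean) || null;
    default: return null; // Literal, or a node type this toy does not model
  }
}

// An execution sink's argument is code: a string literal that merely names a tainted
// variable (the page's eval('callback')) is as dangerous as the variable itself.
const taintOfCode = (arg, scope) => arg.type === 'Literal' ? scope.get(String(arg.value)) || null : taintOf(arg, scope);

function checkCall(node, line, scope, ctx) {
  const c = node.callee, args = node.arguments;
  if (c.type === 'Identifier' && EXEC_SINKS.has(c.name)) {
    const t = args.length ? taintOfCode(args[0], scope) : null;
    if (t) ctx.findings.push({ source: t, sink: c.name, line });
  } else if (c.type === 'Identifier' && ctx.functions.has(c.name) && !ctx.stack.has(c.name)) {
    // A function declared in this file: bind tainted arguments to its parameters and analyze
    // its body in that scope (the inter-procedural step; ctx.stack stops runaway recursion).
    const fn = ctx.functions.get(c.name), inner = new Map();
    fn.params.forEach((p, i) => { const t = args[i] ? taintOf(args[i], scope) : null; if (t) inner.set(p.name, t); });
    if (inner.size) { ctx.stack.add(c.name); analyze(fn.body, inner, ctx); ctx.stack.delete(c.name); }
  } else if (c.type === 'MemberExpression' && !c.computed && c.property.name === 'setAttribute'
             && args.length === 2 && args[0].type === 'Literal' && ATTR_SINKS.has(args[0].value)) {
    const t = taintOf(args[1], scope);
    if (t) ctx.findings.push({ source: t, sink: args[0].value, line });
  }
}

// Check every call inside an expression: a sink may sit inside an initializer.
function walkExpr(node, line, scope, ctx) {
  if (!node || typeof node.type !== 'string') return;
  if (node.type === 'CallExpression') checkCall(node, line, scope, ctx);
  for (const key of ['object', 'property', 'callee', 'left', 'right']) walkExpr(node[key], line, scope, ctx);
  for (const a of node.arguments || []) walkExpr(a, line, scope, ctx);
}

function analyze(statements, scope, ctx) {
  for (const s of statements) {
    if (s.type === 'FunctionDeclaration') { // also analyzed on its own: it may be a handler nothing here calls
      ctx.functions.set(s.id.name, s);
      ctx.stack.add(s.id.name); analyze(s.body, new Map(), ctx); ctx.stack.delete(s.id.name);
    } else if (s.type === 'VariableDeclaration') {
      for (const d of s.declarations) if (d.init) {
        walkExpr(d.init, s.line, scope, ctx);
        const t = taintOf(d.init, scope); if (t) scope.set(d.id.name, t);
      }
    } else if (s.expression.type === 'AssignmentExpression') {
      const { left, right } = s.expression, t = taintOf(right, scope);
      walkExpr(right, s.line, scope, ctx);
      if (left.type === 'Identifier') t ? scope.set(left.name, t) : scope.delete(left.name);
    } else walkExpr(s.expression, s.line, scope, ctx);
  }
}

function trace(program) { // entry point: [{ source, sink, line }] for a top-level statement list
  const ctx = { functions: new Map(), stack: new Set(), findings: [] };
  analyze(program, new Map(), ctx); return ctx.findings;
}

// The page's two examples as ASTs, with the snippets' line numbers. The `if (callback)`
// guard in the second is flattened: a branch does not change where values flow.
const example1 = [
  decl(1, 'redir', mem(call(mem(mem(id('location'), 'hash'), 'split'), [lit('#')]), lit(1))),
  assign(2, id('x'), call(mem(id('document'), 'getElementById'), [lit('anchor')])),
  stmt(3, call(mem(id('x'), 'setAttribute'), [lit('href'), id('redir')])),
];
const example2 = [
  func('timedMsg', ['callback'], [decl(3, 't', call(id('setTimeout'), [call(id('eval'), [lit('callback')]), lit(3000)]))]),
  func('fire', [], [
    decl(7, 'call', mem(call(mem(mem(id('location'), 'hash'), 'split'), [lit('#')]), lit(1))),
    stmt(8, call(id('timedMsg'), [id('call')])),
  ]),
];
console.log(trace(example1), trace(example2));
```

Run with node: the first example yields one finding (location.hash reaching href on line 3) and the second yields two (location.hash reaching setTimeout and eval on line 3 of timedMsg), the latter found only because the call in fire was followed into timedMsg with callback marked tainted; analyzing timedMsg on its own reports nothing, which is exactly why the scope tracking matters. Swapping 'href' for 'src' in the first AST still yields a finding and an attribute not in the sink list yields none, which is the behaviour the text describes for jsprime.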
Web Hacking