Fixing crawling for XSS (#969)

CERT-Polska · May 10, 2024 · 6b20643 · 6b20643
1 parent 82003c7
commit 6b20643
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/artemis/config.py b/artemis/config.py
@@ -481,8 +481,8 @@ class Nuclei:
                 default=",".join(
                     [
                         "http/vulnerabilities/generic/top-xss-params.yaml",
+                        "http/vulnerabilities/generic/xss-fuzz.yaml",
                         "http/vulnerabilities/generic/basic-xss-prober.yaml",
-                        "/opt/artemis/modules/data/nuclei_templates_custom/xss-inside-tag-top-params.yaml",
                         "http/vulnerabilities/generic/error-based-sql-injection.yaml",
                         "/opt/artemis/modules/data/nuclei_templates_custom/error-based-sql-injection.yaml",
                     ]

diff --git a/artemis/modules/nuclei.py b/artemis/modules/nuclei.py
@@ -3,6 +3,7 @@
 import os
 import random
 import subprocess
+import urllib
 from typing import Any, Dict, List
 
 from karton.core import Task
@@ -88,6 +89,10 @@ def _get_links(self, url: str) -> List[str]:
         links = links[: Config.Modules.Nuclei.NUCLEI_MAX_NUM_LINKS_TO_PROCESS]
         return links
 
+    def _strip_query_string(self, url: str) -> str:
+        url_parsed = urllib.parse.urlparse(url)
+        return urllib.parse.urlunparse(url_parsed._replace(query="", fragment=""))
+
     def _scan(self, templates: List[str], targets: List[str]) -> List[Dict[str, Any]]:
         if not targets:
             return []
@@ -158,7 +163,10 @@ def run_multiple(self, tasks: List[Task]) -> None:
         links_per_task = {}
         links = []
         for task in tasks:
-            links_per_task[task.uid] = self._get_links(get_target_url(task))
+            links = self._get_links(get_target_url(task))
+            # Let's scan both links with stripped query strings and with original one. We may catch a bug on either
+            # of them.
+            links_per_task[task.uid] = list(set(links) | set([self._strip_query_string(link) for link in links]))
             self.log.info("Links for %s: %s", get_target_url(task), links_per_task[task.uid])
             links.extend(links_per_task[task.uid])