From 04a06eb6b5b5813b4ec630fc1451b1734fbb22fc Mon Sep 17 00:00:00 2001
From: David Dworken <david@daviddworken.com>
Date: Tue, 17 Oct 2017 23:39:33 -0400
Subject: [PATCH] Added scanning for CSS injection and iframe injection

---
 examples/complex/xss_scanner.py   | 15 ++++++++++-----
 test/examples/test_xss_scanner.py |  8 +++++++-
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/examples/complex/xss_scanner.py b/examples/complex/xss_scanner.py
index d954adf36..4b35c6c11 100755
--- a/examples/complex/xss_scanner.py
+++ b/examples/complex/xss_scanner.py
@@ -85,14 +85,19 @@ def get_cookies(flow: http.HTTPFlow) -> Cookies:
 
 def find_unclaimed_URLs(body: Union[str, bytes], requestUrl: bytes) -> None:
     """ Look for unclaimed URLs in script tags and log them if found"""
+    def getValue(attrs: List[Tuple[str, str]], attrName: str) -> str:
+        for name, value in attrs:
+            if attrName == name:
+                return value
+
     class ScriptURLExtractor(HTMLParser):
         script_URLs = []
 
         def handle_starttag(self, tag, attrs):
-            if tag == "script" and "src" in [name for name, value in attrs]:
-                for name, value in attrs:
-                    if name == "src":
-                        self.script_URLs.append(value)
+            if (tag == "script" or tag == "iframe") and "src" in [name for name, value in attrs]:
+                self.script_URLs.append(getValue(attrs, "src"))
+            if tag == "link" and getValue(attrs, "rel") == "stylesheet" and "href" in [name for name, value in attrs]:
+                self.script_URLs.append(getValue(attrs, "href"))
 
     parser = ScriptURLExtractor()
     try:
@@ -105,7 +110,7 @@ def find_unclaimed_URLs(body: Union[str, bytes], requestUrl: bytes) -> None:
         try:
             gethostbyname(domain)
         except gaierror:
-            ctx.log.error("XSS found in %s due to unclaimed URL \"%s\" in script tag." % (requestUrl, url))
+            ctx.log.error("XSS found in %s due to unclaimed URL \"%s\"." % (requestUrl, url))
 
 
 def test_end_of_URL_injection(original_body: str, request_URL: str, cookies: Cookies) -> VulnData:
diff --git a/test/examples/test_xss_scanner.py b/test/examples/test_xss_scanner.py
index 14ee69027..e15d7e102 100644
--- a/test/examples/test_xss_scanner.py
+++ b/test/examples/test_xss_scanner.py
@@ -314,7 +314,13 @@ class TestXSSScanner():
         assert logger.args == []
         xss.find_unclaimed_URLs("<html><script src=\"http://unclaimedDomainName.com\"></script></html>",
                                 "https://example.com")
-        assert logger.args[0] == 'XSS found in https://example.com due to unclaimed URL "http://unclaimedDomainName.com" in script tag.'
+        assert logger.args[0] == 'XSS found in https://example.com due to unclaimed URL "http://unclaimedDomainName.com".'
+        xss.find_unclaimed_URLs("<html><iframe src=\"http://unclaimedDomainName.com\"></iframe></html>",
+                                "https://example.com")
+        assert logger.args[0] == 'XSS found in https://example.com due to unclaimed URL "http://unclaimedDomainName.com".'
+        xss.find_unclaimed_URLs("<html><link rel=\"stylesheet\" href=\"http://unclaimedDomainName.com\"></html>",
+                                "https://example.com")
+        assert logger.args[0] == 'XSS found in https://example.com due to unclaimed URL "http://unclaimedDomainName.com".'
 
     def test_log_XSS_data(self, monkeypatch, logger):
         logger.args = []