Merge branch 'develop' (#11).

Author: tijme

.semver

@@ -1 +1 @@
-3.0.3
+3.0.4

.travis.yml

@@ -1,18 +1,16 @@
 os: linux
 dist: trusty
-sudo: required
 language: python
 
 python:
   - "2.7"
-  - "3.3"
   - "3.4"
   - "3.5"
   - "3.6"
   - "3.7-dev"
 
 install:
-  - pip install -r requirements.txt
+  - python setup.py install
 
 script:
   - python -m unittest discover

README.rst

@@ -37,7 +37,7 @@ Table of contents
 Installation
 ------------
 
-First make sure you're on `Python 2.7/3.3 <https://www.python.org/>`__ or higher. Then run the command below to install ACSTIS.
+First make sure you're on `Python 2.7/3.4 <https://www.python.org/>`__ or higher. Then run the command below to install ACSTIS.
 
 ``$ pip install git+https://github.com/tijme/angularjs-csti-scanner.git``
 
@@ -68,25 +68,26 @@ Usage
 
 .. code:: text
 
-   usage: acstis [-h] -d DOMAIN [-c] [-vp] [-av ANGULAR_VERSION] [-pmm] [-sos] [-soh] [-sot] [-siv] [-md MAX_DEPTH] [-mt MAX_THREADS]
+   usage: acstis [-h] -d DOMAIN [-c] [-vp] [-av ANGULAR_VERSION] [-vrl VULNERABLE_REQUESTS_LOG] [-siv] [-pmm] [-sos] [-soh] [-sot] [-md MAX_DEPTH] [-mt MAX_THREADS] [-iic] [-tc TRUSTED_CERTIFICATES]
 
    required arguments:
-       -d DOMAIN, --domain DOMAIN                                             the domain to scan (e.g. finnwea.com)
+      -d DOMAIN, --domain DOMAIN                                                       the domain to scan (e.g. finnwea.com)
 
    optional arguments:
-       -h, --help                                                             show this help message and exit
-       -c, --crawl                                                            use the crawler to scan all the entire domain
-       -vp, --verify-payload                                                  use a javascript engine to verify if the payload was executed (otherwise false positives may occur)
-       -av ANGULAR_VERSION, --angular-version ANGULAR_VERSION                 manually pass the angular version (e.g. 1.4.2) if the automatic check doesn't work
-       -pmm, --protocol-must-match                                            (crawler option) only scan pages with the same protocol as the startpoint (e.g. only https)
-       -sos, --scan-other-subdomains                                          (crawler option) also scan pages that have another subdomain than the startpoint
-       -soh, --scan-other-hostnames                                           (crawler option) also scan pages that have another hostname than the startpoint
-       -sot, --scan-other-tlds                                                (crawler option) also scan pages that have another tld than the startpoint
-       -siv, --stop-if-vulnerable                                             (crawler option) stop scanning if a vulnerability was found
-       -md MAX_DEPTH, --max-depth MAX_DEPTH                                   (crawler option) the maximum search depth (default is unlimited)
-       -mt MAX_THREADS, --max-threads MAX_THREADS                             (crawler option) the maximum amount of simultaneous threads to use (default is 8)
-       -iic, --ignore-invalid-certificates                                    (crawler option) ignore invalid ssl certificates
-       -tc TRUSTED_CERTIFICATES, --trusted-certificates TRUSTED_CERTIFICATES  (crawler option) trust this CA_BUNDLE file (.pem) or directory with certificates
+      -h, --help                                                                       show this help message and exit
+      -c, --crawl                                                                      use the crawler to scan all the entire domain
+      -vp, --verify-payload                                                            use a javascript engine to verify if the payload was executed (otherwise false positives may occur)
+      -av ANGULAR_VERSION, --angular-version ANGULAR_VERSION                           manually pass the angular version (e.g. 1.4.2) if the automatic check doesn't work
+      -vrl VULNERABLE_REQUESTS_LOG, --vulnerable-requests-log VULNERABLE_REQUESTS_LOG  log all vulnerable requests to this file (e.g. /var/logs/acstis.log or urls.log)
+      -siv, --stop-if-vulnerable                                                       (crawler option) stop scanning if a vulnerability was found
+      -pmm, --protocol-must-match                                                      (crawler option) only scan pages with the same protocol as the startpoint (e.g. only https)
+      -sos, --scan-other-subdomains                                                    (crawler option) also scan pages that have another subdomain than the startpoint
+      -soh, --scan-other-hostnames                                                     (crawler option) also scan pages that have another hostname than the startpoint
+      -sot, --scan-other-tlds                                                          (crawler option) also scan pages that have another tld than the startpoint
+      -md MAX_DEPTH, --max-depth MAX_DEPTH                                             (crawler option) the maximum search depth (default is unlimited)
+      -mt MAX_THREADS, --max-threads MAX_THREADS                                       (crawler option) the maximum amount of simultaneous threads to use (default is 8)
+      -iic, --ignore-invalid-certificates                                              (crawler option) ignore invalid ssl certificates
+      -tc TRUSTED_CERTIFICATES, --trusted-certificates TRUSTED_CERTIFICATES            (crawler option) trust this CA_BUNDLE file (.pem) or directory with certificates
 
 **Authentication, Cookies, Headers, Proxies & Scope options**
 

acstis/Driver.py

@@ -36,6 +36,7 @@
 from nyawc.helpers.HTTPRequestHelper import HTTPRequestHelper
 from acstis.helpers.BrowserHelper import BrowserHelper
 from acstis.helpers.PackageHelper import PackageHelper
+from acstis.helpers.FileLoggingHelper import FileLoggingHelper
 from acstis.Scanner import Scanner
 
 class Driver:
@@ -75,6 +76,8 @@ def __init__(self, args, options):
             "User-Agent": user_agent(PackageHelper.get_alias(), PackageHelper.get_version())
         })
 
+        FileLoggingHelper.set_file(self.__args.vulnerable_requests_log)
+
     def __signal_handler(self, signum, frame):
         """On sigint (e.g. CTRL+C) stop the crawler.
 
@@ -208,6 +211,7 @@ def cb_request_after_finish(self, queue, queue_item, new_queue_items):
 
         for vulnerable_item in queue_item.vulnerable_items:
             colorlog.getLogger().success(self.__request_to_string(vulnerable_item.request))
+            FileLoggingHelper.log(self.__request_to_string(vulnerable_item.request))
 
             if vulnerable_item.payload["message"]:
                 colorlog.getLogger().warning(vulnerable_item.payload["message"])

acstis/helpers/FileLoggingHelper.py

@@ -0,0 +1,90 @@
+# -*- coding: utf-8 -*-
+
+# MIT License
+#
+# Copyright (c) 2017 Tijme Gommers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+import os
+import sys
+import colorlog
+
+class FileLoggingHelper:
+    """The FileLoggingHelper enables logging messages to a file.
+
+    Attributes:
+        __phantomjs_driver (str): The cached path to the executable PhantomJS driver.
+
+    """
+
+    __filename = None
+
+    @staticmethod
+    def set_file(filename=None):
+        """Set the filename to log messages to.
+
+        Args:
+            filename (str): The filename (including absolute or relative path) to log to.
+
+        Note:
+            If the log filename already exists it will be appended with a number. So output.log
+            could become `output.log.1` or `output.log.2`.
+
+        """
+
+        if not filename:
+            return
+
+        filename_backup = filename
+        filename_append = 0
+        filename_changed = False
+        filename_error = False
+
+        while os.path.isfile(filename) and not filename_error:
+            filename_changed = True
+            filename_append += 1
+            filename = filename_backup + "." + str(filename_append)
+
+            if filename_append == sys.maxsize:
+                filename_error = True
+
+        if filename_error:
+            colorlog.getLogger().error("The output log file already exists and therefore no logs will be written.")
+            return
+
+        if filename_changed:
+            colorlog.getLogger().warning("The output log filename was changed to `" + filename + "` since `" + filename_backup + "` already exists.")
+
+        FileLoggingHelper.__filename = filename
+
+    @staticmethod
+    def log(message):
+        """Write the given message to the initialized log file.
+
+        Args:
+            message (str): The message to write to the log file.
+
+        """
+
+        if not FileLoggingHelper.__filename:
+            return
+
+        with open(FileLoggingHelper.__filename, "a") as log:
+            log.write(message + "\n")

acstis_scripts/acstis_cli.py

@@ -40,7 +40,7 @@ def require_arguments():
 
     parser = argparse.ArgumentParser(
         prog=PackageHelper.get_alias(),
-        formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=180, width=180)
+        formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=220, width=220)
     )
 
     optional = parser._action_groups.pop()
@@ -51,6 +51,7 @@ def require_arguments():
     optional.add_argument("-c", "--crawl", help="use the crawler to scan all the entire domain", action="store_true")
     optional.add_argument("-vp", "--verify-payload", help="use a javascript engine to verify if the payload was executed (otherwise false positives may occur)", action="store_true")
     optional.add_argument("-av", "--angular-version", help="manually pass the angular version (e.g. 1.4.2) if the automatic check doesn't work", type=str, default=None)
+    optional.add_argument("-vrl", "--vulnerable-requests-log", help="log all vulnerable requests to this file (e.g. /var/logs/acstis.log or urls.log)", type=str, default=None)
     optional.add_argument("-siv", "--stop-if-vulnerable", help="(crawler option) stop scanning if a vulnerability was found", action="store_true")
     optional.add_argument("-pmm", "--protocol-must-match", help="(crawler option) only scan pages with the same protocol as the startpoint (e.g. only https)", action="store_true")
     optional.add_argument("-sos", "--scan-other-subdomains", help="(crawler option) also scan pages that have another subdomain than the startpoint", action="store_true")

extended.py

@@ -82,6 +82,7 @@ def require_arguments():
     optional.add_argument("-c", "--crawl", help="use the crawler to scan all the entire domain", action="store_true")
     optional.add_argument("-vp", "--verify-payload", help="use a javascript engine to verify if the payload was executed (otherwise false positives may occur)", action="store_true")
     optional.add_argument("-av", "--angular-version", help="manually pass the angular version (e.g. 1.4.2) if the automatic check doesn't work", type=str, default=None)
+    optional.add_argument("-vrl", "--vulnerable-requests-log", help="log all vulnerable requests to this file (e.g. /var/logs/acstis.log or urls.log)", type=str, default=None)
     optional.add_argument("-siv", "--stop-if-vulnerable", help="(crawler option) stop scanning if a vulnerability was found", action="store_true")
     optional.add_argument("-pmm", "--protocol-must-match", help="(crawler option) only scan pages with the same protocol as the startpoint (e.g. only https)", action="store_true")
     optional.add_argument("-sos", "--scan-other-subdomains", help="(crawler option) also scan pages that have another subdomain than the startpoint", action="store_true")

setup.py

@@ -54,7 +54,6 @@
         "Programming Language :: Python :: 3.6",
         "Programming Language :: Python :: 3.5",
         "Programming Language :: Python :: 3.4",
-        "Programming Language :: Python :: 3.3",
         "Programming Language :: Python :: 2.7",
         "Topic :: Security"
     ],

test/test_angular_scope.py

@@ -49,7 +49,7 @@ def test_inside_app(self):
 
             exitcode = process.wait()
         except Exception as e:
-            print(e)
+            print("Exception: " + str(e))
             exitcode = 1
 
         server.stop()
@@ -71,7 +71,7 @@ def test_outside_app(self):
 
             exitcode = process.wait()
         except Exception as e:
-            print(e)
+            print("Exception: " + str(e))
             exitcode = 1
 
         server.stop()
@@ -93,7 +93,7 @@ def test_inside_non_bindable(self):
 
             exitcode = process.wait()
         except Exception as e:
-            print(e)
+            print("Exception: " + str(e))
             exitcode = 1
 
         server.stop()
@@ -115,7 +115,7 @@ def test_inside_script(self):
 
             exitcode = process.wait()
         except Exception as e:
-            print(e)
+            print("Exception: " + str(e))
             exitcode = 1
 
         server.stop()

test/test_payloads.py

@@ -168,7 +168,7 @@ def test_payloads(self):
 
                 exitcode = process.wait()
             except Exception as e:
-                print(e)
+                print("Exception: " + str(e))
                 exitcode = 1
 
             server.stop()