From cfecf14044e9a4098b9dd26438aeb67bfea9e755 Mon Sep 17 00:00:00 2001 From: SakiiR Date: Wed, 2 Sep 2020 17:38:08 +0200 Subject: [PATCH 1/2] Added an example of toolbox script --- README.md | 51 +++++++++++++------------ toolbox_examples/checkGit.js | 74 ++++++++++++++++++++++++++++++++++++ 2 files changed, 101 insertions(+), 24 deletions(-) create mode 100644 toolbox_examples/checkGit.js diff --git a/README.md b/README.md index f296d59..6d5b2b6 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ PwnFox is a Firefox/Burp extension that provide usefull tools for your security audit. -If you are a chrome user you can check https://github.com/nccgroup/autochrome. +If you are a chrome user you can check https://github.com/nccgroup/autochrome. - [PwnFox](#img-srcfirefoxiconsiconsvg-width30-pwnfox) - [Features](#features) 
@@ -18,18 +18,17 @@ If you are a chrome user you can check https://github.com/nccgroup/autochrome. - [Burp](#burp) - [Changelog](#changelog) - ## Features ![popup](/screenshots/popup.png) ### Single click BurpProxy -Connect to Burp with a simple click, this will probably remove the need for other addons like foxyProxy. However if you need the extra features provided by foxyProxy you can leave this unchecked. +Connect to Burp with a simple click, this will probably remove the need for other addons like foxyProxy. However if you need the extra features provided by foxyProxy you can leave this unchecked. -### Containers Profiles +### Containers Profiles -PwnFox give you fast access to the Firefox containers. This allow you to have multiple identities in the same browser. +PwnFox give you fast access to the Firefox containers. This allow you to have multiple identities in the same browser. When PwnFox and the `Add container header` option are enabled, PwnFox will automatically add a `X-PwnFox-Color` header to hightlight the query in Burp. PwnFoxBurp will automatically highlight and strip the header, but you can also specify your own behavior with addons like logger++. @@ -37,8 +36,6 @@ PwnFoxBurp will automatically highlight and strip the header, but you can also s ![tabs](/screenshots/tabs.png) ![burp](/screenshots/burp.png) - - ### PostMessage Logger PwnFox add a new message tab in you devtool. This allow you to quickly visualize all postMessage between frames. 
@@ -47,54 +44,59 @@ PwnFox add a new message tab in you devtool. This allow you to quickly visualize You can also provide your own function to parse/filter the messages. You get access to 3 arguments: - * data -> the message data - * origin -> the window object representing the origin - * destion -> the window object representing the destination + +- data -> the message data +- origin -> the window object representing the origin +- destion -> the window object representing the destination You can return a string or a JSON serializable object. ![](/screenshots/post-dual.png) - ### Toolbox Inject you own javascript code on page load. The code will be loaded as soon as possible. This can used to add dangerous behavior detection, or just to add extra function to your js console. **Be carefull, the injected toolbox will run in the window context. Do not inject secret in untrusted domain.** - ![settings](/screenshots/settings.png) -I will publish some of my toolbox soon (ENOTIME) +#### Examples +> Catching .git/ exposed on the visited websites [checkGit.js](./toolbox_examples/checkGit.js) +> More to come ### Security header remover Sometime it's easier to work with security header disabled. You can now do it with a single button press. Don't forget to reenable them before testing your final payload. 
Headers stripped: -* Content-Security-Policy -* X-XSS-Protection -* X-Frame-Options -* X-Content-Type-Options -## Installation +- Content-Security-Policy +- X-XSS-Protection +- X-Frame-Options +- X-Content-Type-Options +## Installation You can find the latest build here: -* [https://github.com/B-i-t-K/PwnFox/releases](https://github.com/B-i-t-K/PwnFox/releases) + +- [https://github.com/B-i-t-K/PwnFox/releases](https://github.com/B-i-t-K/PwnFox/releases) ### Firefox - - visit `about:addons` and choose install from file, then select `PwnFox-$version.xpi` - - or install from -[https://addons.mozilla.org/en-US/firefox/addon/pwnfox/](https://addons.mozilla.org/en-US/firefox/addon/pwnfox/) + +- visit `about:addons` and choose install from file, then select `PwnFox-$version.xpi` +- or install from + [https://addons.mozilla.org/en-US/firefox/addon/pwnfox/](https://addons.mozilla.org/en-US/firefox/addon/pwnfox/) ### Burp + - Go to extender and add `PwnFox-Burp.jar` as a java extension. ## Build ### All + ```shell ./build.sh # Pwnfox-firefox.zip and PwnFox-burp.jar are available in /bin @@ -111,6 +113,7 @@ web-ext sign --api-key="$KEY" --api-secret="$SECRET" # the xpi file is available in /firefox/web-ext-artifacts/pwnfox-${version}.xpi ``` + ### Burp ```shell @@ -121,5 +124,5 @@ gradle build ## Changelog -* v1.0.2 - * First public release +- v1.0.2 + - First public release diff --git a/toolbox_examples/checkGit.js b/toolbox_examples/checkGit.js new file mode 100644 index 0000000..4235d3b --- /dev/null +++ b/toolbox_examples/checkGit.js 
@@ -0,0 +1,74 @@
+class PwnfoxGitChecker {
+ static GIT_HEAD_HEADER = "ref: refs/heads/";
+ static KEY = "pwnfoxGitCheckedAt";
+ static INTERVAL = 60 * 60 * 24;
+
+ static timestamp() {
+ return new Date().getTime() / 1000;
+ }
+
+ static getPaths() {
+ try {
+ const data = JSON.parse(localStorage.getItem(PwnfoxGitChecker.KEY));
+ if (data == null) return {};
+ return data;
+ } catch (_) {
+ return {};
+ }
+ }
+
+ static addPath(path) {
+ const paths = PwnfoxGitChecker.getPaths();
+
+ paths[path] = PwnfoxGitChecker.timestamp();
+ localStorage.setItem(PwnfoxGitChecker.KEY, JSON.stringify(paths));
+ }
+
+ static hasToBeChecked(path) {
+ const paths = PwnfoxGitChecker.getPaths();
+
+ // No entry yet
+ if (!(path in paths)) return true;
+
+ const ts = paths[path];
+
+ // Expired
+ const now = PwnfoxGitChecker.timestamp();
+ if (now - PwnfoxGitChecker.INTERVAL > ts) return true;
+
+ return false;
+ }
+
+ static async checkPath(path) {
+ while (path.endsWith("/")) {
+ path = path.slice(0, -1);
+ }
+
+ const url = `${path}/.git/HEAD`;
+
+ if (!PwnfoxGitChecker.hasToBeChecked(url)) return false;
+
+ const response = await fetch(url);
+
+ PwnfoxGitChecker.addPath(url);
+
+ if (
+ response.status === 200 &&
+ (await response.text()).startsWith(PwnfoxGitChecker.GIT_HEAD_HEADER)
+ ) {
+ PwnfoxGitChecker.triggerNotification(url);
+ return true;
+ }
+ return false;
+ }
+
+ static async run() {
+ await PwnfoxGitChecker.checkPath(location.pathname);
+ }
+
+ static triggerNotification(path) {
+ alert(`GitDetector: Possible '.git/' exposed @ '${path}'!`);
+ }
+}
+
+PwnfoxGitChecker.run();
From 70ccff3b769995968eeea36616bf4b80e0e3e736 Mon Sep 17 00:00:00 2001 From: SakiiR Date: Wed, 2 Sep 2020 17:41:38 +0200 Subject: [PATCH 2/2] List -> Table --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 6d5b2b6..4cc6395 100644
--- a/README.md
+++ b/README.md
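Review bot: `const response = await fetch(url);` in checkPath is unguarded, so a failed request (host unreachable, request blocked by the page's policy) rejects the promise, `PwnfoxGitChecker.run();` at the end of the hunk surfaces as an unhandled rejection in the host page's console, and because `addPath(url)` only runs after a successful fetch the same URL is requested again on every page load instead of once per INTERVAL. Wrapping the request in try/catch and recording the attempt in `finally` fixes both, as below. `addPath` also calls `localStorage.setItem` without the try/catch that `getPaths` has, so on origins where storage access throws (sandboxed frames, storage blocked) the same re-request behaviour appears; mirroring the guard there, e.g. `try { localStorage.setItem(PwnfoxGitChecker.KEY, JSON.stringify(paths)); } catch (_) { /* storage unavailable */ }`, keeps the check best-effort. The last line should also not leave the promise floating: `PwnfoxGitChecker.run().catch((err) => console.warn("GitDetector:", err));`.
```javascript
    if (!PwnfoxGitChecker.hasToBeChecked(url)) return false;

    let response;
    try {
      response = await fetch(url);
    } catch (err) {
      console.warn(`GitDetector: request to '${url}' failed`, err);
      return false;
    } finally {
      // Record the attempt either way so a failing host is not re-fetched on every page load.
      PwnfoxGitChecker.addPath(url);
    }
    // … unchanged: status/body check and triggerNotification …
```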
@@ -63,8 +63,10 @@ Inject you own javascript code on page load. The code will be loaded as soon as #### Examples -> Catching .git/ exposed on the visited websites [checkGit.js](./toolbox_examples/checkGit.js) -> More to come +| **Name/Link** | **Description** | +| :-------------------------------------------- | :--------------------------------------------- | +| [checkGit.js](./toolbox_examples/checkGit.js) | Catching .git/ exposed on the visited websites | +| TODO | TODO | ### Security header remover