/V1/AutoXssAnalyzer/XAUserInterface.cs

# · C# · 312 lines · 253 code · 47 blank · 12 comment · 45 complexity · 1dd53e055d616fd87590a243b7c78e72 MD5 · raw file 

    

  1. using System;
    2. 

  2. using System.Collections.Generic;
    3. 

  3. using System.ComponentModel;
    4. 

  4. using System.Drawing;
    5. 

  5. using System.Data;
    6. 

  6. using System.Text;
    7. 

  7. using System.Windows.Forms;
    8. 

  8. using Fiddler;
    9. 

  9. using Casaba;
    10. 

  10. 

  11. 

  12. 

  13. public partial class XAUserInterface : UserControl {
    14. 

  14.     
    15. 

  15.     //Delegate's to handle updating the DataGridView due to the "Creation thread" constraints. 
    16. 

  16.     public delegate void AddRow(List<ResponseResult> matches);
    17. 

  17.     public AddRow ar;
    18. 

  18.     public delegate void SetColumnAutoSort();
    19. 

  19.     public SetColumnAutoSort scas;
    20. 

  20. 

  21.     //Instance variables..
    22. 

  22.     SortableBindingList<ResponseResult> matches;
    23. 

  23.    
    24. 

  24. 

  25.     public XAUserInterface(XssAnalyzerEngine xa) {
    26. 

  26.         InitializeComponent();
    27. 

  27.         this.matches = new SortableBindingList<ResponseResult>();
    28. 

  28.         this.xa = xa;
    29. 

  29.         SetState();
    30. 

  30.         //Adding the default canary... 
    31. 

  31.         string canary = XssUtilities.UnescapeUnicodeCodePoints("\uFF21\uFF22\uFF23\uFF11\uFF12\uFF13");
    32. 

  32. 

  33.         xa.Settings.canary = canary;
    34. 

  34.         this.tbCanary.Text = xa.Settings.canary;
    35. 

  35.         this.tbCanary.Enabled = false;
    36. 

  36.        
    37. 

  37.         this.lbDomainFilters.DataSource = xa.Settings.domainFilters;
    38. 

  38.         this.dataGridView1.DataSource = this.matches;
    39. 

  39.         //Delegate method to ensure when adding data to the datasource it origanates from the creating thread. 
    40. 

  40.         ar = new AddRow(AddRowMethod);
    41. 

  41.         this.dataGridView1.Columns[1].Width = this.dataGridView1.Width - this.dataGridView1.Columns[0].Width - this.dataGridView1.RowHeadersWidth - 2;
    42. 

  42.         //Set columns to sortable
    43. 

  43.         this.scas = new SetColumnAutoSort(setColumnAutoSort);
    44. 

  44.         this.Dock = DockStyle.Fill;
    45. 

  45.         //Pre populate Special Chars.. 
    46. 

  46.         this.xa.Settings.specialChars = XssUtilities.UnescapeUnicodeCodePoints("\uFF1C\uFF1E\uFF02\uFF07\u00AB\u2A74\uFE13\uFE55\uFE64\uFE65");
    47. 

  47.         this.sCharTxtBox.Text = xa.Settings.specialChars;
    48. 

  48.         this.xa.Settings.scc = SpecialCharsContainer.Create(this.xa.Settings.specialChars);
    49. 

  49.     }
    50. 

  50.     public void setColumnAutoSort() {
    51. 

  51.         for (int i = 0; i < this.dataGridView1.Columns.Count; i++) {
    52. 

  52.             this.dataGridView1.Columns[i].SortMode = DataGridViewColumnSortMode.Automatic;
    53. 

  53.         }
    54. 

  54.     }
    55. 

  55.     private void SetState() {
    56. 

  56.         if(this.xa.Settings.Enabled){
    57. 

  57.             this.chkbEnabled.Checked = true;
    58. 

  58.             this.chkbEnabled.Enabled = true;
    59. 

  59.         }
    60. 

  60. 

  61.         if (this.xa.Settings.checkRequestForCanary) {
    62. 

  62.             this.chkbCheckRequestCanary.Checked = true;         
    63. 

  63.         }
    64. 

  64.         
    65. 

  65.         if (this.xa.Settings.enabledAutoGen){         
    66. 

  66.             this.chkbAutoGenSC.Checked = true;
    67. 

  67.         }
    68. 

  68.        
    69. 

  69.         if (this.xa.Settings.injectIntoQueryString) {
    70. 

  70.             this.chkbInjectQueryParam.Checked = true;
    71. 

  71.  
    72. 

  72.         }
    73. 

  73.         if (this.xa.Settings.injectIntoPost)
    74. 

  74.         {
    75. 

  75.             this.chkbAutoInjectPost.Checked = true;
    76. 

  76.         }
    77. 

  77.       
    78. 

  78.         if (this.xa.Settings.filterRequests) {
    79. 

  79.             this.chkbFilterReq.Checked = true;
    80. 

  80.            
    81. 

  81.         }
    82. 

  82. 

  83.         if (this.xa.Settings.filterResponse) {
    84. 

  84.             this.chkbFilterRes.Checked = true;
    85. 

  85.            
    86. 

  86.         }
    87. 

  87. 

  88.         if (this.xa.Settings.domainFilterEnabled) {
    89. 

  89.             this.chkbEnableDomainFilter.Checked = true;
    90. 

  90.           
    91. 

  91.         }
    92. 

  92. 

  93.         if (this.xa.Settings.urlEncodeQueryStringParams) {
    94. 

  94.             this.chkbEncodeQueryStringParam.Checked = true;
    95. 

  95.         }
    96. 

  96.       
    97. 

  97.       
    98. 

  98.         this.sCharTxtBox.Text = this.xa.Settings.specialChars;
    99. 

  99.     }
    100. 

  100.     public void ClearMatchListMethod() {
    101. 

  101.         this.matches.Clear();
    102. 

  102.     }
    103. 

  103. 

  104.     //This delegate method is used to ensure that the Datagridview is updated via the thread that created it. 
    105. 

  105.     public void AddRowMethod(List<ResponseResult> matches) {
    106. 

  106.         foreach (ResponseResult m in matches) {
    107. 

  107.             if (!this.matches.Contains(m)) {
    108. 

  108.                 this.matches.Add(m); 
    109. 

  109.             }
    110. 

  110.         }
    111. 

  111.     }
    112. 

  112.     private void enabledChkBox_CheckedChanged(object sender, EventArgs e) {
    113. 

  113.         if (this.chkbEnabled.Checked) {
    114. 

  114.             this.xa.Settings.Enabled = true;
    115. 

  115.             this.chkbAutoGenSC.Enabled = true;
    116. 

  116.             this.chkbAutoInjectPost.Enabled = true;
    117. 

  117.             this.chkbCheckRequestCanary.Enabled = true;
    118. 

  118.             this.chkbEnableDomainFilter.Enabled = true;
    119. 

  119.             this.chkbInjectQueryParam.Enabled = true;
    120. 

  120.             this.chkbEncodeQueryStringParam.Enabled = true;
    121. 

  121.         } else {
    122. 

  122.             this.xa.Settings.Enabled = false;
    123. 

  123.             this.chkbAutoGenSC.Enabled = false;
    124. 

  124.             this.chkbAutoInjectPost.Enabled = false;
    125. 

  125.             this.chkbCheckRequestCanary.Enabled = false;
    126. 

  126.             this.chkbEnableDomainFilter.Enabled = false;
    127. 

  127.             this.chkbFilterReq.Enabled = false;
    128. 

  128.             this.chkbFilterRes.Enabled = false;
    129. 

  129.             this.chkbInjectQueryParam.Enabled = false;
    130. 

  130.             this.chkbEncodeQueryStringParam.Enabled = false;
    131. 

  131.         }
    132. 

  132.     }
    133. 

  133.     public void refreshBindings(){
    134. 

  134.         BindingManagerBase bmb = this.dataGridView1.BindingContext[this.xa.Matches];
    135. 

  135.         bmb.SuspendBinding();
    136. 

  136.         bmb.ResumeBinding();
    137. 

  137.     }
    138. 

  138.     private void dataGridView1_RowEnter(object sender, DataGridViewCellEventArgs e) {
    139. 

  139.         this.richTextBox1.Text = "Can't jump to location..";
    140. 

  140.         ResponseResult res = matches[e.RowIndex];
    141. 

  141.         Fiddler.Session[] sessions = Fiddler.FiddlerApplication.UI.GetAllSessions();
    142. 

  142.         Fiddler.Session targetSession = null;
    143. 

  143.         int tSessionIndex = -1;
    144. 

  144.         //Locate the session object and it's index..
    145. 

  145.         for (int i = 0; i < sessions.Length; i++) {  
    146. 

  146.             if (sessions[i].id == res.Match.SessionId) {
    147. 

  147.                 targetSession = sessions[i];
    148. 

  148.                 tSessionIndex = i;
    149. 

  149.                 break;
    150. 

  150.             }
    151. 

  151.         }
    152. 

  152.         if (targetSession == null || tSessionIndex == -1) {
    153. 

  153.             //ouch, no jump for this session ;(
    154. 

  154.             return;
    155. 

  155.         }
    156. 

  156.         //Jump to fiddler session in the right box. 
    157. 

  157.         FiddlerApplication.UI.lvSessions.SelectedItems.Clear();
    158. 

  158.         FiddlerApplication.UI.lvSessions.Items[tSessionIndex].Focused = true;
    159. 

  159.         FiddlerApplication.UI.lvSessions.Items[tSessionIndex].Selected = true;
    160. 

  160. 

  161.         //Dump text to textbox and bail. 
    162. 

  162.         string headers = targetSession.oResponse.headers.ToString();
    163. 

  163.         string body = Encoding.UTF8.GetString(targetSession.responseBodyBytes);
    164. 

  164.         this.richTextBox1.Text = headers + "\r\n\r\n" + body;
    165. 

  165. 

  166.         //Lets see if we can jump to the proper place in the RichTextBox to highlihgt the location for quicker inspection. 
    167. 

  167.         int offset = 0;
    168. 

  168.         if (res.Match is HeaderMatch) {
    169. 

  169.             HeaderMatch hm = (HeaderMatch)res.Match;
    170. 

  170.             offset = headers.IndexOf(hm.HeaderName) + hm.HeaderName.Length + 2; //+2  to cover the : and space..
    171. 

  171.             offset += res.Match.Offset;
    172. 

  172.         } else if (res.Match is BodyMatch) {
    173. 

  173.             BodyMatch bm = (BodyMatch)res.Match;
    174. 

  174.             offset = headers.Length + 4 + bm.Offset; 
    175. 

  175.         }
    176. 

  176.         if (offset - 20 > 0 && offset + 20 < headers.Length + 4 + body.Length) {
    177. 

  177.             this.richTextBox1.Select(offset - 20, 40);
    178. 

  178.             this.richTextBox1.SelectionColor = Color.Red;
    179. 

  179.             this.richTextBox1.ScrollToCaret();
    180. 

  180.         }
    181. 

  181.     }
    182. 

  182. 

  183.     private void clearBtn_Click(object sender, EventArgs e) {
    184. 

  184.         this.matches.Clear();
    185. 

  185.         this.xa.Matches.Clear();
    186. 

  186.         this.matches = new SortableBindingList<ResponseResult>();
    187. 

  187.         this.dataGridView1.DataSource = this.matches;
    188. 

  188. 

  189.         this.richTextBox1.Text = "";
    190. 

  190.     }
    191. 

  191. 

  192.     private void enableSCharChkBox_CheckedChanged(object sender, EventArgs e) { 
    193. 

  193.         if (this.chkbAutoGenSC.Checked == true) {
    194. 

  194.             this.xa.Settings.enabledAutoGen = true;
    195. 

  195.            
    196. 

  196.         } else {
    197. 

  197.             this.xa.Settings.enabledAutoGen = false;
    198. 

  198.            
    199. 

  199.         }
    200. 

  200.     }
    201. 

  201. 

  202.     private void sCharTxtBox_TextChanged(object sender, EventArgs e) {
    203. 

  203.         this.xa.Settings.specialChars = this.sCharTxtBox.Text;
    204. 

  204.         this.xa.Settings.scc = SpecialCharsContainer.Create(this.xa.Settings.specialChars);
    205. 

  205.     }
    206. 

  206. 

  207.    
    208. 

  208.     private void chkbInjectQueryParam_CheckedChanged(object sender, EventArgs e) {
    209. 

  209.         if (this.chkbInjectQueryParam.Checked) {
    210. 

  210.             this.xa.Settings.injectIntoQueryString = true;
    211. 

  211.         } else {
    212. 

  212.             this.xa.Settings.injectIntoQueryString = false;
    213. 

  213.         }
    214. 

  214.     }
    215. 

  215. 

  216.     private void btnAddToDomainFilterList_Click(object sender, EventArgs e) {
    217. 

  217.         if (this.tbDomain.Text != "") {
    218. 

  218.             this.xa.Settings.domainFilters.Add(this.tbDomain.Text);
    219. 

  219.             this.tbDomain.Text = "";
    220. 

  220.             BindingManagerBase bmb = this.lbDomainFilters.BindingContext[this.xa.Settings.domainFilters];
    221. 

  221.             bmb.SuspendBinding();
    222. 

  222.             bmb.ResumeBinding();
    223. 

  223.         }
    224. 

  224.     }
    225. 

  225. 

  226.     private void btnRemoveDomainFilter_Click(object sender, EventArgs e) {
    227. 

  227.         if (this.lbDomainFilters.SelectedIndex >= 0) {
    228. 

  228.             string s = this.xa.Settings.domainFilters[this.lbDomainFilters.SelectedIndex];
    229. 

  229.             this.tbDomain.Text = s;
    230. 

  230.             this.xa.Settings.domainFilters.Remove(s);
    231. 

  231.             BindingManagerBase bmb = this.lbDomainFilters.BindingContext[this.xa.Settings.domainFilters];
    232. 

  232.             bmb.SuspendBinding();
    233. 

  233.             bmb.ResumeBinding();
    234. 

  234.         }
    235. 

  235.     }
    236. 

  236.     private void btnClrDomainList_Click(object sender, EventArgs e) {
    237. 

  237.         this.xa.Settings.domainFilters.Clear();
    238. 

  238.         BindingManagerBase bmb = this.lbDomainFilters.BindingContext[this.xa.Settings.domainFilters];
    239. 

  239.         bmb.SuspendBinding();
    240. 

  240.         bmb.ResumeBinding();
    241. 

  241.     }
    242. 

  242. 

  243.     private void chkbFilterReq_CheckedChanged(object sender, EventArgs e) {
    244. 

  244.         if (this.chkbFilterReq.Checked) {
    245. 

  245.             this.xa.Settings.filterRequests = true;
    246. 

  246.         } else {
    247. 

  247.             this.xa.Settings.filterRequests = false;
    248. 

  248.         }
    249. 

  249.     }
    250. 

  250. 

  251.     private void chkbFilterRes_CheckedChanged(object sender, EventArgs e) {
    252. 

  252.         if (this.chkbFilterRes.Checked) {
    253. 

  253.             this.xa.Settings.filterResponse = true;
    254. 

  254.         } else {
    255. 

  255.             this.xa.Settings.filterResponse = false;
    256. 

  256.         }
    257. 

  257.     }
    258. 

  258. 

  259.     private void chkbEnableDomainFilter_CheckedChanged(object sender, EventArgs e) {
    260. 

  260.         if (this.chkbEnableDomainFilter.Checked) {
    261. 

  261.             this.xa.Settings.domainFilterEnabled = true;
    262. 

  262.             this.chkbFilterReq.Enabled = true;
    263. 

  263.             this.chkbFilterRes.Enabled = true;
    264. 

  264.         } else {
    265. 

  265.             this.xa.Settings.domainFilterEnabled = false;
    266. 

  266.             this.chkbFilterReq.Enabled = false;
    267. 

  267.             this.chkbFilterRes.Enabled = false;
    268. 

  268.         }
    269. 

  269.     }
    270. 

  270. 

  271.     private void exportBtn_Click(object sender, EventArgs e) {
    272. 

  272. 

  273.     }
    274. 

  274. 

  275.     private void chkbEncodeQueryStringParam_CheckedChanged(object sender, EventArgs e) {
    276. 

  276.         if (this.chkbEncodeQueryStringParam.Checked) {
    277. 

  277.             this.xa.Settings.urlEncodeQueryStringParams = true;
    278. 

  278.         } else {
    279. 

  279.             this.xa.Settings.urlEncodeQueryStringParams = false;
    280. 

  280.         }
    281. 

  281.     }
    282. 

  282. 

  283.     private void clearBtn_Click_1(object sender, EventArgs e) {
    284. 

  284.         this.matches.Clear();
    285. 

  285.         this.xa.Matches.Clear();
    286. 

  286.         this.matches = new SortableBindingList<ResponseResult>();
    287. 

  287.         this.dataGridView1.DataSource = this.matches;
    288. 

  288. 

  289.         this.richTextBox1.Text = "";
    290. 

  290.     }
    291. 

  291. 

  292.     private void chkbAutoInjectPost_CheckedChanged(object sender, EventArgs e) {
    293. 

  293.         if (this.chkbAutoInjectPost.Checked) {
    294. 

  294.             this.xa.Settings.injectIntoPost = true;
    295. 

  295.         } else {
    296. 

  296.             this.xa.Settings.injectIntoPost = false;
    297. 

  297.         }
    298. 

  298.     }
    299. 

  299. 

  300.     private void chkbCheckRequestCanary_CheckedChanged(object sender, EventArgs e) {
    301. 

  301.         if (this.chkbCheckRequestCanary.Checked) {
    302. 

  302.             this.xa.Settings.checkRequestForCanary = true;
    303. 

  303.         } else {
    304. 

  304.             this.xa.Settings.checkRequestForCanary = false;
    305. 

  305.         }
    306. 

  306.     }
    307. 

  307. 

  308.     private void dataGridView1_CellDoubleClick(object sender, DataGridViewCellEventArgs e) {
    309. 

  309.         FiddlerApplication.UI.actInspectSession();
    310. 

  310.     }
    311. 

  311. 

  312. }
    313.