Awesome
Cyclops is a web browser with XSS detection feature
📝中文说明
The Cyclops's binary code can be directly downloaded here; It's source code is not provided now.
Cyclops is open evaluation for Microsoft Windows 10; Versions for Linux and Mac will be published soon.
User Manual
Cyclops is still in development. If any problem occurs, please contact us.
When using Cyclops, arg "--no-sandbox" is needed. If any suspicious XSS is detected, a log file named "SourceSink.txt" will be generated in running directory (Default:C:\Users\UserName\AppData\Local\Chromium\Application\97.0.4684.0). The format of SourceSink.txt will be introduced below.
DEMO video 1,DEMO video 2
Note Cyclops updates frequently so newly-developed features may not be included in the videos above.
To do list
Ordered by priorities
0. id field must be included in sink info.
E.g. "Sink:HTMLLIElement.className" without id field will display as Element type, and it must display its id if it is not null. This feature is in progress...
1.source and sink
Currently, the supported sources and sinks are as follows:
| source | sink |
|---|---|
| document.baseURI | element.innerHTML |
| document.URL | document.cookie |
| document.referrer | element.innerText |
| location.href/a.href | element.className |
| location.hash | element.href |
| location.host | element.src |
| location.hostname | document.write() |
| location.pathname | document.writeln() |
| location.search | window.alert() |
| document.domain | window.setTimeout() |
| document.cookie | window.setInterval() |
| document.documentURI | window.postMessage |
| element.textContent | document.createElement() |
| document.title | |
| element.classname | |
| element.namespaceURI | |
| element.src |
2.crash error fix
Our test cases only cover limited scenarios, so we will be appreciated if you raise an issue when encountering a crash.
3.optimization for SourceSink.txt
The current format of SourceSink.txt is temporary. We intend to output it as JSON or redirect it to a specific port. But limited by our finite ability and the complexity of Chromium's architecture, we have not solve the crash problem yet.
We are trying to implement our thoughts.
Description of SourceSink.txt
Each line of the file is a record of sink, with three parts divided by comma. The first part is sink info; The second part is a test ID; The third part is the source of the data, with embeddable units enclosed with []. Here is an example listed below:
[Sink:alert:qerwr , 910226, [ENURI:[Substring:[Location.search]]]]
"Sink:alert:qerwr", divided by colon, with "alert" as its destination method name, and its parameter is string "qerwr";
910226 represents to a test ID;
[ENURI:[Substring:[Location.search]]] describes the data source of the parameter of method "alert". alert(EncodeURI(location.search.substring()));
[Sink:HTMLLIElement.className ,910226, [Trim:[ADD:[ADD:[ADD:,[HTMLLIElement.className]],],]]]
Sink:HTMLLIElement.className divided by colon, represents the termination of the data is a className property of an Element.
910226 represents to a test ID;
[Trim:[ADD:[ADD:[ADD:,[HTMLLIElement.className]],],]]] ADD means operator +; If an operand does not contain tainted info, it will be an empty string "".
Note Test ID 910226 must be with data source. A test id without data source or data source without test id is a bug. Bug report around this issue will be appreciated. "Trim" and "ENURI" in the examples above are abbreviation marks used in Sink data flow. Full abbreivation mark table is listed below.
| Mark | JavaScript function | Direction | Illustration |
|---|---|---|---|
| A | string.anchor | [A:strX] | <a name=undefined>strX</a> |
| B | string.big | [B:strX] | <big>strX</big> |
| Blink | string.blink | [Blink:strX] | <blink>strX</blink> |
| Bold | string.bold | [Blod:strX] | <b>strX</b> |
| Fontcolor | string.fontcolor | ||
| Fontsize | string.fontsize | ||
| Fixed | string.fixed | ||
| Italics | string.Italics | ||
| Link | string.link | ||
| Small | string.small | ||
| Strike | string.strike | ||
| Sub | string.sub | ||
| Sup | string.sup | ||
| Pad:,S= | string.padStart | ||
| LC | string.toLowerCase | ||
| Substring | string.substring | ||
| DURI | decodeURI | ||
| DURIC | decodeURIComponent | ||
| ENURI | encodeURI | ||
| ENURIC | encodeURIComponent | ||
| Escape | escape | ||
| UnEscape | Unescape | ||
| Geval | eval method | ||
| Deval | eval method | ||
| ADD | addition | [ADD:strX,strY] | missing operand(s) means no tainted info |
| Pad:,E= | string.padEnd | [Pad:strx,E=strY] | b=strX.padend(num,strY), it will be recorded if the value of b differs from that of strX |
| Rep:rec=,s= | strin.replace | [Rep:rec=hello,s=world] | strX.replace("hello","world"), find the "hello" substring from strX and replace it with substring "world" |
| Repeat | string.repeat | [Repeat:strX] | Repeat times are currently not recorded. It will be updated soon |
| Slice | string.slice | [Slice:strX] | b=strX.slice(i,j),when the length of b is greater than zero and less than strX, it will be recorded |
| Substr | string.substr | [Substr:strX] | refer to the above example |
| Trim | string.trim | Does not distinguish trimStart, trimEnd, trimLeft and trimRight | |
| Concat | string.concat | [Concat:strX,strY] or [Concat:strX,strY,strZ...] | b=strX.concat(strY),b=strX.concat(strY,strZ...) |
| gAttr | element.getAttribute() | [gAttr:name:value] | e.g. <input id=name value='huidou'/>, method "input.getAttribute('value')" generates the record, represents that the data comes from a "value" property of an Element, whose id is "name"。 |
| sAttr | element.setAttribute() | [sAttr:name:value] | same as the above example, represents to a write action to the "value" property of an Element, whose "id" is name |
| F:P=,B= | Function() constructor | [F:P=p1,p2,B=evil] | P represents parameter, p1 and p2 represents data source of the two parameters;B represents the data source of the function body. Generates this record if P or B is attacker-controlled. |
Note common properties/methods such as location.href, settimeout and alert are not listed above because they just simply use their full names.
Disclaimer
The Cyclops can only be used in the safety construction of enterprises with sufficient legal authorization. During the use of the Cyclops, you should ensure that all your actions comply with local laws and regulations. If you have any illegal behavior in the process of using this tool, you will bear all the consequences yourself, and all developers and all contributors of this tool will not bear any legal and joint liability.