defmodule Sobelow.XSS do
@moduledoc """
# Cross-Site Scripting
Cross-Site Scripting (XSS) vulnerabilities are a result
of rendering untrusted input on a page without proper encoding.
XSS may allow an attacker to perform actions on behalf of
other users, steal session tokens, or access private data.
Read more about XSS here:
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
If you wish to learn more about the specific vulnerabilities
found within the Cross-Site Scripting category, you may run the
following commands to find out more:
$ mix sobelow -d XSS.SendResp
$ mix sobelow -d XSS.ContentType
$ mix sobelow -d XSS.Raw
$ mix sobelow -d XSS.HTML
XSS checks of all types can be ignored with the following command:
$ mix sobelow -i XSS
"""
alias Sobelow.XSS.Raw
@submodules [Sobelow.XSS.SendResp, Sobelow.XSS.ContentType, Sobelow.XSS.Raw, Sobelow.XSS.HTML]
use Sobelow.FindingType
def get_vulns(fun, meta_file, web_root, skip_mods \\ []) do
controller =
if meta_file.is_controller? do
String.replace_suffix(meta_file.filename, "_controller.ex", "")
|> Path.basename()
end
allowed = @submodules -- (Sobelow.get_ignored() ++ skip_mods)
Enum.each(allowed, fn mod ->
if mod === Raw do
apply(mod, :run, [fun, meta_file, web_root, controller])
else
apply(mod, :run, [fun, meta_file])
end
end)
end
def get_template_vulns(meta_file) do
allowed = @submodules -- Sobelow.get_ignored()
funs = meta_file.raw
if Enum.member?(allowed, Raw) do
Enum.each(funs, fn fun ->
apply(Raw, :run, [[fun], meta_file, nil, nil])
end)
end
end
def details do
@moduledoc
end
end