Codeql module

bbot/core/core.py

@@ -84,6 +84,10 @@ def lib_dir(self):
     def scans_dir(self):
         return self.home / "scans"
 
+    @property
+    def wordlist_dir(self):
+        return Path(__file__).parent.parent / "wordlists"
+
     @property
     def config(self):
         """

bbot/core/helpers/yara_helper.py

@@ -35,16 +35,32 @@ def compile_strings(self, strings: list[str], nocase=False):
     def compile(self, *args, **kwargs):
         return yara.compile(*args, **kwargs)
 
-    async def match(self, compiled_rules, text):
+    async def match(self, compiled_rules, text, full_result=False):
         """
-        Given a compiled YARA rule and a body of text, return a list of strings that match the rule
+        Given a compiled YARA rule and a body of text, return matches.
+
+        Args:
+            compiled_rules: Compiled YARA rules
+            text: Text to match against
+            full_result (bool): If True, returns full match information including
+                              rule names and metadata. If False, returns only matched strings.
+
+        Returns:
+            If full_result=False: List[str] of matched strings
+            If full_result=True: List[dict] with full match information including:
+                - matched_string: The full matched string
+                - rule: The name of the matched rule
+                - meta: The metadata of the matched rule
         """
-        matched_strings = []
+        results = []
         matches = await self.parent_helper.run_in_executor(compiled_rules.match, data=text)
         if matches:
             for match in matches:
                 for string_match in match.strings:
                     for instance in string_match.instances:
                         matched_string = instance.matched_data.decode("utf-8")
-                        matched_strings.append(matched_string)
-        return matched_strings
+                        if full_result:
+                            results.append({"matched_string": matched_string, "rule": match.rule, "meta": match.meta})
+                        else:
+                            results.append(matched_string)
+        return results

bbot/presets/web/codeql-intense.yml

@@ -0,0 +1,15 @@
+description: Discover client-side web vulnerabilities using CodeQL. Limit to "error" and "warning" level findings, and include out of scope JS files.
+
+modules:
+  - httpx
+  - portfilter
+  - codeql
+
+config:
+  url_querystring_remove: False
+  modules:
+    excavate:
+      retain_querystring: True
+    codeql:
+      mode: all
+      min_severity: warning

bbot/presets/web/codeql-min.yml

@@ -0,0 +1,15 @@
+description: Discover client-side web vulnerabilities using CodeQL. Limit to "error" level findings, and only analyze the DOM itself.
+
+modules:
+  - httpx
+  - portfilter
+  - codeql
+
+config:
+  url_querystring_remove: False
+  modules:
+    excavate:
+      retain_querystring: True
+    codeql:
+      mode: dom_only
+      min_severity: error

bbot/presets/web/codeql.yml

@@ -0,0 +1,15 @@
+description: Discover client-side web vulnerabilities using CodeQL. Limit to "error" level findings, and skip out of scope JS files.
+
+modules:
+  - httpx
+  - portfilter
+  - codeql
+
+config:
+  url_querystring_remove: False
+  modules:
+    excavate:
+      retain_querystring: True
+    codeql:
+      mode: in_scope
+      min_severity: error

bbot/scanner/preset/environ.py

@@ -90,6 +90,8 @@ def prepare(self):
         # ensure bbot_tools
         environ["BBOT_TOOLS"] = str(self.preset.core.tools_dir)
         add_to_path(str(self.preset.core.tools_dir), environ=environ)
+        # ensure bbot_wordlists
+        environ["BBOT_WORDLISTS"] = str(self.preset.core.wordlist_dir)
         # ensure bbot_cache
         environ["BBOT_CACHE"] = str(self.preset.core.cache_dir)
         # ensure bbot_temp

bbot/wordlists/codeql_queries/dom-xss-jquery-contains.ql

@@ -0,0 +1,100 @@
+/**
+ * @name DOM-based XSS via potentially dangerous jQuery selectors
+ * @description Untrusted input like location.hash used in potentially dangerous jQuery selectors (such as :contains, has(), or other non-ID selectors) can lead to XSS when jQuery processes the selector.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision high
+ * @id js/dom-xss-jquery-unsafe-selectors
+ * @tags security
+ * external/cwe/cwe-079
+ * external/cwe/cwe-116
+ */
+
+import javascript
+import DataFlow
+import DataFlow::PathGraph
+
+/**
+ * Taint tracking configuration for location.hash being used unsafely in jQuery selectors.
+ */
+class HashToJQueryContainsConfig extends TaintTracking::Configuration {
+  HashToJQueryContainsConfig() { this = "HashToJQueryContainsConfig" }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists(DataFlow::PropRead hashProp |
+      hashProp = source and
+      hashProp.getPropertyName() = "hash" and
+      exists(DataFlow::PropRead locationProp |
+        locationProp = hashProp.getBase() and
+        locationProp.getPropertyName() = "location"
+      )
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(DataFlow::CallNode jqueryCall |
+      (jqueryCall.getCalleeName() = "$" or jqueryCall.getCalleeName() = "jQuery") and
+      sink = jqueryCall.getArgument(0) and
+      (
+        // Check for direct :contains usage in string literals
+        exists(string val | val = sink.getStringValue() and val.indexOf(":contains(") >= 0) or
+
+        // Check for string concatenation or binary expressions that aren't properly sanitized
+        exists(Expr expr | 
+          expr = sink.asExpr() and
+          (expr instanceof BinaryExpr or expr instanceof AddExpr) and
+          not isSafeIdSelector(expr)
+        )
+      )
+    )
+    or
+    // Also check for unsafe usage in jQuery has() method
+    exists(DataFlow::MethodCallNode hasCall |
+      hasCall.getMethodName() = "has" and
+      sink = hasCall.getArgument(0) and
+      not isSafeSelector(hasCall.getArgument(0))
+    )
+  }
+
+  /**
+   * Determines if an expression represents a safe ID selector (starting with #)
+   */
+  private predicate isSafeIdSelector(Expr expr) {
+    // Case: '#' + hash
+    exists(AddExpr addExpr, StringLiteral hashChar |
+      addExpr = expr and
+      hashChar = addExpr.getLeftOperand() and
+      hashChar.getValue() = "#"
+    )
+    or
+    // Case: $('#' + hash)
+    exists(StringLiteral strLit |
+      strLit = expr and
+      strLit.getValue().charAt(0) = "#"
+    )
+  }
+
+  /**
+   * Determines if a node represents a safe selector
+   */
+  private predicate isSafeSelector(DataFlow::Node node) {
+    exists(StringLiteral strLit |
+      strLit = node.asExpr() and
+      strLit.getValue().charAt(0) = "#"
+    )
+    or
+    exists(AddExpr addExpr, StringLiteral hashChar |
+      addExpr = node.asExpr() and
+      hashChar = addExpr.getLeftOperand() and
+      hashChar.getValue() = "#"
+    )
+  }
+}
+
+/**
+ * Execute the taint tracking analysis.
+ */
+from HashToJQueryContainsConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "The value from $@ is used unsafely in a jQuery selector, potentially leading to DOM XSS.", source.getNode(), "location.hash"

bbot/wordlists/codeql_queries/xmlhttprequest-to-eval.ql

@@ -0,0 +1,53 @@
+/**
+ * @name DOM-based XSS via dangerous eval of XMLHttpRequest responseText
+ * @description Evaluating untrusted data from an XMLHttpRequest's responseText via eval() can lead to code injection.
+ * @kind path-problem
+ * @problem.severity error
+ * @security.severity 9.5
+ * @precision high
+ * @id js/xhr-dynamic-eval-modified
+ * @tags security
+ * external/cwe/cwe-95
+ */
+
+ import javascript
+ import DataFlow
+ import DataFlow::PathGraph
+
+ /**
+  * Modified taint tracking configuration to catch cases where `this.responseText`
+  * flows into an eval call even when used in string concatenation.
+  */
+ class XHRResponseToEvalConfigModified extends TaintTracking::Configuration {
+   XHRResponseToEvalConfigModified() { this = "XHRResponseToEvalConfigModified" }
+
+   override predicate isSource(DataFlow::Node source) {
+     // Mark any property read of "responseText" as a taint source.
+     exists(DataFlow::PropRead propRead |
+       propRead = source and 
+       propRead.getPropertyName() = "responseText"
+     )
+   }
+
+   override predicate isSink(DataFlow::Node sink) {
+     // Mark the argument of eval() as a taint sink.
+     exists(CallExpr call |
+       call.getCallee().(Identifier).getName() = "eval" and
+       sink.asExpr() = call.getArgument(0)
+     )
+   }
+
+   override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+     // Propagate taint through binary expressions (e.g. string concatenation).
+     exists(BinaryExpr binop |
+       // Check if the tainted value appears in either operand.
+       (binop.getLeftOperand() = pred.asExpr() or binop.getRightOperand() = pred.asExpr()) and
+       succ.asExpr() = binop
+     )
+   }
+ }
+
+ from XHRResponseToEvalConfigModified config, DataFlow::PathNode source, DataFlow::PathNode sink
+ where config.hasFlowPath(source, sink)
+ select sink.getNode(), source, sink, "Untrusted data from XMLHttpRequest.responseText flows to eval() after string concatenation.", source.getNode(), "XMLHttpRequest.responseText"
+