Add XSS fbsamples#3

- Closes fbsamples#10
- Incorporated XSS fbsamples#3 into srp and baseline actions
- Minor updates and fixes

.github/workflows/baseline.yaml

@@ -69,7 +69,7 @@ jobs:
           popd
 
       - name: Create vulnerable test environment
-        run: ./caldera-security-tests TestEnv -v
+        run: ./caldera-security-tests testEnv -v
 
       - name: Wait until container is running
         run: |
@@ -79,13 +79,16 @@ jobs:
         shell: bash
 
       - name: Run security regression test for first XSS
-        run: ./caldera-security-tests StoredXSSUno
+        run: ./caldera-security-tests storedXSSUno
 
       - name: Run security regression test for second XSS
-        run: ./caldera-security-tests StoredXSSDos
+        run: ./caldera-security-tests storedXSSDos
+
+      - name: Run security regression test for third XSS
+        run: ./caldera-security-tests storedXSSTres
 
       - name: Destroy test environment
-        run: ./caldera-security-tests TestEnv -d
+        run: ./caldera-security-tests testEnv -d
 
       - name: Report failure
         uses: nashmaniac/[email protected]

.github/workflows/srp.yaml

@@ -53,8 +53,8 @@ jobs:
 
       - name: Set git config
         run: |
-          git config --global user.name "John Doe"
-          git config --global user.email johndoe@example.com
+          git config --global user.name "Github Actions"
+          git config --global user.email actions@example.com
 
       - name: Clone CALDERA repo
         run: |
@@ -63,7 +63,7 @@ jobs:
           popd
 
       - name: Create test environment with the most recent caldera release
-        run: ./caldera-security-tests TestEnv -r
+        run: ./caldera-security-tests testEnv -r
 
       - name: Wait until container is running
         run: |
@@ -74,13 +74,16 @@ jobs:
         shell: bash
 
       - name: Run security regression test for first XSS
-        run: ./caldera-security-tests StoredXSSUno
+        run: ./caldera-security-tests storedXSSUno
 
       - name: Run security regression test for second XSS
-        run: ./caldera-security-tests StoredXSSDos
+        run: ./caldera-security-tests storedXSSDos
+
+      - name: Run security regression test for third XSS
+        run: ./caldera-security-tests storedXSSTres
 
       - name: Destroy test environment
-        run: ./caldera-security-tests TestEnv -d
+        run: ./caldera-security-tests testEnv -d
 
       - name: Report failure
         uses: nashmaniac/[email protected]

.vscode/launch.json

@@ -1,16 +1,17 @@
 {
-  // Use IntelliSense to learn about possible attributes.
-  // Hover to view descriptions of existing attributes.
-  // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
   "version": "0.2.0",
   "configurations": [
     {
-      "name": "Debug",
+      "name": "Run XSS #3.",
       "type": "go",
       "request": "launch",
       "mode": "debug",
       "program": "${workspaceRoot}",
-      "args": ["--debug", "StoredXSSDos"]
+      "args": [
+        // Verbose output
+        "--debug",
+        "StoredXSSTres"
+      ]
     }
   ]
 }

README.md

@@ -105,32 +105,42 @@ Create vulnerable test environment, run the [first XSS](https://github.com/metar
 and tear the test environment down:
 
 ```bash
-./caldera-security-tests TestEnv -v
-./caldera-security-tests StoredXSSUno
-./caldera-security-tests TestEnv -d
+./caldera-security-tests testEnv -v
+./caldera-security-tests storedXSSUno
+./caldera-security-tests testEnv -d
 ```
 
 Create vulnerable test environment, run the [second XSS](https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-2gjc-v4hv-m4p9),
 and tear the test environment down:
 
 ```bash
-./caldera-security-tests TestEnv -v
-./caldera-security-tests StoredXSSDos
-./caldera-security-tests TestEnv -d
+./caldera-security-tests testEnv -v
+./caldera-security-tests storedXSSDos
+./caldera-security-tests testEnv -d
+```
+
+Create vulnerable test environment, run the [third XSS](https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-7344-4pg9-qf45),
+and tear the test environment down:
+
+```bash
+./caldera-security-tests testEnv -v
+./caldera-security-tests storedXSSTres
+./caldera-security-tests testEnv -d
 ```
 
 Create test environment using the most recent commit
 to the default CALDERA branch, try running all attacks,
 and tear the test environment down:
 
 ```bash
-./caldera-security-tests TestEnv -r
-./caldera-security-tests StoredXSSUno
-./caldera-security-tests StoredXSSDos
-./caldera-security-tests TestEnv -d
+./caldera-security-tests testEnv -r
+./caldera-security-tests storedXSSUno
+./caldera-security-tests storedXSSDos
+./caldera-security-tests storedXSSTres
+./caldera-security-tests testEnv -d
 ```
 
 Parameters for the tests can be modified
 in the generated `config/config.yaml` file.
-This file is created as soon as the `TestEnv`
+This file is created as soon as the `testEnv`
 command in the above example is run.

cmd/caldera.go

@@ -90,9 +90,9 @@ func setupChrome(caldera Caldera) (ChromeDP, []func(), error) {
 	return chrome, cancels, nil
 }
 
-// Login logs into CALDERA using Google Chrome with the input
+// login logs into CALDERA using Google Chrome with the input
 // credentials and returns an authenticated session.
-func Login(caldera Caldera) (Caldera, error) {
+func login(caldera Caldera) (Caldera, error) {
 	// Selectors for chromeDP
 	rocketSelector := "#home > div.modal.is-active > div.modal-card > footer > button"
 	userSelector := "body > div > div > form > div:nth-child(1) > div > input"
@@ -119,9 +119,9 @@ func Login(caldera Caldera) (Caldera, error) {
 
 }
 
-// GetRedCreds navigates to the input calderaPath to
+// getRedCreds navigates to the input calderaPath to
 // retrieve the red user credentials for MITRE CALDERA.
-func GetRedCreds(calderaPath string) (Credentials, error) {
+func getRedCreds(calderaPath string) (Credentials, error) {
 	creds := Credentials{}
 	cwd := goutils.Gwd()
 	found := false

cmd/StoredXSSDos.go → cmd/storedXSSDos.go

@@ -44,17 +44,16 @@ import (
 )
 
 var (
-	// StoredXSSDosCmd runs the XSS vulnerability found after DEF CON 30.
-	StoredXSSDosCmd = &cobra.Command{
-		Use:   "StoredXSSDos",
-		Short: "Stored XSS found in addition to the previously reported one",
+	storedXSSDosCmd = &cobra.Command{
+		Use:   "storedXSSDos",
+		Short: "Second stored XSS found in MITRE Caldera by Jayson Grace from Meta's Purple Team",
 		Run: func(cmd *cobra.Command, args []string) {
 			fmt.Println(color.YellowString(
 				"Introducing stored XSS vulnerability #2, please wait..."))
 
 			caldera.URL = viper.GetString("login_url")
 			caldera.RepoPath = viper.GetString("repo_path")
-			caldera.Creds, err = GetRedCreds(caldera.RepoPath)
+			caldera.Creds, err = getRedCreds(caldera.RepoPath)
 			if err != nil {
 				log.WithError(err).Fatalf(
 					"failed to get Caldera credentials: %v", err)
@@ -70,7 +69,7 @@ var (
 
 			caldera.Driver = driver
 
-			caldera, err = Login(caldera)
+			caldera, err = login(caldera)
 			if err != nil {
 				log.WithError(err).Fatal("failed to login to caldera")
 			}
@@ -89,7 +88,7 @@ var (
 )
 
 func init() {
-	rootCmd.AddCommand(StoredXSSDosCmd)
+	rootCmd.AddCommand(storedXSSDosCmd)
 	storedXSSDosSuccess = false
 	introPayload = false
 }
@@ -224,7 +223,7 @@ func storedXSSDosVuln(payload string) error {
 		// Select Tactic from the operation graph dropdown menu
 		chromedp.SendKeys(tacticSelector, "Tactic"),
 		chromedp.Sleep(Wait(2000)),
-		// Trigger the vulnerability
+		// Trigger the exploit
 		chromedp.Evaluate(triggerVulnJS, &res),
 		chromedp.Sleep(Wait(2000)),
 		chromedp.ActionFunc(func(ctx context.Context) error {
@@ -267,7 +266,7 @@ func storedXSSDosVuln(payload string) error {
 		})); err != nil {
 		log.WithError(err).WithFields(log.Fields{
 			"Payload": payload,
-		}).Error("unexpected error while introducing the exploit")
+		}).Error("unexpected error while exploiting the vulnerability")
 		return err
 	}