#!/usr/bin/env python3 """ DOMPurify CTF Analyzer Analyzes the modified DOMPurify to find potential backdoors or bypasses """ import re import json from difflib import SequenceMatcher, unified_diff def read_file(filename): with open(filename, 'r', encoding='utf-8') as f: return f.read() def extract_functions(code): """Extract function definitions from JavaScript code""" # Match function declarations func_pattern = r'function\s+(\w+)\s*\([^)]*\)\s*{' functions = re.findall(func_pattern, code) return functions def extract_regexes(code): """Extract regex patterns that might be security-critical""" # Match regex literals regex_pattern = r'/[^/\n]+/[gimsuvy]*' regexes = re.findall(regex_pattern, code) return regexes def find_suspicious_patterns(code): """Look for potentially suspicious modifications""" suspicious = [] # Check for relaxed security patterns patterns = [ (r'return\s+true\s*;', 'Always returns true'), (r'return\s+dirty\s*;', 'Returns unsanitized input'), (r'//\s*BYPASS', 'Contains BYPASS comment'), (r'===\s*false', 'False comparisons'), (r'!\s*=\s*false', 'Negated false checks'), (r'allowscripts?', 'Script allowance', re.IGNORECASE), (r'(eval|Function|setTimeout|setInterval)\s*\(', 'Dynamic code execution'), ] for pattern, description, *flags in patterns: flag = flags[0] if flags else 0 matches = list(re.finditer(pattern, code, flag)) if matches: for match in matches[:5]: # Limit to first 5 context_start = max(0, match.start() - 100) context_end = min(len(code), match.end() + 100) context = code[context_start:context_end] suspicious.append({ 'pattern': pattern, 'description': description, 'position': match.start(), 'context': context.replace('\n', ' ').replace('\r', '') }) return suspicious def analyze_security_configs(code): """Extract security-related configuration""" configs = {} config_patterns = { 'ALLOWED_TAGS': r'ALLOWED_TAGS\s*=\s*([^;]+);', 'ALLOWED_ATTR': r'ALLOWED_ATTR\s*=\s*([^;]+);', 'FORBID_TAGS': r'FORBID_TAGS\s*=\s*([^;]+);', 'SAFE_FOR_TEMPLATES': r'SAFE_FOR_TEMPLATES\s*=\s*([^;]+);', 'SANITIZE_DOM': r'SANITIZE_DOM\s*=\s*([^;]+);', } for config_name, pattern in config_patterns.items(): match = re.search(pattern, code) if match: configs[config_name] = match.group(1).strip() return configs def main(): print("="*70) print("DOMPurify CTF Analyzer") print("="*70) print() # Read the CTF version ctf_content = read_file('paste.txt') ctf_code = '\n'.join(ctf_content.split('\n')[1:]) # Skip first line print("[1] BASIC INFORMATION") print("-"*70) print(f"Code length: {len(ctf_code):,} characters") print(f"Lines of code: {len(ctf_code.splitlines()):,}") print() # Extract functions print("[2] FUNCTION ANALYSIS") print("-"*70) functions = extract_functions(ctf_code) print(f"Total functions found: {len(functions)}") print(f"Key functions: {', '.join(functions[:10])}") print() # Extract regexes print("[3] REGEX PATTERNS") print("-"*70) regexes = extract_regexes(ctf_code) print(f"Total regex patterns found: {len(regexes)}") print("Sample patterns:") for regex in regexes[:5]: print(f" {regex}") print() # Find suspicious patterns print("[4] SUSPICIOUS PATTERNS") print("-"*70) suspicious = find_suspicious_patterns(ctf_code) if suspicious: print(f"Found {len(suspicious)} potentially suspicious patterns:\n") for i, item in enumerate(suspicious, 1): print(f"{i}. {item['description']}") print(f" Position: {item['position']}") print(f" Context: ...{item['context'][:150]}...") print() else: print("No obviously suspicious patterns found.") print("This might indicate subtle modifications.") print() # Analyze configurations print("[5] SECURITY CONFIGURATIONS") print("-"*70) configs = analyze_security_configs(ctf_code) if configs: for config, value in configs.items(): print(f"{config}: {value[:100]}") else: print("Unable to extract explicit configuration defaults.") print() # Look for common XSS bypass opportunities print("[6] POTENTIAL BYPASS VECTORS") print("-"*70) bypass_checks = [ ('mXSS', r'(innerHTML|outerHTML)'), ('DOM Clobbering', r'(getElementById|getElementsByName)'), ('Namespace confusion', r'(SVG|MathML|XHTML)'), ('Template literals', r'(MUSTACHE|ERB|TMPLIT)'), ('Protocol handlers', r'(javascript:|data:|vbscript:)'), ] for vector_name, pattern in bypass_checks: matches = len(re.findall(pattern, ctf_code, re.IGNORECASE)) status = "✓" if matches > 0 else "✗" print(f"{status} {vector_name}: {matches} references found") print() print("="*70) print("Analysis complete! Review suspicious patterns for CTF solutions.") print("="*70) if __name__ == '__main__': main()