{"id":15116302,"url":"https://github.com/AvalZ/RevOK","last_synced_at":"2025-09-27T22:30:32.413Z","repository":{"id":37625929,"uuid":"252475391","full_name":"AvalZ/RevOK","owner":"AvalZ","description":"An HTTP Response fuzzer to find Vulnerabilities in Security Scanners","archived":false,"fork":false,"pushed_at":"2024-06-18T01:27:48.000Z","size":2657,"stargazers_count":26,"open_issues_count":2,"forks_count":7,"subscribers_count":7,"default_branch":"master","last_synced_at":"2024-09-26T01:51:23.422Z","etag":null,"topics":["exploitation-framework","vulnerability-scanner","web-security-research"],"latest_commit_sha":null,"homepage":"https://avalz.it/post/2020-05-21-metasploit-pro-xss-to-rce/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/AvalZ.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2020-04-02T14:16:03.000Z","updated_at":"2024-03-08T16:39:37.000Z","dependencies_parsed_at":"2023-10-03T13:02:47.826Z","dependency_job_id":"7426beae-ec6e-459d-9246-b5b8475306ff","html_url":"https://github.com/AvalZ/RevOK","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AvalZ%2FRevOK","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AvalZ%2FRevOK/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AvalZ%2FRevOK/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AvalZ%2FRevOK/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/AvalZ","download_url":"https://codeload.github.com/AvalZ/RevOK/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":234461936,"owners_count":18837202,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["exploitation-framework","vulnerability-scanner","web-security-research"],"created_at":"2024-09-26T01:44:17.598Z","updated_at":"2025-09-27T22:30:27.159Z","avatar_url":"https://github.com/AvalZ.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# RevOK\n\nWe see the targets of our scan as passive entities, and this leads to underestimating the risk of performing a scan. However, the tools we use to scan are not immune to vulnerabilities.\nTesting these bugs is often hard since they require a dedicated testing infrastructure: RevOK supports analysts by simulating a malicious target and by tracking data in the security scanner.\n\n![RevOK flow](revok-flow.png)\n\nWhile the focus is on security scanners, RevOK can be used to test any software that takes (attacker-controlled) third-party data and displays it to a user (e.g., server-side REST API calls).\n\nRevOK helped us to find two [XSS to RCE bugs in Metasploit Pro](https://avalz.it/research/metasploit-pro-xss-to-rce/)[2] ([CVE-2020-7354](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-7354) and [CVE-2020-7355](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-7355)), as well as many other vulnerabilities.\nWe described this technique in our paper [\"Never Trust Your Victim: Weaponizing Vulnerabilities in Security Scanners\"](https://www.researchgate.net/publication/344642774_Never_Trust_Your_Victim_Weaponizing_Vulnerabilities_in_Security_Scanners), accepted at [RAID 2020](https://raid2020.org/).\n\n## How to cite us\n\nRevOK implements the automatic testing methodology presented in [\"Never Trust Your Victim: Weaponizing Vulnerabilities in Security Scanners\"](https://www.researchgate.net/publication/344642774_Never_Trust_Your_Victim_Weaponizing_Vulnerabilities_in_Security_Scanners).\n\nIf you want to cite us, please use the following (BibTeX) reference:\n\n```\n@inproceedings {valenza20revok,\nauthor = {Andrea Valenza and Gabriele Costa and Alessandro Armando},\ntitle = {Never Trust Your Victim: Weaponizing Vulnerabilities in Security Scanners},\nbooktitle = {23rd International Symposium on Research in Attacks, Intrusions and Defenses ({RAID} 2020)},\nyear = {2020},\nisbn = {978-1-939133-18-2},\naddress = {San Sebastian},\npages = {17--29},\nurl = {https://www.usenix.org/conference/raid2020/presentation/valenza},\npublisher = {{USENIX} Association},\nmonth = oct,\n}\n```\n\n\n## Getting started\n\nThe core of RevOK is the **stub** component.\nIt listens for incoming requests and sends attack responses.\n\nResponses are crafted from a *template file* and a *substitution list* containing attack payloads.\n```\npython cli.py stub TEMPLATE_FILE SUBSTITUTION_LIST\n```\n\nThis is an example of a template file:\n```\nHTTP/1.1 200 OK\nServer: $a\n\n\u003chtml\u003e\n\u003chead\u003e\u003ctitle\u003eTitle\u003c/title\u003e\u003c/head\u003e\n\u003cbody\u003e\n    \u003ch1\u003eMy page\u003c/h1\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n```\n\nFor each incoming request, the **stub** substitutes the placeholder (`$a` by default) with a new element of the substitution list.\nYou can also define custom placeholders using the `--placeholder` (`-p`) switch. Example usage:\n```\npython cli.py stub example.template example.substitutions -p \"$a\"\n```\nYou can find `example.template` and `example.substitutions` in this repo. WARNING: **stub** will substitute ANY occurrence of the defined placeholder; choose one that does not occur in any other part of the template.\n\nYou can also define a specific port using the `--port` switch, for example:\n\n```\npython cli.py stub example.template example.substitutions --port 3000\n```\n\nAdditional options are available from the `--help` switch.\n\n```\n:~$ python cli.py stub --help\n\nUsage: cli.py stub [OPTIONS] [TEMPLATE] [SUBSTITUTIONS]\n\n    Run a stub that serves tracking responses.\n\nOptions:\n    --log-file TEXT\n    --port INTEGER\n    --help           Show this message and exit.\n```\n\n### Automatic token deployment\n\n\"All responses are equal, but some responses are more equal than others\"\n\nResponses are not all parsed in the same way.\nSome parsers accept that the *Status message* is something different from \"OK\" or \"Moved permanently\",\nothers do not and discard the response.\n\nTo make testing easier, the stub component has a *tracking mode*, where it generates responses based on\na [*probabilistic context-free grammar*](fuzzer/probabilistichttpfuzzer.py).\n\nYou can launch the tracking mode of the stub component without defining the template and substitution list:\n\n```\npython cli.py server\n```\n\n### Enumerate tainted flows\n\n```\n:~$ python cli.py taint --help\n\nUsage: cli.py taint [OPTIONS] PACKETS_LOG SCANNER_REPORT\n\n    Get tainted paths between log and report.\n\nOptions:\n    --token-format TEXT\n    --help               Show this message and exit.\n\n```\n\n### Fetch attack template\n\n```\n:~$ python cli.py template --help\n\nUsage: cli.py template [OPTIONS] PACKETS_LOG TOKEN\n\n    Get a prebuilt template from a tainted token. The template can be used\n    from the stub component.\n    \n    WARNING! Use the same placeholder used by the stub.\n\nOptions:\n    -p, --placeholder TEXT\n    --help                  Show this message and exit.\n```\n\n## Vulnerable Targets\n\nTo let you try RevOK against a realistic target, we built [DVAS](https://github.com/AvalZ/DVAS), a *Damn Vulnerable Application Scanner*.\n\n## Why RevOK?\n\nIn short, RevOK makes scanners explode.\n\nThis is somewhat of an obscure reference from the 1981 movie *Scanners* [4].\n\nPrivate military company ConSec recruits \"scanners\" – super-powered individuals capable of telepathy and psychokinesis – and uses them in service of the company.\nHowever, when one of ConSec's scanners demonstrates his powers at a marketing event, the volunteer – Darryl Revok – turns out to be a more powerful scanner, who causes the ConSec scanner's head to explode.\n\n[Here](https://www.youtube.com/watch?v=qnp1jfLhtck) you can find the full scene.\n\n## References\n\n1. [Attacking the attackers](https://avalz.it/research/metasploit-pro-xss-to-rce/)\n2. [Metasploit Pro Release Notes for CVE-2020-7354 and CVE-2020-7355](https://help.rapid7.com/metasploit/release-notes/archive/2020/05/#20200514)\n3. [A. Valenza, G. Costa, A. Armando. \"Never Trust Your Victim: Weaponizing Vulnerabilities in Security Scanners\"](https://www.researchgate.net/publication/344642774_Never_Trust_Your_Victim_Weaponizing_Vulnerabilities_in_Security_Scanners)\n4. [Scanners (1981)](https://www.imdb.com/title/tt0081455/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FAvalZ%2FRevOK","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FAvalZ%2FRevOK","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FAvalZ%2FRevOK/lists"}