bscan 1.4.5 → 2.0.0

data/CONFIG.rdoc

@@ -91,7 +91,12 @@ to 'true', the detailed zipped report will be attached. You'll ned
 It's important not to exceed the maximum file number on your
 client, otherwise it might not work. It's also important to 
 set up a correct timeout (sleep_time) that should not be 
-bigger than server's read timeout.  
+bigger than server's read or write timeout. The timeouts are different
+for different servers and attack types: for slow reads the 
+timeout is usally bigger (100-200-.. secs), while for
+slow writes it worked well for 5 - 10 sec interval. I general,
+I found that slow writes are far more dangerous than slow reads
+and that's why I set the default for 'delay_on_write' to 'true'.
 
 * bscan.slowloris.hostport=<host>:<port>
   no defaults, must provide both
@@ -100,23 +105,29 @@ bigger than server's read timeout.
 * bscan.slowloris.method=<http method>
   POST or GET, default - GET
 * bscan.slowloris.threads=n 
-  Thread number, default - 20
+  Thread number, default - 20 for reads, 500 for writes
 * bscan.slowloris.con_nbr_per_thread=n 
-  Number of connections per thread, default - 50
+  Number of connections per thread. 
+  Default - 50 for reads, 1 for writes
 * bscan.slowloris.pack_per_con=n 
   Max number of data packets to be sent in each connection 
-  default - 5 (duration of test: pack_per_con*sleep_time)
+  Default - 5 for reads, 50 - for writes
 * bscan.slowloris.response_time_factor=n
   Normal response time will be multipled by this number to determine
   when report an issue, e.g. if normal reposne time is 2 sec then if 
   a response time under attack is bigger than 2*n, it will
   be logged as an issue. Default - 5 
 * bscan.slowloris.sleep_time=n 
-  number of seconds to sleep
-  after beginning of a request has been send, default 100
+  number of seconds to sleep after beginning of a request has been send
+  for reads or a delay to read message body for writes.
+  Default: 100 - for reads, 5 - for writes
 * bscan.slowloris.static_request=true
   Must be always set to 'true' for this module
-
+* delay_on_write=<true|false>
+  Make delays on server's writes if true. Default: true
+* health_check_int=n
+  Health check interval in seconds. Default: 2
+  
 == kill_apache.rb Module Parameters
 Similar to slowloris a monitoring thread will be checking
 a response time and log an issue if a threshold is reached

data/README.rdoc

@@ -28,14 +28,13 @@ Burp Suite from PortSwigger and Buby from Eric Monti and Timur Duehr
 == REQUIREMENTS:
 * JRuby - http://jruby.org
 * Burp pro if you want to use default Burp's scanners 
-* Burp free if you want to run BScan's modules only 
-* Buby 1.3.1 (see http://emonti.github.com/buby/)
+* Buby 1.3.1 (see http://emonti.github.com/buby/) (not neccessary for modules_only mode)
 
 == BUILD/INSTALL:
 
 === Gem
 
-  sudo jruby -S gem install buby -d --source=http://gemcutter.org
+  sudo jruby -S gem install buby -d --source=http://gemcutter.org (not necessary for modules_only)
   sudo jruby -S gem install bscan --source=http://gemcutter.org
   
   After Buby and BScan are installed, you'll need to link BScan to Burp's JAR (see below)
@@ -51,6 +50,8 @@ Burp Suite from PortSwigger and Buby from Eric Monti and Timur Duehr
 
 ==== Linking BScan and Buby to Burp's JAR. 
 
+* This step is not neccessary for modules_only mode
+
 After Buby and BScan are installed (either manually or by gem) 
 you'll need to link them to a Burp's JAR.
 
@@ -81,6 +82,8 @@ To get help for config layout run:
 == RUNNING, REGISTERING Burp Pro:
 You need to register you burp.jar before you can run it headless
 
+* Not neccessary for modules_only mode
+
 * Run your Burp as usual with GUI and provide you license. 
   After this is done, you can run it headless using 'bscan'
 

data/VERSION

@@ -1 +1 @@
-1.4.5
+2.0.0

data/bin/bscan

@@ -3,10 +3,9 @@
 #require File.expand_path(File.join(File.dirname(__FILE__), %w[.. lib bscan]))
 $: << File.expand_path(File.join(File.dirname(__FILE__), %w[.. lib]))
 
-require 'buby'
 require 'getoptlong'
-require 'bscan'
 require 'bscan/utils/bscan_helper'
+require 'json'
 
 include BscanHelper
 
@@ -29,6 +28,35 @@ USAGE: jruby [-J-Xmx<nnn>M] [-J-Djava.awt.headless=true] -S bscan --config path_
   exit(1)
 end  
 
+def read_config file
+   
+   burp_config = {}
+   bscan_config = {}
+   
+   begin
+      open_in_path(file).each_line do |line|
+      line.chomp!
+      line.strip!
+      next if (line =~ /^#/ or line.length < 1)  
+      data = line.split(/=/)
+      val = nil
+      val = data[1..-1].join('=') if data.size > 1 
+      if data[0] =~ /^bscan./
+        add_multi(bscan_config,data[0],val)
+      else
+        burp_config[data[0]] = val
+      end
+    end
+    rescue Exception => e
+      $stderr.puts("BScan.read_config Error: can't read config file '#{file}', exception: #{e.message}")
+      $stderr.puts(e.backtrace.join("\n"))
+      Process.exit(3)
+    end 
+    [burp_config, bscan_config]
+end
+
+
+
 def get_cmd_params
   params = {}
   
@@ -74,6 +102,16 @@ def get_cmd_params
   params  
 end
 
+params = get_cmd_params
+
+init_internals  params
+run_modules self
+exit 0 if @modules_only
+
+require 'buby'
+require 'burp'
+require 'bscan'
+
 $burp = Buby.new()
 $burp.extend(BScan)
-$burp.start_burp([get_cmd_params.to_json])
+$burp.start_burp([params.to_json])

data/bscan.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = "bscan"
-  s.version = "1.4.5"
+  s.version = "2.0.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Oleg Gryb (ogryb)"]
-  s.date = "2012-08-15"
+  s.date = "2012-08-22"
   s.description = "BScan is a configurable and extendable web application security scanner that can be run from a command line headless (without UI). It's built on top of arguably the most popular commercial security testing tool Burp Suite from PortSwigger and Buby from Eric Monti and Timur Duehr"
   s.email = "oleg@gryb.info"
   s.executables = ["bscan"]

data/lib/bscan.rb

@@ -1,75 +1,20 @@
 #!/usr/bin/env jruby
 
-require 'pathname'
 require 'buby'
 require 'getoptlong'
-require 'json'
 require 'bscan/utils/bscan_helper'
 require 'bscan/utils/mailer'
 require 'java'
-
-class String
-  def camelize
-    self.split(/[^a-z0-9]/i).map{|w| w.capitalize}.join
-  end
-  def camelize!
-    self.replace(self.split(/[^a-z0-9]/i).map{|w| w.capitalize}.join)
-  end
-end
+require 'json'
 
 module BScan
   
   include BscanHelper
   include Mailer
   
-  attr_accessor :activity
-  attr_reader :modules_only
-  attr_reader :bscan_config
-  attr_accessor :stat
 
-  def Log (mtype, *msgs)
-    pr = "Unknown:"
-    case mtype
-    when 0
-      pr = "ERROR:"
-    when 1
-      pr = "WARN:"
-    when 2
-      pr = "INFO:"
-    when 3
-      pr = "DEBUG:"
-    end  
-    msgs.each do |msg|
-      if (@ll >= mtype)
-        dt = Time.now.strftime("%y%m%d %H%M%S")
-        @log.println "#{dt} #{pr} #{msg}"
-      end
-    end
-    @log.flush
-  end
-  
   def evt_commandline_args args
-    init_stat
-    @cmd_params ||= JSON.parse args[0]
-    @ll =  @cmd_params['loglevel'].to_i
-
-    lfile = @cmd_params['logfile']
-    if lfile != nil
-        begin
-          @log = java.io.PrintStream.new(lfile)
-        rescue Exception => e
-          $stderr.puts("BScan.evt_register_callbacks  Error: can't open log file '#{lfile}', exception: #{e.message}")
-          $stderr.puts(e.backtrace.join("\n"))
-          Process.exit!(2)
-        end
-    else
-      @log = $stdout
-    end
-
-    Log 2, "BScan.evt_commandline_args CMD_PARAMS: #{@cmd_params}"
-    @cmd_params.each_pair do |k,v|
-      Log 2,"BScan.evt_commandline_args #{k}:#{v}"
-    end
+      init_internals JSON.parse(args[0])
   end
   
   
@@ -95,50 +40,13 @@ module BScan
           Log 2, "BScan.evt_http_message Actively scanning: #{message_info.url.to_string}"
           isqi = do_active_scan(message_info.getHost(), message_info.getPort(), https, message_info.getRequest(), [])
           @queue.push(isqi)
-          run_modules message_info
+          run_modules self, message_info
         end
      end
     end  
   end
   
-  def is_module_static n,p
-    pref = 'bscan.' + n + '.'
-    pref += p + '.' if p and p.length > 0
-    @bscan_config[pref + 'static_request'] == 'true'  
-  end
-  
-  
-  def run_modules msg=nil
-    if @modules 
-      @modules.each do |m|
-        begin
-          mod,prop=m.split(':',2)
-          prop ||=''
-          mn = File.basename(mod,".rb")
-          is_static = is_module_static(mn,prop)
-          Log 2, "BScan.run_modules executing module #{mod}:#{prop} #{is_static}"
-          mn.camelize!
-          if (is_static && !msg) || (!is_static && msg)
-            eval("
-#           puts '=====================MODULE PATH: ' + $:.join(':') 
-            require '#{mod}'
-            require 'bscan/utils/bscan_helper.rb'
-            
-            class #{mn}#{prop}Class
-              include #{mn}
-              include BscanHelper
-            end
-            #{mn}#{prop}Class.new.run(self, msg, prop)
-            ")
-          end
-        rescue Exception => e
-          Log 1, "BScan.run_modules Can't exceute module #{mod}, Exception: #{e.message}"
-          Log 1, e.backtrace.join("\n")
-        end
-      end
-    end
-  end    
-  
+
   def evt_scan_issue issue
     super(issue)
 #    Buby::HttpRequestResponseHelper.implant(issue.http_messages)
@@ -152,32 +60,7 @@ module BScan
     }
   end
   
-  def write_issue_state issue
-#   Log 2,"INSPECT: #{issue.http_messages[0].methods}  #{issue.http_messages[0].inspect}  #{issue.http_messages[0].to_s} "
-    
-    @stat['high'] += 1 if issue.severity =~ /High/i
-    @stat['med'] += 1 if issue.severity =~ /Med/i
-    @stat['low'] += 1 if issue.severity =~ /Low/i
-    @stat['urls'] += "  #{issue.url}\n"
-    
-    Log 2,"BScan.write_issue_state #{not @istream} #{issue.http_messages[0].methods}  #{issue.http_messages[0].to_s} "
-    @istream or return
-    begin 
-      @istream.println '#'*70
-      @istream.println "#{issue.issue_name} : #{issue.url}"
-      @istream.println "Severity: #{issue.severity}(#{issue.confidence})"
-      @istream.println "Background: #{issue.issue_background}"
-      @istream.println "Details: #{issue.issue_detail}" 
-      @istream.println "Remediation: #{issue.remediation_background}"
-      @istream.println "Request: #{issue.http_messages[0].req_str}" 
-      @istream.println "Response: #{issue.http_messages[0].rsp_str}"
-      # sync_save_state issue throws exceptions
-      @istream.flush 
-    rescue Exception => e
-      Log 0, "BScan.write_issue_state Can't write issue #{issue.issue_name}, Exception: #{e.message}"
-      Log 0,  e.backtrace.join("\n")
-    end
-  end
+
   def evt_application_closing
     begin
       Log 2,"BScan.evt_application_closing #{@bscan_config['bscan.smtp.server']} #{@bscan_config['bscan.smtp.to']}"
@@ -193,32 +76,12 @@ module BScan
     
   def evt_register_callbacks cb
     super(cb)
+    @burp ||= self
     begin
-      
       Log 2, "="*30, "BScan.evt_register_callbacks registring, log = #{@cmd_params['logfile']}  ", "="*30 
-      @bscan_config = @cmd_params['bscan_config']
-      @burp_config = @cmd_params['burp_config']
-      @issues = @bscan_config['bscan.issues']
-      @modules_only = (@bscan_config['bscan.modules_only'] and @bscan_config['bscan.modules_only'] == 'true') 
-      
-      Log 1, "BScan.evt_register_callbacks No issues dir provided. Issues will not be logged." if not @issues
-      if (@issues)
-        begin 
-          dt = Time.now.strftime("%y%m%d_%H%M%S")
-          File.directory? @issues or %x{mkdir -p "#{@issues}"}
-          @sstream = "#{@issues}/session.#{dt}.zip"
-          ifile = "#{@issues}/issues.#{dt}.txt"
-          @istream = java.io.PrintStream.new(ifile)
-          @stat['issues'] = ifile
-        rescue Exception => e
-          Log 0, "BScan.evt_register_callbacks Can't create issues or session files, Exception: #{e.message}"
-          Log 0,  e.backtrace.join("\n")
-          exit_suite
-        end
-      end
+
           
       @queue ||= []
-      @activity = [false]
       @inactivity_to = @bscan_config['bscan.inactivity_to']
       @inactivity_to ||= '30'
       @inactivity_to = @inactivity_to.to_i
@@ -255,22 +118,11 @@ module BScan
       load_config params
       params.each_pair {|k,v| Log 2,"#{k}:#{v}"} # if k =~ /^(scanner|spider)/}
      
-     @modules ||= @bscan_config['bscan.modules']
-     @modules ||= [] if not @modules
-     @modules = [@modules] if not @modules.kind_of?(Array)
-     
-     mods = []
-     @modules.each do |m|
-       mods << m.split(',')
-     end
+#      run_modules
+#      exit_suite
 
-     @modules = mods.flatten 
-     
-    urls = @bscan_config['bscan.url']
-    Log 2, "BScan.evt_register_callbacks urls: #{@modules_only} #{urls}"
-  
-     run_modules # run_modules without 'msg' will do static reqs only 
-     return if @modules_only
+      urls = @bscan_config['bscan.url']
+      Log 2, "BScan.evt_register_callbacks urls: #{@modules_only} #{urls}"
   
       if not urls
        Log 0, "BScan.evt_register_callbacks No URL's provided in config. Use bscan.url param. Multiple entries are OK"
@@ -297,58 +149,4 @@ module BScan
 end
 
 
-def log ll, stream
-  stream.puts if true 
-end
-
-def add_multi map,k,v
-  if (map[k])
-    ov = map[k];
-    if (ov.kind_of?(Array))
-      map[k] << v
-    else 
-      map[k] = [ov,v]
-    end
-  else
-    map[k] = v  
-  end
-end
-
-def init_stat
-  @stat ||= {}
-  @stat['start_time'] = Time.now.strftime("%Y-%m-%d %H:%M:%S")
-  @stat['end_time'] = ''
-  @stat['high'] = 0
-  @stat['med'] = 0
-  @stat['low'] = 0
-  @stat['issues'] = ''
-  @stat['urls'] = ''
-end
-
-def read_config file
-   
-   burp_config = {}
-   bscan_config = {}
-   
-   begin
-      open_in_path(file).each_line do |line|
-      line.chomp!
-      line.strip!
-      next if (line =~ /^#/ or line.length < 1)  
-      data = line.split(/=/)
-      val = nil
-      val = data[1..-1].join('=') if data.size > 1 
-      if data[0] =~ /^bscan./
-        add_multi(bscan_config,data[0],val)
-      else
-        burp_config[data[0]] = val
-      end
-    end
-    rescue Exception => e
-      $stderr.puts("BScan.read_config Error: can't read config file '#{file}', exception: #{e.message}")
-      $stderr.puts(e.backtrace.join("\n"))
-      Process.exit(3)
-    end 
-    [burp_config, bscan_config]
-end