pentest 1.0.0

data/lib/pentest/checkers/sqli_checker.rb

@@ -0,0 +1,226 @@
+require 'pentest/checkers/base_checker'
+require 'pentest/payload'
+require 'pentest/sql_proxy'
+require 'term/ansicolor'
+require 'pairwise'
+require 'arproxy'
+require 'callsite'
+require 'gda'
+
+class Pentest::SqliChecker < Pentest::BaseChecker
+  Pentest::Checkers.add self
+
+  @description = "Checks for SQL injections"
+
+  SQLI_PAYLOADS = File.read(File.expand_path('../fuzzers/sqli.txt', File.dirname(__FILE__)), encoding: 'utf-8').lines.map(&:strip).select {|l| l.size > 5 && l =~ /\W/}
+  CRACKER_PAYLOAD = %q(<>"'%;()&+)
+
+  def initialize(endpoint, params)
+    super(endpoint, params)
+    @queries = []
+    @parser = GDA::SQL::Parser.new
+  end
+
+  def generate_preattack_payloads(params, seeds, injection_point)
+    values_list = if params.size - 1 <= 0
+      [[]]
+    elsif params.size - 1 == 1
+      seeds.map {|s| [s]}
+    else
+      Pairwise.combinations(*([seeds] * (params.size - 1)))
+    end
+
+    values_list.map do |values|
+      values.insert(injection_point, CRACKER_PAYLOAD)
+
+      Pentest::Payload.new(
+        params: params,
+        route: @route,
+        values: values,
+        injection_point: injection_point,
+        injection: CRACKER_PAYLOAD,
+      )
+    end.take(50)
+  end
+
+  def handle_query(sql)
+    @queries << [sql, caller]
+  end
+
+  def attack(param, injection_point, ingredients)
+    preattack_payloads = generate_preattack_payloads(@params, ingredients, injection_point)
+
+    errors = []
+
+    penetrated_payload = nil
+    preattack_payloads.shuffle.each do |payload|
+      request, response, err = dispatch(payload)
+      status = get_status(err) || response.status
+
+      Pentest::Logger.put_progress (status / 100).to_s
+
+      errors << normalize_error(err, payload)
+
+      if ::ActiveRecord::StatementInvalid === err
+        payload.penetration_type = 'SQL Injection Vulnerability'
+        payload.penetration_confidence = :preattack
+        penetrated_payload = payload
+        break
+      end
+    end
+
+    # preattack not succeeded. skipping
+    return [nil, errors] if penetrated_payload.nil?
+
+    # attack
+    attack_payloads = generate_attack_payloads(params, penetrated_payload.values, injection_point)
+
+    Pentest::SqlProxy.enable!(self.method(:handle_query))
+
+    attack_payloads.shuffle.each do |payload|
+      request, response, err = dispatch(payload)
+      status = get_status(err) || response.status
+
+      Pentest::Logger.put_progress (status / 100).to_s
+
+      errors << normalize_error(err, payload)
+
+      check_attack_result(payload, err);
+
+      if payload.penetration_confidence == :attack
+        penetrated_payload = payload
+        break
+      end
+    end
+
+    Pentest::SqlProxy.disable!(self.method(:handle_query))
+
+    [penetrated_payload, errors]
+  end
+
+  def generate_attack_payloads(params, values, injection_point)
+    SQLI_PAYLOADS.map do |injection|
+      new_values = values.dup
+      new_values[injection_point] = injection
+
+      Pentest::Payload.new(
+        params: params,
+        route: @route,
+        values: new_values,
+        injection_point: injection_point,
+        injection: injection,
+      )
+    end
+  end
+
+  def check_attack_result(payload, err)
+    @queries.each do |query, trace|
+      begin
+        stmt = @parser.parse(query.tr('`?', '"0'))
+      rescue RuntimeError => e
+        next
+      end
+
+      if query.include?(payload.injection) && !(GDA::Nodes::Unknown === stmt.ast)
+        tokens = extract_values(stmt.ast)
+        if tokens.all? {|token| !token.force_encoding("UTF-8").include? payload.injection}
+          callsites = Callsite.parse(trace)
+          project_call = callsites.find do |callsite|
+            callsite.filename.starts_with?(@app_path)
+          end
+          unless project_call.nil?
+            line = File.read(project_call.filename).lines[project_call.line - 1].rstrip
+          end
+
+          payload.penetration_type = 'SQL Injection Vulnerability'
+          payload.penetration_confidence = :attack
+          payload.penetration_message = [
+            *(line.nil? ? [] : [
+              "#{project_call.filename}:#{project_call.line}",
+              "> #{line}",
+            ]),
+            "Issued query: #{query.gsub(payload.injection, Term::ANSIColor.red(payload.injection))}",
+          ].join("\n")
+          break
+        end
+      end
+    end
+  end
+
+  def extract_values(stmt)
+    ret = []
+
+    if stmt.nil?
+      # nop
+    elsif stmt.is_a?(String)
+      ret << stmt
+    elsif stmt.is_a?(Integer)
+      ret << stmt.to_s
+    elsif stmt.is_a?(Array)
+      stmt.each do |s|
+        ret += extract_values(s)
+      end
+    elsif GDA::Nodes::Table === stmt
+      ret += extract_values(stmt.table_name)
+    elsif GDA::Nodes::Field === stmt
+      ret += extract_values(stmt.field_name)
+    elsif GDA::Nodes::Expr === stmt
+      ret += extract_values(stmt.func)
+      ret += extract_values(stmt.cond)
+      ret += extract_values(stmt.select)
+      ret += extract_values(stmt.case_s)
+      ret += extract_values(stmt.param_spec)
+      ret += extract_values(stmt.cast_as)
+      ret << stmt.value
+    elsif GDA::Nodes::Select === stmt
+      ret += extract_values(stmt.distinct_expr)
+      ret += extract_values(stmt.expr_list)
+      ret += extract_values(stmt.from)
+      ret += extract_values(stmt.where_cond)
+      ret += extract_values(stmt.group_by)
+      ret += extract_values(stmt.having_cond)
+      ret += extract_values(stmt.order_by)
+      ret += extract_values(stmt.limit_count)
+      ret += extract_values(stmt.limit_offset)
+    elsif GDA::Nodes::SelectField === stmt
+      ret += extract_values(stmt.expr)
+      ret += extract_values(stmt.field_name)
+      ret += extract_values(stmt.table_name)
+      ret += extract_values(stmt.as)
+    elsif GDA::Nodes::From === stmt
+      ret += extract_values(stmt.targets)
+      ret += extract_values(stmt.joins)
+    elsif GDA::Nodes::Operation === stmt
+      ret += extract_values(stmt.operands)
+    elsif GDA::Nodes::Target === stmt
+      ret += extract_values(stmt.expr)
+      ret += extract_values(stmt.table_name)
+      ret += extract_values(stmt.as)
+    elsif GDA::Nodes::Function === stmt
+      ret += extract_values(stmt.args_list)
+      ret += extract_values(stmt.function_name)
+    elsif GDA::Nodes::Order === stmt
+      ret += extract_values(stmt.expr)
+      ret += extract_values(stmt.collation_name)
+    elsif GDA::Nodes::Insert === stmt
+      ret += extract_values(stmt.table)
+      ret += extract_values(stmt.fields_list)
+      ret += extract_values(stmt.expr_list)
+      ret += extract_values(stmt.cond)
+      ret += extract_values(stmt.conflict)
+    elsif GDA::Nodes::Delete === stmt
+      ret += extract_values(stmt.table)
+      ret += extract_values(stmt.cond)
+    elsif GDA::Nodes::Join === stmt
+      ret += extract_values(stmt.expr)
+      ret += extract_values(stmt.use)
+      ret += extract_values(stmt.position)
+    elsif GDA::Nodes::Compound === stmt
+      ret += extract_values(stmt.compound_type)
+    elsif GDA::Nodes::Unknown === stmt
+      ret += extract_values(stmt.expressions)
+    end
+
+    ret
+  end
+end

data/lib/pentest/checkers/xss_checker.rb

@@ -0,0 +1,87 @@
+require 'pentest/checkers/base_checker'
+require 'pentest/payload'
+require 'term/ansicolor'
+require 'pairwise'
+
+class Pentest::XssChecker < Pentest::BaseChecker
+  Pentest::Checkers.add self
+
+  @description = "Checks for Cross-Site Scripting"
+
+  XSS_PAYLOADS = File.read(File.expand_path('../fuzzers/xss.txt', File.dirname(__FILE__)), encoding: 'utf-8').lines.map(&:strip).select {|l| l.size > 5 && l =~ /\W/}
+  CRACKER_PAYLOAD = %q(>>"<>=""'&<<"'&)
+
+  def initialize(endpoint, params)
+    super(endpoint, params)
+  end
+
+  def attack(param, injection_point, ingredients)
+    preattack_payloads = generate_preattack_payloads(@params, ingredients, injection_point)
+
+    errors = []
+
+    penetrated_payload = nil
+    preattack_payloads.shuffle.each do |payload|
+      request, response, err = dispatch(payload)
+      status = get_status(err) || response.status
+
+      Pentest::Logger.put_progress (status / 100).to_s
+
+      errors << normalize_error(err, payload)
+      document = Nokogiri::HTML(response.body)
+      document_errors = document.errors.reject {|e| is_allowable_error(e)}
+
+      if document_errors.any?
+        payload.penetration_type = 'Cross-Site Scripting Vulnerability'
+        payload.penetration_confidence = :preattack
+        payload.penetration_message = report_errors(response.body, document_errors)
+        penetrated_payload = payload
+        break
+      end
+    end
+
+    [penetrated_payload, errors]
+  end
+
+  def generate_preattack_payloads(params, seeds, injection_point)
+    values_list = if params.size - 1 <= 0
+      [[]]
+    elsif params.size - 1 == 1
+      seeds.map {|s| [s]}
+    else
+      Pairwise.combinations(*([seeds] * (params.size - 1)))
+    end
+
+    values_list.map do |values|
+      values.insert(injection_point, CRACKER_PAYLOAD)
+
+      Pentest::Payload.new(
+        params: params,
+        route: @route,
+        values: values,
+        injection_point: injection_point,
+        injection: CRACKER_PAYLOAD,
+      )
+    end.take(50)
+  end
+
+  private
+
+  def is_allowable_error(error)
+    error.to_s =~ /Tag \w+ invalid/ || error.to_s =~ /already defined/ || error.to_s =~ /Unexpected end tag/
+  end
+
+  def report_errors(body, errors)
+    body_lines = body.lines
+
+    error_strings = errors.map do |error|
+      lines = []
+      lines << error.to_s
+      lines << body_lines[error.line - 1].rstrip
+      lines << ' ' * (error.column - 1) + '^'
+      lines.join("\n")
+    end
+
+    error_strings.join("\n\n")
+  end
+end

data/lib/pentest/commandline.rb

@@ -0,0 +1,41 @@
+require 'optparse'
+
+module Pentest
+  # Implements Command-Line Interface of Pentest
+
+  class Commandline
+    class << self
+      # Runs everything:
+      def run default_app_path = "."
+        options, args = get_options
+
+        if args.size >= 1
+          options[:app_path] = args[0]
+        else
+          options[:app_path] = default_app_path
+        end
+
+        result = Pentest.run options.merge(:print_report => true)
+
+        if result.nil?
+          exit 0
+        else
+          exit 1
+        end
+      end
+
+      def get_options
+        options = {}
+        parser = create_option_parser options
+        args = parser.parse! ARGV
+        [options, args]
+      end
+
+      def create_option_parser options
+        OptionParser.new do |opts|
+          opts.banner = "Usage: pentest [options] rails/root/path"
+        end
+      end
+    end
+  end
+end

data/lib/pentest/dsl.rb

@@ -0,0 +1,15 @@
+module Pentest
+  module DSL
+    private
+
+    def pentest_setup(*args, &block)
+      Pentest::add_setup(*args, &block)
+    end
+
+    def pentest_before_attack(*args, &block)
+      Pentest::add_before_attack(*args, &block)
+    end
+  end
+end
+
+self.extend Pentest::DSL

data/lib/pentest/endpoint.rb

@@ -0,0 +1,149 @@
+require 'pentest/checkers'
+
+module Pentest
+  class Endpoint
+    attr_reader :route, :app_path
+
+    def initialize(route, app_path, hooks)
+      @route = route
+      @app_path = app_path
+      @hooks = hooks
+
+      @controller = route.defaults[:controller]
+      @action = route.defaults[:action]
+
+      return if @controller.nil? || @action.nil?
+
+      @controller_name = ::ActiveSupport::Inflector.camelize(@controller) + "Controller"
+      @controller_class = ::ActiveSupport::Inflector.constantize(@controller_name)
+
+      @error_patterns = Set.new
+    end
+
+    def valid?
+      !@controller.nil? && !@action.nil? && @controller_class.method_defined?(@action.to_sym)
+    end
+
+    def scan!(ingredients)
+      params = get_params
+
+      Logger.info "#{@route.verb} #{path}"
+      Logger.debug "Attacking #{@controller_class.inspect}##{@action}...", timestamp: false
+      Logger.debug "Detected Parameters: #{params.to_a.inspect}", timestamp: false
+
+      error_patterns = Set.new
+      penetrated_payloads = []
+
+      Logger.start_progress
+
+      Checkers.run_checkers(self, params) do |checker|
+        params.each_with_index do |param, injection_point|
+          penetrated_payload, errors = checker.attack(param, injection_point, ingredients)
+
+          accumulate_errors(errors)
+
+          unless penetrated_payload.nil?
+            penetrated_payloads << penetrated_payload
+          end
+        end
+      end
+
+      Logger.end_progress
+
+      @error_patterns.each do |error_pattern|
+        Logger.warn("Error: #{error_pattern}", timestamp: false)
+      end
+
+      penetrated_payloads
+    end
+
+    def dispatch(payload)
+      request = ActionDispatch::TestRequest.create
+      request.request_method = @route.verb
+      request.path = path(payload.params_hash)
+
+      @hooks[:before_attacks].each do |before_attack_proc|
+        before_attack_proc.call(request)
+      end
+
+      request.path_parameters = {
+        controller: @controller,
+        action: @action,
+      }
+
+      payload.params_hash.each do |param_parts, value|
+        if param_parts.size == 1
+          param, = param_parts
+          if @route.required_parts.include? param
+            request.path_parameters[param] = value
+          else
+            request.query_parameters[param] = value
+          end
+        elsif param_parts.size == 2
+          request.query_parameters[param_parts[0]] ||= {}
+          request.query_parameters[param_parts[0]][param_parts[1]] = value
+        end
+      end
+
+      request.path_parameters.each do |param, value|
+        request.update_param(param, value)
+      end
+
+      request.query_parameters.each do |param, value|
+        request.update_param(param, value)
+      end
+
+      response = ActionDispatch::TestResponse.create
+
+      err = nil
+      begin
+        @controller_class.new.dispatch(@action.to_sym, request, response)
+      rescue => e
+        err = e
+      end
+
+      [request, response, err]
+    end
+
+    private
+
+    def method
+      @controller_class.instance_method(@action.to_sym)
+    end
+
+    def path(options = {})
+      @route.required_parts.each do |part|
+        options[part] ||= ":#{part}"
+      end
+
+      @route.format(options)
+    end
+
+    def get_params
+      exp = RubyParser.get_sexp(method)
+      param_usages = AstUtils.search_for_params(exp)
+      deep_parameters = Set.new
+      non_deep_parameters = Set.new
+
+      param_usages.each do |param, type, method, arg|
+        if type == :callee && method == :[]
+          deep_parameters << [ param, arg[1] ]
+        else
+          non_deep_parameters << param
+        end
+      end
+
+      non_deep_parameters += @route.required_parts.map(&:to_sym)
+      non_deep_parameters -= deep_parameters.map {|a| a[0]}
+      deep_parameters.to_a + non_deep_parameters.map {|param| [param]}
+    end
+
+    def accumulate_errors(errors)
+      errors.each do |error|
+        unless error.nil?
+          @error_patterns << error
+        end
+      end
+    end
+  end
+end