watobo 0.9.12 → 0.9.13
Sign up to get free protection for your applications and to get access to all the features.
- data/.yardopts +2 -2
- data/{CHANGELOG → CHANGELOG.md} +62 -0
- data/README.md +30 -0
- data/bin/nfq_server.rb +4 -3
- data/bin/watobo_gui.rb +1 -1
- data/config/ott_cache.yml +4 -0
- data/config/scanner.yml +1 -18
- data/config/sid_cache.yml +14 -0
- data/extras/private-hostspot.sh +17 -0
- data/extras/watobo-installer.sh +61 -0
- data/extras/watobo-transparent.sh +38 -0
- data/icons/BestPractice_16x16.ico +0 -0
- data/icons/BestPractice_24x24.ico +0 -0
- data/lib/watobo/adapters/data_store.rb +25 -3
- data/lib/watobo/adapters/file/file_store.rb +19 -11
- data/lib/watobo/adapters/session_store.rb +3 -2
- data/lib/watobo/adapters.rb +1 -1
- data/lib/watobo/ca.rb +1 -1
- data/lib/watobo/config.rb +17 -19
- data/lib/watobo/constants.rb +3 -2
- data/lib/watobo/core/active_check.rb +62 -40
- data/lib/watobo/core/active_checks.rb +73 -0
- data/lib/watobo/core/ca.rb +3 -2
- data/lib/watobo/core/cert_store.rb +3 -2
- data/lib/watobo/core/chat.rb +122 -0
- data/lib/watobo/core/chats.rb +301 -0
- data/lib/watobo/core/conversation.rb +71 -0
- data/lib/watobo/core/cookie.rb +9 -25
- data/lib/watobo/core/finding.rb +89 -0
- data/lib/watobo/core/findings.rb +132 -0
- data/lib/watobo/core/forwarding_proxy.rb +4 -2
- data/lib/watobo/core/fuzz_gen.rb +3 -2
- data/lib/watobo/core/intercept_carver.rb +24 -12
- data/lib/watobo/core/intercept_filter.rb +4 -3
- data/lib/watobo/core/interceptor.rb +9 -888
- data/lib/watobo/core/min_class.rb +27 -0
- data/lib/watobo/core/netfilter_queue.rb +3 -2
- data/lib/watobo/core/ott_cache.rb +156 -0
- data/lib/watobo/core/parameter.rb +66 -0
- data/lib/watobo/core/passive_check.rb +15 -22
- data/lib/watobo/core/passive_checks.rb +72 -0
- data/lib/watobo/core/passive_scanner.rb +69 -0
- data/lib/watobo/core/plugin.rb +33 -0
- data/lib/watobo/core/project.rb +40 -547
- data/lib/watobo/core/proxy.rb +7 -2
- data/lib/watobo/core/request.rb +95 -10
- data/lib/watobo/core/response.rb +44 -3
- data/lib/watobo/core/scanner.rb +6 -7
- data/lib/watobo/core/scanner3.rb +439 -0
- data/lib/watobo/core/scope.rb +106 -0
- data/lib/watobo/core/session.rb +106 -286
- data/lib/watobo/core/sid_cache.rb +121 -0
- data/lib/watobo/core/subscriber.rb +48 -0
- data/lib/watobo/core.rb +2 -2
- data/lib/watobo/defaults.rb +3 -2
- data/lib/watobo/external/diff/lcs/array.rb +1 -1
- data/lib/watobo/external/diff/lcs/block.rb +1 -1
- data/lib/watobo/external/diff/lcs/callbacks.rb +1 -1
- data/lib/watobo/external/diff/lcs/change.rb +1 -1
- data/lib/watobo/external/diff/lcs/hunk.rb +1 -1
- data/lib/watobo/external/diff/lcs/ldiff.rb +1 -1
- data/lib/watobo/external/diff/lcs/string.rb +1 -1
- data/lib/watobo/external/diff/lcs.rb +1 -1
- data/lib/watobo/external/ntlm/ntlm.rb +1 -1
- data/lib/watobo/externals.rb +1 -1
- data/lib/watobo/framework/create_project.rb +19 -12
- data/lib/watobo/framework/init.rb +4 -3
- data/lib/watobo/framework/init_modules.rb +32 -3
- data/lib/watobo/framework/license_text.rb +3 -2
- data/lib/watobo/framework/load_chat.rb +36 -0
- data/lib/watobo/framework.rb +2 -2
- data/lib/watobo/gui/about_watobo.rb +3 -2
- data/lib/watobo/gui/browser_preview.rb +4 -3
- data/lib/watobo/gui/certificate_dialog.rb +3 -2
- data/lib/watobo/gui/chat_diff.rb +6 -14
- data/lib/watobo/gui/chatviewer_frame.rb +30 -5
- data/lib/watobo/gui/checkboxtree.rb +13 -12
- data/lib/watobo/gui/checks_policy_frame.rb +8 -10
- data/lib/watobo/gui/client_cert_dialog.rb +8 -6
- data/lib/watobo/gui/confirm_scan_dialog.rb +5 -3
- data/lib/watobo/gui/conversation_table.rb +288 -51
- data/lib/watobo/gui/conversation_table_ctrl.rb +36 -3
- data/lib/watobo/gui/conversation_table_ctrl2.rb +416 -0
- data/lib/watobo/gui/csrf_token_dialog.rb +25 -33
- data/lib/watobo/gui/dashboard.rb +47 -45
- data/lib/watobo/gui/define_scope_frame.rb +27 -22
- data/lib/watobo/gui/differ_frame.rb +238 -0
- data/lib/watobo/gui/edit_comment.rb +3 -2
- data/lib/watobo/gui/edit_scope_dialog.rb +7 -6
- data/lib/watobo/gui/finding_info.rb +3 -2
- data/lib/watobo/gui/findings_tree.rb +101 -26
- data/lib/watobo/gui/full_scan_dialog.rb +5 -6
- data/lib/watobo/gui/fuzzer_gui.rb +51 -18
- data/lib/watobo/gui/goto_url_dialog.rb +92 -0
- data/lib/watobo/gui/hex_viewer.rb +16 -5
- data/lib/watobo/gui/html_viewer.rb +309 -0
- data/lib/watobo/gui/intercept_filter_dialog.rb +3 -2
- data/lib/watobo/gui/interceptor_gui.rb +5 -4
- data/lib/watobo/gui/interceptor_settings_dialog.rb +4 -3
- data/lib/watobo/gui/list_box.rb +4 -3
- data/lib/watobo/gui/log_file_viewer.rb +55 -0
- data/lib/watobo/gui/log_viewer.rb +3 -82
- data/lib/watobo/gui/login_wizzard.rb +3 -3
- data/lib/watobo/gui/main_window.rb +183 -164
- data/lib/watobo/gui/manual_request_editor.rb +157 -642
- data/lib/watobo/gui/master_pw_dialog.rb +3 -2
- data/lib/watobo/gui/mixins/gui_settings.rb +3 -2
- data/lib/watobo/gui/page_tree.rb +3 -2
- data/lib/watobo/gui/password_policy_dialog.rb +3 -2
- data/lib/watobo/gui/plugin_board.rb +103 -73
- data/lib/watobo/gui/preferences_dialog.rb +3 -2
- data/lib/watobo/gui/progress_window.rb +3 -2
- data/lib/watobo/gui/project_wizzard.rb +3 -2
- data/lib/watobo/gui/proxy_dialog.rb +3 -2
- data/lib/watobo/gui/quick_scan_dialog.rb +17 -32
- data/lib/watobo/gui/request_builder_frame.rb +134 -0
- data/lib/watobo/gui/request_editor.rb +14 -9
- data/lib/watobo/gui/rewrite_filters_dialog.rb +4 -3
- data/lib/watobo/gui/rewrite_rules_dialog.rb +4 -3
- data/lib/watobo/gui/save_chat_dialog.rb +7 -3
- data/lib/watobo/gui/scanner_settings_dialog.rb +4 -3
- data/lib/watobo/gui/select_chat_dialog.rb +15 -25
- data/lib/watobo/gui/session_management_dialog.rb +21 -25
- data/lib/watobo/gui/sites_tree.rb +5 -4
- data/lib/watobo/gui/status_bar.rb +3 -2
- data/lib/watobo/gui/table_editor.rb +398 -386
- data/lib/watobo/gui/tagless_viewer.rb +3 -2
- data/lib/watobo/gui/templates/plugin.rb +3 -2
- data/lib/watobo/gui/templates/plugin2.rb +4 -3
- data/lib/watobo/gui/templates/plugin_base.rb +168 -0
- data/lib/watobo/gui/text_viewer.rb +49 -3
- data/lib/watobo/gui/transcoder_window.rb +3 -2
- data/lib/watobo/gui/utils/gui_utils.rb +5 -4
- data/lib/watobo/gui/utils/init_icons.rb +5 -2
- data/lib/watobo/gui/utils/load_icons.rb +3 -2
- data/lib/watobo/gui/utils/load_plugins.rb +22 -5
- data/lib/watobo/gui/utils/master_password.rb +3 -2
- data/lib/watobo/gui/utils/save_default_settings.rb +7 -5
- data/lib/watobo/gui/utils/save_project_settings.rb +1 -1
- data/lib/watobo/gui/utils/save_proxy_settings.rb +4 -3
- data/lib/watobo/gui/utils/save_scanner_settings.rb +5 -4
- data/lib/watobo/gui/utils/session_history.rb +3 -2
- data/lib/watobo/gui/workspace_dialog.rb +3 -2
- data/lib/watobo/gui/www_auth_dialog.rb +4 -3
- data/lib/watobo/gui/xml_viewer_frame.rb +3 -2
- data/lib/watobo/gui.rb +6 -3
- data/lib/watobo/http/cookies/cookies.rb +66 -0
- data/lib/watobo/http/data/data.rb +68 -0
- data/lib/watobo/{gui/mixins/subscriber.rb → http/url/url.rb} +33 -19
- data/lib/watobo/http_socket/agent.rb +851 -0
- data/lib/watobo/http_socket/client_socket.rb +290 -0
- data/lib/watobo/http_socket/connection.rb +423 -0
- data/lib/watobo/http_socket/http_socket.rb +273 -0
- data/lib/watobo/http_socket/ntlm_auth.rb +152 -0
- data/lib/watobo/http_socket/proxy.rb +31 -0
- data/lib/watobo/http_socket.rb +25 -0
- data/lib/watobo/interceptor/proxy.rb +883 -0
- data/lib/watobo/interceptor/transparent.rb +37 -0
- data/lib/watobo/interceptor.rb +25 -0
- data/lib/watobo/mixins/check_info.rb +50 -0
- data/lib/watobo/mixins/httpparser.rb +92 -20
- data/lib/watobo/mixins/request_parser.rb +103 -88
- data/lib/watobo/mixins/shapers.rb +42 -11
- data/lib/watobo/mixins/transcoders.rb +61 -57
- data/lib/watobo/mixins.rb +3 -2
- data/lib/watobo/parser/html.rb +106 -0
- data/lib/watobo/parser.rb +22 -0
- data/lib/watobo/utils/check_regex.rb +3 -2
- data/lib/watobo/utils/copy_object.rb +3 -2
- data/lib/watobo/utils/crypto.rb +3 -2
- data/lib/watobo/utils/expand_range.rb +3 -2
- data/lib/watobo/utils/file_management.rb +7 -3
- data/lib/watobo/utils/hexprint.rb +3 -2
- data/lib/watobo/utils/load_chat.rb +4 -3
- data/lib/watobo/utils/load_icon.rb +3 -2
- data/lib/watobo/utils/print_debug.rb +3 -2
- data/lib/watobo/utils/response_builder.rb +6 -4
- data/lib/watobo/utils/response_hash.rb +66 -49
- data/lib/watobo/utils/secure_eval.rb +3 -2
- data/lib/watobo/utils/strings.rb +3 -2
- data/lib/watobo/utils/text2request.rb +4 -5
- data/lib/watobo/utils/url.rb +46 -0
- data/lib/watobo/utils.rb +3 -2
- data/lib/watobo.rb +13 -3
- data/modules/active/Apache/mod_status.rb +15 -11
- data/modules/active/Flash/crossdomain.rb +17 -14
- data/modules/active/RoR/cve_2013_015x.rb +21 -0
- data/modules/active/directories/dirwalker.rb +10 -16
- data/modules/active/discovery/fileextensions.rb +10 -7
- data/modules/active/discovery/http_methods.rb +8 -9
- data/modules/active/domino/domino_db.rb +10 -11
- data/modules/active/dotNET/custom_errors.rb +124 -0
- data/modules/active/dotNET/dotnet_files.rb +112 -0
- data/modules/active/fileinclusion/lfi_simple.rb +9 -7
- data/modules/active/jboss/jboss_basic.rb +12 -9
- data/modules/active/sap/its_commands.rb +10 -9
- data/modules/active/sap/its_service_parameter.rb +10 -9
- data/modules/active/sap/its_services.rb +10 -9
- data/modules/active/sap/its_xss.rb +11 -10
- data/modules/active/siebel/siebel_apps.rb +14 -16
- data/modules/active/sqlinjection/sql_boolean.rb +139 -75
- data/modules/active/sqlinjection/sqli_error.rb +9 -6
- data/modules/active/sqlinjection/sqli_timing.rb +13 -11
- data/modules/active/xml/xml_xxe.rb +134 -0
- data/modules/active/xss/{xss_rated.rb → xss_ng.rb} +89 -56
- data/modules/active/xss/xss_simple.rb +9 -6
- data/modules/passive/ajax.rb +85 -0
- data/modules/passive/autocomplete.rb +78 -0
- data/modules/passive/cookie_options.rb +3 -2
- data/modules/passive/cookie_xss.rb +3 -2
- data/modules/passive/detect_code.rb +7 -4
- data/modules/passive/detect_fileupload.rb +3 -2
- data/modules/passive/detect_infrastructure.rb +7 -4
- data/modules/passive/detect_one_time_tokens.rb +3 -2
- data/modules/passive/dirindexing.rb +3 -2
- data/modules/passive/disclosure_domino.rb +3 -2
- data/modules/passive/disclosure_emails.rb +3 -2
- data/modules/passive/disclosure_ipaddr.rb +3 -2
- data/modules/passive/filename_as_parameter.rb +3 -2
- data/modules/passive/form_spotter.rb +10 -7
- data/modules/passive/hidden_fields.rb +73 -0
- data/modules/passive/hotspots.rb +7 -4
- data/modules/passive/in_script_parameter.rb +3 -2
- data/modules/passive/multiple_server_headers.rb +4 -3
- data/modules/passive/possible_login.rb +3 -2
- data/modules/passive/redirect_url.rb +3 -2
- data/modules/passive/redirectionz.rb +6 -3
- data/modules/passive/xss_dom.rb +16 -9
- data/plugins/catalog/catalog.rb +119 -193
- data/plugins/crawler/crawler.rb +4 -3
- data/plugins/crawler/gui/auth_frame.rb +3 -2
- data/plugins/crawler/gui/crawler_gui.rb +3 -2
- data/plugins/crawler/gui/general_settings_frame.rb +3 -2
- data/plugins/crawler/gui/hooks_frame.rb +3 -2
- data/plugins/crawler/gui/scope_frame.rb +3 -2
- data/plugins/crawler/gui/settings_tabbook.rb +3 -2
- data/plugins/crawler/gui/status_frame.rb +3 -2
- data/plugins/crawler/gui.rb +3 -2
- data/plugins/crawler/lib/bags.rb +3 -2
- data/plugins/crawler/lib/constants.rb +3 -2
- data/plugins/crawler/lib/engine.rb +3 -2
- data/plugins/crawler/lib/grabber.rb +3 -2
- data/plugins/crawler/lib/uri_mp.rb +1 -1
- data/plugins/filefinder/filefinder.rb +92 -70
- data/plugins/sqlmap/bin/test.rb +3 -2
- data/plugins/sqlmap/gui/main.rb +3 -2
- data/plugins/sqlmap/gui/options_frame.rb +4 -3
- data/plugins/sqlmap/gui.rb +1 -1
- data/plugins/sqlmap/lib/sqlmap_ctrl.rb +3 -2
- data/plugins/sqlmap/sqlmap.rb +1 -1
- data/plugins/sslchecker/cli/sslchecker_cli.rb +1 -1
- data/plugins/sslchecker/gui/cipher_table.rb +17 -10
- data/plugins/sslchecker/gui/gui.rb +59 -56
- data/plugins/sslchecker/gui/sslchecker.rb +1 -1
- data/plugins/sslchecker/lib/check.rb +43 -18
- data/plugins/wshell/gui/main.rb +130 -0
- data/plugins/wshell/icons/wsh.ico +0 -0
- data/plugins/wshell/lib/core.rb +99 -0
- data/plugins/wshell/wshell.rb +33 -0
- metadata +80 -8
- data/README +0 -26
- data/lib/watobo/core/http_socket.rb +0 -161
- data/lib/watobo/gui/plugin/base.rb +0 -82
@@ -1,7 +1,7 @@
|
|
1
1
|
# .
|
2
|
-
#
|
2
|
+
# xss_ng.rb
|
3
3
|
#
|
4
|
-
# Copyright
|
4
|
+
# Copyright 2013 by siberas, http://www.siberas.de
|
5
5
|
#
|
6
6
|
# This file is part of WATOBO (Web Application Tool Box)
|
7
7
|
# http://watobo.sourceforge.com
|
@@ -19,18 +19,16 @@
|
|
19
19
|
# along with WATOBO; if not, write to the Free Software
|
20
20
|
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
21
21
|
# .
|
22
|
-
|
22
|
+
# @private
|
23
|
+
module Watobo#:nodoc: all
|
23
24
|
module Modules
|
24
25
|
module Active
|
25
26
|
module Xss
|
26
27
|
|
27
28
|
|
28
|
-
class
|
29
|
+
class Xss_ng < Watobo::ActiveCheck
|
29
30
|
|
30
|
-
|
31
|
-
super(project, prefs)
|
32
|
-
|
33
|
-
threat =<<'EOF'
|
31
|
+
threat =<<'EOF'
|
34
32
|
Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance.
|
35
33
|
A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser
|
36
34
|
within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to
|
@@ -49,49 +47,65 @@ EOF
|
|
49
47
|
measure = "All user input should be filtered and/or escaped using a method appropriate for the output context"
|
50
48
|
|
51
49
|
@info.update(
|
52
|
-
:check_name => '
|
50
|
+
:check_name => 'NextGeneration Cross Site Scripting Checks', # name of check which briefly describes functionality, will be used for tree and progress views
|
53
51
|
:check_group => AC_GROUP_XSS,
|
54
|
-
:description => "
|
52
|
+
:description => "XSS Checks with rating. Additional parameters are created by extracting input fields (name/value pairs) of the original response.", # description of checkfunction
|
55
53
|
:author => "Andreas Schmidt", # author of check
|
56
54
|
:version => "1.0" # check version
|
57
55
|
)
|
58
56
|
|
59
57
|
@finding.update(
|
60
58
|
:threat => threat, # thread of vulnerability, e.g. loss of information
|
61
|
-
:class => "Reflected XSS
|
59
|
+
:class => "Reflected XSS", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
|
62
60
|
:type => FINDING_TYPE_VULN, # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
|
63
61
|
:rating => VULN_RATING_HIGH,
|
64
62
|
:measure => measure
|
65
63
|
)
|
64
|
+
|
65
|
+
def initialize(project, prefs={})
|
66
|
+
super(project, prefs)
|
67
|
+
|
66
68
|
|
67
|
-
@envelop =
|
69
|
+
@envelop = "watobo"
|
70
|
+
@env_count = 0
|
68
71
|
@evasions = [ "%0a", "%00"]
|
69
72
|
@xss_chars= %w( < > ' " )
|
70
73
|
@escape_chars = ['\\']
|
74
|
+
@additional_parms = []
|
75
|
+
|
76
|
+
def reset
|
77
|
+
@additional_parms = []
|
78
|
+
@env_count = 0
|
79
|
+
end
|
80
|
+
|
71
81
|
|
72
82
|
end
|
73
83
|
|
74
84
|
|
75
85
|
def generateChecks(chat)
|
76
|
-
|
77
|
-
|
78
|
-
|
79
|
-
|
86
|
+
begin
|
87
|
+
#
|
88
|
+
if chat.response.respond_to? :input_fields
|
89
|
+
chat.response.input_fields do |field|
|
90
|
+
@additional_parms << field.to_www_form_parm if chat.request.method_post?
|
91
|
+
@additional_parms << field.to_url_parm
|
92
|
+
|
93
|
+
end
|
94
|
+
end
|
80
95
|
|
81
|
-
|
82
|
-
|
83
|
-
|
84
|
-
|
85
|
-
|
96
|
+
@parm_list = chat.request.parameters(:data, :url)
|
97
|
+
@parm_list.concat @additional_parms
|
98
|
+
@parm_list.each do |parm|
|
99
|
+
#log_console( "#{parm.location} - #{parm.name} = #{parm.value}")
|
100
|
+
|
86
101
|
checks = []
|
87
102
|
@xss_chars.each do |xss|
|
88
|
-
|
89
|
-
|
90
|
-
|
91
|
-
|
92
|
-
checks << [
|
93
|
-
checks << [xss.dup, "#{
|
94
|
-
checks << [xss.dup, "#{tp}#{pval}", pattern ]
|
103
|
+
@env_count += 1
|
104
|
+
|
105
|
+
check_id = "#{@envelop}#{@env_count}"
|
106
|
+
checks << [ xss.dup, "#{xss}", check_id ]
|
107
|
+
checks << [xss.dup, "#{parm.value}#{xss}", check_id ]
|
108
|
+
checks << [xss.dup, "#{xss}#{parm.value}", check_id ]
|
95
109
|
|
96
110
|
end
|
97
111
|
checker = proc {
|
@@ -99,13 +113,32 @@ EOF
|
|
99
113
|
rating = 0
|
100
114
|
test_request = nil
|
101
115
|
test_response = nil
|
102
|
-
|
116
|
+
|
117
|
+
# first we check, if parameter is injectable
|
118
|
+
test = chat.copyRequest
|
119
|
+
|
120
|
+
proof = "INJ#{Time.now.to_i.to_s}"
|
121
|
+
parm.value = proof
|
122
|
+
test.set parm
|
123
|
+
|
124
|
+
test_request,test_response = doRequest(test)
|
125
|
+
|
126
|
+
|
127
|
+
next [ test_request, test_response ] unless test_response.has_body?
|
128
|
+
|
129
|
+
next [ test_request, test_response ] unless test_response.body =~ /#{proof}/i
|
130
|
+
|
103
131
|
|
104
|
-
checks.each do |xss, check,
|
132
|
+
checks.each do |xss, check, check_id|
|
133
|
+
|
134
|
+
# accept only one (escape) char between check_id and check string
|
135
|
+
proof = "#{check_id}([^#{Regexp.quote(check)}]?(#{Regexp.quote(check)}){1})"
|
105
136
|
next if results.has_key? xss
|
106
137
|
test = chat.copyRequest
|
107
|
-
|
108
|
-
|
138
|
+
|
139
|
+
parm.value = check_id + CGI.escape(check)
|
140
|
+
test.set parm
|
141
|
+
|
109
142
|
test_request,test_response = doRequest(test)
|
110
143
|
|
111
144
|
if not test_response then
|
@@ -115,8 +148,8 @@ EOF
|
|
115
148
|
end
|
116
149
|
elsif test_response.join =~ /#{proof}/i
|
117
150
|
match = $1
|
118
|
-
#
|
119
|
-
if match ==
|
151
|
+
#puts "MATCH: [ #{match} ] / [ #{check} ]"
|
152
|
+
if match == check
|
120
153
|
results[xss] = { :match => :full, :check => check, :proof => proof }
|
121
154
|
end
|
122
155
|
|
@@ -124,67 +157,67 @@ EOF
|
|
124
157
|
@escape_chars.each do |ec|
|
125
158
|
ep = Regexp.quote("#{ec}#{xss}")
|
126
159
|
# puts "Escaped: #{match} / #{ep}"
|
127
|
-
results[xss] = { :match => :escaped, :check => check, :proof => proof} if match =~ /#{ep}/
|
160
|
+
results[xss] = { :match => :escaped, :check => check, :proof => proof, :escape_char => "#{ec}"} if match =~ /#{ep}/
|
128
161
|
end
|
129
162
|
end
|
130
163
|
|
131
|
-
results[xss] = { :match => :modified, :check => check, :proof => proof } unless results.has_key? xss
|
132
|
-
|
133
164
|
end
|
134
|
-
|
165
|
+
|
135
166
|
end
|
136
167
|
|
137
|
-
|
168
|
+
puts results.to_yaml if $DEBUG
|
138
169
|
xss_combo = ""
|
170
|
+
combo_patterns = []
|
139
171
|
results.each do |k,v|
|
140
172
|
mp = CGI.escape(k)
|
141
173
|
rp = CGI.escape(@xss_chars.join)
|
174
|
+
xss_combo += CGI.escape(k)
|
175
|
+
#puts "[#{k}] - #{v}"
|
142
176
|
case v[:match]
|
177
|
+
|
143
178
|
when :full
|
144
|
-
rating += 100/@xss_chars.length
|
145
|
-
|
179
|
+
rating += 100/@xss_chars.length
|
180
|
+
combo_patterns << k
|
146
181
|
when :escaped
|
147
182
|
rating += 100/(@xss_chars.length*4)
|
148
|
-
|
149
|
-
when :modified
|
150
|
-
rating += 100/(@xss_chars.length*4)
|
151
|
-
xss_combo = v[:check].gsub(/#{mp}/, rp) if xss_combo.empty?
|
183
|
+
combo_patterns << Regexp.quote("#{v[:escape_char]}#{k}")
|
152
184
|
end
|
153
185
|
end
|
154
186
|
|
155
187
|
if rating > 0
|
156
188
|
test = chat.copyRequest
|
157
|
-
puts "COMBO-REQUEST: #{xss_combo}"
|
158
|
-
|
189
|
+
#puts "COMBO-REQUEST: #{xss_combo}"
|
190
|
+
parm.value = "#{@envelop}#{@env_count}#{xss_combo}"
|
191
|
+
pattern = "(#{@envelop}#{@env_count}(#{combo_patterns.join("|")})+)"
|
192
|
+
test.set parm
|
159
193
|
|
160
|
-
# puts "Reflected XSS: #{ts}"
|
161
|
-
# pattern = "#{@envelop[0]}[^#{@envelop[0]}]*(\\\\)?#{@xss_chars.join('(\\\\)?')}#{@envelop[1]}"
|
162
194
|
match = ""
|
163
|
-
|
195
|
+
|
164
196
|
test_request,test_response = doRequest(test)
|
165
197
|
if not test_response then
|
166
198
|
puts "got no response :("
|
167
199
|
elsif test_response.join =~ /#{pattern}/i
|
168
200
|
match = $1
|
169
|
-
puts "MATCH: #{match}"
|
201
|
+
#puts "MATCH: #{match}"
|
170
202
|
end
|
171
203
|
|
204
|
+
fclass = "Reflected XSS - #{rating}%"
|
205
|
+
fclass = "Reflected XSS (POST) - #{rating}%" if parm.location == :data
|
172
206
|
addFinding( test_request, test_response,
|
173
207
|
:check_pattern => xss_combo,
|
174
208
|
:proof_pattern => "#{match}",
|
175
|
-
:test_item => parm,
|
176
|
-
:class =>
|
209
|
+
:test_item => parm.name,
|
210
|
+
:class => fclass,
|
177
211
|
:chat => chat,
|
178
|
-
:title => "[#{parm}
|
212
|
+
:title => "[#{parm.name}] - #{test_request.path}"
|
179
213
|
)
|
180
214
|
end
|
181
|
-
|
215
|
+
|
182
216
|
[ test_request, test_response ]
|
183
217
|
}
|
184
218
|
yield checker
|
185
219
|
|
186
220
|
end
|
187
|
-
|
188
221
|
|
189
222
|
rescue => bang
|
190
223
|
puts bang
|
@@ -1,7 +1,7 @@
|
|
1
1
|
# .
|
2
2
|
# xss_simple.rb
|
3
3
|
#
|
4
|
-
# Copyright
|
4
|
+
# Copyright 2013 by siberas, http://www.siberas.de
|
5
5
|
#
|
6
6
|
# This file is part of WATOBO (Web Application Tool Box)
|
7
7
|
# http://watobo.sourceforge.com
|
@@ -19,7 +19,8 @@
|
|
19
19
|
# along with WATOBO; if not, write to the Free Software
|
20
20
|
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
21
21
|
# .
|
22
|
-
|
22
|
+
# @private
|
23
|
+
module Watobo#:nodoc: all
|
23
24
|
module Modules
|
24
25
|
module Active
|
25
26
|
module Xss
|
@@ -27,10 +28,7 @@ module Watobo
|
|
27
28
|
|
28
29
|
class Xss_simple < Watobo::ActiveCheck
|
29
30
|
|
30
|
-
|
31
|
-
super(project, prefs)
|
32
|
-
|
33
|
-
threat =<<'EOF'
|
31
|
+
threat =<<'EOF'
|
34
32
|
Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance.
|
35
33
|
A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser
|
36
34
|
within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to
|
@@ -63,6 +61,11 @@ EOF
|
|
63
61
|
:rating => VULN_RATING_HIGH,
|
64
62
|
:measure => measure
|
65
63
|
)
|
64
|
+
|
65
|
+
def initialize(project, prefs={})
|
66
|
+
super(project, prefs)
|
67
|
+
|
68
|
+
|
66
69
|
|
67
70
|
@xss_checks=[
|
68
71
|
["<script>watobo</script>", "<script>watobo</script>"],
|
@@ -0,0 +1,85 @@
|
|
1
|
+
# .
|
2
|
+
# ajax.rb
|
3
|
+
#
|
4
|
+
# Copyright 2013 by siberas, http://www.siberas.de
|
5
|
+
#
|
6
|
+
# This file is part of WATOBO (Web Application Tool Box)
|
7
|
+
# http://watobo.sourceforge.com
|
8
|
+
#
|
9
|
+
# WATOBO is free software; you can redistribute it and/or modify
|
10
|
+
# it under the terms of the GNU General Public License as published by
|
11
|
+
# the Free Software Foundation version 2 of the License.
|
12
|
+
#
|
13
|
+
# WATOBO is distributed in the hope that it will be useful,
|
14
|
+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
15
|
+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
16
|
+
# GNU General Public License for more details.
|
17
|
+
#
|
18
|
+
# You should have received a copy of the GNU General Public License
|
19
|
+
# along with WATOBO; if not, write to the Free Software
|
20
|
+
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
21
|
+
# .
|
22
|
+
require 'cgi'
|
23
|
+
|
24
|
+
# @private
|
25
|
+
module Watobo#:nodoc: all
|
26
|
+
module Modules
|
27
|
+
module Passive
|
28
|
+
|
29
|
+
|
30
|
+
class Ajax < Watobo::PassiveCheck
|
31
|
+
|
32
|
+
def initialize(project)
|
33
|
+
@project = project
|
34
|
+
super(project)
|
35
|
+
|
36
|
+
@info.update(
|
37
|
+
:check_name => 'Ajax', # name of check which briefly describes functionality, will be used for tree and progress views
|
38
|
+
:description => "Spots Ajax Frameworks like jQuery.", # description of checkfunction
|
39
|
+
:author => "Andreas Schmidt", # author of check
|
40
|
+
:version => "1.0" # check version
|
41
|
+
)
|
42
|
+
|
43
|
+
@finding.update(
|
44
|
+
:threat => 'Framework may contain vulnerabilities.', # thread of vulnerability, e.g. loss of information
|
45
|
+
:class => "Ajax Framework", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
|
46
|
+
:type => FINDING_TYPE_INFO # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
|
47
|
+
)
|
48
|
+
|
49
|
+
@fw_patterns = []
|
50
|
+
@fw_patterns << { :name => 'jQuery', :pattern => 'jQuery v([0-9\.]*) jquery.com'}
|
51
|
+
end
|
52
|
+
|
53
|
+
def showError(chatid, message)
|
54
|
+
puts "!!! Error"
|
55
|
+
puts "Chat: [#{chatid}]"
|
56
|
+
puts message
|
57
|
+
end
|
58
|
+
|
59
|
+
def do_test(chat)
|
60
|
+
begin
|
61
|
+
|
62
|
+
return true unless chat.response.content_type =~ /(text|script)/
|
63
|
+
|
64
|
+
@fw_patterns.each do |pattern|
|
65
|
+
if chat.response.body =~ /#{pattern[:pattern]}/i then
|
66
|
+
version = $1.strip
|
67
|
+
addFinding(
|
68
|
+
:check_pattern => "#{pattern[:pattern]}",
|
69
|
+
:proof_pattern => "#{pattern}",
|
70
|
+
:chat=>chat,
|
71
|
+
:title =>"[ #{pattern[:name]} #{version} ] - #{chat.request.path}",
|
72
|
+
)
|
73
|
+
|
74
|
+
end
|
75
|
+
end
|
76
|
+
rescue => bang
|
77
|
+
# raise
|
78
|
+
showError(chat.id, bang)
|
79
|
+
end
|
80
|
+
end
|
81
|
+
|
82
|
+
end
|
83
|
+
end
|
84
|
+
end
|
85
|
+
end
|
@@ -0,0 +1,78 @@
|
|
1
|
+
# .
|
2
|
+
# autocomplete.rb
|
3
|
+
#
|
4
|
+
# Copyright 2013 by siberas, http://www.siberas.de
|
5
|
+
#
|
6
|
+
# This file is part of WATOBO (Web Application Tool Box)
|
7
|
+
# http://watobo.sourceforge.com
|
8
|
+
#
|
9
|
+
# WATOBO is free software; you can redistribute it and/or modify
|
10
|
+
# it under the terms of the GNU General Public License as published by
|
11
|
+
# the Free Software Foundation version 2 of the License.
|
12
|
+
#
|
13
|
+
# WATOBO is distributed in the hope that it will be useful,
|
14
|
+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
15
|
+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
16
|
+
# GNU General Public License for more details.
|
17
|
+
#
|
18
|
+
# You should have received a copy of the GNU General Public License
|
19
|
+
# along with WATOBO; if not, write to the Free Software
|
20
|
+
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
21
|
+
# .
|
22
|
+
# @private
|
23
|
+
module Watobo#:nodoc: all
|
24
|
+
module Modules
|
25
|
+
module Passive
|
26
|
+
|
27
|
+
|
28
|
+
class Autocomplete < Watobo::PassiveCheck
|
29
|
+
def initialize(project)
|
30
|
+
@project = project
|
31
|
+
super(project)
|
32
|
+
|
33
|
+
@info.update(
|
34
|
+
:check_name => 'Password AutoComplete', # name of check which briefly describes functionality, will be used for tree and progress views
|
35
|
+
:description => "Checks Password Fields For AutoCompletion", # description of checkfunction
|
36
|
+
:author => "Andreas Schmidt", # author of check
|
37
|
+
:version => "0.9" # check version
|
38
|
+
)
|
39
|
+
|
40
|
+
@finding.update(
|
41
|
+
:threat => 'Password values may be stored on the local filesystem.', # thread of vulnerability, e.g. loss of information
|
42
|
+
:class => "Password Autocompletion", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
|
43
|
+
:type => FINDING_TYPE_VULN, # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
|
44
|
+
:rating => VULN_RATING_LOW,
|
45
|
+
:measure => "The form field should have an attribute autocomplete=\"off\""
|
46
|
+
)
|
47
|
+
end
|
48
|
+
|
49
|
+
def do_test(chat)
|
50
|
+
begin
|
51
|
+
|
52
|
+
if chat.response.respond_to? :input_fields
|
53
|
+
chat.response.input_fields do |f|
|
54
|
+
|
55
|
+
ac = f.autocomplete.nil? ? "" : f.autocomplete
|
56
|
+
|
57
|
+
if f.type =~ /password/i and ( ac =~ /off/i or ac.empty? )
|
58
|
+
addFinding(
|
59
|
+
:proof_pattern => "input[^>]*type=[^>=]*password.*>{1}",
|
60
|
+
:title => "#{chat.request.file}",
|
61
|
+
:chat => chat
|
62
|
+
)
|
63
|
+
end
|
64
|
+
end
|
65
|
+
end
|
66
|
+
rescue => bang
|
67
|
+
# raise
|
68
|
+
puts "ERROR!! #{Module.nesting[0].name}"
|
69
|
+
puts bang
|
70
|
+
puts bang.backtrace if $DEBUG
|
71
|
+
end
|
72
|
+
return false
|
73
|
+
end
|
74
|
+
end
|
75
|
+
|
76
|
+
end
|
77
|
+
end
|
78
|
+
end
|
@@ -1,7 +1,7 @@
|
|
1
1
|
# .
|
2
2
|
# cookie_options.rb
|
3
3
|
#
|
4
|
-
# Copyright
|
4
|
+
# Copyright 2013 by siberas, http://www.siberas.de
|
5
5
|
#
|
6
6
|
# This file is part of WATOBO (Web Application Tool Box)
|
7
7
|
# http://watobo.sourceforge.com
|
@@ -40,7 +40,8 @@
|
|
40
40
|
# along with WATOBO; if not, write to the Free Software
|
41
41
|
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
42
42
|
# .
|
43
|
-
|
43
|
+
# @private
|
44
|
+
module Watobo#:nodoc: all
|
44
45
|
module Modules
|
45
46
|
module Passive
|
46
47
|
|
@@ -1,7 +1,7 @@
|
|
1
1
|
# .
|
2
2
|
# cookie_xss.rb
|
3
3
|
#
|
4
|
-
# Copyright
|
4
|
+
# Copyright 2013 by siberas, http://www.siberas.de
|
5
5
|
#
|
6
6
|
# This file is part of WATOBO (Web Application Tool Box)
|
7
7
|
# http://watobo.sourceforge.com
|
@@ -20,7 +20,8 @@
|
|
20
20
|
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
21
21
|
# .
|
22
22
|
|
23
|
-
|
23
|
+
# @private
|
24
|
+
module Watobo#:nodoc: all
|
24
25
|
module Modules
|
25
26
|
module Passive
|
26
27
|
|
@@ -1,7 +1,7 @@
|
|
1
1
|
# .
|
2
2
|
# detect_code.rb
|
3
3
|
#
|
4
|
-
# Copyright
|
4
|
+
# Copyright 2013 by siberas, http://www.siberas.de
|
5
5
|
#
|
6
6
|
# This file is part of WATOBO (Web Application Tool Box)
|
7
7
|
# http://watobo.sourceforge.com
|
@@ -19,7 +19,8 @@
|
|
19
19
|
# along with WATOBO; if not, write to the Free Software
|
20
20
|
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
21
21
|
# .
|
22
|
-
|
22
|
+
# @private
|
23
|
+
module Watobo#:nodoc: all
|
23
24
|
module Modules
|
24
25
|
module Passive
|
25
26
|
|
@@ -46,7 +47,9 @@ module Watobo
|
|
46
47
|
|
47
48
|
@pattern_list = []
|
48
49
|
@pattern_list << ['<\?php', "PHP" ]
|
49
|
-
@pattern_list << [ '
|
50
|
+
@pattern_list << [ '<!--[^>]*select ', "COMMENT" ]
|
51
|
+
@pattern_list << [ '\/\*[^(\*\/)]*select ', "COMMENT" ]
|
52
|
+
@pattern_list << [ '\/\/[^(\*\/\n)]*select ', "COMMENT" ]
|
50
53
|
@pattern_list << [ 'sample code', "COMMENT" ]
|
51
54
|
@pattern_list << [ '<%[^<%]*%>', "ASP" ]
|
52
55
|
|
@@ -68,7 +71,7 @@ module Watobo
|
|
68
71
|
match = $1
|
69
72
|
path = "/" + chat.request.path
|
70
73
|
addFinding(
|
71
|
-
:proof_pattern => "#{match}",
|
74
|
+
:proof_pattern => "#{Regexp.quote(match)}",
|
72
75
|
:chat => chat,
|
73
76
|
:title => "[#{type}] - #{path}"
|
74
77
|
)
|
@@ -1,7 +1,7 @@
|
|
1
1
|
# .
|
2
2
|
# detect_fileupload.rb
|
3
3
|
#
|
4
|
-
# Copyright
|
4
|
+
# Copyright 2013 by siberas, http://www.siberas.de
|
5
5
|
#
|
6
6
|
# This file is part of WATOBO (Web Application Tool Box)
|
7
7
|
# http://watobo.sourceforge.com
|
@@ -19,7 +19,8 @@
|
|
19
19
|
# along with WATOBO; if not, write to the Free Software
|
20
20
|
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
21
21
|
# .
|
22
|
-
|
22
|
+
# @private
|
23
|
+
module Watobo#:nodoc: all
|
23
24
|
module Modules
|
24
25
|
module Passive
|
25
26
|
class Detect_fileupload < Watobo::PassiveCheck
|
@@ -1,7 +1,7 @@
|
|
1
1
|
# .
|
2
2
|
# detect_infrastructure.rb
|
3
3
|
#
|
4
|
-
# Copyright
|
4
|
+
# Copyright 2013 by siberas, http://www.siberas.de
|
5
5
|
#
|
6
6
|
# This file is part of WATOBO (Web Application Tool Box)
|
7
7
|
# http://watobo.sourceforge.com
|
@@ -19,7 +19,8 @@
|
|
19
19
|
# along with WATOBO; if not, write to the Free Software
|
20
20
|
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
21
21
|
# .
|
22
|
-
|
22
|
+
# @private
|
23
|
+
module Watobo#:nodoc: all
|
23
24
|
module Modules
|
24
25
|
module Passive
|
25
26
|
class Detect_infrastructure < Watobo::PassiveCheck
|
@@ -55,7 +56,9 @@ module Watobo
|
|
55
56
|
@pattern_list << [ 'SharePoint 2010', Regexp.new('MicrosoftSharePointTeamServices.*14.0.0.6106')]
|
56
57
|
# And in SharePoint 2007 site, the result is like this: MicrosoftSharePointTeamServices:12.0.0.4518
|
57
58
|
@pattern_list << [ 'SharePoint 2007', Regexp.new('MicrosoftSharePointTeamServices.*12.0.0.4518')]
|
58
|
-
|
59
|
+
# "vaadinVersion":"7.0.4"
|
60
|
+
@pattern_list << [ 'VAADIN }>', Regexp.new('vaadinVersion":"(\d+\.\d+\.\d+)')]
|
61
|
+
@pattern_list << [ 'JBoss' ,Regexp.new('JBoss Web.(\d+\.\d+\.\d+)')]
|
59
62
|
|
60
63
|
#@pattern_list << 'sample code'
|
61
64
|
|
@@ -76,7 +79,7 @@ module Watobo
|
|
76
79
|
addFinding(
|
77
80
|
:proof_pattern => "#{match}",
|
78
81
|
:chat => chat,
|
79
|
-
:title => "[#{pat[0]}] - #{match.slice(0..
|
82
|
+
:title => "[#{pat[0]}] - #{match.slice(0..21)}"
|
80
83
|
)
|
81
84
|
break
|
82
85
|
end
|
@@ -1,7 +1,7 @@
|
|
1
1
|
# .
|
2
2
|
# detect_one_time_tokens.rb
|
3
3
|
#
|
4
|
-
# Copyright
|
4
|
+
# Copyright 2013 by siberas, http://www.siberas.de
|
5
5
|
#
|
6
6
|
# This file is part of WATOBO (Web Application Tool Box)
|
7
7
|
# http://watobo.sourceforge.com
|
@@ -19,7 +19,8 @@
|
|
19
19
|
# along with WATOBO; if not, write to the Free Software
|
20
20
|
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
21
21
|
# .
|
22
|
-
|
22
|
+
# @private
|
23
|
+
module Watobo#:nodoc: all
|
23
24
|
module Modules
|
24
25
|
module Passive
|
25
26
|
|
@@ -1,7 +1,7 @@
|
|
1
1
|
# .
|
2
2
|
# dirindexing.rb
|
3
3
|
#
|
4
|
-
# Copyright
|
4
|
+
# Copyright 2013 by siberas, http://www.siberas.de
|
5
5
|
#
|
6
6
|
# This file is part of WATOBO (Web Application Tool Box)
|
7
7
|
# http://watobo.sourceforge.com
|
@@ -20,7 +20,8 @@
|
|
20
20
|
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
21
21
|
# .
|
22
22
|
|
23
|
-
|
23
|
+
# @private
|
24
|
+
module Watobo#:nodoc: all
|
24
25
|
module Modules
|
25
26
|
module Passive
|
26
27
|
|
@@ -1,7 +1,7 @@
|
|
1
1
|
# .
|
2
2
|
# disclosure_domino.rb
|
3
3
|
#
|
4
|
-
# Copyright
|
4
|
+
# Copyright 2013 by siberas, http://www.siberas.de
|
5
5
|
#
|
6
6
|
# This file is part of WATOBO (Web Application Tool Box)
|
7
7
|
# http://watobo.sourceforge.com
|
@@ -19,7 +19,8 @@
|
|
19
19
|
# along with WATOBO; if not, write to the Free Software
|
20
20
|
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
21
21
|
# .
|
22
|
-
|
22
|
+
# @private
|
23
|
+
module Watobo#:nodoc: all
|
23
24
|
module Modules
|
24
25
|
module Passive
|
25
26
|
|