watobo 0.9.12 → 0.9.13

Sign up to get free protection for your applications and to get access to all the features.
Files changed (263) hide show
  1. data/.yardopts +2 -2
  2. data/{CHANGELOG → CHANGELOG.md} +62 -0
  3. data/README.md +30 -0
  4. data/bin/nfq_server.rb +4 -3
  5. data/bin/watobo_gui.rb +1 -1
  6. data/config/ott_cache.yml +4 -0
  7. data/config/scanner.yml +1 -18
  8. data/config/sid_cache.yml +14 -0
  9. data/extras/private-hostspot.sh +17 -0
  10. data/extras/watobo-installer.sh +61 -0
  11. data/extras/watobo-transparent.sh +38 -0
  12. data/icons/BestPractice_16x16.ico +0 -0
  13. data/icons/BestPractice_24x24.ico +0 -0
  14. data/lib/watobo/adapters/data_store.rb +25 -3
  15. data/lib/watobo/adapters/file/file_store.rb +19 -11
  16. data/lib/watobo/adapters/session_store.rb +3 -2
  17. data/lib/watobo/adapters.rb +1 -1
  18. data/lib/watobo/ca.rb +1 -1
  19. data/lib/watobo/config.rb +17 -19
  20. data/lib/watobo/constants.rb +3 -2
  21. data/lib/watobo/core/active_check.rb +62 -40
  22. data/lib/watobo/core/active_checks.rb +73 -0
  23. data/lib/watobo/core/ca.rb +3 -2
  24. data/lib/watobo/core/cert_store.rb +3 -2
  25. data/lib/watobo/core/chat.rb +122 -0
  26. data/lib/watobo/core/chats.rb +301 -0
  27. data/lib/watobo/core/conversation.rb +71 -0
  28. data/lib/watobo/core/cookie.rb +9 -25
  29. data/lib/watobo/core/finding.rb +89 -0
  30. data/lib/watobo/core/findings.rb +132 -0
  31. data/lib/watobo/core/forwarding_proxy.rb +4 -2
  32. data/lib/watobo/core/fuzz_gen.rb +3 -2
  33. data/lib/watobo/core/intercept_carver.rb +24 -12
  34. data/lib/watobo/core/intercept_filter.rb +4 -3
  35. data/lib/watobo/core/interceptor.rb +9 -888
  36. data/lib/watobo/core/min_class.rb +27 -0
  37. data/lib/watobo/core/netfilter_queue.rb +3 -2
  38. data/lib/watobo/core/ott_cache.rb +156 -0
  39. data/lib/watobo/core/parameter.rb +66 -0
  40. data/lib/watobo/core/passive_check.rb +15 -22
  41. data/lib/watobo/core/passive_checks.rb +72 -0
  42. data/lib/watobo/core/passive_scanner.rb +69 -0
  43. data/lib/watobo/core/plugin.rb +33 -0
  44. data/lib/watobo/core/project.rb +40 -547
  45. data/lib/watobo/core/proxy.rb +7 -2
  46. data/lib/watobo/core/request.rb +95 -10
  47. data/lib/watobo/core/response.rb +44 -3
  48. data/lib/watobo/core/scanner.rb +6 -7
  49. data/lib/watobo/core/scanner3.rb +439 -0
  50. data/lib/watobo/core/scope.rb +106 -0
  51. data/lib/watobo/core/session.rb +106 -286
  52. data/lib/watobo/core/sid_cache.rb +121 -0
  53. data/lib/watobo/core/subscriber.rb +48 -0
  54. data/lib/watobo/core.rb +2 -2
  55. data/lib/watobo/defaults.rb +3 -2
  56. data/lib/watobo/external/diff/lcs/array.rb +1 -1
  57. data/lib/watobo/external/diff/lcs/block.rb +1 -1
  58. data/lib/watobo/external/diff/lcs/callbacks.rb +1 -1
  59. data/lib/watobo/external/diff/lcs/change.rb +1 -1
  60. data/lib/watobo/external/diff/lcs/hunk.rb +1 -1
  61. data/lib/watobo/external/diff/lcs/ldiff.rb +1 -1
  62. data/lib/watobo/external/diff/lcs/string.rb +1 -1
  63. data/lib/watobo/external/diff/lcs.rb +1 -1
  64. data/lib/watobo/external/ntlm/ntlm.rb +1 -1
  65. data/lib/watobo/externals.rb +1 -1
  66. data/lib/watobo/framework/create_project.rb +19 -12
  67. data/lib/watobo/framework/init.rb +4 -3
  68. data/lib/watobo/framework/init_modules.rb +32 -3
  69. data/lib/watobo/framework/license_text.rb +3 -2
  70. data/lib/watobo/framework/load_chat.rb +36 -0
  71. data/lib/watobo/framework.rb +2 -2
  72. data/lib/watobo/gui/about_watobo.rb +3 -2
  73. data/lib/watobo/gui/browser_preview.rb +4 -3
  74. data/lib/watobo/gui/certificate_dialog.rb +3 -2
  75. data/lib/watobo/gui/chat_diff.rb +6 -14
  76. data/lib/watobo/gui/chatviewer_frame.rb +30 -5
  77. data/lib/watobo/gui/checkboxtree.rb +13 -12
  78. data/lib/watobo/gui/checks_policy_frame.rb +8 -10
  79. data/lib/watobo/gui/client_cert_dialog.rb +8 -6
  80. data/lib/watobo/gui/confirm_scan_dialog.rb +5 -3
  81. data/lib/watobo/gui/conversation_table.rb +288 -51
  82. data/lib/watobo/gui/conversation_table_ctrl.rb +36 -3
  83. data/lib/watobo/gui/conversation_table_ctrl2.rb +416 -0
  84. data/lib/watobo/gui/csrf_token_dialog.rb +25 -33
  85. data/lib/watobo/gui/dashboard.rb +47 -45
  86. data/lib/watobo/gui/define_scope_frame.rb +27 -22
  87. data/lib/watobo/gui/differ_frame.rb +238 -0
  88. data/lib/watobo/gui/edit_comment.rb +3 -2
  89. data/lib/watobo/gui/edit_scope_dialog.rb +7 -6
  90. data/lib/watobo/gui/finding_info.rb +3 -2
  91. data/lib/watobo/gui/findings_tree.rb +101 -26
  92. data/lib/watobo/gui/full_scan_dialog.rb +5 -6
  93. data/lib/watobo/gui/fuzzer_gui.rb +51 -18
  94. data/lib/watobo/gui/goto_url_dialog.rb +92 -0
  95. data/lib/watobo/gui/hex_viewer.rb +16 -5
  96. data/lib/watobo/gui/html_viewer.rb +309 -0
  97. data/lib/watobo/gui/intercept_filter_dialog.rb +3 -2
  98. data/lib/watobo/gui/interceptor_gui.rb +5 -4
  99. data/lib/watobo/gui/interceptor_settings_dialog.rb +4 -3
  100. data/lib/watobo/gui/list_box.rb +4 -3
  101. data/lib/watobo/gui/log_file_viewer.rb +55 -0
  102. data/lib/watobo/gui/log_viewer.rb +3 -82
  103. data/lib/watobo/gui/login_wizzard.rb +3 -3
  104. data/lib/watobo/gui/main_window.rb +183 -164
  105. data/lib/watobo/gui/manual_request_editor.rb +157 -642
  106. data/lib/watobo/gui/master_pw_dialog.rb +3 -2
  107. data/lib/watobo/gui/mixins/gui_settings.rb +3 -2
  108. data/lib/watobo/gui/page_tree.rb +3 -2
  109. data/lib/watobo/gui/password_policy_dialog.rb +3 -2
  110. data/lib/watobo/gui/plugin_board.rb +103 -73
  111. data/lib/watobo/gui/preferences_dialog.rb +3 -2
  112. data/lib/watobo/gui/progress_window.rb +3 -2
  113. data/lib/watobo/gui/project_wizzard.rb +3 -2
  114. data/lib/watobo/gui/proxy_dialog.rb +3 -2
  115. data/lib/watobo/gui/quick_scan_dialog.rb +17 -32
  116. data/lib/watobo/gui/request_builder_frame.rb +134 -0
  117. data/lib/watobo/gui/request_editor.rb +14 -9
  118. data/lib/watobo/gui/rewrite_filters_dialog.rb +4 -3
  119. data/lib/watobo/gui/rewrite_rules_dialog.rb +4 -3
  120. data/lib/watobo/gui/save_chat_dialog.rb +7 -3
  121. data/lib/watobo/gui/scanner_settings_dialog.rb +4 -3
  122. data/lib/watobo/gui/select_chat_dialog.rb +15 -25
  123. data/lib/watobo/gui/session_management_dialog.rb +21 -25
  124. data/lib/watobo/gui/sites_tree.rb +5 -4
  125. data/lib/watobo/gui/status_bar.rb +3 -2
  126. data/lib/watobo/gui/table_editor.rb +398 -386
  127. data/lib/watobo/gui/tagless_viewer.rb +3 -2
  128. data/lib/watobo/gui/templates/plugin.rb +3 -2
  129. data/lib/watobo/gui/templates/plugin2.rb +4 -3
  130. data/lib/watobo/gui/templates/plugin_base.rb +168 -0
  131. data/lib/watobo/gui/text_viewer.rb +49 -3
  132. data/lib/watobo/gui/transcoder_window.rb +3 -2
  133. data/lib/watobo/gui/utils/gui_utils.rb +5 -4
  134. data/lib/watobo/gui/utils/init_icons.rb +5 -2
  135. data/lib/watobo/gui/utils/load_icons.rb +3 -2
  136. data/lib/watobo/gui/utils/load_plugins.rb +22 -5
  137. data/lib/watobo/gui/utils/master_password.rb +3 -2
  138. data/lib/watobo/gui/utils/save_default_settings.rb +7 -5
  139. data/lib/watobo/gui/utils/save_project_settings.rb +1 -1
  140. data/lib/watobo/gui/utils/save_proxy_settings.rb +4 -3
  141. data/lib/watobo/gui/utils/save_scanner_settings.rb +5 -4
  142. data/lib/watobo/gui/utils/session_history.rb +3 -2
  143. data/lib/watobo/gui/workspace_dialog.rb +3 -2
  144. data/lib/watobo/gui/www_auth_dialog.rb +4 -3
  145. data/lib/watobo/gui/xml_viewer_frame.rb +3 -2
  146. data/lib/watobo/gui.rb +6 -3
  147. data/lib/watobo/http/cookies/cookies.rb +66 -0
  148. data/lib/watobo/http/data/data.rb +68 -0
  149. data/lib/watobo/{gui/mixins/subscriber.rb → http/url/url.rb} +33 -19
  150. data/lib/watobo/http_socket/agent.rb +851 -0
  151. data/lib/watobo/http_socket/client_socket.rb +290 -0
  152. data/lib/watobo/http_socket/connection.rb +423 -0
  153. data/lib/watobo/http_socket/http_socket.rb +273 -0
  154. data/lib/watobo/http_socket/ntlm_auth.rb +152 -0
  155. data/lib/watobo/http_socket/proxy.rb +31 -0
  156. data/lib/watobo/http_socket.rb +25 -0
  157. data/lib/watobo/interceptor/proxy.rb +883 -0
  158. data/lib/watobo/interceptor/transparent.rb +37 -0
  159. data/lib/watobo/interceptor.rb +25 -0
  160. data/lib/watobo/mixins/check_info.rb +50 -0
  161. data/lib/watobo/mixins/httpparser.rb +92 -20
  162. data/lib/watobo/mixins/request_parser.rb +103 -88
  163. data/lib/watobo/mixins/shapers.rb +42 -11
  164. data/lib/watobo/mixins/transcoders.rb +61 -57
  165. data/lib/watobo/mixins.rb +3 -2
  166. data/lib/watobo/parser/html.rb +106 -0
  167. data/lib/watobo/parser.rb +22 -0
  168. data/lib/watobo/utils/check_regex.rb +3 -2
  169. data/lib/watobo/utils/copy_object.rb +3 -2
  170. data/lib/watobo/utils/crypto.rb +3 -2
  171. data/lib/watobo/utils/expand_range.rb +3 -2
  172. data/lib/watobo/utils/file_management.rb +7 -3
  173. data/lib/watobo/utils/hexprint.rb +3 -2
  174. data/lib/watobo/utils/load_chat.rb +4 -3
  175. data/lib/watobo/utils/load_icon.rb +3 -2
  176. data/lib/watobo/utils/print_debug.rb +3 -2
  177. data/lib/watobo/utils/response_builder.rb +6 -4
  178. data/lib/watobo/utils/response_hash.rb +66 -49
  179. data/lib/watobo/utils/secure_eval.rb +3 -2
  180. data/lib/watobo/utils/strings.rb +3 -2
  181. data/lib/watobo/utils/text2request.rb +4 -5
  182. data/lib/watobo/utils/url.rb +46 -0
  183. data/lib/watobo/utils.rb +3 -2
  184. data/lib/watobo.rb +13 -3
  185. data/modules/active/Apache/mod_status.rb +15 -11
  186. data/modules/active/Flash/crossdomain.rb +17 -14
  187. data/modules/active/RoR/cve_2013_015x.rb +21 -0
  188. data/modules/active/directories/dirwalker.rb +10 -16
  189. data/modules/active/discovery/fileextensions.rb +10 -7
  190. data/modules/active/discovery/http_methods.rb +8 -9
  191. data/modules/active/domino/domino_db.rb +10 -11
  192. data/modules/active/dotNET/custom_errors.rb +124 -0
  193. data/modules/active/dotNET/dotnet_files.rb +112 -0
  194. data/modules/active/fileinclusion/lfi_simple.rb +9 -7
  195. data/modules/active/jboss/jboss_basic.rb +12 -9
  196. data/modules/active/sap/its_commands.rb +10 -9
  197. data/modules/active/sap/its_service_parameter.rb +10 -9
  198. data/modules/active/sap/its_services.rb +10 -9
  199. data/modules/active/sap/its_xss.rb +11 -10
  200. data/modules/active/siebel/siebel_apps.rb +14 -16
  201. data/modules/active/sqlinjection/sql_boolean.rb +139 -75
  202. data/modules/active/sqlinjection/sqli_error.rb +9 -6
  203. data/modules/active/sqlinjection/sqli_timing.rb +13 -11
  204. data/modules/active/xml/xml_xxe.rb +134 -0
  205. data/modules/active/xss/{xss_rated.rb → xss_ng.rb} +89 -56
  206. data/modules/active/xss/xss_simple.rb +9 -6
  207. data/modules/passive/ajax.rb +85 -0
  208. data/modules/passive/autocomplete.rb +78 -0
  209. data/modules/passive/cookie_options.rb +3 -2
  210. data/modules/passive/cookie_xss.rb +3 -2
  211. data/modules/passive/detect_code.rb +7 -4
  212. data/modules/passive/detect_fileupload.rb +3 -2
  213. data/modules/passive/detect_infrastructure.rb +7 -4
  214. data/modules/passive/detect_one_time_tokens.rb +3 -2
  215. data/modules/passive/dirindexing.rb +3 -2
  216. data/modules/passive/disclosure_domino.rb +3 -2
  217. data/modules/passive/disclosure_emails.rb +3 -2
  218. data/modules/passive/disclosure_ipaddr.rb +3 -2
  219. data/modules/passive/filename_as_parameter.rb +3 -2
  220. data/modules/passive/form_spotter.rb +10 -7
  221. data/modules/passive/hidden_fields.rb +73 -0
  222. data/modules/passive/hotspots.rb +7 -4
  223. data/modules/passive/in_script_parameter.rb +3 -2
  224. data/modules/passive/multiple_server_headers.rb +4 -3
  225. data/modules/passive/possible_login.rb +3 -2
  226. data/modules/passive/redirect_url.rb +3 -2
  227. data/modules/passive/redirectionz.rb +6 -3
  228. data/modules/passive/xss_dom.rb +16 -9
  229. data/plugins/catalog/catalog.rb +119 -193
  230. data/plugins/crawler/crawler.rb +4 -3
  231. data/plugins/crawler/gui/auth_frame.rb +3 -2
  232. data/plugins/crawler/gui/crawler_gui.rb +3 -2
  233. data/plugins/crawler/gui/general_settings_frame.rb +3 -2
  234. data/plugins/crawler/gui/hooks_frame.rb +3 -2
  235. data/plugins/crawler/gui/scope_frame.rb +3 -2
  236. data/plugins/crawler/gui/settings_tabbook.rb +3 -2
  237. data/plugins/crawler/gui/status_frame.rb +3 -2
  238. data/plugins/crawler/gui.rb +3 -2
  239. data/plugins/crawler/lib/bags.rb +3 -2
  240. data/plugins/crawler/lib/constants.rb +3 -2
  241. data/plugins/crawler/lib/engine.rb +3 -2
  242. data/plugins/crawler/lib/grabber.rb +3 -2
  243. data/plugins/crawler/lib/uri_mp.rb +1 -1
  244. data/plugins/filefinder/filefinder.rb +92 -70
  245. data/plugins/sqlmap/bin/test.rb +3 -2
  246. data/plugins/sqlmap/gui/main.rb +3 -2
  247. data/plugins/sqlmap/gui/options_frame.rb +4 -3
  248. data/plugins/sqlmap/gui.rb +1 -1
  249. data/plugins/sqlmap/lib/sqlmap_ctrl.rb +3 -2
  250. data/plugins/sqlmap/sqlmap.rb +1 -1
  251. data/plugins/sslchecker/cli/sslchecker_cli.rb +1 -1
  252. data/plugins/sslchecker/gui/cipher_table.rb +17 -10
  253. data/plugins/sslchecker/gui/gui.rb +59 -56
  254. data/plugins/sslchecker/gui/sslchecker.rb +1 -1
  255. data/plugins/sslchecker/lib/check.rb +43 -18
  256. data/plugins/wshell/gui/main.rb +130 -0
  257. data/plugins/wshell/icons/wsh.ico +0 -0
  258. data/plugins/wshell/lib/core.rb +99 -0
  259. data/plugins/wshell/wshell.rb +33 -0
  260. metadata +80 -8
  261. data/README +0 -26
  262. data/lib/watobo/core/http_socket.rb +0 -161
  263. data/lib/watobo/gui/plugin/base.rb +0 -82
data/modules/active/xss/{xss_rated.rb → xss_ng.rb} RENAMED
@@ -1,7 +1,7 @@
1
1
  # .
2
- # xss_rated.rb
2
+ # xss_ng.rb
3
3
  #
4
- # Copyright 2012 by siberas, http://www.siberas.de
4
+ # Copyright 2013 by siberas, http://www.siberas.de
5
5
  #
6
6
  # This file is part of WATOBO (Web Application Tool Box)
7
7
  # http://watobo.sourceforge.com
@@ -19,18 +19,16 @@
19
19
  # along with WATOBO; if not, write to the Free Software
20
20
  # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
21
  # .
22
- module Watobo
22
+ # @private
23
+ module Watobo#:nodoc: all
23
24
  module Modules
24
25
  module Active
25
26
  module Xss
26
27
 
27
28
 
28
- class Xss_rated < Watobo::ActiveCheck
29
+ class Xss_ng < Watobo::ActiveCheck
29
30
 
30
- def initialize(project, prefs={})
31
- super(project, prefs)
32
-
33
- threat =<<'EOF'
31
+ threat =<<'EOF'
34
32
  Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance.
35
33
  A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser
36
34
  within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to
@@ -49,49 +47,65 @@ EOF
49
47
  measure = "All user input should be filtered and/or escaped using a method appropriate for the output context"
50
48
 
51
49
  @info.update(
52
- :check_name => 'Rated Cross Site Scripting Checks', # name of check which briefly describes functionality, will be used for tree and progress views
50
+ :check_name => 'NextGeneration Cross Site Scripting Checks', # name of check which briefly describes functionality, will be used for tree and progress views
53
51
  :check_group => AC_GROUP_XSS,
54
- :description => "Checking every URL parameter for missing output sanitisation. The results have a rated exploitability.", # description of checkfunction
52
+ :description => "XSS Checks with rating. Additional parameters are created by extracting input fields (name/value pairs) of the original response.", # description of checkfunction
55
53
  :author => "Andreas Schmidt", # author of check
56
54
  :version => "1.0" # check version
57
55
  )
58
56
 
59
57
  @finding.update(
60
58
  :threat => threat, # thread of vulnerability, e.g. loss of information
61
- :class => "Reflected XSS [RATED]", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
59
+ :class => "Reflected XSS", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
62
60
  :type => FINDING_TYPE_VULN, # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
63
61
  :rating => VULN_RATING_HIGH,
64
62
  :measure => measure
65
63
  )
64
+
65
+ def initialize(project, prefs={})
66
+ super(project, prefs)
67
+
66
68
 
67
- @envelop = [ "watobo", "watobo".reverse]
69
+ @envelop = "watobo"
70
+ @env_count = 0
68
71
  @evasions = [ "%0a", "%00"]
69
72
  @xss_chars= %w( < > ' " )
70
73
  @escape_chars = ['\\']
74
+ @additional_parms = []
75
+
76
+ def reset
77
+ @additional_parms = []
78
+ @env_count = 0
79
+ end
80
+
71
81
 
72
82
  end
73
83
 
74
84
 
75
85
  def generateChecks(chat)
76
- #
77
- # Check GET-Parameters
78
- #
79
- begin
86
+ begin
87
+ #
88
+ if chat.response.respond_to? :input_fields
89
+ chat.response.input_fields do |field|
90
+ @additional_parms << field.to_www_form_parm if chat.request.method_post?
91
+ @additional_parms << field.to_url_parm
92
+
93
+ end
94
+ end
80
95
 
81
- log_console("generating checks ...")
82
- urlParmNames(chat).each do |parm|
83
- log_console( parm )
84
- # puts "#{Module.nesting[0].name}: run check on chat-id (#{chat.id}) with parm (#{parm})"
85
- pval = chat.request.get_parm_value(parm)
96
+ @parm_list = chat.request.parameters(:data, :url)
97
+ @parm_list.concat @additional_parms
98
+ @parm_list.each do |parm|
99
+ #log_console( "#{parm.location} - #{parm.name} = #{parm.value}")
100
+
86
101
  checks = []
87
102
  @xss_chars.each do |xss|
88
- tp = "#{@envelop[0]}"
89
- tp << CGI.escape(xss)
90
- tp << "#{@envelop[1]}"
91
- pattern = "#{@envelop[0]}([^#{@envelop[0]}]*#{xss})#{@envelop[1]}"
92
- checks << [ xss.dup, "#{tp}" , pattern ]
93
- checks << [xss.dup, "#{pval}#{tp}", pattern ]
94
- checks << [xss.dup, "#{tp}#{pval}", pattern ]
103
+ @env_count += 1
104
+
105
+ check_id = "#{@envelop}#{@env_count}"
106
+ checks << [ xss.dup, "#{xss}", check_id ]
107
+ checks << [xss.dup, "#{parm.value}#{xss}", check_id ]
108
+ checks << [xss.dup, "#{xss}#{parm.value}", check_id ]
95
109
 
96
110
  end
97
111
  checker = proc {
@@ -99,13 +113,32 @@ EOF
99
113
  rating = 0
100
114
  test_request = nil
101
115
  test_response = nil
102
-
116
+
117
+ # first we check, if parameter is injectable
118
+ test = chat.copyRequest
119
+
120
+ proof = "INJ#{Time.now.to_i.to_s}"
121
+ parm.value = proof
122
+ test.set parm
123
+
124
+ test_request,test_response = doRequest(test)
125
+
126
+
127
+ next [ test_request, test_response ] unless test_response.has_body?
128
+
129
+ next [ test_request, test_response ] unless test_response.body =~ /#{proof}/i
130
+
103
131
 
104
- checks.each do |xss, check, proof|
132
+ checks.each do |xss, check, check_id|
133
+
134
+ # accept only one (escape) char between check_id and check string
135
+ proof = "#{check_id}([^#{Regexp.quote(check)}]?(#{Regexp.quote(check)}){1})"
105
136
  next if results.has_key? xss
106
137
  test = chat.copyRequest
107
- test.replace_get_parm(parm, check)
108
-
138
+
139
+ parm.value = check_id + CGI.escape(check)
140
+ test.set parm
141
+
109
142
  test_request,test_response = doRequest(test)
110
143
 
111
144
  if not test_response then
@@ -115,8 +148,8 @@ EOF
115
148
  end
116
149
  elsif test_response.join =~ /#{proof}/i
117
150
  match = $1
118
- # puts "MATCH: #{match}/#{xss}"
119
- if match == xss
151
+ #puts "MATCH: [ #{match} ] / [ #{check} ]"
152
+ if match == check
120
153
  results[xss] = { :match => :full, :check => check, :proof => proof }
121
154
  end
122
155
 
@@ -124,67 +157,67 @@ EOF
124
157
  @escape_chars.each do |ec|
125
158
  ep = Regexp.quote("#{ec}#{xss}")
126
159
  # puts "Escaped: #{match} / #{ep}"
127
- results[xss] = { :match => :escaped, :check => check, :proof => proof} if match =~ /#{ep}/
160
+ results[xss] = { :match => :escaped, :check => check, :proof => proof, :escape_char => "#{ec}"} if match =~ /#{ep}/
128
161
  end
129
162
  end
130
163
 
131
- results[xss] = { :match => :modified, :check => check, :proof => proof } unless results.has_key? xss
132
-
133
164
  end
134
- puts results.to_yaml if $DEBUG
165
+
135
166
  end
136
167
 
137
-
168
+ puts results.to_yaml if $DEBUG
138
169
  xss_combo = ""
170
+ combo_patterns = []
139
171
  results.each do |k,v|
140
172
  mp = CGI.escape(k)
141
173
  rp = CGI.escape(@xss_chars.join)
174
+ xss_combo += CGI.escape(k)
175
+ #puts "[#{k}] - #{v}"
142
176
  case v[:match]
177
+
143
178
  when :full
144
- rating += 100/@xss_chars.length
145
- xss_combo = v[:check].gsub(/#{mp}/, rp)
179
+ rating += 100/@xss_chars.length
180
+ combo_patterns << k
146
181
  when :escaped
147
182
  rating += 100/(@xss_chars.length*4)
148
- xss_combo = v[:check].gsub(/#{mp}/, rp) if xss_combo.empty?
149
- when :modified
150
- rating += 100/(@xss_chars.length*4)
151
- xss_combo = v[:check].gsub(/#{mp}/, rp) if xss_combo.empty?
183
+ combo_patterns << Regexp.quote("#{v[:escape_char]}#{k}")
152
184
  end
153
185
  end
154
186
 
155
187
  if rating > 0
156
188
  test = chat.copyRequest
157
- puts "COMBO-REQUEST: #{xss_combo}"
158
- test.replace_get_parm(parm, xss_combo)
189
+ #puts "COMBO-REQUEST: #{xss_combo}"
190
+ parm.value = "#{@envelop}#{@env_count}#{xss_combo}"
191
+ pattern = "(#{@envelop}#{@env_count}(#{combo_patterns.join("|")})+)"
192
+ test.set parm
159
193
 
160
- # puts "Reflected XSS: #{ts}"
161
- # pattern = "#{@envelop[0]}[^#{@envelop[0]}]*(\\\\)?#{@xss_chars.join('(\\\\)?')}#{@envelop[1]}"
162
194
  match = ""
163
- pattern = "#{@envelop[0]}([^#{@envelop[0]}]*(#{@xss_chars.join("|")})+[^#{@envelop[0]}]*)#{@envelop[1]}"
195
+
164
196
  test_request,test_response = doRequest(test)
165
197
  if not test_response then
166
198
  puts "got no response :("
167
199
  elsif test_response.join =~ /#{pattern}/i
168
200
  match = $1
169
- puts "MATCH: #{match}"
201
+ #puts "MATCH: #{match}"
170
202
  end
171
203
 
204
+ fclass = "Reflected XSS - #{rating}%"
205
+ fclass = "Reflected XSS (POST) - #{rating}%" if parm.location == :data
172
206
  addFinding( test_request, test_response,
173
207
  :check_pattern => xss_combo,
174
208
  :proof_pattern => "#{match}",
175
- :test_item => parm,
176
- :class => "Reflected XSS",
209
+ :test_item => parm.name,
210
+ :class => fclass,
177
211
  :chat => chat,
178
- :title => "[#{parm} - #{rating}%] - #{test_request.path}"
212
+ :title => "[#{parm.name}] - #{test_request.path}"
179
213
  )
180
214
  end
181
- #@project.new_finding(:short_name=>"#{parm}", :check=>"#{check}", :proof=>"#{pattern}", :kategory=>"XSS-Post", :type=>"Vuln", :chat=>test_chat, :rating=>"High")
215
+
182
216
  [ test_request, test_response ]
183
217
  }
184
218
  yield checker
185
219
 
186
220
  end
187
-
188
221
 
189
222
  rescue => bang
190
223
  puts bang
data/modules/active/xss/xss_simple.rb CHANGED
@@ -1,7 +1,7 @@
1
1
  # .
2
2
  # xss_simple.rb
3
3
  #
4
- # Copyright 2012 by siberas, http://www.siberas.de
4
+ # Copyright 2013 by siberas, http://www.siberas.de
5
5
  #
6
6
  # This file is part of WATOBO (Web Application Tool Box)
7
7
  # http://watobo.sourceforge.com
@@ -19,7 +19,8 @@
19
19
  # along with WATOBO; if not, write to the Free Software
20
20
  # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
21
  # .
22
- module Watobo
22
+ # @private
23
+ module Watobo#:nodoc: all
23
24
  module Modules
24
25
  module Active
25
26
  module Xss
@@ -27,10 +28,7 @@ module Watobo
27
28
 
28
29
  class Xss_simple < Watobo::ActiveCheck
29
30
 
30
- def initialize(project, prefs={})
31
- super(project, prefs)
32
-
33
- threat =<<'EOF'
31
+ threat =<<'EOF'
34
32
  Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance.
35
33
  A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser
36
34
  within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to
@@ -63,6 +61,11 @@ EOF
63
61
  :rating => VULN_RATING_HIGH,
64
62
  :measure => measure
65
63
  )
64
+
65
+ def initialize(project, prefs={})
66
+ super(project, prefs)
67
+
68
+
66
69
 
67
70
  @xss_checks=[
68
71
  ["<script>watobo</script>", "<script>watobo</script>"],
data/modules/passive/ajax.rb ADDED
@@ -0,0 +1,85 @@
1
+ # .
2
+ # ajax.rb
3
+ #
4
+ # Copyright 2013 by siberas, http://www.siberas.de
5
+ #
6
+ # This file is part of WATOBO (Web Application Tool Box)
7
+ # http://watobo.sourceforge.com
8
+ #
9
+ # WATOBO is free software; you can redistribute it and/or modify
10
+ # it under the terms of the GNU General Public License as published by
11
+ # the Free Software Foundation version 2 of the License.
12
+ #
13
+ # WATOBO is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with WATOBO; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ # .
22
+ require 'cgi'
23
+
24
+ # @private
25
+ module Watobo#:nodoc: all
26
+ module Modules
27
+ module Passive
28
+
29
+
30
+ class Ajax < Watobo::PassiveCheck
31
+
32
+ def initialize(project)
33
+ @project = project
34
+ super(project)
35
+
36
+ @info.update(
37
+ :check_name => 'Ajax', # name of check which briefly describes functionality, will be used for tree and progress views
38
+ :description => "Spots Ajax Frameworks like jQuery.", # description of checkfunction
39
+ :author => "Andreas Schmidt", # author of check
40
+ :version => "1.0" # check version
41
+ )
42
+
43
+ @finding.update(
44
+ :threat => 'Framework may contain vulnerabilities.', # thread of vulnerability, e.g. loss of information
45
+ :class => "Ajax Framework", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
46
+ :type => FINDING_TYPE_INFO # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
47
+ )
48
+
49
+ @fw_patterns = []
50
+ @fw_patterns << { :name => 'jQuery', :pattern => 'jQuery v([0-9\.]*) jquery.com'}
51
+ end
52
+
53
+ def showError(chatid, message)
54
+ puts "!!! Error"
55
+ puts "Chat: [#{chatid}]"
56
+ puts message
57
+ end
58
+
59
+ def do_test(chat)
60
+ begin
61
+
62
+ return true unless chat.response.content_type =~ /(text|script)/
63
+
64
+ @fw_patterns.each do |pattern|
65
+ if chat.response.body =~ /#{pattern[:pattern]}/i then
66
+ version = $1.strip
67
+ addFinding(
68
+ :check_pattern => "#{pattern[:pattern]}",
69
+ :proof_pattern => "#{pattern}",
70
+ :chat=>chat,
71
+ :title =>"[ #{pattern[:name]} #{version} ] - #{chat.request.path}",
72
+ )
73
+
74
+ end
75
+ end
76
+ rescue => bang
77
+ # raise
78
+ showError(chat.id, bang)
79
+ end
80
+ end
81
+
82
+ end
83
+ end
84
+ end
85
+ end
data/modules/passive/autocomplete.rb ADDED
@@ -0,0 +1,78 @@
1
+ # .
2
+ # autocomplete.rb
3
+ #
4
+ # Copyright 2013 by siberas, http://www.siberas.de
5
+ #
6
+ # This file is part of WATOBO (Web Application Tool Box)
7
+ # http://watobo.sourceforge.com
8
+ #
9
+ # WATOBO is free software; you can redistribute it and/or modify
10
+ # it under the terms of the GNU General Public License as published by
11
+ # the Free Software Foundation version 2 of the License.
12
+ #
13
+ # WATOBO is distributed in the hope that it will be useful,
14
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
+ # GNU General Public License for more details.
17
+ #
18
+ # You should have received a copy of the GNU General Public License
19
+ # along with WATOBO; if not, write to the Free Software
20
+ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
+ # .
22
+ # @private
23
+ module Watobo#:nodoc: all
24
+ module Modules
25
+ module Passive
26
+
27
+
28
+ class Autocomplete < Watobo::PassiveCheck
29
+ def initialize(project)
30
+ @project = project
31
+ super(project)
32
+
33
+ @info.update(
34
+ :check_name => 'Password AutoComplete', # name of check which briefly describes functionality, will be used for tree and progress views
35
+ :description => "Checks Password Fields For AutoCompletion", # description of checkfunction
36
+ :author => "Andreas Schmidt", # author of check
37
+ :version => "0.9" # check version
38
+ )
39
+
40
+ @finding.update(
41
+ :threat => 'Password values may be stored on the local filesystem.', # thread of vulnerability, e.g. loss of information
42
+ :class => "Password Autocompletion", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
43
+ :type => FINDING_TYPE_VULN, # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
44
+ :rating => VULN_RATING_LOW,
45
+ :measure => "The form field should have an attribute autocomplete=\"off\""
46
+ )
47
+ end
48
+
49
+ def do_test(chat)
50
+ begin
51
+
52
+ if chat.response.respond_to? :input_fields
53
+ chat.response.input_fields do |f|
54
+
55
+ ac = f.autocomplete.nil? ? "" : f.autocomplete
56
+
57
+ if f.type =~ /password/i and ( ac =~ /off/i or ac.empty? )
58
+ addFinding(
59
+ :proof_pattern => "input[^>]*type=[^>=]*password.*>{1}",
60
+ :title => "#{chat.request.file}",
61
+ :chat => chat
62
+ )
63
+ end
64
+ end
65
+ end
66
+ rescue => bang
67
+ # raise
68
+ puts "ERROR!! #{Module.nesting[0].name}"
69
+ puts bang
70
+ puts bang.backtrace if $DEBUG
71
+ end
72
+ return false
73
+ end
74
+ end
75
+
76
+ end
77
+ end
78
+ end
data/modules/passive/cookie_options.rb CHANGED
@@ -1,7 +1,7 @@
1
1
  # .
2
2
  # cookie_options.rb
3
3
  #
4
- # Copyright 2012 by siberas, http://www.siberas.de
4
+ # Copyright 2013 by siberas, http://www.siberas.de
5
5
  #
6
6
  # This file is part of WATOBO (Web Application Tool Box)
7
7
  # http://watobo.sourceforge.com
@@ -40,7 +40,8 @@
40
40
  # along with WATOBO; if not, write to the Free Software
41
41
  # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
42
42
  # .
43
- module Watobo
43
+ # @private
44
+ module Watobo#:nodoc: all
44
45
  module Modules
45
46
  module Passive
46
47
 
data/modules/passive/cookie_xss.rb CHANGED
@@ -1,7 +1,7 @@
1
1
  # .
2
2
  # cookie_xss.rb
3
3
  #
4
- # Copyright 2012 by siberas, http://www.siberas.de
4
+ # Copyright 2013 by siberas, http://www.siberas.de
5
5
  #
6
6
  # This file is part of WATOBO (Web Application Tool Box)
7
7
  # http://watobo.sourceforge.com
@@ -20,7 +20,8 @@
20
20
  # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
21
  # .
22
22
 
23
- module Watobo
23
+ # @private
24
+ module Watobo#:nodoc: all
24
25
  module Modules
25
26
  module Passive
26
27
 
data/modules/passive/detect_code.rb CHANGED
@@ -1,7 +1,7 @@
1
1
  # .
2
2
  # detect_code.rb
3
3
  #
4
- # Copyright 2012 by siberas, http://www.siberas.de
4
+ # Copyright 2013 by siberas, http://www.siberas.de
5
5
  #
6
6
  # This file is part of WATOBO (Web Application Tool Box)
7
7
  # http://watobo.sourceforge.com
@@ -19,7 +19,8 @@
19
19
  # along with WATOBO; if not, write to the Free Software
20
20
  # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
21
  # .
22
- module Watobo
22
+ # @private
23
+ module Watobo#:nodoc: all
23
24
  module Modules
24
25
  module Passive
25
26
 
@@ -46,7 +47,9 @@ module Watobo
46
47
 
47
48
  @pattern_list = []
48
49
  @pattern_list << ['<\?php', "PHP" ]
49
- @pattern_list << [ '<!--.*select ', "COMMENT" ]
50
+ @pattern_list << [ '<!--[^>]*select ', "COMMENT" ]
51
+ @pattern_list << [ '\/\*[^(\*\/)]*select ', "COMMENT" ]
52
+ @pattern_list << [ '\/\/[^(\*\/\n)]*select ', "COMMENT" ]
50
53
  @pattern_list << [ 'sample code', "COMMENT" ]
51
54
  @pattern_list << [ '<%[^<%]*%>', "ASP" ]
52
55
 
@@ -68,7 +71,7 @@ module Watobo
68
71
  match = $1
69
72
  path = "/" + chat.request.path
70
73
  addFinding(
71
- :proof_pattern => "#{match}",
74
+ :proof_pattern => "#{Regexp.quote(match)}",
72
75
  :chat => chat,
73
76
  :title => "[#{type}] - #{path}"
74
77
  )
data/modules/passive/detect_fileupload.rb CHANGED
@@ -1,7 +1,7 @@
1
1
  # .
2
2
  # detect_fileupload.rb
3
3
  #
4
- # Copyright 2012 by siberas, http://www.siberas.de
4
+ # Copyright 2013 by siberas, http://www.siberas.de
5
5
  #
6
6
  # This file is part of WATOBO (Web Application Tool Box)
7
7
  # http://watobo.sourceforge.com
@@ -19,7 +19,8 @@
19
19
  # along with WATOBO; if not, write to the Free Software
20
20
  # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
21
  # .
22
- module Watobo
22
+ # @private
23
+ module Watobo#:nodoc: all
23
24
  module Modules
24
25
  module Passive
25
26
  class Detect_fileupload < Watobo::PassiveCheck
data/modules/passive/detect_infrastructure.rb CHANGED
@@ -1,7 +1,7 @@
1
1
  # .
2
2
  # detect_infrastructure.rb
3
3
  #
4
- # Copyright 2012 by siberas, http://www.siberas.de
4
+ # Copyright 2013 by siberas, http://www.siberas.de
5
5
  #
6
6
  # This file is part of WATOBO (Web Application Tool Box)
7
7
  # http://watobo.sourceforge.com
@@ -19,7 +19,8 @@
19
19
  # along with WATOBO; if not, write to the Free Software
20
20
  # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
21
  # .
22
- module Watobo
22
+ # @private
23
+ module Watobo#:nodoc: all
23
24
  module Modules
24
25
  module Passive
25
26
  class Detect_infrastructure < Watobo::PassiveCheck
@@ -55,7 +56,9 @@ module Watobo
55
56
  @pattern_list << [ 'SharePoint 2010', Regexp.new('MicrosoftSharePointTeamServices.*14.0.0.6106')]
56
57
  # And in SharePoint 2007 site, the result is like this: MicrosoftSharePointTeamServices:12.0.0.4518
57
58
  @pattern_list << [ 'SharePoint 2007', Regexp.new('MicrosoftSharePointTeamServices.*12.0.0.4518')]
58
-
59
+ # "vaadinVersion":"7.0.4"
60
+ @pattern_list << [ 'VAADIN }>', Regexp.new('vaadinVersion":"(\d+\.\d+\.\d+)')]
61
+ @pattern_list << [ 'JBoss' ,Regexp.new('JBoss Web.(\d+\.\d+\.\d+)')]
59
62
 
60
63
  #@pattern_list << 'sample code'
61
64
 
@@ -76,7 +79,7 @@ module Watobo
76
79
  addFinding(
77
80
  :proof_pattern => "#{match}",
78
81
  :chat => chat,
79
- :title => "[#{pat[0]}] - #{match.slice(0..15)}"
82
+ :title => "[#{pat[0]}] - #{match.slice(0..21)}"
80
83
  )
81
84
  break
82
85
  end
data/modules/passive/detect_one_time_tokens.rb CHANGED
@@ -1,7 +1,7 @@
1
1
  # .
2
2
  # detect_one_time_tokens.rb
3
3
  #
4
- # Copyright 2012 by siberas, http://www.siberas.de
4
+ # Copyright 2013 by siberas, http://www.siberas.de
5
5
  #
6
6
  # This file is part of WATOBO (Web Application Tool Box)
7
7
  # http://watobo.sourceforge.com
@@ -19,7 +19,8 @@
19
19
  # along with WATOBO; if not, write to the Free Software
20
20
  # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
21
  # .
22
- module Watobo
22
+ # @private
23
+ module Watobo#:nodoc: all
23
24
  module Modules
24
25
  module Passive
25
26
 
data/modules/passive/dirindexing.rb CHANGED
@@ -1,7 +1,7 @@
1
1
  # .
2
2
  # dirindexing.rb
3
3
  #
4
- # Copyright 2012 by siberas, http://www.siberas.de
4
+ # Copyright 2013 by siberas, http://www.siberas.de
5
5
  #
6
6
  # This file is part of WATOBO (Web Application Tool Box)
7
7
  # http://watobo.sourceforge.com
@@ -20,7 +20,8 @@
20
20
  # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
21
  # .
22
22
 
23
- module Watobo
23
+ # @private
24
+ module Watobo#:nodoc: all
24
25
  module Modules
25
26
  module Passive
26
27
 
data/modules/passive/disclosure_domino.rb CHANGED
@@ -1,7 +1,7 @@
1
1
  # .
2
2
  # disclosure_domino.rb
3
3
  #
4
- # Copyright 2012 by siberas, http://www.siberas.de
4
+ # Copyright 2013 by siberas, http://www.siberas.de
5
5
  #
6
6
  # This file is part of WATOBO (Web Application Tool Box)
7
7
  # http://watobo.sourceforge.com
@@ -19,7 +19,8 @@
19
19
  # along with WATOBO; if not, write to the Free Software
20
20
  # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21
21
  # .
22
- module Watobo
22
+ # @private
23
+ module Watobo#:nodoc: all
23
24
  module Modules
24
25
  module Passive
25
26