watobo 0.9.12 → 0.9.13

data/plugins/wshell/wshell.rb

@@ -0,0 +1,33 @@
+# .
+# wshell.rb
+# 
+# Copyright 2013 by siberas, http://www.siberas.de
+# 
+# This file is part of WATOBO (Web Application Tool Box)
+#        http://watobo.sourceforge.com
+# 
+# WATOBO is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation version 2 of the License.
+# 
+# WATOBO is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with WATOBO; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+# .
+# @private 
+module Watobo#:nodoc: all::Plugin
+  module Plugin
+    class WShell < Watobo::PluginBase
+      plugin_name "WShell"
+      description "With WShell you can execute ruby commands in the context of WATOBO.\nVery useful for advanced analysis of conversations or debugging purposes - or simply to explore WATOBO."
+      load_libs
+      load_gui :main
+    end
+  end
+end
+

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: watobo
 version: !ruby/object:Gem::Version
-  version: 0.9.12
+  version: 0.9.13
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-11-20 00:00:00.000000000 Z
+date: 2013-08-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: mechanize
@@ -27,6 +27,22 @@ dependencies:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: fxruby
   requirement: !ruby/object:Gem::Requirement
@@ -53,6 +69,9 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
+- extras/private-hostspot.sh
+- extras/watobo-installer.sh
+- extras/watobo-transparent.sh
 - lib/watobo/adapters/data_store.rb
 - lib/watobo/adapters/file/file_store.rb
 - lib/watobo/adapters/session_store.rb
@@ -61,23 +80,38 @@ files:
 - lib/watobo/config.rb
 - lib/watobo/constants.rb
 - lib/watobo/core/active_check.rb
+- lib/watobo/core/active_checks.rb
 - lib/watobo/core/ca.rb
 - lib/watobo/core/cert_store.rb
+- lib/watobo/core/chat.rb
+- lib/watobo/core/chats.rb
+- lib/watobo/core/conversation.rb
 - lib/watobo/core/cookie.rb
+- lib/watobo/core/finding.rb
+- lib/watobo/core/findings.rb
 - lib/watobo/core/forwarding_proxy.rb
 - lib/watobo/core/fuzz_gen.rb
-- lib/watobo/core/http_socket.rb
 - lib/watobo/core/interceptor.rb
 - lib/watobo/core/intercept_carver.rb
 - lib/watobo/core/intercept_filter.rb
+- lib/watobo/core/min_class.rb
 - lib/watobo/core/netfilter_queue.rb
+- lib/watobo/core/ott_cache.rb
+- lib/watobo/core/parameter.rb
 - lib/watobo/core/passive_check.rb
+- lib/watobo/core/passive_checks.rb
+- lib/watobo/core/passive_scanner.rb
+- lib/watobo/core/plugin.rb
 - lib/watobo/core/project.rb
 - lib/watobo/core/proxy.rb
 - lib/watobo/core/request.rb
 - lib/watobo/core/response.rb
 - lib/watobo/core/scanner.rb
+- lib/watobo/core/scanner3.rb
+- lib/watobo/core/scope.rb
 - lib/watobo/core/session.rb
+- lib/watobo/core/sid_cache.rb
+- lib/watobo/core/subscriber.rb
 - lib/watobo/core.rb
 - lib/watobo/defaults.rb
 - lib/watobo/external/diff/lcs/array.rb
@@ -94,6 +128,7 @@ files:
 - lib/watobo/framework/init.rb
 - lib/watobo/framework/init_modules.rb
 - lib/watobo/framework/license_text.rb
+- lib/watobo/framework/load_chat.rb
 - lib/watobo/framework.rb
 - lib/watobo/gui/about_watobo.rb
 - lib/watobo/gui/browser_preview.rb
@@ -106,36 +141,40 @@ files:
 - lib/watobo/gui/confirm_scan_dialog.rb
 - lib/watobo/gui/conversation_table.rb
 - lib/watobo/gui/conversation_table_ctrl.rb
+- lib/watobo/gui/conversation_table_ctrl2.rb
 - lib/watobo/gui/csrf_token_dialog.rb
 - lib/watobo/gui/dashboard.rb
 - lib/watobo/gui/define_scope_frame.rb
+- lib/watobo/gui/differ_frame.rb
 - lib/watobo/gui/edit_comment.rb
 - lib/watobo/gui/edit_scope_dialog.rb
 - lib/watobo/gui/findings_tree.rb
 - lib/watobo/gui/finding_info.rb
 - lib/watobo/gui/full_scan_dialog.rb
 - lib/watobo/gui/fuzzer_gui.rb
+- lib/watobo/gui/goto_url_dialog.rb
 - lib/watobo/gui/hex_viewer.rb
+- lib/watobo/gui/html_viewer.rb
 - lib/watobo/gui/interceptor_gui.rb
 - lib/watobo/gui/interceptor_settings_dialog.rb
 - lib/watobo/gui/intercept_filter_dialog.rb
 - lib/watobo/gui/list_box.rb
 - lib/watobo/gui/login_wizzard.rb
+- lib/watobo/gui/log_file_viewer.rb
 - lib/watobo/gui/log_viewer.rb
 - lib/watobo/gui/main_window.rb
 - lib/watobo/gui/manual_request_editor.rb
 - lib/watobo/gui/master_pw_dialog.rb
 - lib/watobo/gui/mixins/gui_settings.rb
-- lib/watobo/gui/mixins/subscriber.rb
 - lib/watobo/gui/page_tree.rb
 - lib/watobo/gui/password_policy_dialog.rb
-- lib/watobo/gui/plugin/base.rb
 - lib/watobo/gui/plugin_board.rb
 - lib/watobo/gui/preferences_dialog.rb
 - lib/watobo/gui/progress_window.rb
 - lib/watobo/gui/project_wizzard.rb
 - lib/watobo/gui/proxy_dialog.rb
 - lib/watobo/gui/quick_scan_dialog.rb
+- lib/watobo/gui/request_builder_frame.rb
 - lib/watobo/gui/request_editor.rb
 - lib/watobo/gui/rewrite_filters_dialog.rb
 - lib/watobo/gui/rewrite_rules_dialog.rb
@@ -149,6 +188,7 @@ files:
 - lib/watobo/gui/tagless_viewer.rb
 - lib/watobo/gui/templates/plugin.rb
 - lib/watobo/gui/templates/plugin2.rb
+- lib/watobo/gui/templates/plugin_base.rb
 - lib/watobo/gui/text_viewer.rb
 - lib/watobo/gui/transcoder_window.rb
 - lib/watobo/gui/utils/gui_utils.rb
@@ -165,11 +205,27 @@ files:
 - lib/watobo/gui/www_auth_dialog.rb
 - lib/watobo/gui/xml_viewer_frame.rb
 - lib/watobo/gui.rb
+- lib/watobo/http/cookies/cookies.rb
+- lib/watobo/http/data/data.rb
+- lib/watobo/http/url/url.rb
+- lib/watobo/http_socket/agent.rb
+- lib/watobo/http_socket/client_socket.rb
+- lib/watobo/http_socket/connection.rb
+- lib/watobo/http_socket/http_socket.rb
+- lib/watobo/http_socket/ntlm_auth.rb
+- lib/watobo/http_socket/proxy.rb
+- lib/watobo/http_socket.rb
+- lib/watobo/interceptor/proxy.rb
+- lib/watobo/interceptor/transparent.rb
+- lib/watobo/interceptor.rb
+- lib/watobo/mixins/check_info.rb
 - lib/watobo/mixins/httpparser.rb
 - lib/watobo/mixins/request_parser.rb
 - lib/watobo/mixins/shapers.rb
 - lib/watobo/mixins/transcoders.rb
 - lib/watobo/mixins.rb
+- lib/watobo/parser/html.rb
+- lib/watobo/parser.rb
 - lib/watobo/utils/check_regex.rb
 - lib/watobo/utils/copy_object.rb
 - lib/watobo/utils/crypto.rb
@@ -184,6 +240,7 @@ files:
 - lib/watobo/utils/secure_eval.rb
 - lib/watobo/utils/strings.rb
 - lib/watobo/utils/text2request.rb
+- lib/watobo/utils/url.rb
 - lib/watobo/utils.rb
 - lib/watobo.rb
 - config/datastore.yml
@@ -191,17 +248,22 @@ files:
 - config/general.yml
 - config/gui.yml
 - config/interceptor.yml
+- config/ott_cache.yml
 - config/scanner.yml
 - config/scan_policy.yml
+- config/sid_cache.yml
 - modules/active/Apache/mod_status.rb
 - modules/active/directories/dirwalker.rb
 - modules/active/discovery/fileextensions.rb
 - modules/active/discovery/http_methods.rb
 - modules/active/domino/domino_db.lst
 - modules/active/domino/domino_db.rb
+- modules/active/dotNET/custom_errors.rb
+- modules/active/dotNET/dotnet_files.rb
 - modules/active/fileinclusion/lfi_simple.rb
 - modules/active/Flash/crossdomain.rb
 - modules/active/jboss/jboss_basic.rb
+- modules/active/RoR/cve_2013_015x.rb
 - modules/active/sap/its_commands.rb
 - modules/active/sap/its_services.rb
 - modules/active/sap/its_service_parameter.rb
@@ -210,8 +272,11 @@ files:
 - modules/active/sqlinjection/sqli_error.rb
 - modules/active/sqlinjection/sqli_timing.rb
 - modules/active/sqlinjection/sql_boolean.rb
-- modules/active/xss/xss_rated.rb
+- modules/active/xml/xml_xxe.rb
+- modules/active/xss/xss_ng.rb
 - modules/active/xss/xss_simple.rb
+- modules/passive/ajax.rb
+- modules/passive/autocomplete.rb
 - modules/passive/cookie_options.rb
 - modules/passive/cookie_xss.rb
 - modules/passive/detect_code.rb
@@ -224,6 +289,7 @@ files:
 - modules/passive/disclosure_ipaddr.rb
 - modules/passive/filename_as_parameter.rb
 - modules/passive/form_spotter.rb
+- modules/passive/hidden_fields.rb
 - modules/passive/hotspots.rb
 - modules/passive/in_script_parameter.rb
 - modules/passive/multiple_server_headers.rb
@@ -269,6 +335,10 @@ files:
 - plugins/sslchecker/icons/red_16x16.ico
 - plugins/sslchecker/icons/sslchecker.ico
 - plugins/sslchecker/lib/check.rb
+- plugins/wshell/gui/main.rb
+- plugins/wshell/icons/wsh.ico
+- plugins/wshell/lib/core.rb
+- plugins/wshell/wshell.rb
 - icons/Add.ico
 - icons/Add_24x24.ico
 - icons/advanced.ico
@@ -279,6 +349,8 @@ files:
 - icons/applications_24x24.ico
 - icons/Bandwidth.ico
 - icons/Bandwidth_24x24.ico
+- icons/BestPractice_16x16.ico
+- icons/BestPractice_24x24.ico
 - icons/browser_16x16.ico
 - icons/browser_24x24.ico
 - icons/burn.ico
@@ -353,8 +425,8 @@ files:
 - icons/Yellow Ball.ico
 - icons/Yellow Ball_16x16.ico
 - icons/Yellow Ball_24x24.ico
-- README
-- CHANGELOG
+- README.md
+- CHANGELOG.md
 - .yardopts
 - bin/watobo_gui.rb
 - bin/watobo

data/README

@@ -1,26 +0,0 @@
-
-= WATOBO - THE Web Application Toolbox
-WATOBO is a security tool for web applications. WATOBO is intended to enable security professionals to perform efficient (semi-automated) web application security audits.
-
-Most important features:
-* WATOBO has Session Management capabilities! You can define login scripts as well as logout signatures. So you don’t have to login manually each time you get logged out.
-* WATOB can act as an transparent proxy
-* WATOBO has anti-CSRF features 
-* WATOBO can perform vulnerability checks out of the box. 
-* WATOBO supports Inline De-/Encoding, so you don’t have to copy strings to a transcoder and back again. Just do it inside the request/response window with a simple mouse click. 
-* WATOBO has smart filter functions, so you can find and navigate to the most interesting parts of the application easily. 
-* WATOBO is written in (FX)Ruby and enables you to easiely define your own checks 
-* WATOBO is free software ( licensed under the GNU General Public License Version 2) 
-* It’s by siberas ;) 
-
-== Documentation
-Check out the online documentation and video tutorials at http://watobo.sourceforge.net
-
-== Tips & Tricks
-* On Linux you should use RVM to install Ruby (http://beginrescueend.com/rvm/install/)
-* Use FoxyProxy or SwitchProxy to easily change your proxy settings
-
-	
-
-
-

data/lib/watobo/core/http_socket.rb

@@ -1,161 +0,0 @@
-# .
-# http_socket.rb
-# 
-# Copyright 2012 by siberas, http://www.siberas.de
-# 
-# This file is part of WATOBO (Web Application Tool Box)
-#        http://watobo.sourceforge.com
-# 
-# WATOBO is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation version 2 of the License.
-# 
-# WATOBO is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-# 
-# You should have received a copy of the GNU General Public License
-# along with WATOBO; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-# .
-module Watobo
-    module HTTP
-      
-      def self.get_peer_subject(socket)
-        begin
-        ctx = OpenSSL::SSL::SSLContext.new()
-        ctx.tmp_dh_callback = proc { |*args|
-          OpenSSL::PKey::DH.new(128)
-          }
-        ssl_sock = OpenSSL::SSL::SSLSocket.new(socket, ctx)
-        subject = ssl_sock.peer_cert.subject
-        return subject
-        rescue => bang
-          puts bang
-          puts bang.backtrace
-        end
-        return nil
-      end
-      
-      
-      def HTTP.read_body(socket, prefs=nil)
-        buf = nil
-        max_bytes = -1
-        unless prefs.nil?
-          max_bytes = prefs[:max_bytes] unless prefs[:max_bytes].nil?
-        end
-        bytes_to_read = max_bytes >= 0 ? max_bytes : 1024
-        
-        bytes_read = 0
-        while max_bytes < 0 or bytes_to_read > 0 
-          begin
-         #   timeout(5) do
-             # puts "<#{bytes_to_read} / #{bytes_read} / #{max_bytes}"
-              buf = socket.readpartial(bytes_to_read)
-              bytes_read += buf.length
-         #   end
-          rescue EOFError
-            return
-          rescue Timeout::Error
-            puts "!!! Timeout: read_body (max_bytes=#{max_bytes})"
-            #puts "* last data seen on socket:"
-            # puts buf
-            puts $!.backtrace if $DEBUG
-            return
-          rescue => bang
-            print "E!"
-            puts bang.backtrace if $DEBUG
-            return
-          end
-          # puts bytes_read.to_s
-          yield buf if block_given?
-          return if max_bytes >= 0 and bytes_read >= max_bytes
-          bytes_to_read -= bytes_read if max_bytes >= 0 && bytes_to_read >= bytes_read
-        end
-        #  end
-      end
-
-      def HTTP.readChunkedBody(socket)
-        buf = nil
-        while (chunk_size = socket.gets)
-          next if chunk_size.strip.empty?
-          yield "#{chunk_size}" if block_given?
-          bytes_to_read = num_bytes = chunk_size.strip.hex
-          # puts "> chunk-length: 0x#{chunk_size.strip}(#{num_bytes})"
-          return if num_bytes == 0
-          bytes_read = 0
-          while bytes_read < num_bytes
-            begin
-             # timeout(5) do
-                bytes_to_read = num_bytes - bytes_read
-                # puts bytes_to_read.to_s
-                buf = socket.readpartial(bytes_to_read)
-                bytes_read += buf.length
-                # puts bytes_read.to_s
-             # end
-            rescue EOFError
-              # yield buf if buf
-              return
-            rescue Timeout::Error
-              puts "!!! Timeout: readChunkedBody (bytes_to_read=#{bytes_to_read}"
-              #puts "* last data seen on socket:"
-              # puts buf
-              return
-            rescue => bang
-              # puts "!!! Error (???) reading body:"
-              # puts bang
-              # puts bang.class
-              # puts bang.backtrace.join("\n")
-              # puts "* last data seen on socket:"
-              # puts buf
-              print "E!"
-              return
-            end
-            # puts bytes_read.to_s
-            yield buf if block_given?
-            #return if max_bytes > 0 and bytes_read >= max_bytes
-          end
-          yield "\r\n" if block_given?
-        end
-        #  end
-      end
-
-      def HTTP.read_header(socket)
-        buf = ''
-
-        while true
-          begin
-            buf = socket.gets
-          rescue EOFError
-            puts "!!! EOF: reading header"
-            # buf = nil
-            return
-          rescue Errno::ECONNRESET
-            #puts "!!! CONNECTION RESET: reading header"
-            #buf = nil
-            #return
-            raise
-          rescue Errno::ECONNABORTED
-            raise
-          rescue Timeout::Error
-            #puts "!!! TIMEOUT: reading header"
-            #return
-            raise
-          rescue => bang
-            puts "!!! READING HEADER:"
-           # puts buf
-            puts bang
-            puts bang.backtrace if $DEBUG
-          end
-
-          return if buf.nil?
-
-          yield buf if block_given?
-          return if buf.strip.empty?
-        end
-      end
-
-    end
-end
-

data/lib/watobo/gui/plugin/base.rb

@@ -1,82 +0,0 @@
-# .
-# base.rb
-# 
-# Copyright 2012 by siberas, http://www.siberas.de
-# 
-# This file is part of WATOBO (Web Application Tool Box)
-#        http://watobo.sourceforge.com
-# 
-# WATOBO is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation version 2 of the License.
-# 
-# WATOBO is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-# 
-# You should have received a copy of the GNU General Public License
-# along with WATOBO; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-# .
-module Watobo
-  module Gui
-    module Plugin
-      class Plugin_UNUSED < FXDialogBox
-        attr :plugin_name
-        attr :icon
-
-        include Watobo::Gui
-        include Watobo::Gui::Icons
-        def subscribe(event, &callback)
-          (@event_dispatcher_listeners[event] ||= []) << callback
-        end
-
-        def clearEvents(event)
-          @event_dispatcher_listener[event].clear
-        end
-
-        def notify(event, *args)
-          if @event_dispatcher_listeners[event]
-            @event_dispatcher_listeners[event].each do |m|
-              m.call(*args) if m.respond_to? :call
-            end
-          end
-        end
-
-        def updateView()
-          raise "!!! updateView not defined"
-        end
-
-        def icon=(file=__FILE__)
-          begin
-            @icon = ICON_PLUGIN
-            path = File.dirname(file)
-            #  puts "... searching for icons in #{path}"
-            file = Dir.glob("#{path}/*.ico").first
-
-            #    puts "* load icon: #{file}"
-            @icon = Watobo::Gui.load_icon(file) unless file.nil?
-
-            self.icon = @icon
-          rescue => bang
-          puts "!!!Error: could not init icon"
-          puts bang
-          puts bang.backtrace if $DEBUG
-          end
-        end
-
-        def initialize(owner, title, project, opts)
-          super(owner, title, :opts => DECOR_ALL,:width=>800, :height=>600)
-          # Implement Sender
-          # Implement Scanner
-          @icon = nil
-          #        load_icon()
-          @plugin_name = "undefined"
-          @event_dispatcher_listeners = Hash.new
-
-        end
-      end
-    end
-  end
-end