RubyGems - watobo - Versions diffs - 0.9.13 → 0.9.14 - Mend

watobo 0.9.13 → 0.9.14

Files changed (34) hide show

data/CHANGELOG.md +12 -0
data/README.md +1 -1
data/lib/watobo/constants.rb +1 -0
data/lib/watobo/core/chat.rb +4 -2
data/lib/watobo/core/cookie.rb +30 -16
data/lib/watobo/core/passive_scanner.rb +2 -2
data/lib/watobo/core/request.rb +1 -1
data/lib/watobo/core/response.rb +1 -1
data/lib/watobo/core/session.rb +15 -9
data/lib/watobo/gui/conversation_table.rb +6 -1
data/lib/watobo/gui/csrf_token_dialog.rb +1 -1
data/lib/watobo/gui/main_window.rb +20 -1
data/lib/watobo/gui/templates/plugin_base.rb +4 -5
data/lib/watobo/gui/utils/gui_utils.rb +5 -2
data/lib/watobo/gui/utils/load_plugins.rb +3 -3
data/lib/watobo/http_socket/client_socket.rb +24 -11
data/lib/watobo/http_socket/http_socket.rb +67 -0
data/lib/watobo/interceptor/proxy.rb +102 -104
data/lib/watobo/mixins/httpparser.rb +16 -17
data/lib/watobo/mixins/shapers.rb +6 -4
data/lib/watobo.rb +5 -1
data/modules/passive/possible_login.rb +2 -5
data/plugins/crawler/crawler.rb +1 -56
data/plugins/crawler/gui/crawler_gui.rb +4 -5
data/plugins/crawler/gui.rb +2 -90
data/plugins/crawler/lib/engine.rb +6 -3
data/plugins/crawler/lib/grabber.rb +4 -1
data/plugins/sqlmap/bin/test.rb +2 -1
data/plugins/sqlmap/gui.rb +2 -3
data/plugins/sqlmap/sqlmap.rb +1 -3
data/plugins/sslchecker/gui/sslchecker.rb +4 -4
metadata +2 -4
data/lib/watobo/http_socket/proxy.rb +0 -31
data/modules/active/RoR/cve_2013_015x.rb +0 -21

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,15 @@
+Version 0.9.14
+===
+Fixes
+---
+**Manual Request Editor**
+ * fixed crash when clicking OTT-Settings
+**Crawler**
+ * watobo stopped working when crawler was started (Linux only) - workaround
 Version 0.9.13
 ===
 News

data/README.md CHANGED Viewed

@@ -1,6 +1,6 @@
 WATOBO - THE Web Application Toolbox
 ===
-WATOBO is a security tool for web applications. It is intended to enable security professionals to perform efficient (semi-automated) web application security audits.
+WATOBO is a security tool for testing web applications. It is intended to enable security professionals to perform efficient (semi-automated) web application security audits.
 Most important features:

data/lib/watobo/constants.rb CHANGED Viewed

@@ -83,6 +83,7 @@ module Watobo#:nodoc: all
     AUTH_TYPE_BASIC =  0x01
     AUTH_TYPE_DIGEST = 0x02
     AUTH_TYPE_NTLM =   0x04
+    AUTH_TYPE_UNKNOWN = 0x10
     GUI_SMALL_FONT_SIZE = 7
     GUI_REGULAR_FONT_SIZE = 9

data/lib/watobo/core/chat.rb CHANGED Viewed

@@ -85,8 +85,6 @@ module Watobo#:nodoc: all
     def initialize(request, response, prefs = {})
       begin
-        super(request, response)
         @settings = {
           :source => CHAT_SOURCE_UNDEF,
           :id => -1,
@@ -95,6 +93,10 @@ module Watobo#:nodoc: all
           :comment => '',
           :tested => false
         }
+        super(request, response)
         @settings.update prefs
         #  puts @settings[:id].to_s

data/lib/watobo/core/cookie.rb CHANGED Viewed

@@ -19,35 +19,49 @@
 # along with WATOBO; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 # .
-# @private
+# @private
 module Watobo#:nodoc: all
-#Set-Cookie: mycookie=b41dc9e55d6163f78321996b10c940edcec1b4e55a76464c4e9d25e160ac0ec5b769806b; path=/; secure
+  #Set-Cookie: mycookie=b41dc9e55d6163f78321996b10c940edcec1b4e55a76464c4e9d25e160ac0ec5b769806b; path=/; secure
   class Cookie < Parameter
     attr :name
     attr :value
     attr :path
     attr :secure
     attr :http_only
     def name_value
-    "#{@name}=#{@value}"
+      "#{@name}=#{@value}"
     end
-    def initialize(prefs)
-      @secure = prefs.has_key?(:secure) ? prefs[:secure] : false
-      @http_only = prefs.has_key?(:http_only) ? prefs[:http_only] : false
-      @location = :cookie
+    def initialize(cookie_prefs)
+      @secure = false
+      @http_only = false
-      if prefs.is_a? Hash
-        #TODO: create cookie with hash-settings
+      if cookie_prefs.respond_to? :has_key?
+        @secure = prefs.has_key?(:secure) ? prefs[:secure] : false
+        @http_only = prefs.has_key?(:http_only) ? prefs[:http_only] : false
+        @location = :cookie
+        @path = prefs[:path]
+        @name = prefs[:name]
+        @value = prefs[:value]
       else
-        raise ArgumentError, "Need hash (:name, :value, ...) or string (Set-Cookie:...)"
+        chunks = cookie_prefs.split(";")
+        # first chunk
+        @name, @value = chunks.first.split(":").last.split("=")
+        m = cookie_prefs.match(/path=([^;]*)/)
+        @path = m.nil? ? "" : m[1].strip
+        @secure = true if chunks.select{|c| c =~ /Secure/i }
+        @http_only = true if chunks.select{|c| c =~ /HttpOnly/i }
       end
+      #if prefs.is_a? Hash
+      #  #TODO: create cookie with hash-settings
+      #  else
+      #  raise ArgumentError, "Need hash (:name, :value, ...) or string (Set-Cookie:...)"
+      #end
     end
   end
 end

data/lib/watobo/core/passive_scanner.rb CHANGED Viewed

@@ -40,8 +40,8 @@ module Watobo#:nodoc: all
                   test_module.do_test(chat)
                 rescue => bang
                   puts bang
-                  puts bang.backtrace if $DEBUG
-                  return false
+                  puts bang.backtrace #if $DEBUG
+                  #return false
                 end
               end
             end

data/lib/watobo/core/request.rb CHANGED Viewed

@@ -51,7 +51,7 @@ module Watobo#:nodoc: all
     end
     def copy
-      c = YAML.load(YAML.dump(self))
+      c = Watobo::Utils.copyObject self
       Watobo::Request.new c
     end

data/lib/watobo/core/response.rb CHANGED Viewed

@@ -46,7 +46,7 @@ module Watobo#:nodoc: all
     end
     def copy
-      c = YAML.load(YAML.dump(self))
+      c = Watobo::Utils.copyObject self
       Watobo::Request.new c
     end

data/lib/watobo/core/session.rb CHANGED Viewed

@@ -170,7 +170,11 @@ module Watobo#:nodoc: all
             #  timeout(6) do
             #puts "* no proxy - direct connection"
             tcp_socket = TCPSocket.new( host, port )
-            tcp_socket.setsockopt( Socket::SOL_SOCKET, Socket::SO_KEEPALIVE, 1)
+            optval = [1, 5000].pack("I_2")
+            tcp_socket.setsockopt Socket::SOL_SOCKET, Socket::SO_RCVTIMEO, optval
+            tcp_socket.setsockopt Socket::SOL_SOCKET, Socket::SO_SNDTIMEO, optval
+            tcp_socket.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1)
+            tcp_socket.setsockopt Socket::SOL_SOCKET, Socket::SO_KEEPALIVE, 1
             tcp_socket.sync = true
             socket =  tcp_socket
@@ -214,17 +218,19 @@ module Watobo#:nodoc: all
               unless request.has_body?
                 data << "\r\n" unless data =~ /\r\n\r\n$/
               end
-             # puts "= SESSION ="
-             # puts data
-             # puts data.unpack("H*")[0].gsub(/0d0a/,"0d0a\n")
+           #  puts "= SESSION ="
+           #  puts data
+           #  puts data.unpack("H*")[0]#.gsub(/0d0a/,"0d0a\n")
               unless socket.nil?
                 socket.print data
-               # if socket.is_a? OpenSSL::SSL::SSLSocket
-               #   socket.io.shutdown(Socket::SHUT_WR)
-               # else
-               #   socket.shutdown(Socket::SHUT_WR)
-               # end
+                socket.flush
+                # tell finished sending data
+                if socket.is_a? OpenSSL::SSL::SSLSocket
+                  socket.io.shutdown(Socket::SHUT_WR)
+                else
+                  socket.shutdown(Socket::SHUT_WR)
+                end
                 response_header = readHTTPHeader(socket, current_prefs)
               end
               # RESTORE URI FOR HISTORY/LOG

data/lib/watobo/gui/conversation_table.rb CHANGED Viewed

@@ -211,12 +211,13 @@ module Watobo#:nodoc: all
       end
       def addChat(chat, *prefs)
+        return false if chat.nil?
         if self.getNumRows <= 0 then
           clearConversation()
         # initColumns()
         end
-        @current_chat_list.push chat unless chat.nil?
+        @current_chat_list.push chat
         if prefs.include? :ignore_filter
           add_chat_row(chat)
         return true
@@ -379,6 +380,10 @@ module Watobo#:nodoc: all
       def add_chat_row(chat)
         return false unless chat.respond_to? :request
+        return false unless chat.respond_to? :response
+        return false if chat.request.nil?
+        return false if chat.response.nil?
         lastRowIndex = self.getNumRows
         self.appendRows(1)

data/lib/watobo/gui/csrf_token_dialog.rb CHANGED Viewed

@@ -240,7 +240,7 @@ module Watobo#:nodoc: all
         sunken = FXVerticalFrame.new(frame, :opts => LAYOUT_FILL_X|LAYOUT_FILL_Y|FRAME_SUNKEN, :padding => 0)
         @response_viewer = SidPreview.new(sunken, :opts => LAYOUT_FILL_X|LAYOUT_FILL_Y)
-        Watobo::Conf::Scanner.csrf_patterns.each do |p|
+        Watobo::Conf::OttCache.patterns.each do |p|
             item = @pattern_list.appendItem("#{p}")
             @pattern_list.setItemData(item, p)
           end

data/lib/watobo/gui/main_window.rb CHANGED Viewed

@@ -93,6 +93,18 @@ module Watobo#:nodoc: all
     end
+    @msg_lock.synchronize do
+      while @msg_queue.length > 0
+        msg = @msg_queue.shift
+        case msg
+        when :modal_finished
+          puts "stopping modal ..."
+          getApp.stopModal
+          puts "modal stopped"
+        end
+      end
+    end
   }
  end
@@ -766,7 +778,9 @@ module Watobo#:nodoc: all
             Watobo::Gui.clear_plugins
+            print "* load plugins ..."
             Watobo::Gui::Utils.load_plugins(@project)
+            print "[OK]\n"
             @sites_tree.project = @project
             @findings_tree.project = @project
@@ -780,7 +794,10 @@ module Watobo#:nodoc: all
             puts "!!! Could not create project :("
           ensure
           puts "* stop modal mode" if $DEBUG
-          getApp.stopModal
+          @msg_lock.synchronize do
+          #getApp.stopModal
+          @msg_queue << :modal_finished
+          end
           end
@@ -1165,9 +1182,11 @@ module Watobo#:nodoc: all
         @finding_lock = Mutex.new
         @chat_lock = Mutex.new
         @status_lock = Mutex.new
+        @msg_lock = Mutex.new
         @finding_queue = []
         @chat_queue = []
+        @msg_queue = []
         # setup clipboard
         @clipboard_text = ""

data/lib/watobo/gui/templates/plugin_base.rb CHANGED Viewed

@@ -42,11 +42,10 @@ module Watobo#:nodoc: all
       if order.empty?
         libs = Dir.glob("#{lpath}/*")
       else
-        libs = order
+        libs = order.map{|l| l.to_s + ".rb" }
       end
       libs.each do |lib|
-        puts "> #{lib.to_s}"
-      require File.join(lib.to_s)
+        load File.join(lib)
       end
     end
@@ -74,11 +73,11 @@ module Watobo#:nodoc: all
       if order.empty?
         libs = Dir.glob("#{gui_path}/*")
       else
-        libs = order
+        libs = order.map{|l| l.to_s + ".rb" }
       end
       libs.each do |lib|
         puts "loading gui-lib #{lib} ..."
-      require File.join(gui_path, lib.to_s)
+        load File.join(gui_path, lib)
       end
       else
         puts "WATOBO NOT IN GUI MODE!"

data/lib/watobo/gui/utils/gui_utils.rb CHANGED Viewed

@@ -44,8 +44,11 @@ module Watobo#:nodoc: all
         if text.is_a?(Request) or text.is_a?(Response)
           dummy = []
           text.each do |line|
-            chunk = line.gsub(/\r/,'').strip
-            dummy.push chunk.gsub("\x00","")
+             clean = line.unpack("C*").pack("C*")
+             clean.gsub!(/\r/,'')
+             clean.strip!
+             clean.gsub!("\x00","")
+            dummy << clean
           end
           return dummy.join("\n")
         elsif text.is_a? String

data/lib/watobo/gui/utils/load_plugins.rb CHANGED Viewed

@@ -55,7 +55,7 @@ module Watobo#:nodoc: all
               puts
               puts ">> ClassName: #{class_name}"
               puts
-              require pgf
+              load pgf
               class_constant = Watobo.class_eval(class_name)
               Watobo::Gui.add_plugin class_constant.new(Watobo::Gui.application, project)
@@ -64,7 +64,7 @@ module Watobo#:nodoc: all
               Dir["#{sub}/#{File.basename(sub)}.rb"].each do |plugin_file|
                 begin
                   puts "* processing plugin file #{plugin_file}" if $DEBUG
-                  require plugin_file
+                  load plugin_file
                   group = File.basename(sub)
                   plugin = File.basename(plugin_file).sub(/\.rb/,'')
                   # load "#{@settings[:module_path]}/#{modules}/#{check}"
@@ -86,7 +86,7 @@ module Watobo#:nodoc: all
               Dir["#{sub}/gui/#{File.basename(sub)}.rb"].each do |plugin_file|
                 begin
                   puts "* processing plugin file #{plugin_file}" if $DEBUG
-                  require plugin_file
+                  load plugin_file
                   group = File.basename(sub)
                   plugin = File.basename(plugin_file).sub(/\.rb/,'')
                   # load "#{@settings[:module_path]}/#{modules}/#{check}"

data/lib/watobo/http_socket/client_socket.rb CHANGED Viewed

@@ -32,6 +32,11 @@ module Watobo#:nodoc: all
       def write(data)
         @socket.write data
+        @socket.flush
+      end
+      def flush
+        @socket.flush
       end
       def close
@@ -39,11 +44,13 @@ module Watobo#:nodoc: all
         #if socket.class.to_s =~ /SSLSocket/
           if @socket.respond_to? :sysclose
           #socket.io.shutdown(2)
-          @socket.sysclose
-          elsif @socket.respond_to? :shutdown
-          @socket.shutdown(2)
-          elsif @socket.respond_to? :close
-          @socket.close
+            @socket.sysclose
+          elsif @socket.respond_to? :shutdown
+            @socket.shutdown(Socket::SHUT_RDWR)
+          end
+          # finally close it
+          if @socket.respond_to? :close
+            @socket.close
           end
           return true
         rescue => bang
@@ -55,7 +62,7 @@ module Watobo#:nodoc: all
       def read_header
         request = []
-        Watobo::HTTPSocket.read_header(@socket) do |line|
+        Watobo::HTTPSocket.read_client_header(@socket) do |line|
           request << line
         end
@@ -75,13 +82,12 @@ module Watobo#:nodoc: all
         begin
         unless @initial_request.nil?
           request = @initial_request.copy
-          puts request
           @initial_request = nil
         return request
         end
         request = read_header
-        puts request
         return nil if request.nil?
         clen = request.content_length
@@ -121,6 +127,13 @@ module Watobo#:nodoc: all
         ra = socket.remote_address
         cport = ra.ip_port
         caddr = ra.ip_address
+        optval = [1, 500_000].pack("I_2")
+        socket.setsockopt Socket::SOL_SOCKET, Socket::SO_RCVTIMEO, optval
+        socket.setsockopt Socket::SOL_SOCKET, Socket::SO_SNDTIMEO, optval
+        socket.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1)
+        socket.setsockopt Socket::SOL_SOCKET, Socket::SO_KEEPALIVE, 1
+        socket.sync = true
         session = socket
@@ -134,7 +147,7 @@ module Watobo#:nodoc: all
           begin
             ssl_socket = OpenSSL::SSL::SSLSocket.new(socket, ctx)
-            ssl_socket.setsockopt( Socket::SOL_SOCKET, Socket::SO_KEEPALIVE, 1)
+            #ssl_socket.setsockopt( Socket::SOL_SOCKET, Socket::SO_KEEPALIVE, 1)
             # ssl_socket.sync_close = true
             ssl_socket.sync = true
             # puts ssl_socket.methods.sort
@@ -245,7 +258,7 @@ module Watobo#:nodoc: all
           session = ssl_session
           request = nil
         else
-           puts "* create request object"
+          # puts "* create request object"
            request = Watobo::Request.new(request)
            site = request.site
            #puts request

data/lib/watobo/http_socket/http_socket.rb CHANGED Viewed

@@ -22,6 +22,31 @@
 # @private
 module Watobo#:nodoc: all
   module HTTPSocket
+    def self.close(socket)
+      def close
+        begin
+        #if socket.class.to_s =~ /SSLSocket/
+          if socket.respond_to? :sysclose
+          #socket.io.shutdown(2)
+          socket.sysclose
+          elsif @socket.respond_to? :shutdown
+            puts "SHUTDOWN"
+          socket.shutdown(Socket::SHUT_RDWR)
+          end
+          # finally close it
+          if socket.respond_to? :close
+            socket.close
+          end
+          return true
+        rescue => bang
+          puts bang
+          puts bang.backtrace if $DEBUG
+        end
+        false
+      end
+    end
     def self.siteAlive?(chat)
       #puts chat.class
       site = nil
@@ -267,6 +292,48 @@ module Watobo#:nodoc: all
         return if buf.strip.empty?
       end
     end
+    def self.read_client_header(socket)
+      buf = ''
+      while true
+        begin
+          #Timeout::timeout(1.5) do
+             buf = socket.gets
+          #end
+        rescue EOFError => e
+          puts "EOFError: #{e}"
+          #puts "!!! EOF: reading header"
+          # buf = nil
+          return true
+        rescue Errno::ECONNRESET => e
+          puts "ECONNRESET: #{e}"
+        #puts "!!! CONNECTION RESET: reading header"
+        #buf = nil
+        #return
+          #raise
+          return false
+        rescue Errno::ECONNABORTED => e
+          puts "ECONNABORTED: #{e}"
+          #raise
+          return false
+        rescue Timeout::Error => e
+          puts "TIMEOUT: #{e}"
+          return false
+        rescue => bang
+         # puts "!!! READING HEADER:"
+          # puts buf
+          puts bang
+          puts bang.backtrace
+          raise
+        end
+        return false if buf.nil?
+        yield buf if block_given?
+        return if buf.strip.empty?
+      end
+    end
   end
 end