watobo 0.9.20 → 0.9.21

data/lib/watobo/gui/edit_scope_dialog.rb

@@ -26,7 +26,7 @@ module Watobo#:nodoc: all
 
       def initialize(owner, prefs)
         #super(owner, "Edit Target Scope", DECOR_TITLE|DECOR_BORDER, :width => 300, :height => 425)
-        super(owner, "Edit Target Scope", DECOR_ALL, :width => 300, :height => 425)
+        super(owner, "Edit Target Scope", DECOR_ALL, :width => 350, :height => 425)
         
         @scope = Hash.new
 

data/lib/watobo/gui/fuzzer_gui.rb

@@ -62,6 +62,8 @@ module Watobo#:nodoc: all
                      fuzz_request.extend Watobo::Mixin::Parser::Url
 
                      test_request, test_response = doRequest(fuzz_request, @prefs)
+                     
+                     notify(:stats, test_response)
 
                      notify(:fuzzer_match, test_fuzzle, test_request, test_response, test_response.join) if @filter_list.empty?
 
@@ -359,10 +361,36 @@ module Watobo#:nodoc: all
          end
 
          def addResponse(response)
+           
+           @log_queue << response
+
+         end
+
+         def clearResponseCodeTable()
+            @response_code_tbl.clearItems()
+            @response_code_tbl.setTableSize(0, 2)
+
+            @response_code_tbl.setColumnText( 0, "STATUS" )
+            @response_code_tbl.setColumnText( 1, "COUNT" )
+
+            @response_code_tbl.rowHeader.width = 0
+            @response_code_tbl.setColumnWidth(0, 70)
+
+            @response_code_tbl.setColumnWidth(1, 70)
 
-            return nil unless response.respond_to? :status
 
-            @lock.synchronize {
+         end
+         
+         def start_update_timer
+        @timer = FXApp.instance.addTimeout( 1000, :repeat => true) {
+          #print @log_queue.length
+          while @log_queue.length > 0
+            response = @log_queue.deq
+            
+            if response.respond_to? :status
+              @count_total += 1
+              @count_text.text = "Total: #{@count_total}"
+
                cstatus = response.status
                count_item = nil
                @response_code_tbl.getNumRows.times do |i|
@@ -381,24 +409,13 @@ module Watobo#:nodoc: all
                   c = count_item.text.to_i
                   count_item.text = ( c + 1 ).to_s
                end
-            }
-
-         end
-
-         def clearResponseCodeTable()
-            @response_code_tbl.clearItems()
-            @response_code_tbl.setTableSize(0, 2)
-
-            @response_code_tbl.setColumnText( 0, "STATUS" )
-            @response_code_tbl.setColumnText( 1, "COUNT" )
-
-            @response_code_tbl.rowHeader.width = 0
-            @response_code_tbl.setColumnWidth(0, 70)
-
-            @response_code_tbl.setColumnWidth(1, 70)
-
+               @count_text.handle(self, FXSEL(SEL_UPDATE, 0), nil)
+            end
+        
+          end
+          }
 
-         end
+      end
 
          def clearResponseLengthTable()
             @response_length_tbl.clearItems()
@@ -419,13 +436,18 @@ module Watobo#:nodoc: all
                @response_length_tbl.getItem(lastRowIndex, 1).justify = FXTableItem::LEFT
             end
          end
-
+         
+         
          def initialize(parent, opts)
             super(parent, opts)
 
-            @lock = Mutex.new
+            @log_queue = Queue.new
 
             @count_total = 0
+            
+            @count_text = FXLabel.new(self, "Total: 0")
+            @count_text.setFont(FXFont.new(getApp(), "helvetica", 11, FONTWEIGHT_BOLD, FONTENCODING_DEFAULT))
+            
             counter_frame = FXHorizontalFrame.new(self, :opts => LAYOUT_FILL_X|LAYOUT_FILL_Y)
             response_code_gb = FXGroupBox.new(counter_frame, "Response Codes", LAYOUT_SIDE_BOTTOM|FRAME_GROOVE|LAYOUT_FILL_X|LAYOUT_FILL_Y, 0, 0, 0, 0)
             frame = FXVerticalFrame.new(response_code_gb, :opts => LAYOUT_FILL_X|LAYOUT_FILL_Y )
@@ -439,7 +461,11 @@ module Watobo#:nodoc: all
             sunken = FXVerticalFrame.new(frame, :opts => LAYOUT_FILL_X|LAYOUT_FILL_Y|FRAME_SUNKEN|FRAME_THICK, :padding => 0)
             @response_length_tbl = FXTable.new(sunken, :opts => FRAME_SUNKEN|TABLE_COL_SIZABLE|TABLE_ROW_SIZABLE|LAYOUT_FILL_X|LAYOUT_FILL_Y|TABLE_READONLY|LAYOUT_SIDE_TOP, :padding => 2)
             @response_length_tbl.columnHeader.connect(SEL_COMMAND) { }
+            
+            
             clearResponseLengthTable()
+            
+            start_update_timer
          end
       end
 
@@ -909,12 +935,17 @@ module Watobo#:nodoc: all
                      return 0 if response != MBOX_CLICKED_YES
 
                   end
-                  fh = File.new(filename, "w")
+                  r = []
                   @matchTable.numRows.times do |i|
                      #puts items[1].to_s
+                     tv = @matchTable.getItemData(i,0)
                      data = @matchTable.getItemData(i,1)
-                     fh.puts data.strip if data
+                      if data
+                        r << { :tag => tv, :data => data.strip }
+                      end
                   end
+                  fh = File.new(filename, "w")
+                  fh.puts YAML.dump(r)
                   fh.close
                end
             rescue => bang
@@ -954,6 +985,7 @@ module Watobo#:nodoc: all
             lastRowIndex = @matchTable.getNumRows
             @matchTable.appendRows(1)
             @matchTable.setItemText(lastRowIndex, 0, s.join("\n"))
+            @matchTable.setItemData(lastRowIndex, 0, fuzzle )
             @matchTable.getItem(lastRowIndex, 0).justify = FXTableItem::LEFT
             @matchTable.fitRowsToContents(lastRowIndex)
             cell_text = match.gsub(/(\n+|\r+)/, " ")
@@ -999,6 +1031,12 @@ module Watobo#:nodoc: all
                @pbar.increment(1)
             }
 
+            @stat_viewer.clearView
+            
+            check_list.first.subscribe(:stats) { |response|
+               @stat_viewer.addResponse(response)
+            }
+            
             check_list.first.subscribe(:fuzzer_match) { |fuzzle, request, response, match|
                @stat_viewer.addResponse(response)
                addMatch(fuzzle, match)

data/lib/watobo/gui/main_window.rb

@@ -1418,7 +1418,7 @@ module Watobo#:nodoc: all
 
         # C H A T   T A B L E
         @chatTable = ConversationTable.new(@conversation_table_ctrl )
-        @conversation_table_ctrl.table= @chatTable
+        @conversation_table_ctrl.table = @chatTable
 
         @chatTable.autoscroll =  true
 =begin

data/lib/watobo/gui/scanner_settings_dialog.rb

@@ -18,6 +18,7 @@ module Watobo#:nodoc: all
         settings[:max_parallel_checks] = @max_par_checks.value
         settings[:smart_scan] = @enable_smart_scan.checked?
         settings[:run_passive_checks] = @enable_passive_checks.checked?
+        settings[:ignore_server_errors] = @ignore_server_errors.checked?
         
         settings[:scanlog_dir] = ''
         if @log_scan_cb.checked? then
@@ -104,6 +105,20 @@ module Watobo#:nodoc: all
         text = "If Smart Scan is enabled the scanner will reduce the number of checks."
         fxtext.setText(text)
         
+        gbox = FXGroupBox.new(scroll_area, "Response Codes", LAYOUT_SIDE_LEFT|FRAME_GROOVE|LAYOUT_FILL_X, 0, 0, 0, 50)
+        gbframe = FXVerticalFrame.new(gbox, :opts => LAYOUT_FILL_X|LAYOUT_FILL_Y, :padding => 0)
+        frame = FXHorizontalFrame.new(gbframe, :opts => LAYOUT_FILL_X, :padding => 0)
+        @ignore_server_errors = FXCheckButton.new(frame, "Ignore Server Errors ", nil, 0, JUSTIFY_LEFT|JUSTIFY_TOP|ICON_BEFORE_TEXT)
+        @ignore_server_errors.checkState = @settings[:ignore_server_errors]
+        
+        #@edit_uniq_parms_btn = FXButton.new(frame, "Non-Unique Parms", :opts => LAYOUT_RIGHT|FRAME_RAISED)
+        
+        fxtext = FXText.new(gbframe, :opts => LAYOUT_FILL_X|LAYOUT_FILL_Y|TEXT_WORDWRAP)
+        fxtext.backColor = fxtext.parent.backColor
+        fxtext.disable
+        text = "Handle error codes (5xx) as file does not exist"
+        fxtext.setText(text)
+        
         
         gbox = FXGroupBox.new(scroll_area, "Passive Checks", LAYOUT_SIDE_LEFT|FRAME_GROOVE|LAYOUT_FILL_X, 0, 0, 0, 150)
         gbframe = FXVerticalFrame.new(gbox, :opts => LAYOUT_FILL_X|LAYOUT_FILL_Y, :padding => 0)

data/lib/watobo/http/data/json.rb

@@ -33,10 +33,16 @@ module Watobo#:nodoc: all
         parms = []
         json_str = @root.body.to_s
         
+        begin
         JSON.parse(json_str).each do |k,v|
           val = v.is_a?(String) ? v : v.to_s
           parms << Watobo::JSONParameter.new( :name => k, :value => val )
         end
+        rescue => bang
+          puts "! could not parse JSON parameters !"
+          puts @root.headers
+          puts json_str.gsub(/[^[:print:]]/, '.')
+        end
         parms
       end
 

data/lib/watobo/interceptor/html/index.html

@@ -0,0 +1,13 @@
+<html>
+	<head>
+		<title>WATOBO - Interceptor</title>
+	</head>
+	<body>
+		<h1>Thank you for using WATOBO - The Webapplication Toolbox</h1>
+		Info:<br>
+		Version: WATOBO_VERSION<br />
+		Home dir: WATOBO_HOME<br />
+		<br /><br />
+		<a href="watobo.pem">Download Certificate</a>
+	</body>
+</html>

data/lib/watobo/interceptor/proxy.rb

@@ -27,6 +27,50 @@ module Watobo#:nodoc: all
       def self.transparent?
         return true if ( Watobo::Conf::Interceptor.proxy_mode & Watobo::Interceptor::MODE_TRANSPARENT ) > 0
         return false
+      end
+      
+      
+      
+      def watobo_srv_get(file)
+          srv_file = file.empty? ? File.join(@srv_path, 'index.html') : File.join(@srv_path, file)
+          if File.exist? srv_file
+            ct = case srv_file
+            when /\.ico/
+              "image/vnd.microsoft.icon"
+            when /\.htm/
+              'text/html; charset=iso-8859-1'
+            else
+              'text/plain'
+            end
+            headers = [ "HTTP/1.0 200 OK", "Server: Watobo-Interceptor", "Connection: close", "Content-Type: #{ct}"]
+            content = File.open(srv_file,"rb").read
+            content.gsub!('WATOBO_VERSION', Watobo::VERSION )
+            content.gsub!('WATOBO_HOME', Watobo.working_directory )
+            headers << "Content-Length: #{content.length}"
+            r = headers.join("\r\n")
+            r << "\r\n\r\n"
+            r << content
+            return r
+          end
+          
+          headers = [ "HTTP/1.0 404 Not Found", "Server: Watobo-Interceptor", "Connection: close", "Content-Type: text/plain; charset=iso-8859-1"]
+          content = "The requested file (#{file}) does not exist in the interceptor web folder."
+          headers << "Content-Length: #{content.length}"
+          r = headers.join("\r\n")
+          r << "\r\n\r\n"
+          r << content
+          return r
+            
+      end
+      
+      def cert_response
+          crt_file = File.join(Watobo.working_directory, "CA", "cacert.pem")
+          headers = [ "HTTP/1.0 200 OK", "Server: Watobo-Interceptor", "Connection: close", "Content-Type: application/x-pem-file"]
+          content = File.read(crt_file)
+          headers << "Content-Length: #{content.length}"
+          r = headers.join("\r\n")
+          r << "\r\n\r\n"
+          r << content
       end
 
       def server
@@ -183,6 +227,19 @@ module Watobo#:nodoc: all
               end
             #next
             Thread.exit
+            end
+            
+            # check for watobo info page
+            if request.host =~ /^watobo$/
+              if request.path =~ /watobo\.pem/
+                response = cert_response
+              else
+                response = watobo_srv_get(request.path)
+              end
+              
+              c_sock.write response
+              c_sock.close
+              Thread.exit
             end
 
             request_intercepted = false
@@ -231,17 +288,16 @@ module Watobo#:nodoc: all
               Thread.exit
             end
            
-            # check if response should be passed throug
+            # check if response should be passed through
             #Thread.current.exit if isPassThrough?(req, resp, s_sock, c_sock)
             if isPassThrough?(req, resp, s_sock, c_sock)
+              #puts "[Interceptor] PassThrough >> #{req.url}"
               Watobo::HTTPSocket.close s_sock
               c_sock.close                
               Thread.exit
             end
-            #p "no pass-through"
-
+           
             begin
-            # puts "* got response status: #{resp.status}"
               missing_credentials = false
               rs = resp.status
               auth_type = AUTH_TYPE_NONE
@@ -271,18 +327,11 @@ module Watobo#:nodoc: all
                       resp.unshift "HTTP/1.1 200 OK\r\n"
                     end
                   end
-                #else
-
-                #resp.push "WATOBO: Unknown authorization type.<br><br>\r\n" + resp.join("<br>\r\n")
-                #resp.shift
-                #resp.unshift "HTTP/1.1 200 OK\r\n"
-                #resp.fix_content_length
-
                 end
               end
-              
-              unless auth_type == AUTH_TYPE_UNKNOWN or req.method =~ /^head/i
-                # don't try to read body if request method is HEAD
+           
+              # don't try to read body if request method is HEAD
+              unless auth_type == AUTH_TYPE_UNKNOWN or req.method =~ /^head/i           
                 sender.readHTTPBody(s_sock, resp, req, :update_sids => true)
                 Watobo::HTTPSocket.close s_sock
               end
@@ -319,8 +368,8 @@ module Watobo#:nodoc: all
               end
 
              # puts ">> SEND TO CLIENT"
-         #    puts ">>C<< - Close: #{request.connection_close?}"
-             #request.headers("Connection"){ |h| puts h }
+             # puts ">>C<< - Close: #{request.connection_close?}"
+             # request.headers("Connection"){ |h| puts h }
              
              if missing_credentials
                resp.set_header("Connection", "close")
@@ -388,7 +437,9 @@ module Watobo#:nodoc: all
 
           #Watobo::Interceptor.proxy_mode = INTERCEPT_NONE
 
-          init_instance_vars
+          init_instance_vars
+          
+          @srv_path = File.join(File.dirname(__FILE__),'html')
 
           @awaiting_requests = 0
           @awaiting_responses = 0
@@ -658,7 +709,8 @@ module Watobo#:nodoc: all
         begin
          # return false if true
           reason = nil
-          clen = response.content_length
+          clen = response.content_length
+         
           # no pass-through necessary if request method is HEAD
           return false if request.method =~ /^head/i
 

data/lib/watobo/mixins/httpparser.rb

@@ -215,6 +215,7 @@ module Watobo#:nodoc: all
         end
         url
       end
+    #  alias :url :url_string
 
       def site
         #@site ||= nil
@@ -422,10 +423,10 @@ module Watobo#:nodoc: all
         self.headers.each do |header|
           begin
           if header =~ /^#{header_name}/i then
-            dummy = header.split(/:/)
-            value=dummy[1]
-            value.gsub!(/^[ ]*/,"")
-            header_values.push value
+            vstart = header.index ':'
+            unless vstart.nil?
+              header_values.push header[vstart+1..-1].strip
+            end
           end
           rescue => bang
             puts bang
@@ -438,11 +439,21 @@ module Watobo#:nodoc: all
       def content_type(default_ct='undefined')
         ct = default_ct
         self.each do |line|
+          begin
           break if line.strip.empty?
-          if line =~ /^Content-Type:([^;]*);?/i then
+          #cl = line.encode('ASCII', :invalid => :replace, :undef => :replace)
+          cl = line.force_encoding('ASCII-8BIT')
+          if cl =~ /^Content-Type:([^;]*);?/i then
             ct = $1
             break
           end
+          rescue => bang
+            puts "! could not parse content_type !"
+            puts bang
+            puts cl
+#            puts cl.gsub(/[^[:print:]]/, '.')
+
+          end
         end
         return ct.strip
       end
@@ -451,7 +462,9 @@ module Watobo#:nodoc: all
         ct = default_ct
         self.each do |line|
           break if line.strip.empty?
-          if line =~ /^Content-Type:(.*)/i then
+          # cl = line.encode('ASCII', :invalid => :replace, :undef => :replace)
+          cl = line.force_encoding('ASCII-8BIT')
+          if cl =~ /^Content-Type:(.*)/i then
             ct = $1.strip
             break
           end
@@ -654,13 +667,15 @@ def content_encoding
         return b.unpack("C*").pack("C*")
       end
 
-      def responseCode
+      def status_code
         if self.first =~ /^HTTP\/... (\d+) /
           return $1
         else
           return nil
         end
       end
+      
+      alias :responseCode :status_code
 
 # returns array of new cookies 
 # Set-Cookie: mycookie=b41dc9e55d6163f78321996b10c940edcec1b4e55a76464c4e9d25e160ac0ec5b769806b; Path=/
@@ -708,23 +723,18 @@ end
 
       def headers(filter=nil, &b)
         begin
+          filter = '.*' if filter.nil?
         header_list=[]
         self.each do |line|
-          cl = line.unpack("C*").pack("C*")
+          cl = line.force_encoding('ASCII-8BIT')
           return header_list if cl.strip.empty?
-          unless filter.nil?
-            if cl =~ /#{filter}/
-              yield line if block_given?
-              header_list.push line
-            end
-          else
+          if cl =~ /#{filter}/
             yield line if block_given?
             header_list.push line
-          end
+          end          
         end
         return header_list
         rescue => bang
-          puts "! no headers available !".upcase
           puts bang
           puts bang.backtrace
           if $DEBUG