watobo 0.9.20 → 0.9.21

data/lib/watobo/mixins/shapers.rb

@@ -43,7 +43,7 @@ module Watobo#:nodoc: all
         end
 
         def replaceURL(new_url)
-          self.first.gsub!(/(^[^[:space:]]{1,})(.*) (HTTP.*)/i,"\\1 #{new_url} \\3")
+          self.first.gsub!(/(^[^[:space:]]{1,}) (.*) (HTTP.*)/i,"\\1 #{new_url} \\3")                              
         end
 
         def replaceQuery(new_query)
@@ -63,6 +63,53 @@ module Watobo#:nodoc: all
           self.first.gsub!(/(^[^[:space:]]{1,} https?:\/\/[\-0-9a-zA-Z.]*[:0-9]{0,6}\/)(.*)( HTTP\/.*)/, "\\1#{dir}\\3")
         end
 
+        #
+        # set a new file extension, e.g. mysite.html to mysite.php
+        # if no extension nor a file is given, the new extension will only be appended
+        # note: the first leading dot will be removed 
+        # possible preferences are:
+        #   :keep_query    =>  keeps query parameters
+        #   default-set is empty
+        def set_file_extension(nxt, *prefs)
+          return self.first if nxt.nil?
+          nxt.gsub!(/^\./,'')
+          s = "#{self.first}"
+          fend = nil
+          pend = nil
+          
+          pstart = s.index('?')
+          pend = s.rindex(/ HTTP\//)
+          
+          fend = (pstart - 1) unless pstart.nil?
+          fend = ( pend - 1 ) if fend.nil?            
+            
+          return self.first if fend.nil?
+          
+          fstart = s.rindex('/', fend)
+          unless s[fstart-1] == '/'
+            fstart += 1 unless fstart.nil?
+          else
+            fstart = fend
+          end
+
+          fname = s[fstart..fend]
+          fname.gsub!(/\..*/,'')
+          fname << ".#{nxt}"
+
+          ns = s[0..fstart-1]
+          ns << fname
+          
+          if prefs.include? :keep_query
+            unless pstart.nil?
+              ns << s[pstart..pend]
+            end
+          end
+          
+          ns << s[pend..-1]
+          
+          self.first.replace ns
+        end
+
         def appendDir(dir)
           dir.strip!
           dir.gsub!(/^\//,"")
@@ -245,10 +292,7 @@ module Watobo#:nodoc: all
 
         def fix_content_length
           return false if self.body.nil?
-          #TODO: had trouble with length calculation of binary data in multipart request
-          # Workaround: toHex and then calculate length ... very time consuming :(
-          # 
-          #blen = self.body.unpack("H*")[0].length / 2
+          # had trouble with length calculation of binary data in multipart request          
           blen = self.body.force_encoding("ASCII-8BIT").length
           set_header("Content-Length" , blen)
         end

data/lib/watobo/mixins/transcoders.rb

@@ -20,23 +20,23 @@ module Watobo#:nodoc: all
       end
 
       def b64decode
-        err_count = 0
-          b64string = self
+        err_count = 0          
         begin
+          b64string = self.force_encoding('ASCII-8BIT')
           rs = Base64.strict_decode64(b64string)
           #rs = Base64.decode64(b64string)
           return rs
         rescue
-          b64string.gsub!(/.$/,'')
-          err_count += 1
-          retry if err_count < 4
-          return ""
+          #b64string.gsub!(/.$/,'')
+          #err_count += 1
+          #retry if err_count < 4
+          return self.to_s
         end
       end
 
       def b64encode
         begin
-          plain = self
+          plain = self.force_encoding('ASCII-8BIT')
           #rs = Base64.strict_encode64(plain)
           rs = Base64.strict_encode64(plain)
           # we only need a simple string without linebreaks
@@ -44,7 +44,7 @@ module Watobo#:nodoc: all
           #rs.strip!
           return rs
         rescue
-          return ""
+          return self.to_s
         end
       end
 

data/lib/watobo/sockets/connection.rb

@@ -95,7 +95,7 @@ module Watobo#:nodoc: all
           return nil
         end
          
-         header = [ "HTTP/1.1 200 OK\r\n", "Server: WATOBO\r\n", "Content-Length: #{msg.length.to_i}\r\n", "Content-Type: text/html\r\n", "\r\n", "#{msg}" ] unless msg.nil?
+         header = [ "HTTP/1.1 502 Bad Gateway\r\n", "Server: WATOBO\r\n", "Content-Length: #{msg.length.to_i}\r\n", "Content-Type: text/html\r\n", "\r\n", "#{msg}" ] unless msg.nil?
 
         response = Watobo::Response.new header
         #  update_sids(header)

data/lib/watobo/utils/load_chat.rb

@@ -11,6 +11,44 @@
 module Watobo#:nodoc: all
   module Utils
     
+    def Utils.loadChatMarshal(file)
+      begin
+        request = []
+        response = []
+        if File.exists?(file) then
+          puts "LoadChatMarshal: #{file}" if $DEBUG 
+          settings = {}
+          File.open(file,"rb") { |fh|
+             settings = Marshal::load(fh.read)
+             request = settings[:request]
+             response = settings[:response]
+             settings.delete(:response)
+             settings.delete(:request)
+             
+            }
+          
+          
+          chat = Watobo::Chat.new(request, response, settings)
+          chat.file = file
+          
+          return chat
+          
+        else
+          puts "* file #{file} not found"
+          return nil
+        end
+      rescue Psych::SyntaxError
+        puts "!!! Malformed File #{file}"
+      rescue => bang
+        puts "! could not load chat from file #{file}"
+        puts bang
+        puts bang.backtrace
+        #puts cdata
+        #puts bang
+        #puts bang.backtrace if $DEBUG
+      end
+    end
+    
     # loadChat returns a chat object imported from a yaml file
     def Utils.loadChatYAML(file)
       begin
@@ -68,6 +106,30 @@ module Watobo#:nodoc: all
     end
     
     
+    def Utils.loadFindingMarshal(file)
+      puts "LoadFindingMarshal: #{file}" if $DEBUG 
+      if File.exists?(file) then
+        begin
+        fdata  = nil
+        
+        File.open(file,"rb") {|f|
+          fdata = Marshal::load(f.read)        
+        }
+        
+        finding = Watobo::Finding.new(fdata[:request], fdata[:response], fdata[:details])
+        
+        return finding
+      rescue => bang
+        puts bang
+        puts "could not load finding #{file}"
+        return nil
+        end
+      else
+        #   puts "* file #{file} not found"
+        return nil
+      end
+    end
+    
     def Utils.loadFindingYAML(file)
       puts "LoadFindingYAML: #{file}" if $DEBUG 
       if File.exists?(file) then

data/lib/watobo/utils/response_hash.rb

@@ -138,11 +138,11 @@ module Watobo#:nodoc: all
         end
       rescue => bang
        # puts "VAL_CGI_Q: #{val_cgi_q}"
-      puts bang
-     
+       # return some random hash in case of an error
+      puts bang if $DEBUG     
       puts bang.backtrace if $DEBUG
       
-      return body, Digest::MD5.hexdigest(body||="")
+      return body, Digest::MD5.hexdigest(Time.now.to_f.to_s + rand(10000).to_s )
       end
     end
   end

data/lib/watobo.rb

@@ -52,7 +52,7 @@ dont_know_why_REQUIRE_hangs = Mechanize.new
 # @private 
 module Watobo#:nodoc: all #:nodoc: all
 
-  VERSION = "0.9.20"
+  VERSION = "0.9.21"
 
   def self.base_directory
     @base_directory ||= ""

data/modules/active/cq5/cq5_default_selectors.rb

@@ -0,0 +1,116 @@
+#.
+# cq5_default_selectors.rb
+#.
+# Copyright 2014 by siberas, http://www.siberas.de
+# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
+# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
+# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
+# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+
+# @private
+module Watobo#:nodoc: all
+  module Modules
+    module Active
+      module Cq5
+        #class Dir_indexing < Watobo::Mixin::Session
+        class Cq5_default_selectors < Watobo::ActiveCheck
+
+          @info.update(
+          :check_name => 'CQ5 Selectors',    # name of check which briefly describes functionality, will be used for tree and progress views
+          :description => "This module checks for default selectors.",   # description of checkfunction
+          :author => "Andreas Schmidt", # author of check
+          :version => "1.0",   # check version
+          :check_group => "CQ5"
+          )
+
+          @finding.update(
+          :threat => 'Selectors can reveal sensitive information about the application, e.g. password hashes (jackrabbit). Also, the query selector enables you to perform XPATH queries on the entire repository, which could slow your system down considerably, or even cause a denial of service if run multiple times',        # thread of vulnerability, e.g. loss of information
+          :class => "CQ5: Selectors",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
+          :type => FINDING_TYPE_VULN,         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
+          :rating => VULN_RATING_INFO
+          )
+          
+          def initialize(project, prefs={})
+            super(project, prefs)
+            
+            @checked_locations = []
+            @selectors = %w( query assets infinity children s7catalog pages feed feedentry tidy sysview docview permissions overlay 1 2 3 4 5 6 7 )
+            @extensions = %w( json html csv zip xml )
+            # specials are combinations which need one or more parameters to produce a valid result
+            @specials = %w( query.json?statement=%2F%2F%2A cqactions.json?path=/&depth=1&authorizableId=* permissions.overlay.json?path=/ )
+            
+            @mixed = @selectors.map{|s| @extensions.map{|e| s + '.' + e } }.flatten
+
+          end
+
+          def reset()
+            @checked_locations = []
+          end
+
+          def generateChecks(chat)
+             path = chat.request.path
+             return false if @checked_locations.include? path
+             @checked_locations << path
+             
+             test_extensions = @extensions
+             test_extensions.concat @specials
+             test_extensions.concat @mixed
+             
+             test_extensions.each do |ext|
+              checker = proc {
+                begin
+                  test_request = nil
+                  test_response = nil
+                  
+                  test = chat.copyRequest    
+                  
+                  # replace file extension only              
+
+                  test.set_file_extension(ext)
+
+                  status, test_request, test_response = fileExists?(test)
+
+                  if status == true and test_response.content_type != chat.response.content_type and test_response.status_code < 300
+                    
+                    addFinding(  test_request, test_response,
+                      :test_item => "#{test_request.url}",
+                      :proof_pattern => "#{test_response.status}",
+                      :chat => chat,
+                      :title => "[#{ext}]"
+                      )
+
+                  end
+                  
+                  # also test extensions on the path
+                  test = chat.copyRequest                 
+
+                  test.replaceFileExt(".#{ext}")
+
+                  status, test_request, test_response = fileExists?(test)
+
+                  if status == true and test_response.content_type != chat.response.content_type and test_response.status_code < 300
+                    
+                    addFinding(  test_request, test_response,
+                      :test_item => "#{test_request.url}",
+                      :proof_pattern => "#{test_response.status}",
+                      :chat => chat,
+                      :title => "[#{ext}]"
+                      )
+
+                  end
+                rescue => bang
+                  puts bang
+                  puts bang.backtrace if $DEBUG
+                end
+                [ test_request, test_response ]
+
+              }
+              yield checker
+            end
+
+          end
+        end
+      end
+    end
+  end
+end

data/modules/active/cq5/cqp_user_enumeration.rb

@@ -0,0 +1,134 @@
+#.
+# cqp_user_enumeration.rb
+#.
+# Copyright 2014 by siberas, http://www.siberas.de
+# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
+# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
+# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
+# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+
+# @private
+module Watobo#:nodoc: all
+  module Modules
+    module Active
+      module Cq5
+        #class Dir_indexing < Watobo::Mixin::Session
+        class Cqp_user_enumeration < Watobo::ActiveCheck
+
+          @info.update(
+          :check_name => 'CQ5 CQP User Enumeration',    # name of check which briefly describes functionality, will be used for tree and progress views
+          :description => "This module checks if CQ JSON extension is aktive and enumerates all usernames.",   # description of checkfunction
+          :author => "Andreas Schmidt", # author of check
+          :version => "1.0",   # check version
+          :check_group => "CQ5"
+          )
+
+          @finding.update(
+          :threat => 'Information Disclosure.',        # thread of vulnerability, e.g. loss of information
+          :class => "CQ5: Users",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
+          :type => FINDING_TYPE_VULN,         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
+          :rating => VULN_RATING_INFO
+          )
+          def initialize(project, prefs={})
+            super(project, prefs)
+
+          end
+
+          def reset()
+            @checked_locations = []
+          end
+
+          def generateChecks(chat)
+
+            path = chat.request.path
+            return false if @checked_locations.include? path
+            @checked_locations << path
+            #
+            # via JSON Extension
+
+            checker = proc {
+              begin
+                test_request = nil
+                test_response = nil
+
+                test = chat.copyRequest
+
+                test.set_file_extension('.json')
+
+                status, test_request, test_response = fileExists?(test)
+
+                if status == true and test_response.has_body?
+                  if test_response.content_type =~ /json/
+                    j = JSON.parse test_response.body.to_s
+                    username = j['jcr:createdBy']
+                    puts "\nCQ5 User: #{username}"
+                    addFinding(  test_request, test_response,
+                      :test_item => "#{test_request.url}",
+                      :proof_pattern => "jcr:createdBy.*#{username}",
+                      :chat => chat,
+                      :threat => "Usernames may help an attacker to perform authorization attacks, e.g. brute-force attacks.",
+                      :title => "[#{username}]"
+                      )
+                  end
+
+                end
+              rescue => bang
+                puts bang
+                puts bang.backtrace if $DEBUG
+              end
+              [ test_request, test_response ]
+
+            }
+            yield checker
+
+            #
+            # via XML Extension
+            
+            checker = proc {
+              begin
+                test_request = nil
+                test_response = nil
+
+                test = chat.copyRequest
+
+                test.set_file_extension('.xml')
+
+                status, test_request, test_response = fileExists?(test)
+
+                if status == true and test_response.has_body?
+                  if test_response.content_type =~ /xml/
+                    xml = Nokogiri::XML(test_response.body.to_s)
+                    xml.traverse do |node|
+                      next unless node.respond_to? :attributes
+                      node.attributes.each do |attr|
+                        if attr[0] =~ /By$/i
+                          username = attr[1]  
+                          addFinding(  test_request, test_response,
+                      :test_item => "#{test_request.url}",
+                      :proof_pattern => "#{attr[0]}.*#{username}",
+                      :chat => chat,
+                      :threat => "Usernames may help an attacker to perform authorization attacks, e.g. brute-force attacks.",
+                      :title => "[#{username}]"
+                      )
+                        end
+                      end
+                    end
+
+                  end
+
+                end
+              rescue => bang
+                puts bang
+                puts bang.backtrace if $DEBUG
+              end
+              [ test_request, test_response ]
+
+            }
+            yield checker
+
+          end
+        end
+      end
+    end
+  end
+end