watobo 0.9.21 → 0.9.23

data/lib/watobo/core/ott_cache.rb

@@ -1,88 +1,79 @@
-#.
-# ott_cache.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # @private 
-module Watobo#:nodoc: all
-  class OTTCache
-    @otts = {}
-    @otts_lock = Mutex.new
-    
-    attr :tokens
-    
-    def initialize()
-      @tokens = {}
-      @tokens_lock = Mutex.new
-    end
-    
-    def self.acquire(request)
-      urh = request.uniq_hash
-      unless @otts.has_key? urh
-        @otts[urh] = OTTCache.new()
-      end
-      @otts[urh]
-    end
-    
-    
-    def self.patterns(&block)
-   
-        Watobo::Conf::OttCache.patterns.each do |p|
-          yield p if block_given?
-        end
-        YAML.load(YAML.dump(Watobo::Conf::OttCache.patterns))
-   
-    end
-    
-      
-    def update_tokens(response)
-        
-        begin
-          #   site = request.site
-          @tokens_lock.synchronize do
-            response.each do |line|
-              # puts line
-              self.class.patterns do |pat|
-                puts pat if $DEBUG
-                if line =~ /#{pat}/i then
-                  token_key = Regexp.quote($1.upcase)
-                  token_value = $2
-                  #print "U"
-                    puts "GOT NEW TOKEN (#{token_key}): #{token_value}" if $DEBUG
-                  #   @session[:valid_csrf_tokens][site] = Hash.new if @session[:valid_csrf_tokens][site].nil?
-                  #   @session[:valid_csrf_tokens][site][token_key] = token_value
-                  @tokens[token_key] = token_value
-                end
-              end
-
-            end
-          end
-        rescue => bang
-          puts bang
-          if $DEBUG
-          puts bang.backtrace 
-          puts "= Request"
-          puts request 
-          puts "= Response"
-          puts response
-          puts "==="
-          end
-
-        end
-        # }
-      end
-    
-    # target could be a Watobo::Chat or a Watobo::Request object
-    def self.set_chat_ids(target, ott_chat_ids)
-      r = target
-      r = target.request if target.respond_to? :request
-      @otts_lock.synchronize do
-        Watobo::Conf::OttCache.request_ids[r.uniq_hash] = ott_chat_ids
-      end
+module Watobo#:nodoc: all
+  class OTTCache
+    @otts = {}
+    @otts_lock = Mutex.new
+    
+    attr :tokens
+    
+    def initialize()
+      @tokens = {}
+      @tokens_lock = Mutex.new
+    end
+    
+    def self.acquire(request)
+      urh = request.uniq_hash
+      unless @otts.has_key? urh
+        @otts[urh] = OTTCache.new()
+      end
+      @otts[urh]
+    end
+    
+    
+    def self.patterns(&block)
+   
+        Watobo::Conf::OttCache.patterns.each do |p|
+          yield p if block_given?
+        end
+        YAML.load(YAML.dump(Watobo::Conf::OttCache.patterns))
+   
+    end
+    
+      
+    def update_tokens(response)
+        
+        begin
+          #   site = request.site
+          @tokens_lock.synchronize do
+            response.each do |line|
+              # puts line
+              self.class.patterns do |pat|
+                puts pat if $DEBUG
+                if line =~ /#{pat}/i then
+                  token_key = Regexp.quote($1.upcase)
+                  token_value = $2
+                  #print "U"
+                    puts "GOT NEW TOKEN (#{token_key}): #{token_value}" if $DEBUG
+                  #   @session[:valid_csrf_tokens][site] = Hash.new if @session[:valid_csrf_tokens][site].nil?
+                  #   @session[:valid_csrf_tokens][site][token_key] = token_value
+                  @tokens[token_key] = token_value
+                end
+              end
+
+            end
+          end
+        rescue => bang
+          puts bang
+          if $DEBUG
+          puts bang.backtrace 
+          puts "= Request"
+          puts request 
+          puts "= Response"
+          puts response
+          puts "==="
+          end
+
+        end
+        # }
+      end
+    
+    # target could be a Watobo::Chat or a Watobo::Request object
+    def self.set_chat_ids(target, ott_chat_ids)
+      r = target
+      r = target.request if target.respond_to? :request
+      @otts_lock.synchronize do
+        Watobo::Conf::OttCache.request_ids[r.uniq_hash] = ott_chat_ids
+      end
     end
     
     def self.requests(target, &block)
@@ -93,68 +84,68 @@ module Watobo#:nodoc: all
         ott_requests << ott_request
       end
       ott_requests
-    end
-    
-    # returns an array of Watobo::Requests which are necessary 
-    # to update the token
-    def self.chats(target, &block)
+    end
+    
+    # returns an array of Watobo::Requests which are necessary 
+    # to update the token
+    def self.chats(target, &block)
       ott_chats = []
-      return ott_chats if target.nil?
+      return ott_chats if target.nil?
       request = target.respond_to?(:request) ? target.request : target
       urh = request.uniq_hash
-      
-      @otts_lock.synchronize do
-        return ott_chats unless Watobo::Conf::OttCache.request_ids.has_key? urh
-        Watobo::Conf::OttCache.request_ids[urh].each do |id|
-         #puts "* [OTT] get chat for id #{id}"
+      
+      @otts_lock.synchronize do
+        return ott_chats unless Watobo::Conf::OttCache.request_ids.has_key? urh
+        Watobo::Conf::OttCache.request_ids[urh].each do |id|
+         #puts "* [OTT] get chat for id #{id}"
           chat = Watobo::Chats.get_by_id(id)
           unless chat.nil?  
-          #ottr = chat.copyRequest
+          #ottr = chat.copyRequest
           ott_chats << chat 
           yield chat if block_given?
-          end
-        end
-      end
-      ott_chats
-    end
-    
-    
-    # update tokens for a specific request
-    def update_request(request)     
-      #urh = target_request.uniq_hash 
-      #return false unless @tokens.has_key? urh       
-        @tokens_lock.synchronize do       
-          request.map!{ |line|
-            res = line
-            self.class.patterns do |pat|
-              begin
-                if line =~ /#{pat}/i then
-                  key = Regexp.quote($1.upcase)
-                  old_value = $2
-                  if @tokens.has_key?(key) then
-                    res = line.gsub!(/#{Regexp.quote(old_value)}/, @tokens[key])
-                    if res.nil? then
-                      res = line
-                      puts "!!!could not update token (#{key})"
-                    end
-                  else
-                    if $DEBUG
-                      puts "[OTT] nothing to update?"
-                      puts @tokens.to_yaml
-                      puts request
-                    end 
-                  end
-                end
-              rescue => bang
-                puts bang
-                puts bang.backtrace if $DEBUG
-                # puts @session.to_yaml
-              end
-            end
-            res
-          }
-        end
-        # end
-      end
-  end
+          end
+        end
+      end
+      ott_chats
+    end
+    
+    
+    # update tokens for a specific request
+    def update_request(request)     
+      #urh = target_request.uniq_hash 
+      #return false unless @tokens.has_key? urh       
+        @tokens_lock.synchronize do       
+          request.map!{ |line|
+            res = line
+            self.class.patterns do |pat|
+              begin
+                if line =~ /#{pat}/i then
+                  key = Regexp.quote($1.upcase)
+                  old_value = $2
+                  if @tokens.has_key?(key) then
+                    res = line.gsub!(/#{Regexp.quote(old_value)}/, @tokens[key])
+                    if res.nil? then
+                      res = line
+                      puts "!!!could not update token (#{key})"
+                    end
+                  else
+                    if $DEBUG
+                      puts "[OTT] nothing to update?"
+                      puts @tokens.to_yaml
+                      puts request
+                    end 
+                  end
+                end
+              rescue => bang
+                puts bang
+                puts bang.backtrace if $DEBUG
+                # puts @session.to_yaml
+              end
+            end
+            res
+          }
+        end
+        # end
+      end
+  end
 end

data/lib/watobo/core/parameter.rb

@@ -1,56 +1,47 @@
-#.
-# parameter.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # @private 
-module Watobo#:nodoc: all
-=begin 
-  
- possible locations
- - url
- - header
- - cookie
- - data (body)
-
-=end
-  class Parameter
-    attr :location
-    attr :name
-    attr_accessor :value
-    
-    def initialize(prefs)
-      @location = nil
-      @name = prefs[:name]
+module Watobo#:nodoc: all
+=begin 
+  
+ possible locations
+ - url
+ - header
+ - cookie
+ - data (body)
+
+=end
+  class Parameter
+    attr :location
+    attr :name
+    attr_accessor :value
+    
+    def initialize(prefs)
+      @location = nil
+      @name = prefs[:name]
       @value = prefs[:value]
-      @prefs = prefs      
-    end
-  end
-  
-  class WWWFormParameter < Parameter
-    def initialize(prefs)
-      super prefs
-      @location = :data
-    end
-  end
-  
-  
-  class UrlParameter < Parameter
-    def initialize(prefs)
-      super prefs
-      @location = :url
-    end
-  end
-  
-  class CookieParameter < Parameter
-    def initialize(prefs)
-      super prefs
-      @location = :cookie
-    end
+      @prefs = prefs      
+    end
+  end
+  
+  class WWWFormParameter < Parameter
+    def initialize(prefs)
+      super prefs
+      @location = :data
+    end
+  end
+  
+  
+  class UrlParameter < Parameter
+    def initialize(prefs)
+      super prefs
+      @location = :url
+    end
+  end
+  
+  class CookieParameter < Parameter
+    def initialize(prefs)
+      super prefs
+      @location = :cookie
+    end
   end
   
   class JSONParameter < Parameter
@@ -69,5 +60,5 @@ module Watobo#:nodoc: all
       @parent = prefs.has_key?(:parent) ? prefs[:parent] : ""
       @namespace = prefs.has_key?(:namespace) ? prefs[:namespace] : nil
     end
-  end
+  end
 end

data/lib/watobo/core/passive_check.rb

@@ -1,122 +1,123 @@
-#.
-# passive_check.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # @private 
-module Watobo#:nodoc: all
-    class PassiveCheck
-      include Watobo::Constants
-      extend Watobo::Subscriber
-      
-      @@lock = Mutex.new
-      attr :info
-     
-           
-      def addFinding(details)
-        t = Time.now
-
-        now = t.strftime("%m/%d/%Y@%H:%M:%S")
-        @@lock.synchronize{
-
-          new_details = Hash.new
-          new_details.update(@finding)
-          new_details.update(details)
-
-          new_details[:tstamp] = now
-          
-          unless new_details.has_key?(:fid)
+module Watobo #:nodoc: all
+  class PassiveCheck
+    include Watobo::Constants
+    extend Watobo::Subscriber
+
+    @@lock = Mutex.new
+    attr :info
+
+
+    def addFinding(details)
+      t = Time.now
+
+      now = t.strftime("%m/%d/%Y@%H:%M:%S")
+      @@lock.synchronize {
+
+        new_details = Hash.new
+        new_details.update(@finding)
+        new_details.update(details)
+
+        new_details[:tstamp] = now
+
+        unless new_details.has_key?(:fid)
 
           id_string = ''
 
           id_string << new_details[:chat].request.url.to_s if new_details[:chat]
           id_string << new_details[:class] if new_details[:class]
-          id_string << new_details[:title]  if new_details[:title]
-          id_string << new_details[:unique]  if new_details[:unique]
+          id_string << new_details[:title] if new_details[:title]
+          id_string << new_details[:unique] if new_details[:unique]
 
           if id_string.empty? then
             id_string = rand(10000)
           end
           #puts "Finding #{id_string}"
           new_details[:fid] = Digest::MD5.hexdigest(id_string)
-          end 
+        end
 
-          new_details[:module] = self.class.to_s
+        new_details[:module] = self.class.to_s
 
-          if details[:debug] == true then
-            puts "---"
-            puts new_details[:class]
-            puts new_details[:title]
-            puts "---"
-          end
-          request = new_details[:chat].request
-          response = new_details[:chat].response
-          new_details[:chat_id] = new_details[:chat].id
-          new_details.delete(:chat)
-
-          new_finding = Watobo::Finding.new(request, response, new_details)
-          
-          Watobo::Findings.add new_finding
-
-          #@project.addFinding(new_finding)
-         # notify(:new_finding, new_finding)
-        }
-      end
-
-      def enabled?
-        @enabled
-      end
-
-      def enabled=(status)
-        @enabled = status
-      end
-
-      def enable
-        @enabled = true
-      end
-
-      def disable
-        @enable = false
-      end
-
- def do_test(chat)
-   raise "function do_test not defined"
- end
-      def initialize(project)
-        @project = project
-        @enabled = true
+        if details[:debug] == true then
+          puts "---"
+          puts new_details[:class]
+          puts new_details[:title]
+          puts "---"
+        end
+        request = new_details[:chat].request
+        response = new_details[:chat].response
+        new_details[:chat_id] = new_details[:chat].id
+
+        # shorten pattern here because of crash in FXRex:match with large patterns
+        unless new_details[:proof_pattern].nil?
+          new_details[:proof_pattern] = new_details[:proof_pattern].length > 128 ? new_details[:proof_pattern][0..127] : new_details[:proof_pattern]
+        end
+        unless new_details[:check_pattern].nil?
+          new_details[:check_pattern] = new_details[:check_pattern].length > 128 ? new_details[:check_pattern][0..127] : new_details[:check_pattern]
+        end
+
+        new_details.delete(:chat)
+
+        new_finding = Watobo::Finding.new(request, response, new_details)
+
+        Watobo::Findings.add new_finding
+
+        #@project.addFinding(new_finding)
+        # notify(:new_finding, new_finding)
+      }
+    end
+
+    def enabled?
+      @enabled
+    end
+
+    def enabled=(status)
+      @enabled = status
+    end
+
+    def enable
+      @enabled = true
+    end
+
+    def disable
+      @enable = false
+    end
+
+    def do_test(chat)
+      raise "function do_test not defined"
+    end
+
+    def initialize(project)
+      @project = project
+      @enabled = true
 
 #@event_dispatcher_listeners = Hash.new
 
-        @info = {
-          :check_name => '',    # name of check which briefly describes functionality, will be used for tree and progress views
-          :check_group => '',   # groupname of check, will be used to group checks, e.g. :Generic, SAP, :Enumeration
-          :description => '',   # description of checkfunction
+      @info = {
+          :check_name => '', # name of check which briefly describes functionality, will be used for tree and progress views
+          :check_group => '', # groupname of check, will be used to group checks, e.g. :Generic, SAP, :Enumeration
+          :description => '', # description of checkfunction
           :author => "not modified", # author of check
-          :version => "unversioned",   # check version
-          :target => nil               # reserved
-        }
-
-        @finding = {
-          :title => 'untitled',          # [String] title name, used for finding tree
-          :check_pattern => nil,         # [String] regex of vulnerability check if possible, will be used for highlighting
-          :proof_pattern => nil,         # [String] regex of finding proof if possible, will be used for highlighting
-          :threat => '',        # thread of vulnerability, e.g. loss of information
-          :measure => '',       # measure
-          :class => "undefined",# [String] vulnerability class, e.g. Stored XSS, SQL-Injection, ...
-          :subclass => nil,     # reserved
-          :type => FINDING_TYPE_UNDEFINED,         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
-          :chat => nil,         # related chat must be linked
-          :rating=> VULN_RATING_UNDEFINED,  #
-          :cvss => "n/a",       # CVSS Base Vector
-          :icon => nil,     # Icon Type
-          :timestamp => nil         # timestamp
-        }
-
-      end
+          :version => "unversioned", # check version
+          :target => nil # reserved
+      }
+
+      @finding = {
+          :title => 'untitled', # [String] title name, used for finding tree
+          :check_pattern => nil, # [String] regex of vulnerability check if possible, will be used for highlighting
+          :proof_pattern => nil, # [String] regex of finding proof if possible, will be used for highlighting
+          :threat => '', # threat of vulnerability, e.g. loss of information
+          :measure => '', # measure
+          :class => "undefined", # [String] vulnerability class, e.g. Stored XSS, SQL-Injection, ...
+          :subclass => nil, # reserved
+          :type => FINDING_TYPE_UNDEFINED, # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
+          :chat => nil, # related chat must be linked
+          :rating => VULN_RATING_UNDEFINED, #
+          :cvss => "n/a", # CVSS Base Vector
+          :icon => nil, # Icon Type
+          :timestamp => nil # timestamp
+      }
+
     end
+  end
 end