watobo 0.9.21 → 0.9.23
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/CHANGELOG.md +46 -1
- data/bin/nfq_server.rb +0 -9
- data/bin/watobo_gui.rb +3 -13
- data/custom-views/prettify-json.rb +9 -18
- data/icons/watobo.ico +0 -0
- data/icons/watobo.ico.old +0 -0
- data/lib/watobo.rb +10 -19
- data/lib/watobo/adapters.rb +5 -14
- data/lib/watobo/adapters/data_store.rb +50 -59
- data/lib/watobo/adapters/file/file_store.rb +287 -296
- data/lib/watobo/adapters/file/marshal_store.rb +293 -296
- data/lib/watobo/adapters/session_store.rb +5 -14
- data/lib/watobo/ca.rb +1 -10
- data/lib/watobo/config.rb +197 -206
- data/lib/watobo/constants.rb +0 -9
- data/lib/watobo/core.rb +3 -12
- data/lib/watobo/core/active_check.rb +72 -135
- data/lib/watobo/core/active_checks.rb +49 -58
- data/lib/watobo/core/ca.rb +369 -389
- data/lib/watobo/core/cert_store.rb +34 -43
- data/lib/watobo/core/chat.rb +92 -101
- data/lib/watobo/core/chats.rb +271 -280
- data/lib/watobo/core/client_cert_store.rb +106 -35
- data/lib/watobo/core/conversation.rb +48 -57
- data/lib/watobo/core/cookie.rb +23 -32
- data/lib/watobo/core/egress_handlers.rb +98 -0
- data/lib/watobo/core/finding.rb +66 -75
- data/lib/watobo/core/findings.rb +107 -114
- data/lib/watobo/core/forwarding_proxy.rb +13 -22
- data/lib/watobo/core/fuzz_gen.rb +0 -9
- data/lib/watobo/core/intercept_carver.rb +166 -177
- data/lib/watobo/core/intercept_filter.rb +235 -244
- data/lib/watobo/core/interceptor.rb +98 -107
- data/lib/watobo/core/min_class.rb +4 -13
- data/lib/watobo/core/netfilter_queue.rb +170 -179
- data/lib/watobo/core/ott_cache.rb +132 -141
- data/lib/watobo/core/parameter.rb +43 -52
- data/lib/watobo/core/passive_check.rb +103 -102
- data/lib/watobo/core/passive_checks.rb +48 -57
- data/lib/watobo/core/passive_scanner.rb +54 -55
- data/lib/watobo/core/plugin.rb +11 -20
- data/lib/watobo/core/project.rb +3 -9
- data/lib/watobo/core/proxy.rb +43 -52
- data/lib/watobo/core/request.rb +125 -123
- data/lib/watobo/core/response.rb +44 -53
- data/lib/watobo/core/scanner.rb +0 -9
- data/lib/watobo/core/scanner3.rb +405 -414
- data/lib/watobo/core/scope.rb +83 -92
- data/lib/watobo/core/session.rb +1043 -1026
- data/lib/watobo/core/sid_cache.rb +98 -107
- data/lib/watobo/core/subscriber.rb +25 -34
- data/lib/watobo/defaults.rb +21 -30
- data/lib/watobo/external/diff/lcs.rb +0 -9
- data/lib/watobo/external/diff/lcs/array.rb +0 -9
- data/lib/watobo/external/diff/lcs/block.rb +0 -9
- data/lib/watobo/external/diff/lcs/callbacks.rb +0 -9
- data/lib/watobo/external/diff/lcs/change.rb +0 -9
- data/lib/watobo/external/diff/lcs/hunk.rb +0 -9
- data/lib/watobo/external/diff/lcs/ldiff.rb +0 -9
- data/lib/watobo/external/diff/lcs/string.rb +0 -9
- data/lib/watobo/externals.rb +6 -15
- data/lib/watobo/framework.rb +4 -13
- data/lib/watobo/framework/create_project.rb +60 -69
- data/lib/watobo/framework/init.rb +0 -9
- data/lib/watobo/framework/init_modules.rb +0 -9
- data/lib/watobo/framework/license_text.rb +28 -37
- data/lib/watobo/framework/load_chat.rb +13 -22
- data/lib/watobo/gui.rb +132 -123
- data/lib/watobo/gui/about_watobo.rb +0 -9
- data/lib/watobo/gui/browser_preview.rb +0 -9
- data/lib/watobo/gui/certificate_dialog.rb +0 -9
- data/lib/watobo/gui/chat_diff.rb +0 -9
- data/lib/watobo/gui/chatviewer_frame.rb +73 -72
- data/lib/watobo/gui/checkboxtree.rb +0 -9
- data/lib/watobo/gui/checks_policy_frame.rb +0 -9
- data/lib/watobo/gui/client_cert_dialog.rb +96 -87
- data/lib/watobo/gui/confirm_scan_dialog.rb +0 -9
- data/lib/watobo/gui/conversation_table.rb +158 -164
- data/lib/watobo/gui/conversation_table_ctrl.rb +207 -216
- data/lib/watobo/gui/conversation_table_ctrl2.rb +373 -382
- data/lib/watobo/gui/csrf_token_dialog.rb +0 -9
- data/lib/watobo/gui/custom_viewer.rb +374 -383
- data/lib/watobo/gui/dashboard.rb +296 -303
- data/lib/watobo/gui/define_scope_frame.rb +0 -9
- data/lib/watobo/gui/differ_frame.rb +215 -224
- data/lib/watobo/gui/edit_comment.rb +0 -9
- data/lib/watobo/gui/edit_scope_dialog.rb +0 -9
- data/lib/watobo/gui/export_dialog.rb +104 -113
- data/lib/watobo/gui/finding_info.rb +0 -9
- data/lib/watobo/gui/findings_tree.rb +210 -217
- data/lib/watobo/gui/full_scan_dialog.rb +0 -9
- data/lib/watobo/gui/fuzzer_gui.rb +1295 -1313
- data/lib/watobo/gui/fxsave_thread.rb +14 -0
- data/lib/watobo/gui/goto_url_dialog.rb +70 -79
- data/lib/watobo/gui/hex_viewer.rb +0 -9
- data/lib/watobo/gui/html_viewer.rb +287 -296
- data/lib/watobo/gui/intercept_filter_dialog.rb +188 -197
- data/lib/watobo/gui/interceptor_gui.rb +1041 -1051
- data/lib/watobo/gui/interceptor_settings_dialog.rb +0 -9
- data/lib/watobo/gui/json_viewer.rb +287 -0
- data/lib/watobo/gui/list_box.rb +101 -110
- data/lib/watobo/gui/log_file_viewer.rb +32 -41
- data/lib/watobo/gui/log_viewer.rb +83 -88
- data/lib/watobo/gui/login_wizzard.rb +0 -9
- data/lib/watobo/gui/main_window.rb +587 -618
- data/lib/watobo/gui/manual_request_editor.rb +620 -565
- data/lib/watobo/gui/master_pw_dialog.rb +0 -9
- data/lib/watobo/gui/mixins/gui_settings.rb +29 -38
- data/lib/watobo/gui/page_tree.rb +217 -226
- data/lib/watobo/gui/password_policy_dialog.rb +0 -9
- data/lib/watobo/gui/plugin_board.rb +0 -9
- data/lib/watobo/gui/preferences_dialog.rb +0 -9
- data/lib/watobo/gui/progress_window.rb +17 -27
- data/lib/watobo/gui/project_wizzard.rb +0 -9
- data/lib/watobo/gui/proxy_dialog.rb +1 -10
- data/lib/watobo/gui/quick_scan_dialog.rb +0 -9
- data/lib/watobo/gui/request_builder_frame.rb +102 -111
- data/lib/watobo/gui/request_editor.rb +181 -137
- data/lib/watobo/gui/rewrite_filters_dialog.rb +394 -403
- data/lib/watobo/gui/rewrite_rules_dialog.rb +372 -381
- data/lib/watobo/gui/save_chat_dialog.rb +140 -149
- data/lib/watobo/gui/scanner_settings_dialog.rb +0 -9
- data/lib/watobo/gui/select_chat_dialog.rb +0 -9
- data/lib/watobo/gui/session_management_dialog.rb +0 -9
- data/lib/watobo/gui/sites_tree.rb +0 -9
- data/lib/watobo/gui/status_bar.rb +0 -9
- data/lib/watobo/gui/table_editor.rb +0 -9
- data/lib/watobo/gui/tagless_viewer.rb +0 -9
- data/lib/watobo/gui/templates/plugin.rb +0 -9
- data/lib/watobo/gui/templates/plugin2.rb +92 -100
- data/lib/watobo/gui/templates/plugin_base.rb +144 -153
- data/lib/watobo/gui/text_viewer.rb +0 -9
- data/lib/watobo/gui/transcoder_window.rb +0 -9
- data/lib/watobo/gui/utils/gui_utils.rb +0 -9
- data/lib/watobo/gui/utils/init_icons.rb +86 -95
- data/lib/watobo/gui/utils/load_icons.rb +33 -42
- data/lib/watobo/gui/utils/load_plugins.rb +116 -119
- data/lib/watobo/gui/utils/master_password.rb +68 -77
- data/lib/watobo/gui/utils/save_default_settings.rb +113 -122
- data/lib/watobo/gui/utils/save_project_settings.rb +0 -9
- data/lib/watobo/gui/utils/save_proxy_settings.rb +41 -50
- data/lib/watobo/gui/utils/save_scanner_settings.rb +18 -27
- data/lib/watobo/gui/utils/session_history.rb +112 -121
- data/lib/watobo/gui/workspace_dialog.rb +0 -9
- data/lib/watobo/gui/www_auth_dialog.rb +0 -9
- data/lib/watobo/gui/xml_viewer_frame.rb +0 -9
- data/lib/watobo/http.rb +4 -13
- data/lib/watobo/http/cookies/cookies.rb +26 -35
- data/lib/watobo/http/data/data.rb +45 -54
- data/lib/watobo/http/data/json.rb +47 -55
- data/lib/watobo/http/url/url.rb +38 -47
- data/lib/watobo/http/xml/xml.rb +124 -130
- data/lib/watobo/interceptor.rb +3 -12
- data/lib/watobo/interceptor/proxy.rb +742 -739
- data/lib/watobo/interceptor/transparent.rb +22 -24
- data/lib/watobo/mixins.rb +10 -19
- data/lib/watobo/mixins/check_info.rb +27 -36
- data/lib/watobo/mixins/httpparser.rb +613 -637
- data/lib/watobo/mixins/request_parser.rb +88 -97
- data/lib/watobo/mixins/shapers.rb +515 -529
- data/lib/watobo/mixins/transcoders.rb +3 -11
- data/lib/watobo/parser.rb +1 -10
- data/lib/watobo/parser/html.rb +83 -92
- data/lib/watobo/patch_fxruby_setfocus.rb +26 -0
- data/lib/watobo/sockets.rb +3 -12
- data/lib/watobo/sockets/agent.rb +828 -837
- data/lib/watobo/sockets/client_socket.rb +308 -312
- data/lib/watobo/sockets/connection.rb +401 -410
- data/lib/watobo/sockets/http_socket.rb +11 -13
- data/lib/watobo/sockets/ntlm_auth.rb +129 -138
- data/lib/watobo/utils.rb +10 -19
- data/lib/watobo/utils/check_regex.rb +0 -9
- data/lib/watobo/utils/copy_object.rb +0 -9
- data/lib/watobo/utils/crypto.rb +0 -9
- data/lib/watobo/utils/expand_range.rb +23 -32
- data/lib/watobo/utils/export_xml.rb +97 -106
- data/lib/watobo/utils/file_management.rb +9 -11
- data/lib/watobo/utils/hexprint.rb +9 -18
- data/lib/watobo/utils/load_chat.rb +0 -9
- data/lib/watobo/utils/load_icon.rb +0 -9
- data/lib/watobo/utils/ntlm.rb +866 -875
- data/lib/watobo/utils/print_debug.rb +12 -21
- data/lib/watobo/utils/response_builder.rb +90 -99
- data/lib/watobo/utils/response_hash.rb +0 -9
- data/lib/watobo/utils/secure_eval.rb +0 -9
- data/lib/watobo/utils/strings.rb +10 -19
- data/lib/watobo/utils/text2request.rb +0 -9
- data/lib/watobo/utils/url.rb +23 -32
- data/lib/watobo/utils/utf16.rb +11 -20
- data/modules/active/Apache/mod_status.rb +0 -9
- data/modules/active/Apache/multiview.rb +151 -160
- data/modules/active/Flash/crossdomain.rb +0 -9
- data/modules/active/JWT/jwt_oauth2_none.rb +111 -0
- data/modules/active/cq5/cq5_default_selectors.rb +106 -115
- data/modules/active/cq5/cqp_user_enumeration.rb +125 -134
- data/modules/active/directories/dirwalker.rb +0 -9
- data/modules/active/discovery/fileextensions.rb +0 -9
- data/modules/active/discovery/http_methods.rb +0 -9
- data/modules/active/discovery/jsmapfiles.rb +79 -0
- data/modules/active/domino/domino_db.rb +68 -76
- data/modules/active/dotNET/custom_errors.rb +102 -111
- data/modules/active/dotNET/dotnet_files.rb +90 -99
- data/modules/active/fileinclusion/lfi_simple.rb +0 -9
- data/modules/active/jboss/jboss_basic.rb +0 -9
- data/modules/active/sap/business_objects.rb +51 -60
- data/modules/active/sap/its_commands.rb +0 -9
- data/modules/active/sap/its_service_parameter.rb +0 -9
- data/modules/active/sap/its_services.rb +0 -9
- data/modules/active/sap/its_xss.rb +0 -9
- data/modules/active/shell_shock/shell_shock.rb +139 -148
- data/modules/active/siebel/siebel_apps.rb +160 -169
- data/modules/active/sqlinjection/sql_boolean.rb +0 -9
- data/modules/active/sqlinjection/sql_numerical.rb +198 -0
- data/modules/active/sqlinjection/sqli_error.rb +0 -9
- data/modules/active/sqlinjection/sqli_timing.rb +220 -229
- data/modules/active/struts2/default_handler_ognl.rb +106 -115
- data/modules/active/struts2/include_params_ognl.rb +105 -114
- data/modules/active/xml/xml_xxe.rb +112 -123
- data/modules/active/xss/xss_ng.rb +214 -223
- data/modules/active/xss/xss_simple.rb +0 -9
- data/modules/passive/ajax.rb +68 -77
- data/modules/passive/autocomplete.rb +56 -65
- data/modules/passive/cookie_options.rb +0 -9
- data/modules/passive/cookie_xss.rb +0 -9
- data/modules/passive/detect_code.rb +0 -9
- data/modules/passive/detect_fileupload.rb +0 -9
- data/modules/passive/detect_infrastructure.rb +0 -9
- data/modules/passive/detect_one_time_tokens.rb +0 -9
- data/modules/passive/dirindexing.rb +0 -9
- data/modules/passive/disclosure_domino.rb +55 -64
- data/modules/passive/disclosure_emails.rb +0 -9
- data/modules/passive/disclosure_ipaddr.rb +55 -53
- data/modules/passive/filename_as_parameter.rb +0 -9
- data/modules/passive/form_spotter.rb +0 -9
- data/modules/passive/hidden_fields.rb +50 -59
- data/modules/passive/hotspots.rb +0 -9
- data/modules/passive/in_script_parameter.rb +0 -9
- data/modules/passive/json_web_token.rb +93 -0
- data/modules/passive/multiple_server_headers.rb +0 -9
- data/modules/passive/possible_login.rb +0 -9
- data/modules/passive/redirect_url.rb +0 -9
- data/modules/passive/redirectionz.rb +0 -9
- data/modules/passive/sap-headers.rb +56 -65
- data/modules/passive/xss_dom.rb +0 -9
- data/plugins/aem/aem.rb +11 -20
- data/plugins/aem/gui/main.rb +118 -127
- data/plugins/aem/gui/tree_view.rb +171 -180
- data/plugins/aem/lib/agent.rb +130 -138
- data/plugins/aem/lib/dispatcher.rb +45 -51
- data/plugins/aem/lib/engine.rb +177 -186
- data/plugins/catalog/catalog.rb +345 -355
- data/plugins/crawler/crawler.rb +4 -13
- data/plugins/crawler/gui.rb +5 -14
- data/plugins/crawler/gui/auth_frame.rb +270 -279
- data/plugins/crawler/gui/crawler_gui.rb +271 -276
- data/plugins/crawler/gui/general_settings_frame.rb +96 -105
- data/plugins/crawler/gui/hooks_frame.rb +80 -89
- data/plugins/crawler/gui/scope_frame.rb +50 -59
- data/plugins/crawler/gui/settings_tabbook.rb +38 -47
- data/plugins/crawler/gui/status_frame.rb +59 -68
- data/plugins/crawler/lib/bags.rb +18 -27
- data/plugins/crawler/lib/constants.rb +11 -20
- data/plugins/crawler/lib/engine.rb +488 -497
- data/plugins/crawler/lib/grabber.rb +68 -77
- data/plugins/crawler/lib/status.rb +71 -80
- data/plugins/crawler/lib/uri_mp.rb +12 -21
- data/plugins/filefinder/filefinder.rb +326 -333
- data/plugins/sqlmap/bin/test.rb +78 -87
- data/plugins/sqlmap/gui.rb +4 -13
- data/plugins/sqlmap/gui/main.rb +218 -227
- data/plugins/sqlmap/gui/options_frame.rb +97 -106
- data/plugins/sqlmap/lib/sqlmap_ctrl.rb +90 -100
- data/plugins/sqlmap/sqlmap.rb +2 -11
- data/plugins/sslchecker/cli/sslchecker_cli.rb +0 -9
- data/plugins/sslchecker/gui/cipher_table.rb +246 -254
- data/plugins/sslchecker/gui/gui.rb +258 -264
- data/plugins/sslchecker/gui/sslchecker.rb +4 -13
- data/plugins/sslchecker/lib/check.rb +127 -133
- data/plugins/wshell/gui/main.rb +119 -117
- data/plugins/wshell/lib/core.rb +38 -88
- data/plugins/wshell/wshell.rb +11 -20
- metadata +170 -164
data/lib/watobo/core.rb
CHANGED
@@ -1,12 +1,3 @@
|
|
1
|
-
|
2
|
-
|
3
|
-
|
4
|
-
# Copyright 2014 by siberas, http://www.siberas.de
|
5
|
-
# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
|
6
|
-
# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
|
7
|
-
# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
|
8
|
-
# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
9
|
-
|
10
|
-
%w( subscriber client_cert_store sid_cache ott_cache parameter conversation chat findings chats active_checks passive_checks scope passive_scanner scanner3 finding project scanner proxy session fuzz_gen interceptor passive_check active_check cookie request response intercept_filter intercept_carver plugin forwarding_proxy cert_store netfilter_queue ).each do |lib|
|
11
|
-
require File.join( "watobo", "core", lib)
|
12
|
-
end
|
1
|
+
%w( subscriber client_cert_store sid_cache ott_cache parameter conversation chat findings chats active_checks passive_checks scope passive_scanner scanner3 finding project scanner proxy session fuzz_gen interceptor passive_check active_check cookie request response intercept_filter intercept_carver plugin forwarding_proxy cert_store netfilter_queue egress_handlers).each do |lib|
|
2
|
+
require File.join( "watobo", "core", lib)
|
3
|
+
end
|
@@ -1,15 +1,6 @@
|
|
1
|
-
#.
|
2
|
-
# active_check.rb
|
3
|
-
#.
|
4
|
-
# Copyright 2014 by siberas, http://www.siberas.de
|
5
|
-
# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
|
6
|
-
# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
|
7
|
-
# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
|
8
|
-
# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
9
|
-
|
10
1
|
# @private
|
11
|
-
module Watobo#:nodoc: all
|
12
|
-
class ActiveCheck
|
2
|
+
module Watobo #:nodoc: all
|
3
|
+
class ActiveCheck < Watobo::Session # Base Class for Passive Checks
|
13
4
|
include Watobo::CheckInfoMixin
|
14
5
|
|
15
6
|
attr :info
|
@@ -24,38 +15,38 @@ module Watobo#:nodoc: all
|
|
24
15
|
|
25
16
|
@@status = :running # :running, :paused, :canceled
|
26
17
|
@@lock = Mutex.new
|
27
|
-
|
28
|
-
@info = {
|
29
|
-
:check_name => '', # name of check which briefly describes functionality, will be used for tree and progress views
|
30
|
-
:check_group => 'Misc', # groupname of check, will be used to group checks, e.g. :Generic, SAP, :Enumeration
|
31
|
-
:description => '', # description of checkfunction
|
32
|
-
:author => "not modified", # author of check
|
33
|
-
:version => "unversioned", # check version
|
34
|
-
:target => nil # reserved
|
35
18
|
|
36
|
-
|
19
|
+
@info = {
|
20
|
+
:check_name => '', # name of check which briefly describes functionality, will be used for tree and progress views
|
21
|
+
:check_group => 'Misc', # groupname of check, will be used to group checks, e.g. :Generic, SAP, :Enumeration
|
22
|
+
:description => '', # description of checkfunction
|
23
|
+
:author => "not modified", # author of check
|
24
|
+
:version => "unversioned", # check version
|
25
|
+
:target => nil # reserved
|
26
|
+
|
27
|
+
}
|
28
|
+
|
29
|
+
@finding = {
|
30
|
+
:title => 'untitled', # [String] title name, used for finding tree
|
31
|
+
:check_pattern => nil, # [String] regex of vulnerability check if possible, will be used for highlighting
|
32
|
+
:proof_pattern => nil, # [String] regex of finding proof if possible, will be used for highlighting
|
33
|
+
:threat => '', # threat of vulnerability, e.g. loss of information
|
34
|
+
:measure => '', # measure
|
35
|
+
:class => "undefined", # [String] vulnerability class, e.g. Stored XSS, SQL-Injection, ...
|
36
|
+
:subclass => nil, # reserved
|
37
|
+
:type => FINDING_TYPE_UNDEFINED, # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
|
38
|
+
:chat => nil, # related chat must be linked
|
39
|
+
:rating => VULN_RATING_UNDEFINED, #
|
40
|
+
:cvss => "n/a", # CVSS Base Vector
|
41
|
+
:icon => nil, # Icon Type
|
42
|
+
:timestamp => nil # timestamp
|
43
|
+
}
|
37
44
|
|
38
|
-
@finding = {
|
39
|
-
:title => 'untitled', # [String] title name, used for finding tree
|
40
|
-
:check_pattern => nil, # [String] regex of vulnerability check if possible, will be used for highlighting
|
41
|
-
:proof_pattern => nil, # [String] regex of finding proof if possible, will be used for highlighting
|
42
|
-
:threat => '', # threat of vulnerability, e.g. loss of information
|
43
|
-
:measure => '', # measure
|
44
|
-
:class => "undefined",# [String] vulnerability class, e.g. Stored XSS, SQL-Injection, ...
|
45
|
-
:subclass => nil, # reserved
|
46
|
-
:type => FINDING_TYPE_UNDEFINED, # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
|
47
|
-
:chat => nil, # related chat must be linked
|
48
|
-
:rating=> VULN_RATING_UNDEFINED, #
|
49
|
-
:cvss => "n/a", # CVSS Base Vector
|
50
|
-
:icon => nil, # Icon Type
|
51
|
-
:timestamp => nil # timestamp
|
52
|
-
}
|
53
|
-
|
54
45
|
def self.inherited(subclass)
|
55
|
-
|
56
|
-
|
46
|
+
subclass.instance_variable_set("@info", YAML.load(YAML.dump(@info)))
|
47
|
+
subclass.instance_variable_set("@finding", YAML.load(YAML.dump(@finding)))
|
57
48
|
end
|
58
|
-
|
49
|
+
|
59
50
|
def addFinding(request, response, details)
|
60
51
|
@@lock.synchronize {
|
61
52
|
|
@@ -75,16 +66,16 @@ module Watobo#:nodoc: all
|
|
75
66
|
id_string << request.path
|
76
67
|
id_string << new_details[:test_item] if new_details[:test_item]
|
77
68
|
id_string << new_details[:class] if new_details[:class]
|
78
|
-
id_string << new_details[:title]
|
69
|
+
id_string << new_details[:title] if new_details[:title]
|
79
70
|
|
80
71
|
if id_string == '' then
|
81
|
-
|
72
|
+
id_string = (Time.now.to_i + rand(10000)).to_s
|
82
73
|
end
|
83
74
|
#
|
84
75
|
unless new_details.has_key? :fid
|
85
|
-
|
76
|
+
new_details[:fid] = Digest::MD5.hexdigest(id_string)
|
86
77
|
end
|
87
|
-
|
78
|
+
|
88
79
|
puts new_details[:fid] if $DEBUG
|
89
80
|
|
90
81
|
new_details[:module] = self.class.to_s
|
@@ -94,9 +85,9 @@ module Watobo#:nodoc: all
|
|
94
85
|
new_details.delete(:chat)
|
95
86
|
|
96
87
|
new_finding = Watobo::Finding.new(request, response, new_details)
|
97
|
-
|
88
|
+
# puts new_finding
|
98
89
|
Watobo::Findings.add new_finding
|
99
|
-
|
90
|
+
# notify(:new_finding, new_finding)
|
100
91
|
}
|
101
92
|
end
|
102
93
|
|
@@ -130,10 +121,10 @@ module Watobo#:nodoc: all
|
|
130
121
|
end
|
131
122
|
end
|
132
123
|
rescue => bang
|
133
|
-
|
134
|
-
|
135
|
-
|
136
|
-
|
124
|
+
puts "! settings 'excluded_parms' missing !"
|
125
|
+
# puts @project.settings.to_yaml
|
126
|
+
puts bang
|
127
|
+
puts bang.backtrace if $DEBUG
|
137
128
|
end
|
138
129
|
return pnames
|
139
130
|
end
|
@@ -143,12 +134,12 @@ module Watobo#:nodoc: all
|
|
143
134
|
return pnames unless @settings.has_key? :excluded_parms
|
144
135
|
return pnames unless @settings[:excluded_parms].is_a? Array
|
145
136
|
begin
|
146
|
-
|
137
|
+
pnames.select! { |p| !@settings[:excluded_parms].include? p }
|
147
138
|
rescue => bang
|
148
|
-
|
149
|
-
|
150
|
-
|
151
|
-
|
139
|
+
#puts "! settings 'excluded_parms' missing !"
|
140
|
+
# puts @project.settings.to_yaml
|
141
|
+
puts bang
|
142
|
+
puts bang.backtrace if $DEBUG
|
152
143
|
end
|
153
144
|
return pnames
|
154
145
|
end
|
@@ -187,8 +178,8 @@ module Watobo#:nodoc: all
|
|
187
178
|
return true if @inner_pool.size > 0
|
188
179
|
return false
|
189
180
|
rescue => bang
|
190
|
-
|
191
|
-
|
181
|
+
p bang
|
182
|
+
p bang.backtrace
|
192
183
|
end
|
193
184
|
end
|
194
185
|
|
@@ -207,11 +198,11 @@ module Watobo#:nodoc: all
|
|
207
198
|
|
208
199
|
def continue_UNUSED()
|
209
200
|
@@pool.each do |thr|
|
210
|
-
|
201
|
+
# puts "Stopping #{thr}"
|
211
202
|
begin
|
212
203
|
thr.run if not thr.run?
|
213
204
|
rescue
|
214
|
-
|
205
|
+
puts "could not continue thread #{thr}"
|
215
206
|
end
|
216
207
|
end
|
217
208
|
end
|
@@ -221,16 +212,16 @@ module Watobo#:nodoc: all
|
|
221
212
|
@inner_pool.each do |thr|
|
222
213
|
begin
|
223
214
|
if thr.alive?
|
224
|
-
|
215
|
+
puts "Stopping #{thr}" if $DEBUG
|
225
216
|
|
226
|
-
|
217
|
+
Thread.kill(thr) #.kill if not thr.kill?
|
227
218
|
|
228
219
|
end
|
229
220
|
@inner_pool.delete(thr)
|
230
221
|
rescue => bang
|
231
|
-
|
232
|
-
|
233
|
-
|
222
|
+
puts "could not kill thread #{thr}"
|
223
|
+
puts bang
|
224
|
+
puts bang.backtrace if $DEBUG
|
234
225
|
end
|
235
226
|
end
|
236
227
|
@inner_pool_cv.signal
|
@@ -247,11 +238,11 @@ module Watobo#:nodoc: all
|
|
247
238
|
t_request, t_response = doRequest(request, prefs)
|
248
239
|
#puts t_response.status
|
249
240
|
status = t_response.status
|
250
|
-
return false if status.empty?
|
241
|
+
return false, t_request, t_response if status.empty?
|
251
242
|
return true, t_request, t_response if status =~ /^403/
|
252
243
|
return false, t_request, t_response if status =~ /^40\d/
|
253
244
|
if status =~ /^50\d/
|
254
|
-
|
245
|
+
# puts "* ignore server errors #{Watobo::Conf::Scanner.ignore_server_errors.class}"
|
255
246
|
return false, t_request, t_response if Watobo::Conf::Scanner.ignore_server_errors
|
256
247
|
end
|
257
248
|
|
@@ -259,28 +250,22 @@ module Watobo#:nodoc: all
|
|
259
250
|
|
260
251
|
if @settings.has_key? :custom_error_patterns
|
261
252
|
@settings[:custom_error_patterns].each do |pat|
|
262
|
-
# puts pat
|
263
253
|
t_response.headers.each do |hl|
|
264
|
-
return false if hl =~ /#{pat}/
|
254
|
+
return false, t_request, t_response if hl =~ /#{pat}/
|
265
255
|
end
|
266
|
-
|
256
|
+
|
267
257
|
unless t_response.body.nil?
|
268
|
-
|
269
|
-
# puts t_response.body
|
270
|
-
return false if t_response.body =~ /#{pat}/
|
258
|
+
return false, t_request, t_response if t_response.body =~ /#{pat}/
|
271
259
|
end
|
272
260
|
end
|
273
261
|
end
|
274
|
-
# if t_request.path_ext != ""
|
275
|
-
#TODO: Check for custom error pages
|
276
|
-
# end
|
277
262
|
|
278
263
|
return true, t_request, t_response
|
279
264
|
rescue => bang
|
280
265
|
end
|
281
266
|
return false, nil, nil
|
282
267
|
end
|
283
|
-
|
268
|
+
|
284
269
|
def log_console(msg)
|
285
270
|
puts "[#{self}] #{msg}"
|
286
271
|
end
|
@@ -293,9 +278,9 @@ module Watobo#:nodoc: all
|
|
293
278
|
|
294
279
|
def run_checks_UNUSED(chat, opts={})
|
295
280
|
begin
|
296
|
-
|
281
|
+
# reset() # reset variables first
|
297
282
|
@@status = :running
|
298
|
-
check_opts = {
|
283
|
+
check_opts = {:run_passive_checks => false}
|
299
284
|
check_opts.update opts
|
300
285
|
@settings.update opts
|
301
286
|
|
@@ -303,83 +288,36 @@ module Watobo#:nodoc: all
|
|
303
288
|
# puts @session.to_yaml
|
304
289
|
|
305
290
|
@@proxy = opts[:proxy] if opts[:proxy]
|
306
|
-
|
307
|
-
|
291
|
+
# @@max_checks = opts[:max_parallel_checks] if opts.has_key? :max_parallel_checks
|
292
|
+
@@max_checks = Watobo::Conf::Scanner.max_parallel_checks
|
308
293
|
|
309
294
|
do_test(chat) { |request, response|
|
310
295
|
begin
|
311
|
-
|
296
|
+
|
312
297
|
if request and response then
|
313
298
|
if check_opts[:run_passive_checks] then
|
314
299
|
|
315
|
-
|
316
|
-
|
300
|
+
nc = Watobo::Chat.new(request, response, :id => 0)
|
301
|
+
# @project.runPassiveModules(nc)
|
317
302
|
|
318
303
|
end
|
319
304
|
|
320
305
|
end
|
321
306
|
rescue => bang
|
322
|
-
|
323
|
-
|
307
|
+
puts bang
|
308
|
+
puts bang.backtrace if $DEBUG
|
324
309
|
end
|
325
310
|
|
326
311
|
}
|
327
312
|
|
328
313
|
rescue => bang
|
329
|
-
|
330
|
-
|
314
|
+
puts bang
|
315
|
+
puts bang.backtrace if $DEBUG
|
331
316
|
|
332
317
|
end
|
333
318
|
|
334
319
|
end
|
335
|
-
|
336
|
-
|
337
|
-
def do_test_UNUSED(chat, &block)
|
338
|
-
# puts chat.request.site
|
339
|
-
tlist = []
|
340
|
-
@inner_pool = []
|
341
|
-
generateChecks(chat) do |check|
|
342
|
-
unless @@status == :stopped
|
343
|
-
@@pool_mutex.synchronize do
|
344
|
-
while @@check_count > @@max_checks or @@login_in_progress
|
345
|
-
puts "[#{self.class.to_s.gsub(/Watobo::Modules::Active::/,'')}] do_test on chat [#{chat.id}]: waiting .. #{@@check_count}/#{@@max_checks}" if $DEBUG
|
346
|
-
@@pool_cv.wait(@@pool_mutex)
|
347
|
-
end
|
348
|
-
@@check_count += 1
|
349
|
-
end
|
350
|
-
|
351
|
-
@inner_pool << Thread.new(check) { |c|
|
352
|
-
begin
|
353
320
|
|
354
|
-
if c.respond_to? :call
|
355
|
-
request, response = c.call
|
356
|
-
yield request, response if block_given?
|
357
|
-
|
358
|
-
end
|
359
|
-
rescue => bang
|
360
|
-
# puts "!!!ERROR: running check in #{self.class}"
|
361
|
-
puts bang
|
362
|
-
puts bang.backtrace if $DEBUG
|
363
|
-
# raise
|
364
|
-
ensure
|
365
|
-
|
366
|
-
@@pool_mutex.synchronize do
|
367
|
-
@@check_count -= 1
|
368
|
-
notify(:check_finished, self, request, response)
|
369
|
-
#@inner_pool.delete Thread.current
|
370
|
-
end
|
371
|
-
@@pool_cv.signal
|
372
|
-
|
373
|
-
end
|
374
|
-
}
|
375
|
-
# puts "[#{self.class.to_s.gsub(/Watobo::Modules::Active::/,'')}] [#{chat.id}]: INNER POOL - #{@inner_pool.length} "
|
376
|
-
end
|
377
|
-
end
|
378
|
-
|
379
|
-
@inner_pool.each {|t| t.join }
|
380
|
-
puts ">>>> #{self.class} on chat[#{chat.id}] ... finished!\n"
|
381
|
-
end
|
382
|
-
|
383
321
|
def check_name
|
384
322
|
info = self.class.instance_variable_get("@info")
|
385
323
|
return nil if info.nil?
|
@@ -389,7 +327,7 @@ module Watobo#:nodoc: all
|
|
389
327
|
def initialize(session_name=nil, prefs={})
|
390
328
|
#@project = project
|
391
329
|
super(session_name, prefs)
|
392
|
-
|
330
|
+
|
393
331
|
@enabled = true
|
394
332
|
# @status = "ready"
|
395
333
|
@counters = Hash.new
|
@@ -415,7 +353,6 @@ module Watobo#:nodoc: all
|
|
415
353
|
@checks_cv = ConditionVariable.new
|
416
354
|
@checks_mutex = Mutex.new
|
417
355
|
|
418
|
-
|
419
356
|
|
420
357
|
end
|
421
358
|
end
|
@@ -1,61 +1,52 @@
|
|
1
|
-
#.
|
2
|
-
# active_checks.rb
|
3
|
-
#.
|
4
|
-
# Copyright 2014 by siberas, http://www.siberas.de
|
5
|
-
# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
|
6
|
-
# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
|
7
|
-
# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
|
8
|
-
# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
9
|
-
|
10
1
|
# @private
|
11
|
-
module Watobo#:nodoc: all
|
12
|
-
class ActiveModules
|
13
|
-
@checks = []
|
14
|
-
def self.each(&block)
|
15
|
-
if block_given?
|
16
|
-
@checks.map{|c| yield c }
|
17
|
-
end
|
18
|
-
|
19
|
-
end
|
20
|
-
|
21
|
-
def self.to_a
|
22
|
-
@checks
|
23
|
-
end
|
24
|
-
|
25
|
-
def self.length
|
26
|
-
@checks.length
|
27
|
-
end
|
28
|
-
|
29
|
-
def self.init
|
30
|
-
@checks = []
|
31
|
-
active_path = Watobo.active_module_path
|
32
|
-
Dir["#{active_path}/**"].each do |group|
|
33
|
-
if File.ftype(group) == "directory"
|
34
|
-
Dir["#{group}/*.rb"].each do |mod_file|
|
35
|
-
begin
|
36
|
-
# module_file = File.join(active_path, group, modules)
|
37
|
-
mod = File.basename(mod_file)
|
38
|
-
group_name = File.basename(group)# notify(:logger, LOG_DEBUG, "loading module: #{module_file}")
|
39
|
-
|
40
|
-
require mod_file
|
41
|
-
|
42
|
-
group_class = group_name.slice(0..0).upcase + group_name.slice(1..-1).downcase
|
43
|
-
#
|
44
|
-
module_class = mod.slice(0..0).upcase + mod.slice(1..-1).downcase
|
45
|
-
module_class.sub!(".rb","")
|
46
|
-
|
2
|
+
module Watobo#:nodoc: all
|
3
|
+
class ActiveModules
|
4
|
+
@checks = []
|
5
|
+
def self.each(&block)
|
6
|
+
if block_given?
|
7
|
+
@checks.map{|c| yield c }
|
8
|
+
end
|
9
|
+
|
10
|
+
end
|
11
|
+
|
12
|
+
def self.to_a
|
13
|
+
@checks
|
14
|
+
end
|
15
|
+
|
16
|
+
def self.length
|
17
|
+
@checks.length
|
18
|
+
end
|
19
|
+
|
20
|
+
def self.init
|
21
|
+
@checks = []
|
22
|
+
active_path = Watobo.active_module_path
|
23
|
+
Dir["#{active_path}/**"].each do |group|
|
24
|
+
if File.ftype(group) == "directory"
|
25
|
+
Dir["#{group}/*.rb"].each do |mod_file|
|
26
|
+
begin
|
27
|
+
# module_file = File.join(active_path, group, modules)
|
28
|
+
mod = File.basename(mod_file)
|
29
|
+
group_name = File.basename(group)# notify(:logger, LOG_DEBUG, "loading module: #{module_file}")
|
30
|
+
|
31
|
+
require mod_file
|
32
|
+
|
33
|
+
group_class = group_name.slice(0..0).upcase + group_name.slice(1..-1).downcase
|
34
|
+
#
|
35
|
+
module_class = mod.slice(0..0).upcase + mod.slice(1..-1).downcase
|
36
|
+
module_class.sub!(".rb","")
|
37
|
+
|
47
38
|
ac = Watobo::Modules::Active.const_get(group_class).const_get(module_class)
|
48
|
-
print "."
|
49
|
-
|
50
|
-
@checks << ac
|
51
|
-
rescue => bang
|
52
|
-
puts bang
|
53
|
-
end
|
54
|
-
end
|
55
|
-
end
|
56
|
-
end
|
57
|
-
@checks
|
58
|
-
end
|
59
|
-
end
|
60
|
-
|
39
|
+
print "."
|
40
|
+
|
41
|
+
@checks << ac
|
42
|
+
rescue => bang
|
43
|
+
puts bang
|
44
|
+
end
|
45
|
+
end
|
46
|
+
end
|
47
|
+
end
|
48
|
+
@checks
|
49
|
+
end
|
50
|
+
end
|
51
|
+
|
61
52
|
end
|