watobo 0.9.21 → 0.9.23

Files changed (283) hide show
  1. checksums.yaml +7 -0
  2. data/CHANGELOG.md +46 -1
  3. data/bin/nfq_server.rb +0 -9
  4. data/bin/watobo_gui.rb +3 -13
  5. data/custom-views/prettify-json.rb +9 -18
  6. data/icons/watobo.ico +0 -0
  7. data/icons/watobo.ico.old +0 -0
  8. data/lib/watobo.rb +10 -19
  9. data/lib/watobo/adapters.rb +5 -14
  10. data/lib/watobo/adapters/data_store.rb +50 -59
  11. data/lib/watobo/adapters/file/file_store.rb +287 -296
  12. data/lib/watobo/adapters/file/marshal_store.rb +293 -296
  13. data/lib/watobo/adapters/session_store.rb +5 -14
  14. data/lib/watobo/ca.rb +1 -10
  15. data/lib/watobo/config.rb +197 -206
  16. data/lib/watobo/constants.rb +0 -9
  17. data/lib/watobo/core.rb +3 -12
  18. data/lib/watobo/core/active_check.rb +72 -135
  19. data/lib/watobo/core/active_checks.rb +49 -58
  20. data/lib/watobo/core/ca.rb +369 -389
  21. data/lib/watobo/core/cert_store.rb +34 -43
  22. data/lib/watobo/core/chat.rb +92 -101
  23. data/lib/watobo/core/chats.rb +271 -280
  24. data/lib/watobo/core/client_cert_store.rb +106 -35
  25. data/lib/watobo/core/conversation.rb +48 -57
  26. data/lib/watobo/core/cookie.rb +23 -32
  27. data/lib/watobo/core/egress_handlers.rb +98 -0
  28. data/lib/watobo/core/finding.rb +66 -75
  29. data/lib/watobo/core/findings.rb +107 -114
  30. data/lib/watobo/core/forwarding_proxy.rb +13 -22
  31. data/lib/watobo/core/fuzz_gen.rb +0 -9
  32. data/lib/watobo/core/intercept_carver.rb +166 -177
  33. data/lib/watobo/core/intercept_filter.rb +235 -244
  34. data/lib/watobo/core/interceptor.rb +98 -107
  35. data/lib/watobo/core/min_class.rb +4 -13
  36. data/lib/watobo/core/netfilter_queue.rb +170 -179
  37. data/lib/watobo/core/ott_cache.rb +132 -141
  38. data/lib/watobo/core/parameter.rb +43 -52
  39. data/lib/watobo/core/passive_check.rb +103 -102
  40. data/lib/watobo/core/passive_checks.rb +48 -57
  41. data/lib/watobo/core/passive_scanner.rb +54 -55
  42. data/lib/watobo/core/plugin.rb +11 -20
  43. data/lib/watobo/core/project.rb +3 -9
  44. data/lib/watobo/core/proxy.rb +43 -52
  45. data/lib/watobo/core/request.rb +125 -123
  46. data/lib/watobo/core/response.rb +44 -53
  47. data/lib/watobo/core/scanner.rb +0 -9
  48. data/lib/watobo/core/scanner3.rb +405 -414
  49. data/lib/watobo/core/scope.rb +83 -92
  50. data/lib/watobo/core/session.rb +1043 -1026
  51. data/lib/watobo/core/sid_cache.rb +98 -107
  52. data/lib/watobo/core/subscriber.rb +25 -34
  53. data/lib/watobo/defaults.rb +21 -30
  54. data/lib/watobo/external/diff/lcs.rb +0 -9
  55. data/lib/watobo/external/diff/lcs/array.rb +0 -9
  56. data/lib/watobo/external/diff/lcs/block.rb +0 -9
  57. data/lib/watobo/external/diff/lcs/callbacks.rb +0 -9
  58. data/lib/watobo/external/diff/lcs/change.rb +0 -9
  59. data/lib/watobo/external/diff/lcs/hunk.rb +0 -9
  60. data/lib/watobo/external/diff/lcs/ldiff.rb +0 -9
  61. data/lib/watobo/external/diff/lcs/string.rb +0 -9
  62. data/lib/watobo/externals.rb +6 -15
  63. data/lib/watobo/framework.rb +4 -13
  64. data/lib/watobo/framework/create_project.rb +60 -69
  65. data/lib/watobo/framework/init.rb +0 -9
  66. data/lib/watobo/framework/init_modules.rb +0 -9
  67. data/lib/watobo/framework/license_text.rb +28 -37
  68. data/lib/watobo/framework/load_chat.rb +13 -22
  69. data/lib/watobo/gui.rb +132 -123
  70. data/lib/watobo/gui/about_watobo.rb +0 -9
  71. data/lib/watobo/gui/browser_preview.rb +0 -9
  72. data/lib/watobo/gui/certificate_dialog.rb +0 -9
  73. data/lib/watobo/gui/chat_diff.rb +0 -9
  74. data/lib/watobo/gui/chatviewer_frame.rb +73 -72
  75. data/lib/watobo/gui/checkboxtree.rb +0 -9
  76. data/lib/watobo/gui/checks_policy_frame.rb +0 -9
  77. data/lib/watobo/gui/client_cert_dialog.rb +96 -87
  78. data/lib/watobo/gui/confirm_scan_dialog.rb +0 -9
  79. data/lib/watobo/gui/conversation_table.rb +158 -164
  80. data/lib/watobo/gui/conversation_table_ctrl.rb +207 -216
  81. data/lib/watobo/gui/conversation_table_ctrl2.rb +373 -382
  82. data/lib/watobo/gui/csrf_token_dialog.rb +0 -9
  83. data/lib/watobo/gui/custom_viewer.rb +374 -383
  84. data/lib/watobo/gui/dashboard.rb +296 -303
  85. data/lib/watobo/gui/define_scope_frame.rb +0 -9
  86. data/lib/watobo/gui/differ_frame.rb +215 -224
  87. data/lib/watobo/gui/edit_comment.rb +0 -9
  88. data/lib/watobo/gui/edit_scope_dialog.rb +0 -9
  89. data/lib/watobo/gui/export_dialog.rb +104 -113
  90. data/lib/watobo/gui/finding_info.rb +0 -9
  91. data/lib/watobo/gui/findings_tree.rb +210 -217
  92. data/lib/watobo/gui/full_scan_dialog.rb +0 -9
  93. data/lib/watobo/gui/fuzzer_gui.rb +1295 -1313
  94. data/lib/watobo/gui/fxsave_thread.rb +14 -0
  95. data/lib/watobo/gui/goto_url_dialog.rb +70 -79
  96. data/lib/watobo/gui/hex_viewer.rb +0 -9
  97. data/lib/watobo/gui/html_viewer.rb +287 -296
  98. data/lib/watobo/gui/intercept_filter_dialog.rb +188 -197
  99. data/lib/watobo/gui/interceptor_gui.rb +1041 -1051
  100. data/lib/watobo/gui/interceptor_settings_dialog.rb +0 -9
  101. data/lib/watobo/gui/json_viewer.rb +287 -0
  102. data/lib/watobo/gui/list_box.rb +101 -110
  103. data/lib/watobo/gui/log_file_viewer.rb +32 -41
  104. data/lib/watobo/gui/log_viewer.rb +83 -88
  105. data/lib/watobo/gui/login_wizzard.rb +0 -9
  106. data/lib/watobo/gui/main_window.rb +587 -618
  107. data/lib/watobo/gui/manual_request_editor.rb +620 -565
  108. data/lib/watobo/gui/master_pw_dialog.rb +0 -9
  109. data/lib/watobo/gui/mixins/gui_settings.rb +29 -38
  110. data/lib/watobo/gui/page_tree.rb +217 -226
  111. data/lib/watobo/gui/password_policy_dialog.rb +0 -9
  112. data/lib/watobo/gui/plugin_board.rb +0 -9
  113. data/lib/watobo/gui/preferences_dialog.rb +0 -9
  114. data/lib/watobo/gui/progress_window.rb +17 -27
  115. data/lib/watobo/gui/project_wizzard.rb +0 -9
  116. data/lib/watobo/gui/proxy_dialog.rb +1 -10
  117. data/lib/watobo/gui/quick_scan_dialog.rb +0 -9
  118. data/lib/watobo/gui/request_builder_frame.rb +102 -111
  119. data/lib/watobo/gui/request_editor.rb +181 -137
  120. data/lib/watobo/gui/rewrite_filters_dialog.rb +394 -403
  121. data/lib/watobo/gui/rewrite_rules_dialog.rb +372 -381
  122. data/lib/watobo/gui/save_chat_dialog.rb +140 -149
  123. data/lib/watobo/gui/scanner_settings_dialog.rb +0 -9
  124. data/lib/watobo/gui/select_chat_dialog.rb +0 -9
  125. data/lib/watobo/gui/session_management_dialog.rb +0 -9
  126. data/lib/watobo/gui/sites_tree.rb +0 -9
  127. data/lib/watobo/gui/status_bar.rb +0 -9
  128. data/lib/watobo/gui/table_editor.rb +0 -9
  129. data/lib/watobo/gui/tagless_viewer.rb +0 -9
  130. data/lib/watobo/gui/templates/plugin.rb +0 -9
  131. data/lib/watobo/gui/templates/plugin2.rb +92 -100
  132. data/lib/watobo/gui/templates/plugin_base.rb +144 -153
  133. data/lib/watobo/gui/text_viewer.rb +0 -9
  134. data/lib/watobo/gui/transcoder_window.rb +0 -9
  135. data/lib/watobo/gui/utils/gui_utils.rb +0 -9
  136. data/lib/watobo/gui/utils/init_icons.rb +86 -95
  137. data/lib/watobo/gui/utils/load_icons.rb +33 -42
  138. data/lib/watobo/gui/utils/load_plugins.rb +116 -119
  139. data/lib/watobo/gui/utils/master_password.rb +68 -77
  140. data/lib/watobo/gui/utils/save_default_settings.rb +113 -122
  141. data/lib/watobo/gui/utils/save_project_settings.rb +0 -9
  142. data/lib/watobo/gui/utils/save_proxy_settings.rb +41 -50
  143. data/lib/watobo/gui/utils/save_scanner_settings.rb +18 -27
  144. data/lib/watobo/gui/utils/session_history.rb +112 -121
  145. data/lib/watobo/gui/workspace_dialog.rb +0 -9
  146. data/lib/watobo/gui/www_auth_dialog.rb +0 -9
  147. data/lib/watobo/gui/xml_viewer_frame.rb +0 -9
  148. data/lib/watobo/http.rb +4 -13
  149. data/lib/watobo/http/cookies/cookies.rb +26 -35
  150. data/lib/watobo/http/data/data.rb +45 -54
  151. data/lib/watobo/http/data/json.rb +47 -55
  152. data/lib/watobo/http/url/url.rb +38 -47
  153. data/lib/watobo/http/xml/xml.rb +124 -130
  154. data/lib/watobo/interceptor.rb +3 -12
  155. data/lib/watobo/interceptor/proxy.rb +742 -739
  156. data/lib/watobo/interceptor/transparent.rb +22 -24
  157. data/lib/watobo/mixins.rb +10 -19
  158. data/lib/watobo/mixins/check_info.rb +27 -36
  159. data/lib/watobo/mixins/httpparser.rb +613 -637
  160. data/lib/watobo/mixins/request_parser.rb +88 -97
  161. data/lib/watobo/mixins/shapers.rb +515 -529
  162. data/lib/watobo/mixins/transcoders.rb +3 -11
  163. data/lib/watobo/parser.rb +1 -10
  164. data/lib/watobo/parser/html.rb +83 -92
  165. data/lib/watobo/patch_fxruby_setfocus.rb +26 -0
  166. data/lib/watobo/sockets.rb +3 -12
  167. data/lib/watobo/sockets/agent.rb +828 -837
  168. data/lib/watobo/sockets/client_socket.rb +308 -312
  169. data/lib/watobo/sockets/connection.rb +401 -410
  170. data/lib/watobo/sockets/http_socket.rb +11 -13
  171. data/lib/watobo/sockets/ntlm_auth.rb +129 -138
  172. data/lib/watobo/utils.rb +10 -19
  173. data/lib/watobo/utils/check_regex.rb +0 -9
  174. data/lib/watobo/utils/copy_object.rb +0 -9
  175. data/lib/watobo/utils/crypto.rb +0 -9
  176. data/lib/watobo/utils/expand_range.rb +23 -32
  177. data/lib/watobo/utils/export_xml.rb +97 -106
  178. data/lib/watobo/utils/file_management.rb +9 -11
  179. data/lib/watobo/utils/hexprint.rb +9 -18
  180. data/lib/watobo/utils/load_chat.rb +0 -9
  181. data/lib/watobo/utils/load_icon.rb +0 -9
  182. data/lib/watobo/utils/ntlm.rb +866 -875
  183. data/lib/watobo/utils/print_debug.rb +12 -21
  184. data/lib/watobo/utils/response_builder.rb +90 -99
  185. data/lib/watobo/utils/response_hash.rb +0 -9
  186. data/lib/watobo/utils/secure_eval.rb +0 -9
  187. data/lib/watobo/utils/strings.rb +10 -19
  188. data/lib/watobo/utils/text2request.rb +0 -9
  189. data/lib/watobo/utils/url.rb +23 -32
  190. data/lib/watobo/utils/utf16.rb +11 -20
  191. data/modules/active/Apache/mod_status.rb +0 -9
  192. data/modules/active/Apache/multiview.rb +151 -160
  193. data/modules/active/Flash/crossdomain.rb +0 -9
  194. data/modules/active/JWT/jwt_oauth2_none.rb +111 -0
  195. data/modules/active/cq5/cq5_default_selectors.rb +106 -115
  196. data/modules/active/cq5/cqp_user_enumeration.rb +125 -134
  197. data/modules/active/directories/dirwalker.rb +0 -9
  198. data/modules/active/discovery/fileextensions.rb +0 -9
  199. data/modules/active/discovery/http_methods.rb +0 -9
  200. data/modules/active/discovery/jsmapfiles.rb +79 -0
  201. data/modules/active/domino/domino_db.rb +68 -76
  202. data/modules/active/dotNET/custom_errors.rb +102 -111
  203. data/modules/active/dotNET/dotnet_files.rb +90 -99
  204. data/modules/active/fileinclusion/lfi_simple.rb +0 -9
  205. data/modules/active/jboss/jboss_basic.rb +0 -9
  206. data/modules/active/sap/business_objects.rb +51 -60
  207. data/modules/active/sap/its_commands.rb +0 -9
  208. data/modules/active/sap/its_service_parameter.rb +0 -9
  209. data/modules/active/sap/its_services.rb +0 -9
  210. data/modules/active/sap/its_xss.rb +0 -9
  211. data/modules/active/shell_shock/shell_shock.rb +139 -148
  212. data/modules/active/siebel/siebel_apps.rb +160 -169
  213. data/modules/active/sqlinjection/sql_boolean.rb +0 -9
  214. data/modules/active/sqlinjection/sql_numerical.rb +198 -0
  215. data/modules/active/sqlinjection/sqli_error.rb +0 -9
  216. data/modules/active/sqlinjection/sqli_timing.rb +220 -229
  217. data/modules/active/struts2/default_handler_ognl.rb +106 -115
  218. data/modules/active/struts2/include_params_ognl.rb +105 -114
  219. data/modules/active/xml/xml_xxe.rb +112 -123
  220. data/modules/active/xss/xss_ng.rb +214 -223
  221. data/modules/active/xss/xss_simple.rb +0 -9
  222. data/modules/passive/ajax.rb +68 -77
  223. data/modules/passive/autocomplete.rb +56 -65
  224. data/modules/passive/cookie_options.rb +0 -9
  225. data/modules/passive/cookie_xss.rb +0 -9
  226. data/modules/passive/detect_code.rb +0 -9
  227. data/modules/passive/detect_fileupload.rb +0 -9
  228. data/modules/passive/detect_infrastructure.rb +0 -9
  229. data/modules/passive/detect_one_time_tokens.rb +0 -9
  230. data/modules/passive/dirindexing.rb +0 -9
  231. data/modules/passive/disclosure_domino.rb +55 -64
  232. data/modules/passive/disclosure_emails.rb +0 -9
  233. data/modules/passive/disclosure_ipaddr.rb +55 -53
  234. data/modules/passive/filename_as_parameter.rb +0 -9
  235. data/modules/passive/form_spotter.rb +0 -9
  236. data/modules/passive/hidden_fields.rb +50 -59
  237. data/modules/passive/hotspots.rb +0 -9
  238. data/modules/passive/in_script_parameter.rb +0 -9
  239. data/modules/passive/json_web_token.rb +93 -0
  240. data/modules/passive/multiple_server_headers.rb +0 -9
  241. data/modules/passive/possible_login.rb +0 -9
  242. data/modules/passive/redirect_url.rb +0 -9
  243. data/modules/passive/redirectionz.rb +0 -9
  244. data/modules/passive/sap-headers.rb +56 -65
  245. data/modules/passive/xss_dom.rb +0 -9
  246. data/plugins/aem/aem.rb +11 -20
  247. data/plugins/aem/gui/main.rb +118 -127
  248. data/plugins/aem/gui/tree_view.rb +171 -180
  249. data/plugins/aem/lib/agent.rb +130 -138
  250. data/plugins/aem/lib/dispatcher.rb +45 -51
  251. data/plugins/aem/lib/engine.rb +177 -186
  252. data/plugins/catalog/catalog.rb +345 -355
  253. data/plugins/crawler/crawler.rb +4 -13
  254. data/plugins/crawler/gui.rb +5 -14
  255. data/plugins/crawler/gui/auth_frame.rb +270 -279
  256. data/plugins/crawler/gui/crawler_gui.rb +271 -276
  257. data/plugins/crawler/gui/general_settings_frame.rb +96 -105
  258. data/plugins/crawler/gui/hooks_frame.rb +80 -89
  259. data/plugins/crawler/gui/scope_frame.rb +50 -59
  260. data/plugins/crawler/gui/settings_tabbook.rb +38 -47
  261. data/plugins/crawler/gui/status_frame.rb +59 -68
  262. data/plugins/crawler/lib/bags.rb +18 -27
  263. data/plugins/crawler/lib/constants.rb +11 -20
  264. data/plugins/crawler/lib/engine.rb +488 -497
  265. data/plugins/crawler/lib/grabber.rb +68 -77
  266. data/plugins/crawler/lib/status.rb +71 -80
  267. data/plugins/crawler/lib/uri_mp.rb +12 -21
  268. data/plugins/filefinder/filefinder.rb +326 -333
  269. data/plugins/sqlmap/bin/test.rb +78 -87
  270. data/plugins/sqlmap/gui.rb +4 -13
  271. data/plugins/sqlmap/gui/main.rb +218 -227
  272. data/plugins/sqlmap/gui/options_frame.rb +97 -106
  273. data/plugins/sqlmap/lib/sqlmap_ctrl.rb +90 -100
  274. data/plugins/sqlmap/sqlmap.rb +2 -11
  275. data/plugins/sslchecker/cli/sslchecker_cli.rb +0 -9
  276. data/plugins/sslchecker/gui/cipher_table.rb +246 -254
  277. data/plugins/sslchecker/gui/gui.rb +258 -264
  278. data/plugins/sslchecker/gui/sslchecker.rb +4 -13
  279. data/plugins/sslchecker/lib/check.rb +127 -133
  280. data/plugins/wshell/gui/main.rb +119 -117
  281. data/plugins/wshell/lib/core.rb +38 -88
  282. data/plugins/wshell/wshell.rb +11 -20
  283. metadata +170 -164
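--- a/data/lib/watobo/utils/print_debug.rb
+++ b/data/lib/watobo/utils/print_debug.rb
@@ -1,23 +1,14 @@
- #.
- # print_debug.rb
- #.
- # Copyright 2014 by siberas, http://www.siberas.de
- # This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
- # WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
- # WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
- # You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
-
  # @private
- module Watobo#:nodoc: all
- def self.print_debug(*m)
- fl = m.shift
- puts "#"
- puts "# #{fl} #"
- if m.length > 0
- m.each do |l|
- puts l
- end
- puts "# " + "-"*fl.length + " #"
- end
- end
+ module Watobo#:nodoc: all
+ def self.print_debug(*m)
+ fl = m.shift
+ puts "#"
+ puts "# #{fl} #"
+ if m.length > 0
+ m.each do |l|
+ puts l
+ end
+ puts "# " + "-"*fl.length + " #"
+ end
+ end
  end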
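--- a/data/lib/watobo/utils/response_builder.rb
+++ b/data/lib/watobo/utils/response_builder.rb
@@ -1,101 +1,92 @@
- #.
- # response_builder.rb
- #.
- # Copyright 2014 by siberas, http://www.siberas.de
- # This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
- # WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
- # WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
- # You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
-
  # @private
- module Watobo#:nodoc: all
- module Utils
- def self.string2response( text, opts = {} )
- options = { :update_content_length => false }
- options.update opts
- begin
- hb_sep = "\r\n\r\n"
- eoh = text.index(hb_sep)
- if eoh.nil?
- hb_sep = "\n\n"
- eoh = text.index(hb_sep)
- end
- unless eoh.nil?
- raw_header = text[0..eoh-1]
- raw_body = text[eoh+hb_sep.length..-1]
- puts ">> RawBody: #{raw_body}"
- else
- raw_header = text
- raw_body = nil
- end
-
- response = raw_header.split("\n")
- response.map!{|r| "#{r.strip}\r\n" }
- # Watobo::Response.create response
- unless raw_body.nil?
- response << "\r\n"
- response << raw_body unless raw_body.strip.empty?
- end
- #return response
- return Watobo::Response.new(response)
-
- rescue => bang
- puts bang
- puts bang.backtrace
- end
- return nil
- end
- end
- end
-
- if $0 == __FILE__
- inc_path = File.expand_path(File.join(File.dirname(__FILE__), "..", ".."))
- $: << inc_path
-
- require 'watobo'
-
- text =<<'EOF'
- HTTP/1.1 200 OK
- Content-Type: text/html
- Vary: Accept-Encoding
- Expires: Thu, 19 Jul 2012 06:57:20 GMT
- Cache-Control: max-age=0, no-cache, no-store
- Pragma: no-cache
- Date: Thu, 19 Jul 2012 06:57:20 GMT
- Content-Length: 203
- Connection: close
-
- <html></html>
- EOF
-
- text2 ="HTTP/1.1 200 OK\r\n" +
- "Content-Type: text/html\r\n" +
- "Vary: Accept-Encoding\r\n" +
- "Expires: Thu, 19 Jul 2012 06:57:20 GMT\r\n" +
- "Cache-Control: max-age=0, no-cache, no-store\r\n" +
- "Pragma: no-cache\r\n" +
- "Date: Thu, 19 Jul 2012 06:57:20 GMT\r\n" +
- "Content-Length: 203\r\n" +
- "Connection: close\r\n\r\n" +
- "<html></html>\r\n"
-
- unless ARGV[0].nil?
- if File.exist? ARGV[0]
- text = File.open(ARGV[0],"rb").read
- end
- end
- r = Watobo::Utils.string2response text
- puts r.class
- puts r.status
- puts r.content_type
- puts r
- puts
- puts "="
- puts
- r = Watobo::Utils.string2response text2
- puts r.class
- puts r.status
- puts r.content_type
- puts r
-
+ module Watobo#:nodoc: all
+ module Utils
+ def self.string2response( text, opts = {} )
+ options = { :update_content_length => false }
+ options.update opts
+ begin
+ hb_sep = "\r\n\r\n"
+ eoh = text.index(hb_sep)
+ if eoh.nil?
+ hb_sep = "\n\n"
+ eoh = text.index(hb_sep)
+ end
+ unless eoh.nil?
+ raw_header = text[0..eoh-1]
+ raw_body = text[eoh+hb_sep.length..-1]
+ puts ">> RawBody: #{raw_body}"
+ else
+ raw_header = text
+ raw_body = nil
+ end
+
+ response = raw_header.split("\n")
+ response.map!{|r| "#{r.strip}\r\n" }
+ # Watobo::Response.create response
+ unless raw_body.nil?
+ response << "\r\n"
+ response << raw_body unless raw_body.strip.empty?
+ end
+ #return response
+ return Watobo::Response.new(response)
+
+ rescue => bang
+ puts bang
+ puts bang.backtrace
+ end
+ return nil
+ end
+ end
+ end
+
+ if $0 == __FILE__
+ inc_path = File.expand_path(File.join(File.dirname(__FILE__), "..", ".."))
+ $: << inc_path
+
+ require 'watobo'
+
+ text =<<'EOF'
+ HTTP/1.1 200 OK
+ Content-Type: text/html
+ Vary: Accept-Encoding
+ Expires: Thu, 19 Jul 2012 06:57:20 GMT
+ Cache-Control: max-age=0, no-cache, no-store
+ Pragma: no-cache
+ Date: Thu, 19 Jul 2012 06:57:20 GMT
+ Content-Length: 203
+ Connection: close
+
+ <html></html>
+ EOF
+
+ text2 ="HTTP/1.1 200 OK\r\n" +
+ "Content-Type: text/html\r\n" +
+ "Vary: Accept-Encoding\r\n" +
+ "Expires: Thu, 19 Jul 2012 06:57:20 GMT\r\n" +
+ "Cache-Control: max-age=0, no-cache, no-store\r\n" +
+ "Pragma: no-cache\r\n" +
+ "Date: Thu, 19 Jul 2012 06:57:20 GMT\r\n" +
+ "Content-Length: 203\r\n" +
+ "Connection: close\r\n\r\n" +
+ "<html></html>\r\n"
+
+ unless ARGV[0].nil?
+ if File.exist? ARGV[0]
+ text = File.open(ARGV[0],"rb").read
+ end
+ end
+ r = Watobo::Utils.string2response text
+ puts r.class
+ puts r.status
+ puts r.content_type
+ puts r
+ puts
+ puts "="
+ puts
+ r = Watobo::Utils.string2response text2
+ puts r.class
+ puts r.status
+ puts r.content_type
+ puts r
+
  end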
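Review bot: `string2response` still prints every parsed body with `puts ">> RawBody: #{raw_body}"`, which reads as leftover debug output; response bodies handled by this tool can carry session tokens or other secrets, and they would end up on stdout and in any captured console log. I would delete the line or gate it behind the project's debug switch. The `rescue => bang` branch prints the backtrace and falls through to `return nil`, so callers cannot tell a parse failure from any other error, and `options` is built from `opts` but never read in the lines shown. The code text looks unchanged from the old side apart from the dropped licence header, so these points predate this release.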
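--- a/data/lib/watobo/utils/response_hash.rb
+++ b/data/lib/watobo/utils/response_hash.rb
@@ -1,12 +1,3 @@
- #.
- # response_hash.rb
- #.
- # Copyright 2014 by siberas, http://www.siberas.de
- # This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
- # WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
- # WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
- # You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
-
  require 'digest/md5'
 
  # @private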
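--- a/data/lib/watobo/utils/secure_eval.rb
+++ b/data/lib/watobo/utils/secure_eval.rb
@@ -1,12 +1,3 @@
- #.
- # secure_eval.rb
- #.
- # Copyright 2014 by siberas, http://www.siberas.de
- # This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
- # WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
- # WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
- # You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
-
  # @private
  module Watobo#:nodoc: all
  module Utils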
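--- a/data/lib/watobo/utils/strings.rb
+++ b/data/lib/watobo/utils/strings.rb
@@ -1,21 +1,12 @@
- #.
- # strings.rb
- #.
- # Copyright 2014 by siberas, http://www.siberas.de
- # This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
- # WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
- # WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
- # You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
-
  # @private
- module Watobo#:nodoc: all
- module Utils
- def self.camelcase(string)
- string.strip.gsub(/[^[a-zA-Z\-_]]/,"").gsub( "-" , "_").split("_").map{ |s| s.downcase.capitalize }.join
- end
-
- def self.snakecase(string)
- string.gsub(/([A-Z])([A-Z][a-z])/, '\1_\2').gsub(/([a-z\d])([A-Z])/, '\1_\2').tr("-","_").downcase
- end
- end
+ module Watobo#:nodoc: all
+ module Utils
+ def self.camelcase(string)
+ string.strip.gsub(/[^[a-zA-Z\-_]]/,"").gsub( "-" , "_").split("_").map{ |s| s.downcase.capitalize }.join
+ end
+
+ def self.snakecase(string)
+ string.gsub(/([A-Z])([A-Z][a-z])/, '\1_\2').gsub(/([a-z\d])([A-Z])/, '\1_\2').tr("-","_").downcase
+ end
+ end
  end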
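--- a/data/lib/watobo/utils/text2request.rb
+++ b/data/lib/watobo/utils/text2request.rb
@@ -1,12 +1,3 @@
- #.
- # text2request.rb
- #.
- # Copyright 2014 by siberas, http://www.siberas.de
- # This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
- # WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
- # WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
- # You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
-
  # @private
  module Watobo#:nodoc: all
  module Utils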
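--- a/data/lib/watobo/utils/url.rb
+++ b/data/lib/watobo/utils/url.rb
@@ -1,34 +1,25 @@
- #.
- # url.rb
- #.
- # Copyright 2014 by siberas, http://www.siberas.de
- # This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
- # WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
- # WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
- # You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
-
  # @private
- module Watobo#:nodoc: all
- module Utils
- module URL
- def self.create_url(chat, path)
- url = path
- # only expand path if not url
- unless path =~ /^http/
- # check if path is absolute
- if path =~ /^\//
- url = File.join("#{chat.request.proto}://#{chat.request.host}", path)
- else
- # it's relative
- url = File.join(File.dirname(chat.request.url.to_s), path)
- end
- end
- # resolve path traversals
- while url =~ /(\/[^\.\/]*\/\.\.\/)/
- url.gsub!( $1,"/")
- end
- url
- end
- end
- end
+ module Watobo#:nodoc: all
+ module Utils
+ module URL
+ def self.create_url(chat, path)
+ url = path
+ # only expand path if not url
+ unless path =~ /^http/
+ # check if path is absolute
+ if path =~ /^\//
+ url = File.join("#{chat.request.proto}://#{chat.request.host}", path)
+ else
+ # it's relative
+ url = File.join(File.dirname(chat.request.url.to_s), path)
+ end
+ end
+ # resolve path traversals
+ while url =~ /(\/[^\.\/]*\/\.\.\/)/
+ url.gsub!( $1,"/")
+ end
+ url
+ end
+ end
+ end
  end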
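Review bot: In `create_url`, the scheme test `path =~ /^http/` is looser than its comment suggests: `^` matches at the start of any line in Ruby and the pattern accepts anything beginning with `http`, so a relative path such as `httpdocs/x` (constructed example) is treated as a full URL; `path =~ /\Ahttps?:\/\//` would state the intent. The traversal loop collapses `segment/../` only when the segment contains no dot (`[^\.\/]*`), so `/a.b/../c` is left unresolved, while the `*` lets an empty segment match and `http://../x` is rewritten to `http:/x`. Because `url = path` aliases the argument, `url.gsub!` also mutates the caller's string when `path` was already absolute; `url = path.dup` avoids that. The code text looks unchanged from the old side apart from the dropped licence header, so these points predate this release.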
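--- a/data/lib/watobo/utils/utf16.rb
+++ b/data/lib/watobo/utils/utf16.rb
@@ -1,22 +1,13 @@
- #.
- # utf16.rb
- #.
- # Copyright 2014 by siberas, http://www.siberas.de
- # This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
- # WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
- # WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
- # You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ module Watobo
+ module UTF16
+ def self.decode_utf16le(str)
+ str.force_encoding(Encoding::UTF_16LE)
+ str.encode(Encoding::UTF_8, Encoding::UTF_16LE).force_encoding('UTF-8')
+ end
 
- module Watobo
- module UTF16
- def self.decode_utf16le(str)
- str.force_encoding(Encoding::UTF_16LE)
- str.encode(Encoding::UTF_8, Encoding::UTF_16LE).force_encoding('UTF-8')
- end
-
- def self.encode_utf16le(str)
- str = str.force_encoding('UTF-8') if [::Encoding::ASCII_8BIT,::Encoding::US_ASCII].include?(str.encoding)
- str.dup.force_encoding('UTF-8').encode(Encoding::UTF_16LE, Encoding::UTF_8).force_encoding('UTF-8')
- end
- end
+ def self.encode_utf16le(str)
+ str = str.force_encoding('UTF-8') if [::Encoding::ASCII_8BIT,::Encoding::US_ASCII].include?(str.encoding)
+ str.dup.force_encoding('UTF-8').encode(Encoding::UTF_16LE, Encoding::UTF_8).force_encoding('UTF-8')
+ end
+ end
  end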
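--- a/data/modules/active/Apache/mod_status.rb
+++ b/data/modules/active/Apache/mod_status.rb
@@ -1,12 +1,3 @@
- #.
- # mod_status.rb
- #.
- # Copyright 2014 by siberas, http://www.siberas.de
- # This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
- # WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
- # WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
- # You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
-
  # .
  # mod_status.rb
  #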
@@ -1,161 +1,152 @@
1
- #.
2
- # multiview.rb
3
- #.
4
- # Copyright 2014 by siberas, http://www.siberas.de
5
- # This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
6
- # WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
7
- # WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
8
- # You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
1
+ =begin
2
+ http://www.wisec.it/sectou.php?id=4698ebdc59d15
9
3
 
10
- =begin
11
- http://www.wisec.it/sectou.php?id=4698ebdc59d15
12
-
13
- $ curl -i -H "Negotiate: watobo" http://192.168.70.134/index
14
- HTTP/1.1 406 Not Acceptable
15
- Date: Fri, 24 Jan 2014 08:46:35 GMT
16
- Server: Apache/2.2.22 (Debian)
17
- Alternates: {"index.bak" 1 {type application/x-trash} {length 0}}, {"index.html" 1 {type text/html} {length 177}}, {"index.tgz" 1 {type application/x-gzip} {length 0}}
18
- Vary: negotiate,accept,Accept-Encoding
19
- TCN: list
20
- Content-Length: 568
21
- Content-Type: text/html; charset=iso-8859-1
22
-
23
- <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
24
- <html><head>
25
- <title>406 Not Acceptable</title>
26
- </head><body>
27
- <h1>Not Acceptable</h1>
28
- <p>An appropriate representation of the requested resource /index could not be found on this server.</p>
29
- Available variants:
30
- <ul>
31
- <li><a href="index.bak">index.bak</a> , type application/x-trash</li>
32
- <li><a href="index.html">index.html</a> , type text/html</li>
33
- <li><a href="index.tgz">index.tgz</a> , type application/x-gzip</li>
34
- </ul>
35
- <hr>
36
- <address>Apache/2.2.22 (Debian) Server at 192.168.70.134 Port 80</address>
37
- </body></html>
38
-
39
- =end
40
-
41
- # @private
42
- module Watobo#:nodoc: all
43
- module Modules
44
- module Active
45
- module Apache
46
-
47
-
48
- class Multiview < Watobo::ActiveCheck
49
-
50
- @@tested_paths = []
51
-
52
- details =<<EOD
53
- $ curl -i -H "Negotiate: watobo" http://192.168.70.134/index
54
- HTTP/1.1 406 Not Acceptable
55
- Date: Fri, 24 Jan 2014 08:46:35 GMT
56
- Server: Apache/2.2.22 (Debian)
57
- Alternates: {"index.bak" 1 {type application/x-trash} {length 0}}, {"index.html" 1 {type text/html} {length 177}}, {"index.tgz" 1 {type application/x-gzip} {length 0}}
58
- Vary: negotiate,accept,Accept-Encoding
59
- TCN: list
60
- Content-Length: 568
61
- Content-Type: text/html; charset=iso-8859-1
62
-
63
- <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
64
- <html><head>
65
- <title>406 Not Acceptable</title>
66
- </head><body>
67
- <h1>Not Acceptable</h1>
68
- <p>An appropriate representation of the requested resource /index could not be found on this server.</p>
69
- Available variants:
70
- <ul>
71
- <li><a href="index.bak">index.bak</a> , type application/x-trash</li>
72
- <li><a href="index.html">index.html</a> , type text/html</li>
73
- <li><a href="index.tgz">index.tgz</a> , type application/x-gzip</li>
74
- </ul>
75
- <hr>
76
- <address>Apache/2.2.22 (Debian) Server at 192.168.70.134 Port 80</address>
77
- </body></html>
78
- EOD
79
-
80
- @info.update(
81
- :check_name => 'MultiViews', # name of check which briefly describes functionality, will be used for tree and progress views
82
- :description => "Checks if MultiViews option is present in Apache. See http://www.wisec.it/sectou.php?id=4698ebdc59d15", # description of checkfunction
83
- :author => "Andreas Schmidt", # author of check
84
- :check_group => AC_GROUP_APACHE,
85
- :version => "1.0" # check version
86
- )
87
-
88
- @finding.update(
89
- :threat => 'Makes enumeration of backup or renamed files easier. see also http://www.wisec.it/sectou.php?id=4698ebdc59d15', # thread of vulnerability, e.g. loss of information
90
- :class => "MultiViews", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
91
- :rating => VULN_RATING_INFO,
92
- :measure => "Disable MultiViews in your Apache configuration.",
93
- :details => details,
94
- :type => FINDING_TYPE_VULN # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
95
- )
96
-
97
-
98
- def initialize(session_name=nil, prefs={})
99
- # @project = project
100
- super(session_name, prefs)
101
-
102
- # @tested_directories = Hash.new
103
- @fext = %w( php asp aspx jsp cfm shtm htm html shml )
104
-
105
- end
106
-
107
- def reset()
108
- @@tested_paths.clear
109
- end
110
-
111
-
112
- def generateChecks(chat)
113
-
114
- begin
115
- file = chat.request.file
116
- return nil if @@tested_paths.include? file
117
- @@tested_paths << file
118
-
119
- if file != "" and file =~ /\.(#{@fext.join("|")})$/ then
120
- checker = proc{
121
- test_request = nil
122
- test_response = nil
123
- new_file = file.gsub(/\.\w{1,4}$/, "")
124
- test_request = chat.copyRequest
125
- #test_request.addHeader("Vary","negotiate,accept")
126
- test_request.set_header("Accept","application/watobo; q=1.0")
127
-
128
- test_request.replaceFileExt(new_file)
129
- result_request, result_response = doRequest(test_request, :default => true)
130
-
131
- tcn_headers = result_response.headers("^TCN")
132
- unless tcn_headers.empty?
133
- puts "MULTIVIEW - #{self.class}!!!\n"
134
- #test_chat = Chat.new(test_request, test_response, chat.id)
135
- addFinding( result_request, result_response,
136
- :check_pattern => "#{new_file}",
137
- :test_item => file,
138
- :proof_pattern => "#{new_file}",
139
- :chat => chat,
140
- :title => "#{new_file}"
141
- #:debug => true
142
- )
143
- end
144
- [ test_request, test_response ]
145
- }
146
- yield checker
147
- end
148
- rescue => bang
149
-
150
- puts "ERROR!! #{Module.nesting[0].name} "
151
- puts "chatid: #{chat.id}"
152
- puts bang
153
- puts
154
-
155
- end
156
- end
157
- end
158
- end
159
- end
160
- end
161
- end
4
+ $ curl -i -H "Negotiate: watobo" http://192.168.70.134/index
5
+ HTTP/1.1 406 Not Acceptable
6
+ Date: Fri, 24 Jan 2014 08:46:35 GMT
7
+ Server: Apache/2.2.22 (Debian)
8
+ Alternates: {"index.bak" 1 {type application/x-trash} {length 0}}, {"index.html" 1 {type text/html} {length 177}}, {"index.tgz" 1 {type application/x-gzip} {length 0}}
9
+ Vary: negotiate,accept,Accept-Encoding
10
+ TCN: list
11
+ Content-Length: 568
12
+ Content-Type: text/html; charset=iso-8859-1
13
+
14
+ <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
15
+ <html><head>
16
+ <title>406 Not Acceptable</title>
17
+ </head><body>
18
+ <h1>Not Acceptable</h1>
19
+ <p>An appropriate representation of the requested resource /index could not be found on this server.</p>
20
+ Available variants:
21
+ <ul>
22
+ <li><a href="index.bak">index.bak</a> , type application/x-trash</li>
23
+ <li><a href="index.html">index.html</a> , type text/html</li>
24
+ <li><a href="index.tgz">index.tgz</a> , type application/x-gzip</li>
25
+ </ul>
26
+ <hr>
27
+ <address>Apache/2.2.22 (Debian) Server at 192.168.70.134 Port 80</address>
28
+ </body></html>
29
+
30
+ =end
31
+
32
+ # @private
33
+ module Watobo#:nodoc: all
34
+ module Modules
35
+ module Active
36
+ module Apache
37
+
38
+
39
+ class Multiview < Watobo::ActiveCheck
40
+
41
+ @@tested_paths = []
42
+
43
+ details =<<EOD
44
+ $ curl -i -H "Negotiate: watobo" http://192.168.70.134/index
45
+ HTTP/1.1 406 Not Acceptable
46
+ Date: Fri, 24 Jan 2014 08:46:35 GMT
47
+ Server: Apache/2.2.22 (Debian)
48
+ Alternates: {"index.bak" 1 {type application/x-trash} {length 0}}, {"index.html" 1 {type text/html} {length 177}}, {"index.tgz" 1 {type application/x-gzip} {length 0}}
49
+ Vary: negotiate,accept,Accept-Encoding
50
+ TCN: list
51
+ Content-Length: 568
52
+ Content-Type: text/html; charset=iso-8859-1
53
+
54
+ <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
55
+ <html><head>
56
+ <title>406 Not Acceptable</title>
57
+ </head><body>
58
+ <h1>Not Acceptable</h1>
59
+ <p>An appropriate representation of the requested resource /index could not be found on this server.</p>
60
+ Available variants:
61
+ <ul>
62
+ <li><a href="index.bak">index.bak</a> , type application/x-trash</li>
63
+ <li><a href="index.html">index.html</a> , type text/html</li>
64
+ <li><a href="index.tgz">index.tgz</a> , type application/x-gzip</li>
65
+ </ul>
66
+ <hr>
67
+ <address>Apache/2.2.22 (Debian) Server at 192.168.70.134 Port 80</address>
68
+ </body></html>
69
+ EOD
70
+
71
+ @info.update(
72
+ :check_name => 'MultiViews', # name of check which briefly describes functionality, will be used for tree and progress views
73
+ :description => "Checks if MultiViews option is present in Apache. See http://www.wisec.it/sectou.php?id=4698ebdc59d15", # description of checkfunction
74
+ :author => "Andreas Schmidt", # author of check
75
+ :check_group => AC_GROUP_APACHE,
76
+ :version => "1.0" # check version
77
+ )
78
+
79
+ @finding.update(
80
+ :threat => 'Makes enumeration of backup or renamed files easier. see also http://www.wisec.it/sectou.php?id=4698ebdc59d15', # thread of vulnerability, e.g. loss of information
81
+ :class => "MultiViews", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
82
+ :rating => VULN_RATING_INFO,
83
+ :measure => "Disable MultiViews in your Apache configuration.",
84
+ :details => details,
85
+ :type => FINDING_TYPE_VULN # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
86
+ )
87
+
88
+
89
+ def initialize(session_name=nil, prefs={})
90
+ # @project = project
91
+ super(session_name, prefs)
92
+
93
+ # @tested_directories = Hash.new
94
+ @fext = %w( php asp aspx jsp cfm shtm htm html shml )
95
+
96
+ end
97
+
98
+ def reset()
99
+ @@tested_paths.clear
100
+ end
101
+
102
+
103
+ def generateChecks(chat)
104
+
105
+ begin
106
+ file = chat.request.file
107
+ return nil if @@tested_paths.include? file
108
+ @@tested_paths << file
109
+
110
+ if file != "" and file =~ /\.(#{@fext.join("|")})$/ then
111
+ checker = proc{
112
+ test_request = nil
113
+ test_response = nil
114
+ new_file = file.gsub(/\.\w{1,4}$/, "")
115
+ test_request = chat.copyRequest
116
+ #test_request.addHeader("Vary","negotiate,accept")
117
+ test_request.set_header("Accept","application/watobo; q=1.0")
118
+
119
+ test_request.replaceFileExt(new_file)
120
+ result_request, result_response = doRequest(test_request, :default => true)
121
+
122
+ tcn_headers = result_response.headers("^TCN")
123
+ unless tcn_headers.empty?
124
+ puts "MULTIVIEW - #{self.class}!!!\n"
125
+ #test_chat = Chat.new(test_request, test_response, chat.id)
126
+ addFinding( result_request, result_response,
127
+ :check_pattern => "#{new_file}",
128
+ :test_item => file,
129
+ :proof_pattern => "#{new_file}",
130
+ :chat => chat,
131
+ :title => "#{new_file}"
132
+ #:debug => true
133
+ )
134
+ end
135
+ [ test_request, test_response ]
136
+ }
137
+ yield checker
138
+ end
139
+ rescue => bang
140
+
141
+ puts "ERROR!! #{Module.nesting[0].name} "
142
+ puts "chatid: #{chat.id}"
143
+ puts bang
144
+ puts
145
+
146
+ end
147
+ end
148
+ end
149
+ end
150
+ end
151
+ end
152
+ end
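Review bot: The `checker` proc in `generateChecks` ends with `[ test_request, test_response ]`, but `test_response` is set to `nil` at the top of the proc and never reassigned, so the caller always receives `nil` as the response even when the request succeeded. The response actually received is in `result_response`; returning `[ result_request, result_response ]` would hand back the pair that `addFinding` was given. `result_response.headers("^TCN")` is also called without checking that `doRequest` returned a response. If `doRequest` can return `nil` on a connection error (not visible in this hunk), that line raises inside the proc, and the `rescue => bang` in `generateChecks` only catches it when the block run by `yield` calls the proc synchronously. A guard such as `tcn_headers = result_response ? result_response.headers("^TCN") : []` keeps a failed request from aborting the check.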