watobo 0.9.21 → 0.9.23

data/modules/active/Flash/crossdomain.rb

@@ -1,12 +1,3 @@
-#.
-# crossdomain.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # .
 # crossdomain.rb
 #   

data/modules/active/JWT/jwt_oauth2_none.rb

@@ -0,0 +1,111 @@
+# @private
+module Watobo #:nodoc: all
+  module Modules
+    module Active
+      module Jwt
+
+        class Jwt_oauth2_none < Watobo::ActiveCheck
+          @@tested_directories = Hash.new
+
+          threat =<<'EOF'
+Privilege Escalation
+EOF
+
+#
+          details =<<'EOD'
+
+EOD
+
+
+          measure = 'Only accept secure algorithms.'
+
+          @info.update(
+              :check_name => 'OAuth2 Anonymous JWT', # name of check which briefly describes functionality, will be used for tree and progress views
+              :check_group => 'JWT',
+              :description => 'Checks if anonymous token (without signature) is supported by the application.', # description of checkfunction
+              :author => 'Andreas Schmidt', # author of check
+              :version => '1.0' # check version
+          )
+
+          @finding.update(
+              :threat => threat, # thread of vulnerability, e.g. loss of information
+              :class => "JWT - None", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
+              :type => FINDING_TYPE_VULN, # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
+              :rating => VULN_RATING_CRITICAL,
+              :measure => measure,
+              :details => details
+          )
+
+          def initialize(project, prefs={})
+            super(project, prefs)
+
+            def reset
+
+            end
+
+
+          end
+
+
+          def generateChecks(chat)
+            begin
+              # Check for JWT Bearer Header, e.g.
+              # Authorization: Bearer asdfasdfasdf.alksjdflkjsdlfjkweoriuwoejosjfoijowemrjosjajjojpj.Xm7q8hzlXlooWPyZPayq ...
+              bearer = chat.request.headers(' Bearer ')[0]
+              return true if bearer.nil?
+
+              jwt = bearer.match(/Bearer (.*)/)[1]
+              jh, jp, js = jwt.split('.')
+              jh = JSON.parse(Base64.decode64(jh))
+              jp = JSON.parse(Base64.decode64(jp))
+
+              # remove 'alg' from original header
+              jh.delete 'alg'
+
+              # TODO: improve check to also compare responses which don't have a body
+              body_orig = chat.response.body.to_s
+              return true if body_orig.empty?
+
+              checker = proc {
+                request = nil
+                response = nil
+                test_request = chat.copyRequest
+
+                # create new token with original header fields - except 'alg'
+                token = JWT.encode jp, nil, 'none', jh
+
+                new_auth_header = "Bearer #{token}"
+
+                test_request.set_header 'Authorization', new_auth_header
+
+                request, response = doRequest(test_request)
+
+                if response.body.to_s.strip == body_orig.strip
+
+                  addFinding(request, response,
+                             :check_pattern => token,
+                             :proof_pattern => body_orig.strip,
+                             #:test_item => '',
+                             :chat => chat,
+                             :title => "[#{request.file}]"
+                  )
+                end
+
+                [request, response]
+              }
+              yield checker
+
+            rescue => bang
+              puts bang
+              puts bang.backtrace if $DEBUG
+              puts "ERROR!! #{Module.nesting[0].name}"
+              raise
+            end
+          end
+
+        end
+
+      end
+    end
+  end
+end

data/modules/active/cq5/cq5_default_selectors.rb

@@ -1,116 +1,107 @@
-#.
-# cq5_default_selectors.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+# @private
+module Watobo#:nodoc: all
+  module Modules
+    module Active
+      module Cq5
+        #class Dir_indexing < Watobo::Mixin::Session
+        class Cq5_default_selectors < Watobo::ActiveCheck
 
-# @private
-module Watobo#:nodoc: all
-  module Modules
-    module Active
-      module Cq5
-        #class Dir_indexing < Watobo::Mixin::Session
-        class Cq5_default_selectors < Watobo::ActiveCheck
-
-          @info.update(
-          :check_name => 'CQ5 Selectors',    # name of check which briefly describes functionality, will be used for tree and progress views
-          :description => "This module checks for default selectors.",   # description of checkfunction
-          :author => "Andreas Schmidt", # author of check
-          :version => "1.0",   # check version
-          :check_group => "CQ5"
-          )
-
-          @finding.update(
-          :threat => 'Selectors can reveal sensitive information about the application, e.g. password hashes (jackrabbit). Also, the query selector enables you to perform XPATH queries on the entire repository, which could slow your system down considerably, or even cause a denial of service if run multiple times',        # thread of vulnerability, e.g. loss of information
-          :class => "CQ5: Selectors",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
-          :type => FINDING_TYPE_VULN,         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
-          :rating => VULN_RATING_INFO
-          )
-          
-          def initialize(project, prefs={})
-            super(project, prefs)
-            
-            @checked_locations = []
-            @selectors = %w( query assets infinity children s7catalog pages feed feedentry tidy sysview docview permissions overlay 1 2 3 4 5 6 7 )
-            @extensions = %w( json html csv zip xml )
-            # specials are combinations which need one or more parameters to produce a valid result
-            @specials = %w( query.json?statement=%2F%2F%2A cqactions.json?path=/&depth=1&authorizableId=* permissions.overlay.json?path=/ )
-            
-            @mixed = @selectors.map{|s| @extensions.map{|e| s + '.' + e } }.flatten
-
-          end
-
-          def reset()
-            @checked_locations = []
-          end
-
-          def generateChecks(chat)
-             path = chat.request.path
-             return false if @checked_locations.include? path
-             @checked_locations << path
-             
-             test_extensions = @extensions
-             test_extensions.concat @specials
-             test_extensions.concat @mixed
-             
-             test_extensions.each do |ext|
-              checker = proc {
-                begin
-                  test_request = nil
-                  test_response = nil
-                  
-                  test = chat.copyRequest    
-                  
-                  # replace file extension only              
-
-                  test.set_file_extension(ext)
-
-                  status, test_request, test_response = fileExists?(test)
-
-                  if status == true and test_response.content_type != chat.response.content_type and test_response.status_code < 300
-                    
-                    addFinding(  test_request, test_response,
-                      :test_item => "#{test_request.url}",
-                      :proof_pattern => "#{test_response.status}",
-                      :chat => chat,
-                      :title => "[#{ext}]"
-                      )
-
-                  end
-                  
-                  # also test extensions on the path
-                  test = chat.copyRequest                 
-
-                  test.replaceFileExt(".#{ext}")
-
-                  status, test_request, test_response = fileExists?(test)
-
-                  if status == true and test_response.content_type != chat.response.content_type and test_response.status_code < 300
-                    
-                    addFinding(  test_request, test_response,
-                      :test_item => "#{test_request.url}",
-                      :proof_pattern => "#{test_response.status}",
-                      :chat => chat,
-                      :title => "[#{ext}]"
-                      )
-
-                  end
-                rescue => bang
-                  puts bang
-                  puts bang.backtrace if $DEBUG
-                end
-                [ test_request, test_response ]
-
-              }
-              yield checker
-            end
-
-          end
-        end
-      end
-    end
-  end
-end
+          @info.update(
+          :check_name => 'CQ5 Selectors',    # name of check which briefly describes functionality, will be used for tree and progress views
+          :description => "This module checks for default selectors.",   # description of checkfunction
+          :author => "Andreas Schmidt", # author of check
+          :version => "1.0",   # check version
+          :check_group => "CQ5"
+          )
+
+          @finding.update(
+          :threat => 'Selectors can reveal sensitive information about the application, e.g. password hashes (jackrabbit). Also, the query selector enables you to perform XPATH queries on the entire repository, which could slow your system down considerably, or even cause a denial of service if run multiple times',        # thread of vulnerability, e.g. loss of information
+          :class => "CQ5: Selectors",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
+          :type => FINDING_TYPE_VULN,         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
+          :rating => VULN_RATING_INFO
+          )
+          
+          def initialize(project, prefs={})
+            super(project, prefs)
+            
+            @checked_locations = []
+            @selectors = %w( query assets infinity children s7catalog pages feed feedentry tidy sysview docview permissions overlay 1 2 3 4 5 6 7 )
+            @extensions = %w( json html csv zip xml )
+            # specials are combinations which need one or more parameters to produce a valid result
+            @specials = %w( query.json?statement=%2F%2F%2A cqactions.json?path=/&depth=1&authorizableId=* permissions.overlay.json?path=/ )
+            
+            @mixed = @selectors.map{|s| @extensions.map{|e| s + '.' + e } }.flatten
+
+          end
+
+          def reset()
+            @checked_locations = []
+          end
+
+          def generateChecks(chat)
+             path = chat.request.path
+             return false if @checked_locations.include? path
+             @checked_locations << path
+             
+             test_extensions = @extensions
+             test_extensions.concat @specials
+             test_extensions.concat @mixed
+             
+             test_extensions.each do |ext|
+              checker = proc {
+                begin
+                  test_request = nil
+                  test_response = nil
+                  
+                  test = chat.copyRequest    
+                  
+                  # replace file extension only              
+
+                  test.set_file_extension(ext)
+
+                  status, test_request, test_response = fileExists?(test)
+
+                  if status == true and test_response.content_type != chat.response.content_type and test_response.status_code.to_i < 300
+                    
+                    addFinding(  test_request, test_response,
+                      :test_item => "#{test_request.url}",
+                      :proof_pattern => "#{test_response.status}",
+                      :chat => chat,
+                      :title => "[#{ext}]"
+                      )
+
+                  end
+                  
+                  # also test extensions on the path
+                  test = chat.copyRequest                 
+
+                  test.replaceFileExt(".#{ext}")
+
+                  status, test_request, test_response = fileExists?(test)
+
+                  if status == true and test_response.content_type != chat.response.content_type and test_response.status_code.to_i < 300
+                    
+                    addFinding(  test_request, test_response,
+                      :test_item => "#{test_request.url}",
+                      :proof_pattern => "#{test_response.status}",
+                      :chat => chat,
+                      :title => "[#{ext}]"
+                      )
+
+                  end
+                rescue => bang
+                  puts bang
+                  puts bang.backtrace if $DEBUG
+                end
+                [ test_request, test_response ]
+
+              }
+              yield checker
+            end
+
+          end
+        end
+      end
+    end
+  end
+end

data/modules/active/cq5/cqp_user_enumeration.rb

@@ -1,134 +1,125 @@
-#.
-# cqp_user_enumeration.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
-# @private
-module Watobo#:nodoc: all
-  module Modules
-    module Active
-      module Cq5
-        #class Dir_indexing < Watobo::Mixin::Session
-        class Cqp_user_enumeration < Watobo::ActiveCheck
-
-          @info.update(
-          :check_name => 'CQ5 CQP User Enumeration',    # name of check which briefly describes functionality, will be used for tree and progress views
-          :description => "This module checks if CQ JSON extension is aktive and enumerates all usernames.",   # description of checkfunction
-          :author => "Andreas Schmidt", # author of check
-          :version => "1.0",   # check version
-          :check_group => "CQ5"
-          )
-
-          @finding.update(
-          :threat => 'Information Disclosure.',        # thread of vulnerability, e.g. loss of information
-          :class => "CQ5: Users",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
-          :type => FINDING_TYPE_VULN,         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
-          :rating => VULN_RATING_INFO
-          )
-          def initialize(project, prefs={})
-            super(project, prefs)
-
-          end
-
-          def reset()
-            @checked_locations = []
-          end
-
-          def generateChecks(chat)
-
-            path = chat.request.path
-            return false if @checked_locations.include? path
-            @checked_locations << path
-            #
-            # via JSON Extension
-
-            checker = proc {
-              begin
-                test_request = nil
-                test_response = nil
-
-                test = chat.copyRequest
-
-                test.set_file_extension('.json')
-
-                status, test_request, test_response = fileExists?(test)
-
-                if status == true and test_response.has_body?
-                  if test_response.content_type =~ /json/
-                    j = JSON.parse test_response.body.to_s
-                    username = j['jcr:createdBy']
-                    puts "\nCQ5 User: #{username}"
-                    addFinding(  test_request, test_response,
-                      :test_item => "#{test_request.url}",
-                      :proof_pattern => "jcr:createdBy.*#{username}",
-                      :chat => chat,
-                      :threat => "Usernames may help an attacker to perform authorization attacks, e.g. brute-force attacks.",
-                      :title => "[#{username}]"
-                      )
-                  end
-
-                end
-              rescue => bang
-                puts bang
-                puts bang.backtrace if $DEBUG
-              end
-              [ test_request, test_response ]
-
-            }
-            yield checker
-
-            #
-            # via XML Extension
-            
-            checker = proc {
-              begin
-                test_request = nil
-                test_response = nil
-
-                test = chat.copyRequest
-
-                test.set_file_extension('.xml')
-
-                status, test_request, test_response = fileExists?(test)
-
-                if status == true and test_response.has_body?
-                  if test_response.content_type =~ /xml/
-                    xml = Nokogiri::XML(test_response.body.to_s)
-                    xml.traverse do |node|
-                      next unless node.respond_to? :attributes
-                      node.attributes.each do |attr|
-                        if attr[0] =~ /By$/i
-                          username = attr[1]  
-                          addFinding(  test_request, test_response,
-                      :test_item => "#{test_request.url}",
-                      :proof_pattern => "#{attr[0]}.*#{username}",
-                      :chat => chat,
-                      :threat => "Usernames may help an attacker to perform authorization attacks, e.g. brute-force attacks.",
-                      :title => "[#{username}]"
-                      )
-                        end
-                      end
-                    end
-
-                  end
-
-                end
-              rescue => bang
-                puts bang
-                puts bang.backtrace if $DEBUG
-              end
-              [ test_request, test_response ]
-
-            }
-            yield checker
-
-          end
-        end
-      end
-    end
-  end
-end
+# @private
+module Watobo#:nodoc: all
+  module Modules
+    module Active
+      module Cq5
+        #class Dir_indexing < Watobo::Mixin::Session
+        class Cqp_user_enumeration < Watobo::ActiveCheck
+
+          @info.update(
+          :check_name => 'CQ5 CQP User Enumeration',    # name of check which briefly describes functionality, will be used for tree and progress views
+          :description => "This module checks if CQ JSON extension is aktive and enumerates all usernames.",   # description of checkfunction
+          :author => "Andreas Schmidt", # author of check
+          :version => "1.0",   # check version
+          :check_group => "CQ5"
+          )
+
+          @finding.update(
+          :threat => 'Information Disclosure.',        # thread of vulnerability, e.g. loss of information
+          :class => "CQ5: Users",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
+          :type => FINDING_TYPE_VULN,         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
+          :rating => VULN_RATING_INFO
+          )
+          def initialize(project, prefs={})
+            super(project, prefs)
+
+          end
+
+          def reset()
+            @checked_locations = []
+          end
+
+          def generateChecks(chat)
+
+            path = chat.request.path
+            return false if @checked_locations.include? path
+            @checked_locations << path
+            #
+            # via JSON Extension
+
+            checker = proc {
+              begin
+                test_request = nil
+                test_response = nil
+
+                test = chat.copyRequest
+
+                test.set_file_extension('.json')
+
+                status, test_request, test_response = fileExists?(test)
+
+                if status == true and test_response.has_body?
+                  if test_response.content_type =~ /json/
+                    j = JSON.parse test_response.body.to_s
+                    username = j['jcr:createdBy']
+                    puts "\nCQ5 User: #{username}"
+                    addFinding(  test_request, test_response,
+                      :test_item => "#{test_request.url}",
+                      :proof_pattern => "jcr:createdBy.*#{username}",
+                      :chat => chat,
+                      :threat => "Usernames may help an attacker to perform authorization attacks, e.g. brute-force attacks.",
+                      :title => "[#{username}]"
+                      )
+                  end
+
+                end
+              rescue => bang
+                puts bang
+                puts bang.backtrace if $DEBUG
+              end
+              [ test_request, test_response ]
+
+            }
+            yield checker
+
+            #
+            # via XML Extension
+            
+            checker = proc {
+              begin
+                test_request = nil
+                test_response = nil
+
+                test = chat.copyRequest
+
+                test.set_file_extension('.xml')
+
+                status, test_request, test_response = fileExists?(test)
+
+                if status == true and test_response.has_body?
+                  if test_response.content_type =~ /xml/
+                    xml = Nokogiri::XML(test_response.body.to_s)
+                    xml.traverse do |node|
+                      next unless node.respond_to? :attributes
+                      node.attributes.each do |attr|
+                        if attr[0] =~ /By$/i
+                          username = attr[1]  
+                          addFinding(  test_request, test_response,
+                      :test_item => "#{test_request.url}",
+                      :proof_pattern => "#{attr[0]}.*#{username}",
+                      :chat => chat,
+                      :threat => "Usernames may help an attacker to perform authorization attacks, e.g. brute-force attacks.",
+                      :title => "[#{username}]"
+                      )
+                        end
+                      end
+                    end
+
+                  end
+
+                end
+              rescue => bang
+                puts bang
+                puts bang.backtrace if $DEBUG
+              end
+              [ test_request, test_response ]
+
+            }
+            yield checker
+
+          end
+        end
+      end
+    end
+  end
+end