watobo 0.9.21 → 0.9.23

data/modules/passive/ajax.rb

@@ -1,79 +1,70 @@
-#.
-# ajax.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+require 'cgi'
 
-require 'cgi'
-
 # @private 
-module Watobo#:nodoc: all
-  module Modules
-    module Passive
-      
-      
-      class Ajax < Watobo::PassiveCheck
-        
-        def initialize(project)
-          @project = project
-          super(project)
-          
-          @info.update(
-                       :check_name => 'Ajax',    # name of check which briefly describes functionality, will be used for tree and progress views
-          :description => "Spots Ajax Frameworks like jQuery.",   # description of checkfunction
-          :author => "Andreas Schmidt", # author of check
-          :version => "1.1"   # check version
-          )
-          
-          @finding.update(
-                          :threat => 'Framework may contain vulnerabilities.',        # thread of vulnerability, e.g. loss of information
-          :class => "Ajax Framework",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
-          :type => FINDING_TYPE_INFO         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN 
-          )
-          
-            @fw_patterns = []
-            @fw_patterns << { :name => 'jQuery', :pattern => 'jQuery v([0-9\.]*) .*jquery.(com|org)'}
-        end
-        
-        def showError(chatid, message)
-          puts "!!! Error #{Module.nesting[0].name}"  
-          puts "Chat: [#{chatid}]"
-          puts message
-        end
-        
-        def do_test(chat)
-          begin
-            return false if chat.response.nil?
-            return false unless chat.response.has_body?
-            return true unless chat.response.content_type =~ /(text|script)/ 
-            
-            @fw_patterns.each do |pattern|
-              #body = chat.response.body.unpack("C*").pack("C*")
-              body = chat.response.body_encoded
-              
-              if body =~ /#{pattern[:pattern]}/i then
-               version = $1.strip
-               addFinding(
-                           #:check_pattern => "#{pattern[:pattern]}", 
-                :proof_pattern => "#{pattern[:pattern]}",
-                :chat=>chat,
-                :title =>"[ #{pattern[:name]} #{version} ] - #{chat.request.path}",            
-                )
-                
-              end
-            end
-          rescue => bang
-            # raise
-            puts bang
-            puts bang.backtrace
-            showError(chat.id, bang)
-          end
-        end
-        
-      end
-    end
-  end
-end
+module Watobo#:nodoc: all
+  module Modules
+    module Passive
+      
+      
+      class Ajax < Watobo::PassiveCheck
+        
+        def initialize(project)
+          @project = project
+          super(project)
+          
+          @info.update(
+                       :check_name => 'Ajax',    # name of check which briefly describes functionality, will be used for tree and progress views
+          :description => "Spots Ajax Frameworks like jQuery.",   # description of checkfunction
+          :author => "Andreas Schmidt", # author of check
+          :version => "1.1"   # check version
+          )
+          
+          @finding.update(
+                          :threat => 'Framework may contain vulnerabilities.',        # thread of vulnerability, e.g. loss of information
+          :class => "Ajax Framework",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
+          :type => FINDING_TYPE_INFO         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN 
+          )
+          
+            @fw_patterns = []
+            @fw_patterns << { :name => 'jQuery', :pattern => 'jQuery v([0-9\.]*) .*jquery.(com|org)'}
+        end
+        
+        def showError(chatid, message)
+          puts "!!! Error #{Module.nesting[0].name}"  
+          puts "Chat: [#{chatid}]"
+          puts message
+        end
+        
+        def do_test(chat)
+          begin
+            return false if chat.response.nil?
+            return false unless chat.response.has_body?
+            return true unless chat.response.content_type =~ /(text|script)/ 
+            
+            @fw_patterns.each do |pattern|
+              #body = chat.response.body.unpack("C*").pack("C*")
+              body = chat.response.body_encoded
+              
+              if body =~ /#{pattern[:pattern]}/i then
+               version = $1.strip
+               addFinding(
+                           #:check_pattern => "#{pattern[:pattern]}", 
+                :proof_pattern => "#{pattern[:pattern]}",
+                :chat=>chat,
+                :title =>"[ #{pattern[:name]} #{version} ] - #{chat.request.path}",            
+                )
+                
+              end
+            end
+          rescue => bang
+            # raise
+            puts bang
+            puts bang.backtrace
+            showError(chat.id, bang)
+          end
+        end
+        
+      end
+    end
+  end
+end

data/modules/passive/autocomplete.rb

@@ -1,66 +1,57 @@
-#.
-# autocomplete.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # @private 
-module Watobo#:nodoc: all
-  module Modules
-    module Passive
-      
-      
-      class Autocomplete < Watobo::PassiveCheck
-        def initialize(project)
-          @project = project
-          super(project)
-          
-          @info.update(
-                       :check_name => 'Password AutoComplete',    # name of check which briefly describes functionality, will be used for tree and progress views
-          :description => "Checks Password Fields For AutoCompletion",   # description of checkfunction
-          :author => "Andreas Schmidt", # author of check
-          :version => "0.9"   # check version
-          )
-          
-          @finding.update(
-                          :threat => 'Password values may be stored on the local filesystem.',        # thread of vulnerability, e.g. loss of information
-          :class => "Password Autocompletion",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
-          :type => FINDING_TYPE_VULN,         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
-           :rating => VULN_RATING_LOW,
-          :measure => "The form field should have an attribute autocomplete=\"off\"" 
-          )
-        end
-        
-        def do_test(chat)
-          begin
-                       
-           if chat.response.respond_to? :input_fields     
-             chat.response.input_fields do |f|
-            
-              ac = f.autocomplete.nil? ? "" : f.autocomplete
-              
-              if f.type =~ /password/i and ( ac =~ /off/i or ac.empty? )          
-              addFinding(  
-                         :proof_pattern => "input[^>]*type=[^>=]*password.*>{1}", 
-              :title => "#{chat.request.file}",
-              :chat => chat
-              )  
-              end
-              end
-            end
-          rescue => bang
-            #  raise
-            puts "ERROR!! #{Module.nesting[0].name}"
-            puts bang
-            puts bang.backtrace if $DEBUG
-          end
-          return false
-        end
-      end
-      
-    end
-  end
-end
+module Watobo#:nodoc: all
+  module Modules
+    module Passive
+      
+      
+      class Autocomplete < Watobo::PassiveCheck
+        def initialize(project)
+          @project = project
+          super(project)
+          
+          @info.update(
+                       :check_name => 'Password AutoComplete',    # name of check which briefly describes functionality, will be used for tree and progress views
+          :description => "Checks Password Fields For AutoCompletion",   # description of checkfunction
+          :author => "Andreas Schmidt", # author of check
+          :version => "0.9"   # check version
+          )
+          
+          @finding.update(
+                          :threat => 'Password values may be stored on the local filesystem.',        # thread of vulnerability, e.g. loss of information
+          :class => "Password Autocompletion",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
+          :type => FINDING_TYPE_VULN,         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
+           :rating => VULN_RATING_LOW,
+          :measure => "The form field should have an attribute autocomplete=\"off\"" 
+          )
+        end
+        
+        def do_test(chat)
+          begin
+                       
+           if chat.response.respond_to? :input_fields     
+             chat.response.input_fields do |f|
+            
+              ac = f.autocomplete.nil? ? "" : f.autocomplete
+              
+              if f.type =~ /password/i and ( ac =~ /off/i or ac.empty? )          
+              addFinding(  
+                         :proof_pattern => "input[^>]*type=[^>=]*password.*>{1}", 
+              :title => "#{chat.request.file}",
+              :chat => chat
+              )  
+              end
+              end
+            end
+          rescue => bang
+            #  raise
+            puts "ERROR!! #{Module.nesting[0].name}"
+            puts bang
+            puts bang.backtrace if $DEBUG
+          end
+          return false
+        end
+      end
+      
+    end
+  end
+end

data/modules/passive/cookie_options.rb

@@ -1,12 +1,3 @@
-#.
-# cookie_options.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # .
 # cookie_options.rb
 #   

data/modules/passive/cookie_xss.rb

@@ -1,12 +1,3 @@
-#.
-# cookie_xss.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 
 # @private 
 module Watobo#:nodoc: all

data/modules/passive/detect_code.rb

@@ -1,12 +1,3 @@
-#.
-# detect_code.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # @private 
 module Watobo#:nodoc: all
   module Modules

data/modules/passive/detect_fileupload.rb

@@ -1,12 +1,3 @@
-#.
-# detect_fileupload.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # @private 
 module Watobo#:nodoc: all
   module Modules

data/modules/passive/detect_infrastructure.rb

@@ -1,12 +1,3 @@
-#.
-# detect_infrastructure.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # @private 
 module Watobo#:nodoc: all
   module Modules

data/modules/passive/detect_one_time_tokens.rb

@@ -1,12 +1,3 @@
-#.
-# detect_one_time_tokens.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # @private 
 module Watobo#:nodoc: all
   module Modules

data/modules/passive/dirindexing.rb

@@ -1,12 +1,3 @@
-#.
-# dirindexing.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 
 # @private 
 module Watobo#:nodoc: all

data/modules/passive/disclosure_domino.rb

@@ -1,70 +1,61 @@
-#.
-# disclosure_domino.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # @private 
-module Watobo#:nodoc: all
-  module Modules
-    module Passive
-      
-      
-      class Disclosure_domino < Watobo::PassiveCheck
-        
-        def initialize(project)
-           @project = project
-          super(project)
-          
-          @info.update(
-            :check_name => 'Domino DB name disclosure.',    # name of check which briefly describes functionality, will be used for tree and progress views
-            :description => "Identifies Domino DB names.",   # description of checkfunction
-            :author => "Andreas Schmidt", # author of check
-            :version => "1.0"   # check version
-            )
-            
-          @finding.update(
-            :threat => 'Unintended disclosure of Domino DB name can lead to data breach.',        # thread of vulnerability, e.g. loss of information
-            :class => "Domino DB Names",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
-            :type => FINDING_TYPE_INFO         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN 
-          )
-          
-        
-          @pattern = '([a-zA-Z\/\-0-9\.:]+\.nsf)'
-          @dbs = []
-        end
-        
-        def do_test(chat)
-          begin
+module Watobo#:nodoc: all
+  module Modules
+    module Passive
+      
+      
+      class Disclosure_domino < Watobo::PassiveCheck
+        
+        def initialize(project)
+           @project = project
+          super(project)
+          
+          @info.update(
+            :check_name => 'Domino DB name disclosure.',    # name of check which briefly describes functionality, will be used for tree and progress views
+            :description => "Identifies Domino DB names.",   # description of checkfunction
+            :author => "Andreas Schmidt", # author of check
+            :version => "1.0"   # check version
+            )
+            
+          @finding.update(
+            :threat => 'Unintended disclosure of Domino DB name can lead to data breach.',        # thread of vulnerability, e.g. loss of information
+            :class => "Domino DB Names",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
+            :type => FINDING_TYPE_INFO         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN 
+          )
+          
+        
+          @pattern = '([a-zA-Z\/\-0-9\.:]+\.nsf)'
+          @dbs = []
+        end
+        
+        def do_test(chat)
+          begin
             #  puts "running module: #{Module.nesting[0].name}"
-            return if chat.response.nil? or chat.response.body.nil?
-            if chat.response.content_type =~ /text/ then
-              chat.response.body_encoded.split("\n").each do |line|
-                if line =~ /#{@pattern}/ then
-                  match = $1
-                  if not @dbs.include?(match) then
-                    @dbs.push match
+            return if chat.response.nil? or chat.response.body.nil?
+            if chat.response.content_type =~ /text/ then
+              chat.response.body_encoded.split("\n").each do |line|
+                if line =~ /#{@pattern}/ then
+                  match = $1
+                  if not @dbs.include?(match) then
+                    @dbs.push match
                     addFinding( 
                                 :proof_pattern => "#{match}",
                                 :chat => chat,
                                 :title => match
-                                )
-                  end
-                end                
-              end
-            end
-          rescue => bang
-          #  raise
-            puts "ERROR!! #{self.class}"
-            puts bang
-            puts bang.backtrace if $DEBUG
-          end
-        end
-      end
-      
-    end
-  end
-end
+                                )
+                  end
+                end                
+              end
+            end
+          rescue => bang
+          #  raise
+            puts "ERROR!! #{self.class}"
+            puts bang
+            puts bang.backtrace if $DEBUG
+          end
+        end
+      end
+      
+    end
+  end
+end