watobo 0.9.21 → 0.9.23

data/modules/passive/disclosure_emails.rb

@@ -1,12 +1,3 @@
-#.
-# disclosure_emails.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # @private 
 module Watobo#:nodoc: all
   module Modules

data/modules/passive/disclosure_ipaddr.rb

@@ -1,80 +1,82 @@
-#.
-# disclosure_ipaddr.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
-
-# @private 
-module Watobo#:nodoc: all
+# @private
+module Watobo #:nodoc: all
   module Modules
     module Passive
-      
+
       class Disclosure_ipaddr < Watobo::PassiveCheck
-               
+
         def initialize(project)
           @project = project
           super(project)
           @info.update(
-            :check_name => 'IP Adress Disclosure',    # name of check which briefly describes functionality, will be used for tree and progress views
-            :description => 'Looks for (internal) IP adresses.',   # description of checkfunction
-            :author => "Andreas Schmidt", # author of check
-            :version => "0.9"   # check version
+              :check_name => 'IP Adress Disclosure', # name of check which briefly describes functionality, will be used for tree and progress views
+              :description => 'Looks for (internal) IP adresses.', # description of checkfunction
+              :author => "Andreas Schmidt", # author of check
+              :version => "0.9" # check version
           )
-          
+
           @finding.update(
-            :threat => 'Internal information may be revealed, which could help an attacker to prepare further attacks',        # thread of vulnerability, e.g. loss of information
-            :class => "IP Adress Disclosure",# vulnerability class, e.g. Stored XSS, SQL-Injection, ...
-            :type => FINDING_TYPE_INFO,         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
-            :measure => "Remove all information which reveal internal information." 
-            )
-          
+              :threat => 'Internal information may be revealed, which could help an attacker to prepare further attacks', # thread of vulnerability, e.g. loss of information
+              :class => "IP Adress Disclosure", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
+              :type => FINDING_TYPE_INFO, # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
+              :measure => "Remove all information which reveal internal information."
+          )
+
           @pattern = '[^\d\.](\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})[^(\d\.)]+?'
-          
+
           @known_ips = []
         end
-        
+
         def do_test(chat)
           begin
             #  puts "running module: #{Module.nesting[0].name}"
             return false if chat.response.nil?
-            return false unless chat.response.has_body?
-            if chat.response.content_type =~ /(text|script)/ then
-               body = chat.response.body_encoded
-               body.scan(/#{@pattern}/) { |match|
-                  ip_addr = match.first
-                  octets = ip_addr.split('.')
-                  isIP = true
-                  octets.each do |o|
-                      isIP = false if o.to_i > 255 
-                  end
-                  if isIP then
-                    if ip_addr =~ /^10\./ or (ip_addr =~ /^192.168/) or ( octets[0] == "172" && (16..32).include?(octects[1].to_i) )
-                      title = "Private IP: #{ip_addr}"
-                    else
-                      title = "Public IP: #{ip_addr}"
-                    end
-                    dummy = chat.request.site + ":" + ip_addr
-                    if not @known_ips.include?(dummy)
-                      addFinding( :proof_pattern => ip_addr, 
-                                  :chat => chat,
-                                  :title => title)  
-                      @known_ips.push dummy
-                    end
-                  end                  
-             }
+            data = chat.response.headers
+            # remove Location header
+            while mi=data.index { |i| i=~ /^Location/i }
+              data.delete_at mi
+            end
+
+            data = data.join
+            unless chat.response.has_body?
+              if chat.response.content_type =~ /(text|script)/ then
+                body = chat.response.body_encoded
+                data << body
+              end
             end
+
+            data.scan(/#{@pattern}/) { |match|
+              ip_addr = match.first
+              octets = ip_addr.split('.')
+              isIP = true
+              octets.each do |o|
+                isIP = false if o.to_i > 255
+              end
+              if isIP then
+                if ip_addr =~ /^10\./ or (ip_addr =~ /^192.168/) or (octets[0] == "172" && (16..32).include?(octets[1].to_i))
+                  title = "Private IP: #{ip_addr}"
+                else
+                  title = "Public IP: #{ip_addr}"
+                end
+                dummy = chat.request.site + ":" + ip_addr
+                if not @known_ips.include?(dummy)
+                  addFinding(:proof_pattern => ip_addr,
+                             :chat => chat,
+                             :title => title)
+                  @known_ips.push dummy
+                end
+              end
+            }
+
           rescue => bang
             #  raise
             puts "ERROR!! #{Module.nesting[0].name}"
             puts bang
+            puts bang.backtrace if $DEBUG
           end
         end
       end
-      
+
     end
   end
 end

data/modules/passive/filename_as_parameter.rb

@@ -1,12 +1,3 @@
-#.
-# filename_as_parameter.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # @private 
 module Watobo#:nodoc: all
   module Modules

data/modules/passive/form_spotter.rb

@@ -1,12 +1,3 @@
-#.
-# form_spotter.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # @private 
 module Watobo#:nodoc: all
   module Modules

data/modules/passive/hidden_fields.rb

@@ -1,45 +1,36 @@
-#.
-# hidden_fields.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # @private 
-module Watobo#:nodoc: all
-  module Modules
-    module Passive
-      
-      
-      class Hidden_fields < Watobo::PassiveCheck
-        def initialize(project)
-         @project = project
-          super(project)
-          
-          @info.update(
-                        :check_name => 'Hidden Fields',    # name of check which briefly describes functionality, will be used for tree and progress views
-          :description => "Detects all hidden fields",   # description of checkfunction
-          :author => "Andreas Schmidt", # author of check
-          :version => "1.0"   # check version
-          )
-          
-          @finding.update(
-                          :threat => 'Hidden field parameters sometimes are accepted as input variables.',        # thread of vulnerability, e.g. loss of information
-          :class => "Hidden Fields",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
-          :type => FINDING_TYPE_INFO,         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
-          :measure => "N/A" 
-          )
-         
-
-        end
-        
-        def do_test(chat)
-          begin
-            
-            if chat.response.content_type =~ /(text|script)/ and chat.response.status !~ /404/ and chat.response.has_body? then
-              doc = Nokogiri::HTML(chat.response.body)
+module Watobo#:nodoc: all
+  module Modules
+    module Passive
+      
+      
+      class Hidden_fields < Watobo::PassiveCheck
+        def initialize(project)
+         @project = project
+          super(project)
+          
+          @info.update(
+                        :check_name => 'Hidden Fields',    # name of check which briefly describes functionality, will be used for tree and progress views
+          :description => "Detects all hidden fields",   # description of checkfunction
+          :author => "Andreas Schmidt", # author of check
+          :version => "1.0"   # check version
+          )
+          
+          @finding.update(
+                          :threat => 'Hidden field parameters sometimes are accepted as input variables.',        # thread of vulnerability, e.g. loss of information
+          :class => "Hidden Fields",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
+          :type => FINDING_TYPE_INFO,         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
+          :measure => "N/A" 
+          )
+         
+
+        end
+        
+        def do_test(chat)
+          begin
+            
+            if chat.response.content_type =~ /(text|script)/ and chat.response.status !~ /404/ and chat.response.has_body? then
+              doc = Nokogiri::HTML(chat.response.body)
               doc.xpath('//input[@type="hidden"]').each do |i|
                 pp = "<input[^<]+name=.#{i[:name]}[^<]+/?>"
                 #pp = Regexp.quote(tag)
@@ -47,21 +38,21 @@ module Watobo#:nodoc: all
                 #pp.gsub!(/['"]/,".")
                 # also nokogiro removes trailing /
                 #pp.gsub!(/>$/, "/?>")
-                addFinding(  
-                           :proof_pattern => pp, 
-                           :title => "#{i[:name]}",
-                           :chat => chat
-                          )  
-              end
-            end
-          rescue => bang
-            #  raise
-            puts "ERROR!! #{Module.nesting[0].name}"
-            puts bang
-            puts bang.backtrace if $DEBUG
-          end
-        end
-      end
-    end
-  end
-end
+                addFinding(  
+                           :proof_pattern => pp, 
+                           :title => "#{i[:name]}",
+                           :chat => chat
+                          )  
+              end
+            end
+          rescue => bang
+            #  raise
+            puts "ERROR!! #{Module.nesting[0].name}"
+            puts bang
+            puts bang.backtrace if $DEBUG
+          end
+        end
+      end
+    end
+  end
+end

data/modules/passive/hotspots.rb

@@ -1,12 +1,3 @@
-#.
-# hotspots.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # @private 
 module Watobo#:nodoc: all
   module Modules

data/modules/passive/in_script_parameter.rb

@@ -1,12 +1,3 @@
-#.
-# in_script_parameter.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 require 'cgi'
 # @private 
 module Watobo#:nodoc: all

data/modules/passive/json_web_token.rb

@@ -0,0 +1,93 @@
+# @private
+module Watobo #:nodoc: all
+  module Modules
+    module Passive
+
+
+      class Json_web_token < Watobo::PassiveCheck
+
+
+        def initialize(project)
+          @project = project
+          super(project)
+          begin
+            @info.update(
+                :check_name => 'Detect JSON Web Tokens', # name of check which briefly describes functionality, will be used for tree and progress views
+                :description => "This module detects JSON Web Tokens which are used for authentication purposes.", # description of checkfunction
+                :author => "Andreas Schmidt", # author of check
+                :version => "1.0" # check version
+            )
+
+            @finding.update(
+                :threat => 'Informational', # thread of vulnerability, e.g. loss of information
+                :class => "JSON Web Token", # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
+                :type => FINDING_TYPE_HINT # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
+            )
+
+
+            @pattern_list = []
+            #@pattern_list << "access_token"
+            @pattern_list << '.*_token'
+          rescue => bang
+            puts bang
+            puts bang.backtrace if $DEBUG
+          end
+        end
+
+        def do_test(chat)
+# check for Bearer Authentication Scheme
+# Authorization: Bearer e...
+          begin
+            pattern = 'Authorization.*Bearer(.*)'
+            chat.request.headers do |header|
+              if header =~ /#{pattern}/i then
+                match = $1.strip
+                addFinding(
+                    :check_pattern => "#{pattern}",
+                    :proof_pattern => "#{match}",
+                    :title => "[Bearer Authentication Scheme] - #{chat.request.path}",
+                    :chat => chat
+                )
+              end
+
+            end
+          rescue => bang
+            puts "ERROR!! #{Module.nesting[0].name}"
+            puts bang
+          end
+
+          # check cookies
+          pattern = '.*_token'
+          chat.response.new_cookies do |c|
+            begin
+              if c.name =~ /#{pattern}/
+                e = c.value.split('.')
+                next if e.size != 3
+                # parse jwt header
+                th = JSON.parse( Base64.decode64(e[0]))
+                # parse jwt payload
+                tp =  JSON.parse( Base64.decode64(e[1]))
+
+                # if we reach this point everything is fine
+                addFinding(
+                    :check_pattern => "#{pattern}",
+                    :proof_pattern => "#{c.value}",
+                    :title => "[Cookie] - #{chat.request.path}",
+                    :chat => chat
+                )
+              end
+            rescue => bang
+              # print error only in debug mode
+              if $DEBUG
+                puts "ERROR!! #{Module.nesting[0].name}"
+                puts bang
+              end
+            end
+          end
+
+        end
+      end
+
+    end
+  end
+end

data/modules/passive/multiple_server_headers.rb

@@ -1,12 +1,3 @@
-#.
-# multiple_server_headers.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # @private 
 module Watobo#:nodoc: all
   module Modules

data/modules/passive/possible_login.rb

@@ -1,12 +1,3 @@
-#.
-# possible_login.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # @private 
 module Watobo#:nodoc: all
   module Modules

data/modules/passive/redirect_url.rb

@@ -1,12 +1,3 @@
-#.
-# redirect_url.rb
-#.
-# Copyright 2014 by siberas, http://www.siberas.de
-# This file is part of WATOBO (Web Application Tool Box) http://watobo.sourceforge.com
-# WATOBO is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation version 2 of the License.
-# WATOBO is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License along with WATOBO; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
 # @private 
 module Watobo#:nodoc: all
   module Modules