watobo 0.9.8.677

data/modules/active/xss/xss_simple.rb

@@ -0,0 +1,179 @@
+# .
+# xss_simple.rb
+# 
+# Copyright 2012 by siberas, http://www.siberas.de
+# 
+# This file is part of WATOBO (Web Application Tool Box)
+#        http://watobo.sourceforge.com
+# 
+# WATOBO is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation version 2 of the License.
+# 
+# WATOBO is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with WATOBO; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+# .
+module Watobo
+  module Modules
+    module Active
+      module Xss
+        
+        
+        class Xss_simple < Watobo::ActiveCheck
+          
+          def initialize(project, prefs={})
+            super(project, prefs)
+            
+            threat =<<'EOF'
+Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. 
+A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser 
+within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to 
+VBScript, ActiveX, Java, Flash, or any other browser-supported technology.
+
+When an attacker gets a user's browser to execute his/her code, the code will run within the security context (or zone) of the 
+hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible 
+by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another 
+location, or possibly shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially 
+compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content 
+from the file system may execute code under the local machine zone allowing for system compromise.
+
+Source: http://projects.webappsec.org/Cross-Site+Scripting
+EOF
+            
+            measure = "All user input should be filtered and/or escaped using a method appropriate for the output context"
+            
+            @info.update(
+                         :check_name => 'Simple Cross Site Scripting Checks',    # name of check which briefly describes functionality, will be used for tree and progress views
+            :check_group => AC_GROUP_XSS,
+            :description => "Check for every parameter if response contains XSS'able content.",   # description of checkfunction
+            :author => "Andreas Schmidt", # author of check
+            :version => "0.9"   # check version
+            )
+            
+            @finding.update(
+                            :threat => threat,        # thread of vulnerability, e.g. loss of information
+                            :class => "Reflected XSS",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
+            :type => FINDING_TYPE_VULN,         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
+            :rating => VULN_RATING_HIGH,
+            :measure => measure
+            )
+            
+            @xss_checks=[ 
+            ["<script>watobo</script>", "<script>watobo</script>"],
+            ["%3Cscript%3Ewatobo%3C/script%3E", "<script>watobo</script>"],
+            ["%0a<script>watobo</script>", "<script>watobo</script>"],              # prepend %0A can circumvent checks ... seen in the wild
+            ["%0a%3Cscript%3Ewatobo%3C/script%3E", "<script>watobo</script>"],   # prepend %0A can circumvent checks ... seen in the wild
+            ["<watobo", "<watobo"],
+            ["%00<watobo", "<watobo"],
+            ["%3Cwatobo%3E", "<watobo>"], 
+            ]
+            
+            
+          end
+          
+          
+          def generateChecks(chat)    
+            #
+            #  Check GET-Parameters
+            #
+            begin
+              
+              
+              chat.request.get_parm_names.each do |parm|
+               # puts parm
+                # puts "#{Module.nesting[0].name}: run check on chat-id (#{chat.id}) with parm (#{parm})"
+                @xss_checks.each do |check, pattern|
+                  checker = proc {
+                    test_request = nil
+                    test_response = nil
+                    test = chat.copyRequest
+                    test.replace_get_parm(parm, check)
+                    test_request,test_response = doRequest(test)
+                                       
+                    if not test_response then
+                      puts "got no respons :("
+                    elsif test_response.join =~ /(#{pattern})/i
+                      match = $1
+                    #    puts "found xss (get)"
+                   #   test_chat = Chat.new(test,test_response,chat.id)
+                      
+                    #  resource = "/" + test_request.resource
+                      
+                      addFinding(test_request, test_response,
+                                 :check_pattern => "#{check}", 
+                      :proof_pattern => "#{match}", 
+                      :test_item => parm,
+                      :class => "Reflected XSS [GET]", 
+                      :chat => chat,
+                      :title => "[#{parm}] - #{test_request.path}"
+                      )
+                    end
+                    #@project.new_finding(:short_name=>"#{parm}", :check=>"#{check}", :proof=>"#{pattern}", :kategory=>"XSS-Post", :type=>"Vuln", :chat=>test_chat, :rating=>"High")
+                    [ test_request, test_response ]
+                  }
+                  yield checker
+                end
+              end
+              
+              
+              
+              #
+              #  Check POST-Parameters
+              #
+              
+              chat.request.post_parm_names.each do |parm|
+                #puts "#{chat.id}: run check on post parm #{parm}"
+                @xss_checks.each do |check, pattern|
+                  
+                  
+                  checker = proc {
+                    
+                    test = chat.copyRequest
+                    # modify the test request
+                    test.replace_post_parm(parm, check)
+                    test_request,test_response = doRequest(test)
+                    
+                    match = nil
+                    if test_response.join =~ /(#{pattern})/i
+                      match = $1
+                   #   puts "Reflected XSS [POST] - #{parm}"
+                    #  test_chat = Chat.new(test, test_response, chat.id)
+                     # resource = "/" + test_request.resource
+                      addFinding(test_request, test_response,
+                      :test_item => parm,
+                                 :check_pattern => "#{check}", 
+                      :proof_pattern => "#{match}", 
+                      :class => "Reflected XSS [POST]", 
+                      :chat => chat,
+                      :title => "[#{parm}] - #{test_request.path}"
+                      )
+                    end
+                    # don't use 'return' here
+                    [ test_request, test_response ]
+                  }
+                  yield checker
+                end
+              end
+              
+            rescue => bang
+              puts bang
+              puts bang.backtrace if $DEBUG
+              puts "ERROR!! #{Module.nesting[0].name}"
+              raise
+              
+              
+            end
+          end
+          
+        end
+        
+      end
+    end
+  end
+end

data/modules/passive/cookie_options.rb

@@ -0,0 +1,97 @@
+# .
+# cookie_options.rb
+# 
+# Copyright 2012 by siberas, http://www.siberas.de
+# 
+# This file is part of WATOBO (Web Application Tool Box)
+#        http://watobo.sourceforge.com
+# 
+# WATOBO is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation version 2 of the License.
+# 
+# WATOBO is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with WATOBO; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+# .
+# .
+# cookie_options.rb
+#   
+# Copyright 2010 by siberas, http://www.siberas.de
+# 
+# This file is part of WATOBO (Web Application Tool Box)
+#        http://watobo.sourceforge.com
+# 
+# WATOBO is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation version 2 of the License.
+# 
+# WATOBO is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with WATOBO; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+# .
+module Watobo
+  module Modules
+    module Passive
+      
+      
+      class Cookie_options < Watobo::PassiveCheck
+        
+        def initialize(project)
+          
+          @project = project
+          super(project)
+          @info.update(
+                       :check_name => 'Cookie Security',    # name of check which briefly describes functionality, will be used for tree and progress views
+          :description => 'Cookies especially Session Cookies should be set only over a secure channel. Additionally there should be set some security options.',   # description of checkfunction
+          :author => "Andreas Schmidt", # author of check
+          :version => "0.9"   # check version
+          )
+          
+          @finding.update(
+                          :threat => 'Cookies used in this application are not secured by special Cookie Options like Secure or HTTPOnly. If Cookie Security is not in place, sensitive cookie information may be revealed.',        # thread of vulnerability, e.g. loss of information
+          :class => "Cookie Security",# vulnerability class, e.g. Stored XSS, SQL-Injection, ...
+          :type => FINDING_TYPE_VULN,         # e.g. Hints, Info, Vuln 
+          :rating=> VULN_RATING_MEDIUM  # [Symbol] Critical, High, Medium, Low, Info
+          )
+        end
+        
+        def do_test(chat)
+          begin
+            # puts "running module: #{Module.nesting[0].name}"
+            if chat.response.headers.each do |h|
+                if h =~ /(^Set-Cookie.*)/ then
+                  dummy = h.split(";")
+                  cookie = dummy.shift
+                  options = dummy.join(";")
+                  
+                  if (chat.request.proto =~ /https/i and options !~ /secure/i) or options !~ /httponly/i then
+                    cookie.gsub!(/=.*/,"")
+                    addFinding( :proof_pattern => options, 
+                               :check_pattern => "Set-Cookie:.*", 
+                    :chat => chat, 
+                    :title => 'Security Options',
+                    :unique => cookie)
+                  end
+                end
+              end
+            end
+          rescue
+            puts "ERROR!! #{Module.nesting[0].name}"
+          end
+        end
+      end
+      
+    end
+  end
+end

data/modules/passive/cookie_xss.rb

@@ -0,0 +1,85 @@
+# .
+# cookie_xss.rb
+# 
+# Copyright 2012 by siberas, http://www.siberas.de
+# 
+# This file is part of WATOBO (Web Application Tool Box)
+#        http://watobo.sourceforge.com
+# 
+# WATOBO is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation version 2 of the License.
+# 
+# WATOBO is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with WATOBO; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+# .
+
+module Watobo
+  module Modules
+    module Passive
+      
+      
+      class Cookie_xss < Watobo::PassiveCheck
+        
+        def initialize(project)
+          @project = project
+          super(project)
+          
+          @info.update(
+            :check_name => 'Cookie XSS',    # name of check which briefly describes functionality, will be used for tree and progress views
+            :description => "If cookies will be used in the content body, they can be misused for XSS-Attacks.",   # description of checkfunction
+            :author => "Andreas Schmidt", # author of check
+            :version => "0.9"   # check version
+            )
+            
+          @finding.update(
+            :threat => 'A cookie value has been found in the body of the HTML page. This may be exploited for XSS attacks.',        # thread of vulnerability, e.g. loss of information
+            :class => "Cookie Security",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
+            :type => FINDING_TYPE_HINT         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN 
+          )
+        end
+        
+        def do_test(chat)
+          begin
+            #  puts "running module: #{Module.nesting[0].name}"
+            return if chat.response.nil? or chat.response.body.nil?
+            if chat.response.content_type =~ /text/
+              all_cookies = chat.request.cookies
+              if all_cookies
+                # puts all_parms
+                all_cookies.each do |cookie|
+                  dummy = cookie.split("=")
+                  cname = dummy.shift
+                  cval = Regexp.quote(dummy.join)
+                  
+                    if chat.response.body =~ /#{cval}/ and cval.length > 5 then
+                      
+                      addFinding(:proof_pattern => "#{cval}", 
+                      :check_pattern => "#{cval}", 
+                      :chat => chat, 
+                      :title => "[#{cname}] - #{chat.request.path}")
+                      break
+                    end
+
+                end
+                return true
+                
+              end
+            end
+          end
+        rescue => bang
+          puts "ERROR!! #{Module.nesting[0].name}"
+          puts bang
+          puts bang.backtrace if $DEBUG
+        end
+      end
+      
+    end
+  end
+end

data/modules/passive/detect_code.rb

@@ -0,0 +1,89 @@
+# .
+# detect_code.rb
+# 
+# Copyright 2012 by siberas, http://www.siberas.de
+# 
+# This file is part of WATOBO (Web Application Tool Box)
+#        http://watobo.sourceforge.com
+# 
+# WATOBO is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation version 2 of the License.
+# 
+# WATOBO is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with WATOBO; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+# .
+module Watobo
+  module Modules
+    module Passive
+      
+      
+      class Detect_code < Watobo::PassiveCheck
+       
+        def initialize(project)
+            @project = project
+          super(project)
+          
+          @info.update(
+            :check_name => 'Detect Code Snippets',    # name of check which briefly describes functionality, will be used for tree and progress views
+            :description => "Detects code snippets which may reveal sensitive information.",   # description of checkfunction
+            :author => "Andreas Schmidt", # author of check
+            :version => "0.9"   # check version
+            )
+            
+          @finding.update(
+            :threat => 'Code snippets may reveal internal information like database passwords.',        # thread of vulnerability, e.g. loss of information
+            :class => "Code Snippets",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
+            :type => FINDING_TYPE_HINT         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN 
+          )
+          
+         
+          @pattern_list = []
+          @pattern_list << ['<\?php', "PHP" ]
+          @pattern_list << [ '<!--.*select ', "COMMENT" ]
+          @pattern_list << [ 'sample code', "COMMENT" ]
+              @pattern_list << [ '<%[^<%]*%>', "ASP" ]
+          
+          
+        end
+        
+        def do_test(chat)
+          begin
+            #  puts "running module: #{Module.nesting[0].name}"
+            #   puts "body" + chat.response.body.join
+            return if chat.response.nil? or chat.response.body.nil?
+            if chat.response.content_type =~ /text/ then
+            
+              @pattern_list.each do |pat, type|
+                #   puts "+check pattern #{pat}"
+                if  chat.response.body =~ /(#{pat})/i then
+                  #   puts "!!! MATCH !!!"
+                  
+                  match = $1
+                  path = "/" + chat.request.path
+                  addFinding(  
+                  :proof_pattern => "#{match}", 
+                  :chat => chat,
+                  :title => "[#{type}] - #{path}"
+                  )
+                end
+            end
+            end
+          rescue => bang
+            #raise
+            puts "ERROR!! #{Module.nesting[0].name}"
+            puts bang
+            puts bang.backtrace if $DEBUG
+          end
+        end
+      end
+      
+    end
+  end
+end

data/modules/passive/detect_fileupload.rb

@@ -0,0 +1,80 @@
+# .
+# detect_fileupload.rb
+# 
+# Copyright 2012 by siberas, http://www.siberas.de
+# 
+# This file is part of WATOBO (Web Application Tool Box)
+#        http://watobo.sourceforge.com
+# 
+# WATOBO is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation version 2 of the License.
+# 
+# WATOBO is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with WATOBO; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+# .
+module Watobo
+  module Modules
+    module Passive
+      class Detect_fileupload < Watobo::PassiveCheck
+        def initialize(project)
+          @project = project
+          super(project)
+
+          @info.update(
+          :check_name => 'Detect File Upload Functionality',    # name of check which briefly describes functionality, will be used for tree and progress views
+          :description => "Detects file upload functions which may be exploited to upload malicious file contents.",   # description of checkfunction
+          :author => "Andreas Schmidt", # author of check
+          :version => "0.9"   # check version
+          )
+
+          @finding.update(
+          :threat => 'File upload functions sometimes can be exploited to upload malicious code. This can lead to server- or client-side code excecution.',        # thread of vulnerability, e.g. loss of information
+          :class => "File Uploads",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
+          :type => FINDING_TYPE_HINT         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
+          )
+
+          @pattern_list = []
+          @pattern_list << Regexp.new("<input [^>]*type=.file.")
+
+        end
+
+        def do_test(chat)
+          begin
+            return if chat.response.nil? or chat.response.body.nil?
+            if chat.response.content_type =~ /text/
+                          
+              @pattern_list.each do |pat|
+              #puts "+check pattern #{pat}"
+                if pat.match(chat.response.body) # =~ /(#{pat})/i then
+                #   puts "!!! MATCH (FILE UPLOAD)!!!"
+                match = $1
+                #   puts match
+                addFinding(
+                :check_pattern => "#{pat}",
+                :proof_pattern => "#{match}",
+                :title => "#{chat.request.path_ext}",
+                :chat => chat
+                )
+
+                end
+              end
+            else
+            # puts chat.response.content_type
+            end
+          rescue => bang
+          puts "ERROR!! #{Module.nesting[0].name}"
+          puts bang
+          end
+        end
+      end
+
+    end
+  end
+end

data/modules/passive/detect_infrastructure.rb

@@ -0,0 +1,98 @@
+# .
+# detect_infrastructure.rb
+# 
+# Copyright 2012 by siberas, http://www.siberas.de
+# 
+# This file is part of WATOBO (Web Application Tool Box)
+#        http://watobo.sourceforge.com
+# 
+# WATOBO is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation version 2 of the License.
+# 
+# WATOBO is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with WATOBO; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+# .
+module Watobo
+  module Modules
+    module Passive
+      class Detect_infrastructure < Watobo::PassiveCheck
+        def initialize(project)
+          @project = project
+          super(project)
+
+          @info.update(
+          :check_name => 'Infrastructure Information',    # name of check which briefly describes functionality, will be used for tree and progress views
+          :description => "Searching for information in response body which may reveal information about Plattform, CMS-Systems, Application Server, ...",   # description of checkfunction
+          :author => "Andreas Schmidt", # author of check
+          :version => "0.9"   # check version
+          )
+
+          @finding.update(
+          :threat => 'Information about the underlying infrastructure may help an attacker to perform specialized attacks.',        # thread of vulnerability, e.g. loss of information
+          :class => "Infrastructure",    # vulnerability class, e.g. Stored XSS, SQL-Injection, ...
+          :type => FINDING_TYPE_INFO         # FINDING_TYPE_HINT, FINDING_TYPE_INFO, FINDING_TYPE_VULN
+          )
+
+          @pattern_list = []
+          @pattern_list << [ 'Server', Regexp.new('<address>(.*)Server at') ]
+          @pattern_list << [ 'eZPublish CMS', Regexp.new('title="(eZ Publish)')]
+          @pattern_list << [ 'Imperia CMS', Regexp.new('content=[^>]*(IMPERIA [\d\.]*)')]
+          @pattern_list << [ 'Typo3 CMS', Regexp.new('content=[^>]*(TYPO3 [\d\.]* CMS)')]
+          @pattern_list << [ 'Open Text CMS', Regexp.new('published by[^>]*(Open Text Web Solutions[\-\s\d\.]*)')]
+          #<meta name="generator" content="Sefrengo / www.sefrengo.org" >
+          #<meta name="author" content="CMS Sefrengo">
+          @pattern_list << [ 'Sefrengo CMS', Regexp.new('content=[^>]*(Sefrengo[\s\d\.]*)')]
+          @pattern_list << [ 'Tomcat', Regexp.new('(Apache Tomcat\/\d{1,4}\.\d{1,4}\.\d{1,4})') ]
+          @pattern_list << [ 'Microsoft-IIS', Regexp.new('<img src="welcome.png" alt="(IIS7)"')]
+#          When it’s a SharePoint 2010 site, you will get the result is like this: MicrosoftSharePointTeamServices: 14.0.0.6106
+@pattern_list << [ 'SharePoint 2010', Regexp.new('MicrosoftSharePointTeamServices.*14.0.0.6106')]
+# And in SharePoint 2007 site, the result is like this: MicrosoftSharePointTeamServices:12.0.0.4518
+@pattern_list << [ 'SharePoint 2007', Regexp.new('MicrosoftSharePointTeamServices.*12.0.0.4518')]
+          
+
+          #@pattern_list << 'sample code'
+
+        end
+
+        def do_test(chat)
+          begin
+             # puts "running module: #{Module.nesting[0].name}"
+            #   puts "body" + chat.response.body.join
+            return if chat.response.nil? or chat.response.body.nil?
+            if chat.response.content_type =~ /text/ then
+              
+                @pattern_list.each do |pat|
+
+                  if chat.response.join =~ /(#{pat[1]})/i then
+                    #   puts "!!! MATCH !!!"
+                    match = $1
+                    addFinding(
+                    :proof_pattern => "#{match}",
+                    :chat => chat,
+                    :title => "[#{pat[0]}] - #{match.slice(0..15)}"
+                    )
+                    break
+                  end
+              end
+            end
+          rescue => bang
+            puts "ERROR!! #{Module.nesting[0].name}"
+            puts bang
+            if $DEBUG
+              puts bang.backtrace 
+              puts chat.response.join
+            end
+          end
+        end
+      end
+
+    end
+  end
+end