watobo 0.9.8.724 → 0.9.9.pre1

data/CHANGELOG

@@ -1,3 +1,18 @@
+= Version 0.9.9.pre1
+== NEW
+* Time-based SQL injection module
+* new XSS module which gives a more accurate exploitability result
+* ConversationTable: values in coloumn Parameters are url-decoded
+* Added a WebCrawler Plugin based on Mechanize
+* Manual Request Editor: Url is displayed in the window title
+
+== Fixes
+* CA Directory is now created in WATOBO working directory '.watobo'
+* Fixed Crash on opening client-certificate dialog
+* ConversationTable: GET and POST parameters are shown in the parameters coloumn 
+* TreeView-Pane: Show full conversation list when Findings tab is selected
+* smaller fixes
+
 = Version 0.9.8
 == NEW
 * Ruby 1.9 Support - no more 1.8 don't even try it ;)
@@ -13,6 +28,8 @@
 * GUI: purge (multiple) findings is possibel via FindingsTree
 
 == Fixes
+* interceptor reset-button
+* Constant declarations
 * lib/mixin/request_parser.rb: fixed file handling
 * fixed pattern for detecting file upload fields
 * optimized "tagless" view

data/bin/watobo

@@ -1,2 +1,2 @@
 #!/bin/ruby
-puts "Please use the command watobo_gui.rb to start watobo."
+puts "Please use the command watobo_gui.rb to start watobo."

data/lib/watobo/adapters/file/file_store.rb

@@ -48,28 +48,28 @@ module Watobo
       end
 
     end
-    
+
     def delete_finding(finding)
       finding_file = File.join("#{@findings_path}", "#{finding.id}-finding")
       File.delete finding_file if File.exist? finding_file
-      
+
     end
-    
+
     def update_finding(finding)
       finding_file = File.join("#{@findings_path}", "#{finding.id}-finding")
-       finding_data = {
-          :request => finding.request.map{|x| x.inspect},
-          :response => finding.response.map{|x| x.inspect},
-          :details => Hash.new
-        }
-        finding_data[:details].update(finding.details)
+      finding_data = {
+        :request => finding.request.map{|x| x.inspect},
+        :response => finding.response.map{|x| x.inspect},
+        :details => Hash.new
+      }
+      finding_data[:details].update(finding.details)
+
+      if File.exists?(finding_file) then
+        fh = File.new(finding_file, "w+b")
+        fh.print YAML.dump(finding_data)
+      fh.close
+      end
 
-        if File.exists?(finding_file) then
-          fh = File.new(finding_file, "w+b")
-          fh.print YAML.dump(finding_data)
-          fh.close
-        end
-      
     end
 
     # add_scan_log
@@ -79,23 +79,23 @@ module Watobo
     def add_scan_log(chat, scan_name = nil)
       begin
         return false if scan_name.nil?
-        puts ">> scan_name"
+       # puts ">> scan_name"
         path = File.join(@scanlog_path, scan_name)
-        
+
         Dir.mkdir path unless File.exist? path
-        
+
         log_file = File.join( path, "log_" + Time.now.to_f.to_s)
 
         chat_data = {
           :request => chat.request.map{|x| x.inspect},
           :response => chat.response.map{|x| x.inspect},
         }
-        puts log_file
+       # puts log_file
         chat_data.update(chat.settings)
         File.open(log_file, "w") { |fh|
           YAML.dump(chat_data, fh)
         }
-      return true
+        return true
       rescue => bang
         puts bang
         puts bang.backtrace if $DEBUG
@@ -135,34 +135,40 @@ module Watobo
       end
     end
 
-    
-
     def initialize(project_name, session_name)
 
       wsp = Watobo.workspace_path
       return false unless File.exist? wsp
       puts "* using workspace path: #{wsp}" if $DEBUG
-      project_path = File.join(wsp, project_name)
-      unless File.exist? project_path
-        puts "* create project path: #{project_path}" if $DEBUG
-        Dir.mkdir(project_path)
+      @project_path = File.join(wsp, project_name)
+      unless File.exist? @project_path
+        puts "* create project path: #{@project_path}" if $DEBUG
+        Dir.mkdir(@project_path)
       end
-      session_path = File.join(project_path, session_name)
 
-      unless File.exist? session_path
-        puts "* create session path: #{session_path}" if $DEBUG
-        Dir.mkdir(session_path)
+      @project_config_path = File.join(@project_path, "config")
+      Dir.mkdir @project_config_path unless File.exist? @project_config_path
+
+      @session_path = File.join(@project_path, session_name)
+
+      unless File.exist? @session_path
+        puts "* create session path: #{@session_path}" if $DEBUG
+        Dir.mkdir(@session_path)
       end
+
+      @session_config_path = File.join(@session_path, "config")
+      Dir.mkdir @session_config_path unless File.exist? @session_config_path
+
       sext = Watobo::Conf::General.session_settings_file_ext
-      
-      @session_file = File.join(session_path, session_name + sext)
-      @project_file = File.join(project_path, project_name + Watobo::Conf::General.project_settings_file_ext)
 
-      @conversation_path = File.expand_path(File.join(session_path, Watobo::Conf::Datastore.conversations))
+      @session_file = File.join(@session_path, session_name + sext)
+      @project_file = File.join(@project_path, project_name + Watobo::Conf::General.project_settings_file_ext)
 
-      @findings_path = File.expand_path(File.join(session_path, Watobo::Conf::Datastore.findings))
-      @log_path = File.expand_path(File.join(session_path, Watobo::Conf::Datastore.event_logs_dir))
-      @scanlog_path = File.expand_path(File.join(session_path, Watobo::Conf::Datastore.scan_logs_dir))
+      @conversation_path = File.expand_path(File.join(@session_path, Watobo::Conf::Datastore.conversations))
+
+      @findings_path = File.expand_path(File.join(@session_path, Watobo::Conf::Datastore.findings))
+      @log_path = File.expand_path(File.join(@session_path, Watobo::Conf::Datastore.event_logs_dir))
+      @scanlog_path = File.expand_path(File.join(@session_path, Watobo::Conf::Datastore.scan_logs_dir))
 
       [ @conversation_path, @findings_path, @log_path, @scanlog_path ].each do |folder|
         if not File.exists?(folder) then
@@ -183,29 +189,64 @@ module Watobo
     #     @finding_files = get_file_list(@findings_path, "*-finding")
     end
 
-    
-    def save_session_settings(session_settings)
-      
+    def save_session_settings(group, session_settings)
+     # puts ">> save_session_settings <<"
+      file = Watobo::Utils.snakecase group.gsub(/\.yml/,'')
+      file << ".yml"
+
+      session_file = File.join(@session_config_path, file)
+     # puts "Dest.File: #{session_file}"
+    #  puts session_settings.to_yaml
+     # puts "---"
+      Watobo::Utils.save_settings(session_file, session_settings)
     end
-    
-    def load_session_settings()
-      
+
+    def load_session_settings(group)
+     # puts ">> load_session_settings : #{group}"
+      file = Watobo::Utils.snakecase group.gsub(/\.yml/,'')
+      file << ".yml"
+
+      session_file = File.join(@session_config_path, file)
+     # puts "File: #{session_file}"
+    #  puts "---"
+
+      s = Watobo::Utils.load_settings(session_file)
+      s
     end
-    
-    def save_project_settings(project_settings)
-      
+
+    def save_project_settings(group, project_settings)
+     # puts ">> save_project_settings : #{group}"
+      file = Watobo::Utils.snakecase group.gsub(/\.yml/,'')
+      file << ".yml"
+
+      project_file = File.join(@project_config_path, file)
+     # puts "Dest.File: #{project_file}"
+     # puts project_settings.to_yaml
+     # puts "---"
+      Watobo::Utils.save_settings(project_file, project_settings)
+
     end
-    
-    def load_project_settings()
-      
+
+    def load_project_settings(group)
+     # puts ">> load_project_settings : #{group}"
+      file = Watobo::Utils.snakecase group.gsub(/\.yml/,'')
+      file << ".yml"
+
+      project_file = File.join(@project_config_path, file)
+     # puts "File: #{project_file}"
+     # puts "---"
+
+      s = Watobo::Utils.load_settings(project_file)
+      s
+
     end
-    
+
     private
-    
+
     def get_file_list(path, pattern)
       Dir["#{path}/#{pattern}"].sort_by{ |x| File.basename(x).sub(/[^0-9]*/,'').to_i }
     end
-    
+
   end
 
 end

data/lib/watobo/config.rb

@@ -25,21 +25,35 @@ module Watobo
     @@settings = Hash.new
     @count = 0
     @@modules = []
+    
     def self.each(&b)
       @@modules.each do |m|
         yield m if block_given?
       end
       @@modules.length
     end
+    
+    def self.load_project_settings(data_store)
+      @@modules.each do |m|
+        m.load_project(data_store)
+      end
+    end
+    
+    def self.load_session_settings(data_store)
+      @@modules.each do |m|
+        m.load_session(data_store)
+      end
+    end
 
     def self.add(group, settings)
       #   puts "* create new configuration for #{group}"
 
-      module_eval("module #{group}; @settings = #{settings} end")
+      module_eval("module #{group}; @settings = #{settings}; end")
       m = const_get(group)
       m.module_eval do
         def self.to_file
-          n = self.to_s.gsub(/(Watobo)?::/, "/").gsub(/([A-Z])([A-Z][a-z])/, '\1_\2').gsub(/([a-z\d])([A-Z])/, '\1_\2').tr("-","_").downcase
+       #   n = self.to_s.gsub(/(Watobo)?::/, "/").gsub(/([A-Z])([A-Z][a-z])/, '\1_\2').gsub(/([a-z\d])([A-Z])/, '\1_\2').tr("-","_").downcase
+          n = Watobo::Utils.snakecase self.to_s.gsub(/(Watobo)?::/, "/")
           n << ".yml"
         end
 
@@ -54,32 +68,94 @@ module Watobo
             puts "! [#{self}] could not update settings from file #{file}" if $DEBUG
           end
         end
+        
+        # returns the group name of the module
+        # e.g. the group name of Watobo::Conf::Interceptor would be Interceptor
+        def self.group_name
+          self.to_s.gsub(/.*::/,"")
+        end
 
         def self.set(settings)
           return false unless settings.is_a? Hash
           @settings = YAML.load(YAML.dump(settings))
         end
 
-        def self.save(path=nil, &b)
+        def self.save_session(data_store, *filter, &b)
+          raise ArgumentError, "Need a valid Watobo::DataStore" unless data_store.respond_to? :save_project_settings
+          s = filter_settings filter
+          yield s if block_given?
+         # puts group_name
+          data_store.save_session_settings( group_name, s )
+        end
+
+        def self.save_project(data_store, *filter, &b)
+          raise ArgumentError, "Need a valid Watobo::DataStore" unless data_store.respond_to? :save_project_settings
+          s = filter_settings filter
+          data_store.save_project_settings(group_name, s)
+        end
+        
+        def self.load_session(data_store, prefs={}, &b)
+          raise ArgumentError, "Need a valid Watobo::DataStore" unless data_store.respond_to? :load_project_settings
+          
+          p = { :update => true }
+          p.update prefs
+          
+          s = data_store.load_session_settings(group_name)
+          return false if s.nil?
+          
+          if p[:update] == true
+            @settings.update s
+          else
+            @settings = s
+          end
+        end
+        
+        def self.load_project(data_store, prefs={}, &b)
+          raise ArgumentError, "Need a valid Watobo::DataStore" unless data_store.respond_to? :load_project_settings
+          
+          p = { :update => true }
+          p.update prefs
+          
+          s = data_store.load_project_settings(group_name)
+          return false if s.nil?
+          
+          if p[:update] == true
+            @settings.update s
+          else
+            @settings = s
+          end
+        end
+
+        def self.filter_settings(f)
+          s = YAML.load(YAML.dump(@settings))
+
+          if f.length > 0
+            s.each_key do |k|
+              s.delete k unless f.include? k
+            end
+          end
+          s
+        end
+
+        def self.save(path=nil, *filter, &b)
 
           n = self.to_file
           p = Conf::General.working_directory
           unless path.nil?
             if File.exist? path
-              p = path
+            p = path
             end
-          end 
+          end
 
           file = File.join( p, n )
 
-          s = YAML.load(YAML.dump(@settings))
-          s.each_pair do |k,v|
-            yield k,v if block_given?
-          end
+          s = filter_settings filter
+
+          yield s if block_given?
 
           if File.exist?(File.dirname(file))
-            puts "* save config #{self} to: #{file}"
-            puts s.to_yaml
+           # puts "* save config #{self} to: #{file}"
+           # puts s.to_yaml
             File.open(file, "w") { |fh|
               YAML.dump(s, fh)
             }
@@ -113,7 +189,9 @@ module Watobo
           end
         end
 
-        def self.included(clazz)
+        # TODO: create a class-instance of the module itself, so it can be referenced like @scanner.scope
+        # before creating the reference also check if there's another class-instance variable with the same name
+        def self.included_UNUSED(clazz)
           puts "* #{self} gets included into #{clazz}"
           @settings.each_key do |k|
             puts "* add method for #{k}"

data/lib/watobo/core/active_check.rb

@@ -111,12 +111,12 @@ module Watobo
 
     def postParmNames(chat)
       pnames = chat.request.post_parm_names
+      return pnames unless @settings.has_key? :excluded_parms
+      return pnames unless @settings[:excluded_parms].is_a? Array
       begin
-        @settings[:excluded_parms].each do |p|
-          pnames.delete(p)
-        end
+      pnames.select!{|p| !@settings[:excluded_parms].include? p }        
       rescue => bang
-      puts "! settings 'excluded_parms' missing !"
+      #puts "! settings 'excluded_parms' missing !"
       #  puts @project.settings.to_yaml
       puts bang
       puts bang.backtrace if $DEBUG
@@ -247,6 +247,10 @@ module Watobo
       end
       return false, nil, nil
     end
+    
+    def log_console(msg)
+      puts "[#{Module.nesting[0].name}] #{msg}"
+    end
 
     # +++ run_checks  +++
     # + function: wrapper function for doRequest(r). Needed for additional checks like smartchecks.

data/lib/watobo/core/http_socket.rb

@@ -32,11 +32,11 @@ module Watobo
         bytes_read = 0
         while max_bytes < 0 or bytes_to_read > 0 
           begin
-            timeout(5) do
+         #   timeout(5) do
              # puts "<#{bytes_to_read} / #{bytes_read} / #{max_bytes}"
               buf = socket.readpartial(bytes_to_read)
               bytes_read += buf.length
-            end
+         #   end
           rescue EOFError
             return
           rescue Timeout::Error
@@ -63,19 +63,19 @@ module Watobo
         while (chunk_size = socket.gets)
           next if chunk_size.strip.empty?
           yield "#{chunk_size}" if block_given?
-          num_bytes = chunk_size.strip.hex
+          bytes_to_read = num_bytes = chunk_size.strip.hex
           # puts "> chunk-length: 0x#{chunk_size.strip}(#{num_bytes})"
           return if num_bytes == 0
           bytes_read = 0
           while bytes_read < num_bytes
             begin
-              timeout(5) do
+             # timeout(5) do
                 bytes_to_read = num_bytes - bytes_read
                 # puts bytes_to_read.to_s
                 buf = socket.readpartial(bytes_to_read)
                 bytes_read += buf.length
                 # puts bytes_read.to_s
-              end
+             # end
             rescue EOFError
               # yield buf if buf
               return

data/lib/watobo/core/interceptor.rb

@@ -34,8 +34,7 @@ module Watobo
     #  include Watobo::Conf::Interceptor
 
     attr :port
-    
-    
+
     attr_accessor :mode
 
     attr_accessor :contentLength
@@ -43,11 +42,10 @@ module Watobo
     attr_accessor :target
     attr_accessor :www_auth
     attr_accessor :client_certificates
-    
     def server
       @bind_addr
     end
-    
+
     def subscribe(event, &callback)
       (@event_dispatcher_listeners[event] ||= []) << callback
     end
@@ -188,13 +186,19 @@ module Watobo
 
             #p "getHTTPHeader"
             #s_sock, req, resp = @sender.getHTTPHeader(request, :update_sids => true, :update_session => false, :update_contentlength => true)
+            begin
             s_sock, req, resp = @sender.sendHTTPRequest(request, :update_sids => true, :update_session => false, :update_contentlength => true, :www_auth => @www_auth, :client_certificates => @client_certificates)
-
             if s_sock.nil? then
               c_sock.print resp.join unless resp.nil?
               closeSocket(c_sock)
             next
             end
+            rescue => bang
+              puts bang
+              puts bang.backtrace if $DEBUG
+              closeSocket(c_sock)
+              next
+            end
 
             # check if response should be passed throug
             Thread.current.exit if isPassThrough?(req, resp, s_sock, c_sock)

data/lib/watobo/core/project.rb

@@ -254,6 +254,15 @@ module Watobo
     def projectSettingsFile
       @project_file
     end
+    
+    def session_settings()
+      s = YAML.load(YAML.dump(scan_settings))
+      sf =  [:logout_signatures, :non_unique_parms, :login_chat_ids, :excluded_chats, :csrf_request_ids, :scope ]
+      s.each_key do |k|
+        s.delete k unless sf.include? k
+      end
+      s
+    end
 
     def getLoginChats()
       @scan_settings[:login_chat_ids] ||= []
@@ -625,10 +634,14 @@ module Watobo
       }
       options.update opts
       #  puts "* add finding #{finding.details[:fid]}" if $DEBUG
+      
+      @findings_count ||= Hash.new
+      @findings_count[finding.details[:class]] = 0 unless @findings_count.has_key? finding.details[:class]
 
-      unless @findings.has_key?(finding.details[:fid])
+      unless @findings.has_key?(finding.details[:fid]) or @findings_count[finding.details[:class]] > 100
         begin
           @findings[finding.details[:fid]] = finding
+          @findings_count[finding.details[:class]] += 1
           #@interface.addFinding(new_finding)
           #   puts "* new finding"
           notify(:new_finding, finding) if options[:notify] == true
@@ -639,6 +652,8 @@ module Watobo
           puts bang
           puts bang.backtrace if $DEBUG
         end
+      else
+        puts "Skip finding <#{finding.details[:class]}>"
       end
       end
 

data/lib/watobo/defaults.rb

@@ -25,7 +25,8 @@ module Watobo
     #   puts "* loading defaults from #{config_path}"
     Dir.glob("#{config_path}/*.yml").each do |cf|
       dummy = File.basename(cf).gsub!(/.yml/,'')
-      cc = dummy.strip.gsub(/[^[a-zA-Z\-_]]/,"").gsub( "-" , "_").split("_").map{ |s| s.downcase.capitalize }.join
+      #cc = dummy.strip.gsub(/[^[a-zA-Z\-_]]/,"").gsub( "-" , "_").split("_").map{ |s| s.downcase.capitalize }.join
+      cc = Watobo::Utils.camelcase dummy
       begin
         settings = YAML.load_file(cf)
         Watobo::Conf.add(cc,  settings )

data/lib/watobo/externals.rb

@@ -25,4 +25,4 @@ require 'watobo/external/diff/lcs/callbacks'
 require 'watobo/external/diff/lcs/block'
 require 'watobo/external/diff/lcs/change'
 
-require 'watobo/external/ntlm/ntlm'
+#require 'watobo/external/ntlm/ntlm'

data/lib/watobo/framework/create_project.rb

@@ -20,6 +20,9 @@
 # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 # .
 module Watobo
+  def self.project
+    @project
+  end
   # create_project is a wrapper function to create a new project
   # you can either create a project by giving a URL (:url),
   # or by giving a :project_name AND a :session_name
@@ -35,6 +38,11 @@ module Watobo
     end
 
     ds = Watobo::DataStore.aquire(project_settings[:project_name], project_settings[:session_name])
+    
+    # updating settings
+    Watobo::Conf.load_project_settings(ds)
+    Watobo::Conf.load_session_settings(ds)
+    
     project_settings[:session_store] = ds
 
     puts "= initialize passive checks ="
@@ -49,8 +57,8 @@ module Watobo
     puts "Total: " + project_settings[:active_checks].length.to_s
 
     project = Project.new(project_settings)
-    @running_projects << project
-    project
+    #@running_projects << project
+    @project = project
     
   end
   

data/lib/watobo/gui/certificate_dialog.rb

@@ -26,7 +26,7 @@ module Watobo
       def createCertificate(sender, sel, ptr)
         @createButton.disable
 
-        cadir = File.join(File.dirname($0), "CA")
+        cadir = File.join(Watobo.working_directory, "CA")
         crl_dir= File.join(cadir, "crl")
         hostname = "watobo"
         domainname = "watobo.local"

data/lib/watobo/gui/chat_diff.rb

@@ -169,6 +169,7 @@ module Watobo
       
       
       def normalizeData(data)
+        raise ArgumentError, "Bad data type. Need Request/Response." unless data.respond_to? :headers 
         dummy = []
         begin
           unless data.headers.nil?
@@ -178,8 +179,13 @@ module Watobo
             
             dummy.push ""
           end
+          
+          
           unless data.body.nil?
-            data.body.split("\n").each do |l|
+            puts "> clean up body #{data.body.length}"
+            body =  data.body.unpack("C*").pack("C*")
+            body.split("\n").each do |l|
+             # puts "[#{i}] #{l}"
               dummy.concat adjustLine(l)
             end
           end
@@ -188,7 +194,7 @@ module Watobo
           dummy = data
         end
         #  puts dummy.join("\n")
-        #return dummy.join("\n")
+       # return dummy.join("\n")
         return dummy
       end
       
@@ -258,6 +264,10 @@ module Watobo
         context_lines = 3
         raw_chunks = []
         collections = []
+        puts "[#{self}]"
+        puts "#{data_old.length} #{data_old.class}"
+        puts "#{data_new.length} #{data_new.class}"
+                
         return collections if diffs.empty?
         oldhunk = hunk = nil
         file_length_difference = 0
@@ -394,6 +404,13 @@ module Watobo
         @normRequestNew = normalizeData(chat_new.request)
         @normResponseNew = normalizeData(chat_new.response)
         
+        puts "= normalized response (new)"
+        puts "#{@normResponseNew.length} #{@normResponseNew.class}"
+        
+        puts "= normalized response (new)"
+        puts "#{@normResponseOrig.length} #{@normResponseOrig.class}"
+        
+        
         # diff normalized data
         @requestDiffs = Diff::LCS.diff( @normRequestOrig, @normRequestNew )
         @responseDiffs = Diff::LCS.diff( @normResponseOrig, @normResponseNew )

data/lib/watobo/gui/client_cert_dialog.rb

@@ -43,7 +43,7 @@ module Watobo
 
         @cert_path = nil
         @client_certificates = {}
-        @client_certificates = project.getClientCertificates unless project.getClientCertificates.nil?
+       #  @client_certificates = project.getClientCertificates unless project.getClientCertificates.nil?
       #  puts client_certificates.to_yaml
 
         @password_policy.update prefs[:password_policy] if prefs.has_key? :password_policy