watobo 0.9.12 → 0.9.13
Sign up to get free protection for your applications and to get access to all the features.
- data/.yardopts +2 -2
- data/{CHANGELOG → CHANGELOG.md} +62 -0
- data/README.md +30 -0
- data/bin/nfq_server.rb +4 -3
- data/bin/watobo_gui.rb +1 -1
- data/config/ott_cache.yml +4 -0
- data/config/scanner.yml +1 -18
- data/config/sid_cache.yml +14 -0
- data/extras/private-hostspot.sh +17 -0
- data/extras/watobo-installer.sh +61 -0
- data/extras/watobo-transparent.sh +38 -0
- data/icons/BestPractice_16x16.ico +0 -0
- data/icons/BestPractice_24x24.ico +0 -0
- data/lib/watobo/adapters/data_store.rb +25 -3
- data/lib/watobo/adapters/file/file_store.rb +19 -11
- data/lib/watobo/adapters/session_store.rb +3 -2
- data/lib/watobo/adapters.rb +1 -1
- data/lib/watobo/ca.rb +1 -1
- data/lib/watobo/config.rb +17 -19
- data/lib/watobo/constants.rb +3 -2
- data/lib/watobo/core/active_check.rb +62 -40
- data/lib/watobo/core/active_checks.rb +73 -0
- data/lib/watobo/core/ca.rb +3 -2
- data/lib/watobo/core/cert_store.rb +3 -2
- data/lib/watobo/core/chat.rb +122 -0
- data/lib/watobo/core/chats.rb +301 -0
- data/lib/watobo/core/conversation.rb +71 -0
- data/lib/watobo/core/cookie.rb +9 -25
- data/lib/watobo/core/finding.rb +89 -0
- data/lib/watobo/core/findings.rb +132 -0
- data/lib/watobo/core/forwarding_proxy.rb +4 -2
- data/lib/watobo/core/fuzz_gen.rb +3 -2
- data/lib/watobo/core/intercept_carver.rb +24 -12
- data/lib/watobo/core/intercept_filter.rb +4 -3
- data/lib/watobo/core/interceptor.rb +9 -888
- data/lib/watobo/core/min_class.rb +27 -0
- data/lib/watobo/core/netfilter_queue.rb +3 -2
- data/lib/watobo/core/ott_cache.rb +156 -0
- data/lib/watobo/core/parameter.rb +66 -0
- data/lib/watobo/core/passive_check.rb +15 -22
- data/lib/watobo/core/passive_checks.rb +72 -0
- data/lib/watobo/core/passive_scanner.rb +69 -0
- data/lib/watobo/core/plugin.rb +33 -0
- data/lib/watobo/core/project.rb +40 -547
- data/lib/watobo/core/proxy.rb +7 -2
- data/lib/watobo/core/request.rb +95 -10
- data/lib/watobo/core/response.rb +44 -3
- data/lib/watobo/core/scanner.rb +6 -7
- data/lib/watobo/core/scanner3.rb +439 -0
- data/lib/watobo/core/scope.rb +106 -0
- data/lib/watobo/core/session.rb +106 -286
- data/lib/watobo/core/sid_cache.rb +121 -0
- data/lib/watobo/core/subscriber.rb +48 -0
- data/lib/watobo/core.rb +2 -2
- data/lib/watobo/defaults.rb +3 -2
- data/lib/watobo/external/diff/lcs/array.rb +1 -1
- data/lib/watobo/external/diff/lcs/block.rb +1 -1
- data/lib/watobo/external/diff/lcs/callbacks.rb +1 -1
- data/lib/watobo/external/diff/lcs/change.rb +1 -1
- data/lib/watobo/external/diff/lcs/hunk.rb +1 -1
- data/lib/watobo/external/diff/lcs/ldiff.rb +1 -1
- data/lib/watobo/external/diff/lcs/string.rb +1 -1
- data/lib/watobo/external/diff/lcs.rb +1 -1
- data/lib/watobo/external/ntlm/ntlm.rb +1 -1
- data/lib/watobo/externals.rb +1 -1
- data/lib/watobo/framework/create_project.rb +19 -12
- data/lib/watobo/framework/init.rb +4 -3
- data/lib/watobo/framework/init_modules.rb +32 -3
- data/lib/watobo/framework/license_text.rb +3 -2
- data/lib/watobo/framework/load_chat.rb +36 -0
- data/lib/watobo/framework.rb +2 -2
- data/lib/watobo/gui/about_watobo.rb +3 -2
- data/lib/watobo/gui/browser_preview.rb +4 -3
- data/lib/watobo/gui/certificate_dialog.rb +3 -2
- data/lib/watobo/gui/chat_diff.rb +6 -14
- data/lib/watobo/gui/chatviewer_frame.rb +30 -5
- data/lib/watobo/gui/checkboxtree.rb +13 -12
- data/lib/watobo/gui/checks_policy_frame.rb +8 -10
- data/lib/watobo/gui/client_cert_dialog.rb +8 -6
- data/lib/watobo/gui/confirm_scan_dialog.rb +5 -3
- data/lib/watobo/gui/conversation_table.rb +288 -51
- data/lib/watobo/gui/conversation_table_ctrl.rb +36 -3
- data/lib/watobo/gui/conversation_table_ctrl2.rb +416 -0
- data/lib/watobo/gui/csrf_token_dialog.rb +25 -33
- data/lib/watobo/gui/dashboard.rb +47 -45
- data/lib/watobo/gui/define_scope_frame.rb +27 -22
- data/lib/watobo/gui/differ_frame.rb +238 -0
- data/lib/watobo/gui/edit_comment.rb +3 -2
- data/lib/watobo/gui/edit_scope_dialog.rb +7 -6
- data/lib/watobo/gui/finding_info.rb +3 -2
- data/lib/watobo/gui/findings_tree.rb +101 -26
- data/lib/watobo/gui/full_scan_dialog.rb +5 -6
- data/lib/watobo/gui/fuzzer_gui.rb +51 -18
- data/lib/watobo/gui/goto_url_dialog.rb +92 -0
- data/lib/watobo/gui/hex_viewer.rb +16 -5
- data/lib/watobo/gui/html_viewer.rb +309 -0
- data/lib/watobo/gui/intercept_filter_dialog.rb +3 -2
- data/lib/watobo/gui/interceptor_gui.rb +5 -4
- data/lib/watobo/gui/interceptor_settings_dialog.rb +4 -3
- data/lib/watobo/gui/list_box.rb +4 -3
- data/lib/watobo/gui/log_file_viewer.rb +55 -0
- data/lib/watobo/gui/log_viewer.rb +3 -82
- data/lib/watobo/gui/login_wizzard.rb +3 -3
- data/lib/watobo/gui/main_window.rb +183 -164
- data/lib/watobo/gui/manual_request_editor.rb +157 -642
- data/lib/watobo/gui/master_pw_dialog.rb +3 -2
- data/lib/watobo/gui/mixins/gui_settings.rb +3 -2
- data/lib/watobo/gui/page_tree.rb +3 -2
- data/lib/watobo/gui/password_policy_dialog.rb +3 -2
- data/lib/watobo/gui/plugin_board.rb +103 -73
- data/lib/watobo/gui/preferences_dialog.rb +3 -2
- data/lib/watobo/gui/progress_window.rb +3 -2
- data/lib/watobo/gui/project_wizzard.rb +3 -2
- data/lib/watobo/gui/proxy_dialog.rb +3 -2
- data/lib/watobo/gui/quick_scan_dialog.rb +17 -32
- data/lib/watobo/gui/request_builder_frame.rb +134 -0
- data/lib/watobo/gui/request_editor.rb +14 -9
- data/lib/watobo/gui/rewrite_filters_dialog.rb +4 -3
- data/lib/watobo/gui/rewrite_rules_dialog.rb +4 -3
- data/lib/watobo/gui/save_chat_dialog.rb +7 -3
- data/lib/watobo/gui/scanner_settings_dialog.rb +4 -3
- data/lib/watobo/gui/select_chat_dialog.rb +15 -25
- data/lib/watobo/gui/session_management_dialog.rb +21 -25
- data/lib/watobo/gui/sites_tree.rb +5 -4
- data/lib/watobo/gui/status_bar.rb +3 -2
- data/lib/watobo/gui/table_editor.rb +398 -386
- data/lib/watobo/gui/tagless_viewer.rb +3 -2
- data/lib/watobo/gui/templates/plugin.rb +3 -2
- data/lib/watobo/gui/templates/plugin2.rb +4 -3
- data/lib/watobo/gui/templates/plugin_base.rb +168 -0
- data/lib/watobo/gui/text_viewer.rb +49 -3
- data/lib/watobo/gui/transcoder_window.rb +3 -2
- data/lib/watobo/gui/utils/gui_utils.rb +5 -4
- data/lib/watobo/gui/utils/init_icons.rb +5 -2
- data/lib/watobo/gui/utils/load_icons.rb +3 -2
- data/lib/watobo/gui/utils/load_plugins.rb +22 -5
- data/lib/watobo/gui/utils/master_password.rb +3 -2
- data/lib/watobo/gui/utils/save_default_settings.rb +7 -5
- data/lib/watobo/gui/utils/save_project_settings.rb +1 -1
- data/lib/watobo/gui/utils/save_proxy_settings.rb +4 -3
- data/lib/watobo/gui/utils/save_scanner_settings.rb +5 -4
- data/lib/watobo/gui/utils/session_history.rb +3 -2
- data/lib/watobo/gui/workspace_dialog.rb +3 -2
- data/lib/watobo/gui/www_auth_dialog.rb +4 -3
- data/lib/watobo/gui/xml_viewer_frame.rb +3 -2
- data/lib/watobo/gui.rb +6 -3
- data/lib/watobo/http/cookies/cookies.rb +66 -0
- data/lib/watobo/http/data/data.rb +68 -0
- data/lib/watobo/{gui/mixins/subscriber.rb → http/url/url.rb} +33 -19
- data/lib/watobo/http_socket/agent.rb +851 -0
- data/lib/watobo/http_socket/client_socket.rb +290 -0
- data/lib/watobo/http_socket/connection.rb +423 -0
- data/lib/watobo/http_socket/http_socket.rb +273 -0
- data/lib/watobo/http_socket/ntlm_auth.rb +152 -0
- data/lib/watobo/http_socket/proxy.rb +31 -0
- data/lib/watobo/http_socket.rb +25 -0
- data/lib/watobo/interceptor/proxy.rb +883 -0
- data/lib/watobo/interceptor/transparent.rb +37 -0
- data/lib/watobo/interceptor.rb +25 -0
- data/lib/watobo/mixins/check_info.rb +50 -0
- data/lib/watobo/mixins/httpparser.rb +92 -20
- data/lib/watobo/mixins/request_parser.rb +103 -88
- data/lib/watobo/mixins/shapers.rb +42 -11
- data/lib/watobo/mixins/transcoders.rb +61 -57
- data/lib/watobo/mixins.rb +3 -2
- data/lib/watobo/parser/html.rb +106 -0
- data/lib/watobo/parser.rb +22 -0
- data/lib/watobo/utils/check_regex.rb +3 -2
- data/lib/watobo/utils/copy_object.rb +3 -2
- data/lib/watobo/utils/crypto.rb +3 -2
- data/lib/watobo/utils/expand_range.rb +3 -2
- data/lib/watobo/utils/file_management.rb +7 -3
- data/lib/watobo/utils/hexprint.rb +3 -2
- data/lib/watobo/utils/load_chat.rb +4 -3
- data/lib/watobo/utils/load_icon.rb +3 -2
- data/lib/watobo/utils/print_debug.rb +3 -2
- data/lib/watobo/utils/response_builder.rb +6 -4
- data/lib/watobo/utils/response_hash.rb +66 -49
- data/lib/watobo/utils/secure_eval.rb +3 -2
- data/lib/watobo/utils/strings.rb +3 -2
- data/lib/watobo/utils/text2request.rb +4 -5
- data/lib/watobo/utils/url.rb +46 -0
- data/lib/watobo/utils.rb +3 -2
- data/lib/watobo.rb +13 -3
- data/modules/active/Apache/mod_status.rb +15 -11
- data/modules/active/Flash/crossdomain.rb +17 -14
- data/modules/active/RoR/cve_2013_015x.rb +21 -0
- data/modules/active/directories/dirwalker.rb +10 -16
- data/modules/active/discovery/fileextensions.rb +10 -7
- data/modules/active/discovery/http_methods.rb +8 -9
- data/modules/active/domino/domino_db.rb +10 -11
- data/modules/active/dotNET/custom_errors.rb +124 -0
- data/modules/active/dotNET/dotnet_files.rb +112 -0
- data/modules/active/fileinclusion/lfi_simple.rb +9 -7
- data/modules/active/jboss/jboss_basic.rb +12 -9
- data/modules/active/sap/its_commands.rb +10 -9
- data/modules/active/sap/its_service_parameter.rb +10 -9
- data/modules/active/sap/its_services.rb +10 -9
- data/modules/active/sap/its_xss.rb +11 -10
- data/modules/active/siebel/siebel_apps.rb +14 -16
- data/modules/active/sqlinjection/sql_boolean.rb +139 -75
- data/modules/active/sqlinjection/sqli_error.rb +9 -6
- data/modules/active/sqlinjection/sqli_timing.rb +13 -11
- data/modules/active/xml/xml_xxe.rb +134 -0
- data/modules/active/xss/{xss_rated.rb → xss_ng.rb} +89 -56
- data/modules/active/xss/xss_simple.rb +9 -6
- data/modules/passive/ajax.rb +85 -0
- data/modules/passive/autocomplete.rb +78 -0
- data/modules/passive/cookie_options.rb +3 -2
- data/modules/passive/cookie_xss.rb +3 -2
- data/modules/passive/detect_code.rb +7 -4
- data/modules/passive/detect_fileupload.rb +3 -2
- data/modules/passive/detect_infrastructure.rb +7 -4
- data/modules/passive/detect_one_time_tokens.rb +3 -2
- data/modules/passive/dirindexing.rb +3 -2
- data/modules/passive/disclosure_domino.rb +3 -2
- data/modules/passive/disclosure_emails.rb +3 -2
- data/modules/passive/disclosure_ipaddr.rb +3 -2
- data/modules/passive/filename_as_parameter.rb +3 -2
- data/modules/passive/form_spotter.rb +10 -7
- data/modules/passive/hidden_fields.rb +73 -0
- data/modules/passive/hotspots.rb +7 -4
- data/modules/passive/in_script_parameter.rb +3 -2
- data/modules/passive/multiple_server_headers.rb +4 -3
- data/modules/passive/possible_login.rb +3 -2
- data/modules/passive/redirect_url.rb +3 -2
- data/modules/passive/redirectionz.rb +6 -3
- data/modules/passive/xss_dom.rb +16 -9
- data/plugins/catalog/catalog.rb +119 -193
- data/plugins/crawler/crawler.rb +4 -3
- data/plugins/crawler/gui/auth_frame.rb +3 -2
- data/plugins/crawler/gui/crawler_gui.rb +3 -2
- data/plugins/crawler/gui/general_settings_frame.rb +3 -2
- data/plugins/crawler/gui/hooks_frame.rb +3 -2
- data/plugins/crawler/gui/scope_frame.rb +3 -2
- data/plugins/crawler/gui/settings_tabbook.rb +3 -2
- data/plugins/crawler/gui/status_frame.rb +3 -2
- data/plugins/crawler/gui.rb +3 -2
- data/plugins/crawler/lib/bags.rb +3 -2
- data/plugins/crawler/lib/constants.rb +3 -2
- data/plugins/crawler/lib/engine.rb +3 -2
- data/plugins/crawler/lib/grabber.rb +3 -2
- data/plugins/crawler/lib/uri_mp.rb +1 -1
- data/plugins/filefinder/filefinder.rb +92 -70
- data/plugins/sqlmap/bin/test.rb +3 -2
- data/plugins/sqlmap/gui/main.rb +3 -2
- data/plugins/sqlmap/gui/options_frame.rb +4 -3
- data/plugins/sqlmap/gui.rb +1 -1
- data/plugins/sqlmap/lib/sqlmap_ctrl.rb +3 -2
- data/plugins/sqlmap/sqlmap.rb +1 -1
- data/plugins/sslchecker/cli/sslchecker_cli.rb +1 -1
- data/plugins/sslchecker/gui/cipher_table.rb +17 -10
- data/plugins/sslchecker/gui/gui.rb +59 -56
- data/plugins/sslchecker/gui/sslchecker.rb +1 -1
- data/plugins/sslchecker/lib/check.rb +43 -18
- data/plugins/wshell/gui/main.rb +130 -0
- data/plugins/wshell/icons/wsh.ico +0 -0
- data/plugins/wshell/lib/core.rb +99 -0
- data/plugins/wshell/wshell.rb +33 -0
- metadata +80 -8
- data/README +0 -26
- data/lib/watobo/core/http_socket.rb +0 -161
- data/lib/watobo/gui/plugin/base.rb +0 -82
data/.yardopts
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# .
|
|
2
2
|
# .yardopts
|
|
3
3
|
#
|
|
4
|
-
# Copyright
|
|
4
|
+
# Copyright 2013 by siberas, http://www.siberas.de
|
|
5
5
|
#
|
|
6
6
|
# This file is part of WATOBO (Web Application Tool Box)
|
|
7
7
|
# http://watobo.sourceforge.com
|
|
@@ -21,4 +21,4 @@
|
|
|
21
21
|
# .
|
|
22
22
|
--no-private
|
|
23
23
|
*.xxx
|
|
24
|
-
|
|
24
|
+
--files CHANGELOG.md
|
data/{CHANGELOG → CHANGELOG.md}
RENAMED
|
@@ -1,3 +1,65 @@
|
|
|
1
|
+
Version 0.9.13
|
|
2
|
+
===
|
|
3
|
+
News
|
|
4
|
+
---
|
|
5
|
+
**Core**
|
|
6
|
+
|
|
7
|
+
* Faster socket communication!! Now client sockets are reused
|
|
8
|
+
* Big big changes on core modules, e.g. Watobo::Chats or Watobo::Findings.
|
|
9
|
+
* PassiveScanner - passive checks now run in background
|
|
10
|
+
* New DSL-like Plugin Style - digging into Metaprogramming ... check out WShell Plugin!
|
|
11
|
+
|
|
12
|
+
**Modules**
|
|
13
|
+
|
|
14
|
+
* XSS-NG supports "Parameter Prefetching" - using form fields of response as test parameters
|
|
15
|
+
* Hidden Field Spotter
|
|
16
|
+
* Improved boolean SQLi detection
|
|
17
|
+
* added some .NET Checks for well-known files, e.g. Trace.adx and Error Pages /w Stack-Trace
|
|
18
|
+
* XXE (Xml eXternal Entity) check
|
|
19
|
+
* Check html password fields for autocomplete attribute
|
|
20
|
+
|
|
21
|
+
**Plugins**
|
|
22
|
+
|
|
23
|
+
* SSL Checker now also shows the tested method (SSLv3, TLS, ..)
|
|
24
|
+
* WShell - Watobo Shell; With WShell you can execute ruby commands in the context of WATOBO. Very useful for advanced analysis, debugging purposes or simply to explore WATOBO.
|
|
25
|
+
|
|
26
|
+
**GUI**
|
|
27
|
+
|
|
28
|
+
* Parameter names in Table view are now automatically en-/decoded
|
|
29
|
+
* Right-Click on a plugin to get some information about it - only works on new plugins at the moment ...
|
|
30
|
+
* Introduced a new chat viewer with HTML highlighting (based on FXScintilla)
|
|
31
|
+
* ConversationTable: added 'space' hotkey to open "Edit Comment" dialog
|
|
32
|
+
* ConversationTable: added hotkeys for "goto url" navigation
|
|
33
|
+
* ChatViewer: xml/html content gets prettyfied for text- and html-viewer
|
|
34
|
+
* FindingsTree: added counter to finding class
|
|
35
|
+
* FindingsTree: memorize expanded nodes
|
|
36
|
+
* Conversation table filter now opens as a dialog and displays more information
|
|
37
|
+
|
|
38
|
+
Fixes
|
|
39
|
+
---
|
|
40
|
+
**Core**
|
|
41
|
+
|
|
42
|
+
* Bug in parsing multipart requests caused by incorrect boundary handling
|
|
43
|
+
* conversation text filter now works on responses without content-type header
|
|
44
|
+
|
|
45
|
+
**Fuzzer**
|
|
46
|
+
|
|
47
|
+
* fixed generator in fuzzer engine
|
|
48
|
+
|
|
49
|
+
**GUI**
|
|
50
|
+
|
|
51
|
+
* crash after selecting client certs
|
|
52
|
+
* no more swallowing a space-char at the end of a string when b64decoding with short-cuts
|
|
53
|
+
|
|
54
|
+
**Plugins**
|
|
55
|
+
|
|
56
|
+
* Catalog-Scanner: now all placeholders will be replaced
|
|
57
|
+
* SSLChecker now supports more methods and ciphers, incl. SSLv2
|
|
58
|
+
|
|
59
|
+
**Passive Modules**
|
|
60
|
+
|
|
61
|
+
* FormSpotter: now using nokogiri for parsing/extracting <form> information
|
|
62
|
+
|
|
1
63
|
= Version 0.9.12
|
|
2
64
|
== NEW
|
|
3
65
|
* [Module] Siebel Checks: Enumeration of default apps and files, e.g. base.txt
|
data/README.md
ADDED
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
WATOBO - THE Web Application Toolbox
|
|
2
|
+
===
|
|
3
|
+
WATOBO is a security tool for web applications. It is intended to enable security professionals to perform efficient (semi-automated) web application security audits.
|
|
4
|
+
|
|
5
|
+
Most important features:
|
|
6
|
+
|
|
7
|
+
* WATOBO has Session Management capabilities! You can define login scripts as well as logout signatures. So you don’t have to login manually each time you get logged out.
|
|
8
|
+
* WATOB can act as a transparent proxy (requires nfqueue)
|
|
9
|
+
* WATOBO can perform vulnerability checks out of the box
|
|
10
|
+
* WATOBO can perform checks on functions which are protected by Anti-CSRF-/One-Time-Tokens
|
|
11
|
+
* WATOBO supports Inline De-/Encoding, so you don’t have to copy strings to a transcoder and back again. Just do it inside the request/response window with a simple mouse click.
|
|
12
|
+
* WATOBO has smart filter functions, so you can find and navigate to the most interesting parts of the application easily.
|
|
13
|
+
* WATOBO is written in (FX)Ruby and enables you to easily define your own checks
|
|
14
|
+
* WATOBO runs on Windows, Linux, MacOS ... every OS supporting (FX)Ruby
|
|
15
|
+
* WATOBO is free software ( licensed under the GNU General Public License Version 2)
|
|
16
|
+
* It’s by siberas ;)
|
|
17
|
+
|
|
18
|
+
Documentation
|
|
19
|
+
---
|
|
20
|
+
Check out the online documentation and video tutorials at http://watobo.sourceforge.net
|
|
21
|
+
|
|
22
|
+
Tips & Tricks
|
|
23
|
+
---
|
|
24
|
+
* On Linux you should use RVM to install Ruby (http://beginrescueend.com/rvm/install/)
|
|
25
|
+
* Use FoxyProxy or SwitchProxy to easily change your proxy settings
|
|
26
|
+
|
|
27
|
+
|
|
28
|
+
|
|
29
|
+
|
|
30
|
+
|
data/bin/nfq_server.rb
CHANGED
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
# .
|
|
3
3
|
# nfq_server.rb
|
|
4
4
|
#
|
|
5
|
-
# Copyright
|
|
5
|
+
# Copyright 2013 by siberas, http://www.siberas.de
|
|
6
6
|
#
|
|
7
7
|
# This file is part of WATOBO (Web Application Tool Box)
|
|
8
8
|
# http://watobo.sourceforge.com
|
|
@@ -32,7 +32,8 @@ rescue LoadError
|
|
|
32
32
|
exit
|
|
33
33
|
end
|
|
34
34
|
|
|
35
|
-
|
|
35
|
+
# @private
|
|
36
|
+
module Watobo#:nodoc: all
|
|
36
37
|
module NFQ
|
|
37
38
|
class Connections
|
|
38
39
|
attr :nfqueue
|
|
@@ -185,7 +186,7 @@ module Watobo
|
|
|
185
186
|
end
|
|
186
187
|
end
|
|
187
188
|
|
|
188
|
-
DRb.start_service "druby://127.0.0.1:
|
|
189
|
+
DRb.start_service "druby://127.0.0.1:9090", Watobo::NFQ::Connections.new
|
|
189
190
|
#puts DRb.uri
|
|
190
191
|
DRb.thread.join
|
|
191
192
|
|
data/bin/watobo_gui.rb
CHANGED
data/config/scanner.yml
CHANGED
|
@@ -1,17 +1,3 @@
|
|
|
1
|
-
:sid_patterns:
|
|
2
|
-
- name="(sessid)" value="([0-9a-zA-Z!-]*)"
|
|
3
|
-
- (sessid)=([-0-9a-zA-Z_:]*)(;|&)?
|
|
4
|
-
- (SESSIONID)=([-0-9a-zA-Z_:\.\(\)]*)(;|&)?
|
|
5
|
-
- (PHPSESSID)=([0-9a-zA-Z]*)(;|&)?
|
|
6
|
-
- (ASPSESSIONID)\w*=([0-9a-zA-Z]*)(;|&)?
|
|
7
|
-
- (MYSAPSSO2)=([0-9a-zA-Z.=%]*)(;|&)?
|
|
8
|
-
- (ELEXIRSID)=([0-9a-zA-Z!-]*)(;|&)?
|
|
9
|
-
- (SLSID)=([0-9a-zA-Z!-]*)(;|&)?
|
|
10
|
-
- (sid)=([0-9a-z]*)(')?
|
|
11
|
-
- (saplb_\*)=([-0-9a-zA-Z_:\(\)]*)(;|&)?
|
|
12
|
-
- (DomAuthSessId)=([0-9a-zA-Z]*)(;|&)?
|
|
13
|
-
- (wgate)\/([\w]{4,}\/[\w=~]*)(;|&|'|")?
|
|
14
|
-
- (session)=([-0-9a-zA-Z_:\.]*)(;|&)?
|
|
15
1
|
:logout_signatures:
|
|
16
2
|
- ^Location.*login
|
|
17
3
|
:smart_scan: true
|
|
@@ -27,8 +13,5 @@
|
|
|
27
13
|
:scope: {}
|
|
28
14
|
:run_passive_checks: false
|
|
29
15
|
:client_certificates: {}
|
|
30
|
-
:
|
|
31
|
-
- name="(token)" value="([0-9a-zA-Z!-]*)"
|
|
32
|
-
- (token)=([-0-9a-zA-Z_:]*)(;|&)?
|
|
33
|
-
|
|
16
|
+
:auto_login: true
|
|
34
17
|
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
:patterns:
|
|
2
|
+
- name="(sessid)" value="([0-9a-zA-Z!-]*)"
|
|
3
|
+
- (sessid)=([-0-9a-zA-Z_:]*)(;|&)?
|
|
4
|
+
- (SESSIONID)=([-0-9a-zA-Z_:\.\(\)]*)(;|&)?
|
|
5
|
+
- (PHPSESSID)=([0-9a-zA-Z]*)(;|&)?
|
|
6
|
+
- (ASPSESSIONID)\w*=([0-9a-zA-Z]*)(;|&)?
|
|
7
|
+
- (MYSAPSSO2)=([0-9a-zA-Z.=%]*)(;|&)?
|
|
8
|
+
- (ELEXIRSID)=([0-9a-zA-Z!-]*)(;|&)?
|
|
9
|
+
- (SLSID)=([0-9a-zA-Z!-]*)(;|&)?
|
|
10
|
+
- (sid)=([0-9a-z]*)(')?
|
|
11
|
+
- (saplb_\*)=([-0-9a-zA-Z_:\(\)]*)(;|&)?
|
|
12
|
+
- (DomAuthSessId)=([0-9a-zA-Z]*)(;|&)?
|
|
13
|
+
- (wgate)\/([\w]{4,}\/[\w=~]*)(;|&|'|")?
|
|
14
|
+
- (session)=([-0-9a-zA-Z_:\.]*)(;|&)?
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
#!/bin/bash
|
|
2
|
+
iptables -F
|
|
3
|
+
iptables -X
|
|
4
|
+
iptables -t nat -F
|
|
5
|
+
iptables -t nat -X
|
|
6
|
+
iptables -t mangle -F
|
|
7
|
+
iptables -t mangle -X
|
|
8
|
+
iptables -P INPUT ACCEPT
|
|
9
|
+
iptables -P FORWARD ACCEPT
|
|
10
|
+
iptables -P OUTPUT ACCEPT
|
|
11
|
+
|
|
12
|
+
echo "Turning on Natting"
|
|
13
|
+
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
|
14
|
+
|
|
15
|
+
echo "Allowing ip forwarding"
|
|
16
|
+
echo 1 > /proc/sys/net/ipv4/ip_forward
|
|
17
|
+
|
|
@@ -0,0 +1,61 @@
|
|
|
1
|
+
#!/bin/bash
|
|
2
|
+
#===========================
|
|
3
|
+
# WATOBO-Installer for Linux
|
|
4
|
+
#---------------------------
|
|
5
|
+
# Tested on BackTrack 5R2
|
|
6
|
+
#===========================
|
|
7
|
+
# Date: 06.08.2012
|
|
8
|
+
# Author: Andreas Schmidt
|
|
9
|
+
Version=1.1
|
|
10
|
+
#---
|
|
11
|
+
# Version 1.1
|
|
12
|
+
# added libnetfilter-queue-dev package & gem
|
|
13
|
+
# added platform detection
|
|
14
|
+
#---
|
|
15
|
+
|
|
16
|
+
info() {
|
|
17
|
+
printf "\033[36m$*\033[0m\n"
|
|
18
|
+
}
|
|
19
|
+
|
|
20
|
+
head() {
|
|
21
|
+
printf "\033[31m$*\033[0m\n"
|
|
22
|
+
}
|
|
23
|
+
|
|
24
|
+
head "##############################################"
|
|
25
|
+
head "# W A T O B O - I N S T A L L E R #"
|
|
26
|
+
head "##############################################"
|
|
27
|
+
info "Version: $Version"
|
|
28
|
+
gem_opts=""
|
|
29
|
+
platform="Generic"
|
|
30
|
+
file=/etc/issue
|
|
31
|
+
if grep -q "BackTrack" $file
|
|
32
|
+
then
|
|
33
|
+
platform="BackTrack"
|
|
34
|
+
gem_opts="--user-install"
|
|
35
|
+
fi
|
|
36
|
+
|
|
37
|
+
info "Platform: $platform"
|
|
38
|
+
|
|
39
|
+
if [ "$platform" == "BackTrack" ]
|
|
40
|
+
then
|
|
41
|
+
echo "Adding /root/.gem/ruby/1.9.2/bin/ to your PATH .."
|
|
42
|
+
echo 'export PATH=$PATH:/root/.gem/ruby/1.9.2/bin' >> /root/.bashrc
|
|
43
|
+
export PATH=$PATH:/root/.gem/ruby/1.9.2/bin
|
|
44
|
+
#. /root/.bashrc
|
|
45
|
+
fi
|
|
46
|
+
|
|
47
|
+
echo "Installing required gems ..."
|
|
48
|
+
for G in ffi multi_json childprocess selenium-webdriver mechanize fxruby net-http-digest_auth net-http-persistent nokogiri domain_name unf webrobots ntlm-http net-http-pipeline nfqueue watobo
|
|
49
|
+
do
|
|
50
|
+
info ">> $G"
|
|
51
|
+
gem install $gem_opts $G
|
|
52
|
+
done
|
|
53
|
+
|
|
54
|
+
echo "Install libnetfilter for transparent proxy mode"
|
|
55
|
+
apt-get install libnetfilter-queue-dev
|
|
56
|
+
|
|
57
|
+
info "Installation finished."
|
|
58
|
+
echo "Open a new shell and type watobo_gui.rb to start WATOBO."
|
|
59
|
+
echo "For manuals/videos and general information about WATOBO please check:"
|
|
60
|
+
echo "* http://watobo.sourceforge.net/"
|
|
61
|
+
|
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
#!/bin/bash
|
|
2
|
+
# configure your interfaces here
|
|
3
|
+
INT_IN=wlan0
|
|
4
|
+
INT_OUT=eth0
|
|
5
|
+
|
|
6
|
+
echo "= Interface Configuration ="
|
|
7
|
+
echo "Incoming Interface: $INT_IN"
|
|
8
|
+
echo "Outgoing Interface: $INT_OUT"
|
|
9
|
+
|
|
10
|
+
echo "Resetting IPTables ..."
|
|
11
|
+
iptables -F
|
|
12
|
+
iptables -X
|
|
13
|
+
iptables -t nat -F
|
|
14
|
+
iptables -t nat -X
|
|
15
|
+
iptables -t mangle -F
|
|
16
|
+
iptables -t mangle -X
|
|
17
|
+
iptables -P INPUT ACCEPT
|
|
18
|
+
iptables -P FORWARD ACCEPT
|
|
19
|
+
iptables -P OUTPUT ACCEPT
|
|
20
|
+
|
|
21
|
+
echo "Restarting DHCP ..."
|
|
22
|
+
/etc/init.d/dhcp3-server restart
|
|
23
|
+
|
|
24
|
+
echo "Restarting DNS ..."
|
|
25
|
+
/etc/init.d/bind9 restart
|
|
26
|
+
|
|
27
|
+
echo "Enable IP Forwarding ..."
|
|
28
|
+
echo 1 > /proc/sys/net/ipv4/ip_forward
|
|
29
|
+
|
|
30
|
+
echo "Send Packets To NFQUEUE ..."
|
|
31
|
+
iptables -t mangle -A PREROUTING -p tcp -m state --dport 443 --state NEW -j NFQUEUE --queue-num 0
|
|
32
|
+
|
|
33
|
+
echo "Redirect Traffic to WATOBO ..."
|
|
34
|
+
iptables -t nat -A PREROUTING -i $INT_IN -p tcp -m tcp -j REDIRECT --dport 443 --to-ports 8081
|
|
35
|
+
iptables -t nat -A PREROUTING -i $INT_IN -p tcp -m tcp -j REDIRECT --dport 80 --to-ports 8081
|
|
36
|
+
|
|
37
|
+
echo "Turn on Natting ..."
|
|
38
|
+
iptables -t nat -A POSTROUTING -o $INT_OUT -j MASQUERADE
|
|
Binary file
|
|
Binary file
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# .
|
|
2
2
|
# data_store.rb
|
|
3
3
|
#
|
|
4
|
-
# Copyright
|
|
4
|
+
# Copyright 2013 by siberas, http://www.siberas.de
|
|
5
5
|
#
|
|
6
6
|
# This file is part of WATOBO (Web Application Tool Box)
|
|
7
7
|
# http://watobo.sourceforge.com
|
|
@@ -19,7 +19,8 @@
|
|
|
19
19
|
# along with WATOBO; if not, write to the Free Software
|
|
20
20
|
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
21
21
|
# .
|
|
22
|
-
|
|
22
|
+
# @private
|
|
23
|
+
module Watobo#:nodoc: all
|
|
23
24
|
class DataStore
|
|
24
25
|
|
|
25
26
|
@engine = nil
|
|
@@ -28,7 +29,7 @@ module Watobo
|
|
|
28
29
|
@engine
|
|
29
30
|
end
|
|
30
31
|
|
|
31
|
-
def self.
|
|
32
|
+
def self.connect(project_name, session_name)
|
|
32
33
|
a = Watobo::Conf::Datastore.adapter
|
|
33
34
|
store = case
|
|
34
35
|
when 'file'
|
|
@@ -40,10 +41,31 @@ module Watobo
|
|
|
40
41
|
store
|
|
41
42
|
end
|
|
42
43
|
|
|
44
|
+
def self.method_missing(name, *args, &block)
|
|
45
|
+
super unless @engine.respond_to? name
|
|
46
|
+
@engine.send name, *args, &block
|
|
47
|
+
end
|
|
48
|
+
|
|
43
49
|
|
|
44
50
|
end
|
|
45
51
|
|
|
52
|
+
def self.logs
|
|
53
|
+
return "" if DataStore.engine.nil?
|
|
54
|
+
DataStore.engine.logs
|
|
55
|
+
end
|
|
56
|
+
|
|
46
57
|
def self.log(message, prefs={})
|
|
58
|
+
|
|
59
|
+
text = message
|
|
60
|
+
if message.is_a? Array
|
|
61
|
+
text = message.join("\n| ")
|
|
62
|
+
end
|
|
63
|
+
|
|
64
|
+
#clean up sender's name
|
|
65
|
+
if prefs.has_key? :sender
|
|
66
|
+
prefs[:sender].gsub!(/.*::/,'')
|
|
67
|
+
end
|
|
68
|
+
|
|
47
69
|
if DataStore.engine.respond_to? :logger
|
|
48
70
|
DataStore.engine.logger message, prefs
|
|
49
71
|
end
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# .
|
|
2
2
|
# file_store.rb
|
|
3
3
|
#
|
|
4
|
-
# Copyright
|
|
4
|
+
# Copyright 2013 by siberas, http://www.siberas.de
|
|
5
5
|
#
|
|
6
6
|
# This file is part of WATOBO (Web Application Tool Box)
|
|
7
7
|
# http://watobo.sourceforge.com
|
|
@@ -19,7 +19,8 @@
|
|
|
19
19
|
# along with WATOBO; if not, write to the Free Software
|
|
20
20
|
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
21
21
|
# .
|
|
22
|
-
|
|
22
|
+
# @private
|
|
23
|
+
module Watobo#:nodoc: all
|
|
23
24
|
class FileSessionStore < SessionStore
|
|
24
25
|
def num_chats
|
|
25
26
|
get_file_list(@conversation_path, "*-chat*").length
|
|
@@ -149,10 +150,10 @@ module Watobo
|
|
|
149
150
|
wsp = Watobo.workspace_path
|
|
150
151
|
return false unless File.exist? wsp
|
|
151
152
|
puts "* using workspace path: #{wsp}" if $DEBUG
|
|
152
|
-
|
|
153
|
+
|
|
153
154
|
@log_file = nil
|
|
154
155
|
@log_lock = Mutex.new
|
|
155
|
-
|
|
156
|
+
|
|
156
157
|
@project_path = File.join(wsp, project_name)
|
|
157
158
|
unless File.exist? @project_path
|
|
158
159
|
puts "* create project path: #{@project_path}" if $DEBUG
|
|
@@ -197,7 +198,7 @@ module Watobo
|
|
|
197
198
|
end
|
|
198
199
|
end
|
|
199
200
|
end
|
|
200
|
-
|
|
201
|
+
|
|
201
202
|
@log_file = File.join(@log_path, session_name + ".log")
|
|
202
203
|
|
|
203
204
|
# @chat_files = get_file_list(@conversation_path, "*-chat")
|
|
@@ -255,21 +256,29 @@ module Watobo
|
|
|
255
256
|
s
|
|
256
257
|
|
|
257
258
|
end
|
|
258
|
-
|
|
259
|
+
|
|
260
|
+
def logs
|
|
261
|
+
l = ''
|
|
262
|
+
@log_lock.synchronize do
|
|
263
|
+
l = File.open(@log_file).read
|
|
264
|
+
end
|
|
265
|
+
l
|
|
266
|
+
end
|
|
267
|
+
|
|
259
268
|
def logger( message, prefs = {} )
|
|
260
269
|
opts = { :sender => "unknown", :level => Watobo::Constants::LOG_INFO }
|
|
261
270
|
opts.update prefs
|
|
262
271
|
return false if @log_file.nil?
|
|
263
272
|
begin
|
|
264
|
-
|
|
273
|
+
t = Time.now
|
|
265
274
|
now = t.strftime("%m/%d/%Y @ %H:%M:%S")
|
|
266
275
|
log_message = [ now ]
|
|
267
276
|
log_message << "#{opts[:sender]}"
|
|
268
277
|
if message.is_a? Array
|
|
269
278
|
log_message << message.join("\n| ")
|
|
270
279
|
log_message << "\n-"
|
|
271
|
-
else
|
|
272
|
-
|
|
280
|
+
else
|
|
281
|
+
log_message << message
|
|
273
282
|
end
|
|
274
283
|
@log_lock.synchronize do
|
|
275
284
|
File.open(@log_file,"a") do |lfh|
|
|
@@ -279,8 +288,7 @@ module Watobo
|
|
|
279
288
|
rescue => bang
|
|
280
289
|
puts bang
|
|
281
290
|
end
|
|
282
|
-
|
|
283
|
-
|
|
291
|
+
|
|
284
292
|
end
|
|
285
293
|
|
|
286
294
|
private
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# .
|
|
2
2
|
# session_store.rb
|
|
3
3
|
#
|
|
4
|
-
# Copyright
|
|
4
|
+
# Copyright 2013 by siberas, http://www.siberas.de
|
|
5
5
|
#
|
|
6
6
|
# This file is part of WATOBO (Web Application Tool Box)
|
|
7
7
|
# http://watobo.sourceforge.com
|
|
@@ -19,7 +19,8 @@
|
|
|
19
19
|
# along with WATOBO; if not, write to the Free Software
|
|
20
20
|
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
21
21
|
# .
|
|
22
|
-
|
|
22
|
+
# @private
|
|
23
|
+
module Watobo#:nodoc: all
|
|
23
24
|
class SessionStore
|
|
24
25
|
|
|
25
26
|
# TODO: Define default methods here
|
data/lib/watobo/adapters.rb
CHANGED
data/lib/watobo/ca.rb
CHANGED
data/lib/watobo/config.rb
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# .
|
|
2
2
|
# config.rb
|
|
3
3
|
#
|
|
4
|
-
# Copyright
|
|
4
|
+
# Copyright 2013 by siberas, http://www.siberas.de
|
|
5
5
|
#
|
|
6
6
|
# This file is part of WATOBO (Web Application Tool Box)
|
|
7
7
|
# http://watobo.sourceforge.com
|
|
@@ -19,7 +19,8 @@
|
|
|
19
19
|
# along with WATOBO; if not, write to the Free Software
|
|
20
20
|
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
21
21
|
# .
|
|
22
|
-
|
|
22
|
+
# @private
|
|
23
|
+
module Watobo#:nodoc: all
|
|
23
24
|
module Conf
|
|
24
25
|
|
|
25
26
|
@@settings = Hash.new
|
|
@@ -33,15 +34,15 @@ module Watobo
|
|
|
33
34
|
@@modules.length
|
|
34
35
|
end
|
|
35
36
|
|
|
36
|
-
def self.load_project_settings(
|
|
37
|
+
def self.load_project_settings()
|
|
37
38
|
@@modules.each do |m|
|
|
38
|
-
m.load_project(
|
|
39
|
+
m.load_project()
|
|
39
40
|
end
|
|
40
41
|
end
|
|
41
42
|
|
|
42
|
-
def self.load_session_settings(
|
|
43
|
+
def self.load_session_settings()
|
|
43
44
|
@@modules.each do |m|
|
|
44
|
-
m.load_session(
|
|
45
|
+
m.load_session()
|
|
45
46
|
end
|
|
46
47
|
end
|
|
47
48
|
|
|
@@ -80,29 +81,28 @@ module Watobo
|
|
|
80
81
|
@settings = YAML.load(YAML.dump(settings))
|
|
81
82
|
end
|
|
82
83
|
|
|
83
|
-
def self.save_session(
|
|
84
|
-
raise ArgumentError, "Need a valid Watobo::DataStore" unless data_store.respond_to? :save_project_settings
|
|
84
|
+
def self.save_session( *filter, &b)
|
|
85
|
+
#raise ArgumentError, "Need a valid Watobo::DataStore" unless data_store.respond_to? :save_project_settings
|
|
85
86
|
s = filter_settings filter
|
|
86
87
|
yield s if block_given?
|
|
87
88
|
# puts group_name
|
|
88
|
-
|
|
89
|
+
Watobo::DataStore.save_session_settings( group_name, s )
|
|
89
90
|
end
|
|
90
91
|
|
|
91
|
-
def self.save_project(
|
|
92
|
-
|
|
92
|
+
def self.save_project( *filter, &b)
|
|
93
|
+
# raise ArgumentError, "Need a valid Watobo::DataStore" unless data_store.respond_to? :save_project_settings
|
|
93
94
|
s = filter_settings filter
|
|
94
95
|
# puts @settings.to_yaml
|
|
95
96
|
# puts s.to_yaml
|
|
96
|
-
|
|
97
|
+
Watobo::DataStore.save_project_settings(group_name, s)
|
|
97
98
|
end
|
|
98
99
|
|
|
99
|
-
def self.load_session(
|
|
100
|
-
raise ArgumentError, "Need a valid Watobo::DataStore" unless data_store.respond_to? :load_project_settings
|
|
100
|
+
def self.load_session(prefs={}, &b)
|
|
101
101
|
|
|
102
102
|
p = { :update => true }
|
|
103
103
|
p.update prefs
|
|
104
104
|
|
|
105
|
-
s =
|
|
105
|
+
s = Watobo::DataStore.load_session_settings(group_name)
|
|
106
106
|
return false if s.nil?
|
|
107
107
|
|
|
108
108
|
if p[:update] == true
|
|
@@ -112,13 +112,11 @@ module Watobo
|
|
|
112
112
|
end
|
|
113
113
|
end
|
|
114
114
|
|
|
115
|
-
def self.load_project(
|
|
116
|
-
raise ArgumentError, "Need a valid Watobo::DataStore" unless data_store.respond_to? :load_project_settings
|
|
117
|
-
|
|
115
|
+
def self.load_project(prefs={}, &b)
|
|
118
116
|
p = { :update => true }
|
|
119
117
|
p.update prefs
|
|
120
118
|
|
|
121
|
-
s =
|
|
119
|
+
s = Watobo::DataStore.load_project_settings(group_name)
|
|
122
120
|
return false if s.nil?
|
|
123
121
|
|
|
124
122
|
if p[:update] == true
|
data/lib/watobo/constants.rb
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# .
|
|
2
2
|
# constants.rb
|
|
3
3
|
#
|
|
4
|
-
# Copyright
|
|
4
|
+
# Copyright 2013 by siberas, http://www.siberas.de
|
|
5
5
|
#
|
|
6
6
|
# This file is part of WATOBO (Web Application Tool Box)
|
|
7
7
|
# http://watobo.sourceforge.com
|
|
@@ -24,7 +24,8 @@ $debug_active_check = false
|
|
|
24
24
|
$debug_scanner = false
|
|
25
25
|
|
|
26
26
|
|
|
27
|
-
|
|
27
|
+
# @private
|
|
28
|
+
module Watobo#:nodoc: all
|
|
28
29
|
module Constants
|
|
29
30
|
CHAT_SOURCE_UNDEF = 0x00
|
|
30
31
|
CHAT_SOURCE_INTERCEPT = 0x01
|