cpd-sec 0.2.9__py3-none-any.whl

cpd/cli.py

@@ -0,0 +1,315 @@
+import click
+import sys
+import asyncio
+from typing import TextIO
+from cpd.utils.logger import setup_logger, logger
+from cpd.engine import Engine
+
+import os
+import time
+import json
+import requests
+from importlib.metadata import version, PackageNotFoundError
+
+def check_for_updates(quiet=False):
+    """
+    Check for updates on PyPI with local caching to prevent frequent requests.
+    """
+    cache_dir = os.path.expanduser("~/.cpd")
+    cache_file = os.path.join(cache_dir, "update_check.json")
+    
+    # 1. Ensure cache directory exists
+    if not os.path.exists(cache_dir):
+        try:
+            os.makedirs(cache_dir, exist_ok=True)
+        except OSError:
+            return # Fail silently if we can't write
+
+    # 2. Check local cache (debounce 24h)
+    now = time.time()
+    try:
+        if os.path.exists(cache_file):
+            with open(cache_file, 'r') as f:
+                data = json.load(f)
+                last_checked = data.get('last_checked', 0)
+                # If checked within last 24 hours (86400 seconds), skip
+                if now - last_checked < 86400:
+                    return
+    except Exception:
+        pass # Ignore cache read errors
+
+    # 3. Query PyPI
+    try:
+        # Get installed version
+        try:
+            current_version = version("cpd-sec")
+        except PackageNotFoundError:
+            current_version = "0.0.0"
+
+        # Fetch latest from PyPI
+        resp = requests.get("https://pypi.org/pypi/cpd-sec/json", timeout=2)
+        if resp.status_code == 200:
+            info = resp.json()
+            latest_version = info['info']['version']
+            
+            # Simple string comparison or semver? PyPI versions usually sortable.
+            # Use packaging.version if available, or simple check.
+            # Assuming simple check for now:
+            if latest_version != current_version and latest_version > current_version:
+                 msg = f"\n[+] A new version of CPD is available ({latest_version})! Run 'pip install --upgrade cpd-sec' to update.\n"
+                 if not quiet:
+                     click.secho(msg, fg="green", bold=True)
+        
+        # 4. Update Cache
+        with open(cache_file, 'w') as f:
+            json.dump({'last_checked': now, 'latest_seen': latest_version}, f)
+
+    except Exception:
+        # Fail silently on network errors, timeouts, or parse errors
+        pass
+
+def get_version():
+    try:
+        return version("cpd-sec")
+    except PackageNotFoundError:
+        return "unknown"
+
+@click.group()
+@click.version_option(version=get_version())
+@click.option('--verbose', '-v', is_flag=True, help="Enable verbose logging.")
+@click.option('--quiet', '-q', is_flag=True, help="Suppress informational output.")
+@click.option('--log-level', '-l', help="Set log level (DEBUG, INFO, WARNING, ERROR, CRITICAL). overrides -v and -q.")
+def cli(verbose, quiet, log_level):
+    """
+    CachePoisonDetector (CPD) - A tool for detecting web cache poisoning vulnerabilities.
+    """
+    setup_logger(verbose, quiet, log_level)
+    
+    # Auto-check for updates on run (skip if quiet to avoid breaking pipelines)
+    if not quiet:
+        check_for_updates(quiet=True)
+
+@cli.command()
+def update():
+    """
+    Check for updates and show upgrade instructions.
+    """
+    logger.info("Checking for updates...")
+    # Force check (bypass cache implicitly by always running check logic? No, check_for_updates uses cache)
+    # So we should probably bypass cache here.
+    
+    try:
+        from importlib.metadata import version, PackageNotFoundError
+        try:
+            current = version("cpd-sec")
+        except PackageNotFoundError:
+            current = "unknown"
+            
+        logger.info(f"Current version: {current}")
+        
+        import requests
+        resp = requests.get("https://pypi.org/pypi/cpd-sec/json", timeout=5)
+        if resp.status_code == 200:
+            latest = resp.json()['info']['version']
+            if latest != current and latest > current:
+                click.secho(f"[+] Update available: {latest}", fg="green", bold=True)
+                click.secho("Run the following command to upgrade:", fg="white")
+                click.secho("    pip install --upgrade cpd-sec", fg="cyan", bold=True)
+            else:
+                click.secho(f"[+] You are using the latest version ({current}).", fg="green")
+        else:
+            logger.error("Failed to fetch update info from PyPI.")
+    except Exception as e:
+        logger.error(f"Update check failed: {e}")
+
+
+@cli.command()
+@click.option('--url', '-u', help="Single URL to scan.")
+@click.option('--file', '-f', type=click.File('r'), help="File containing URLs to scan.")
+@click.option('--request-file', '-r', '-burp', type=click.File('r'), help="File containing raw HTTP request (Burp format).")
+@click.option('--raw', help="Raw HTTP request string (use with caution).")
+@click.option('--concurrency', '-c', default=50, help="Max concurrent requests.")
+@click.option('--header', '-h', multiple=True, help="Custom header (e.g. 'Cookie: foo=bar'). Can be used multiple times.")
+@click.option('--output', '-o', help="File to save JSON results to.")
+def scan(url, file, request_file, raw, concurrency, header, output):
+    """
+    Scan one or more URLs for cache poisoning vulnerabilities.
+    """
+    from cpd.utils.parser import parse_raw_request
+
+    # Parse headers
+    custom_headers = {}
+    if header:
+        for h in header:
+            if ':' in h:
+                key, value = h.split(':', 1)
+                custom_headers[key.strip()] = value.strip()
+            else:
+                logger.warning(f"Invalid header format: {h}. Expected 'Key: Value'")
+
+    urls = []
+    if url:
+        urls.append(url)
+    
+    if file:
+        for line in file:
+            line = line.strip()
+            if line:
+                urls.append(line)
+    
+    # Check for stdin
+    if not url and not file and not sys.stdin.isatty():
+        for line in sys.stdin:
+            line = line.strip()
+            if line:
+                urls.append(line)
+
+    if not urls:
+        # Handle Raw Request
+        if request_file or raw:
+            content = request_file.read() if request_file else raw
+            try:
+                parsed = parse_raw_request(content)
+                logger.info(f"Loaded raw request: {parsed['method']} {parsed['url']}")
+                urls.append(parsed['url'])
+                
+                # Merge headers
+                combined = parsed['headers']
+                combined.update(custom_headers)
+                custom_headers = combined
+            except Exception as e:
+                logger.error(f"Failed to parse raw request: {e}")
+                return
+
+    if not urls:
+        logger.error("No targets specified. Use --url, --file, --request-file, or pipe URLs via stdin.")
+        return
+
+    logger.info(f"Starting scan for {len(urls)} URLs with concurrency {concurrency}")
+    
+    engine = Engine(concurrency=concurrency, headers=custom_headers)
+    findings = asyncio.run(engine.run(urls))
+    
+    if findings:
+        import json
+        logger.info(f"Total findings: {len(findings)}")
+        print(json.dumps(findings, indent=2))
+        
+        if output:
+            try:
+                with open(output, 'w') as f:
+                    json.dump(findings, f, indent=2)
+                logger.info(f"Results saved to {output}")
+            except IOError as e:
+                logger.error(f"Failed to write results to {output}: {e}")
+    else:
+        logger.info("No vulnerabilities found.")
+
+@cli.command()
+@click.option('--url', '-u', required=True, help="Target URL to validate.")
+@click.option('--header', '-H', required=True, help="Header to inject (e.g. 'X-Forwarded-Host: evil.com').")
+@click.option('--method', '-m', default="GET", help="HTTP Method (default: GET).")
+@click.option('--body', '-b', help="Request body.")
+def validate(url, header, method, body):
+    """
+    Manually validate a potential vulnerability by running a step-by-step analysis.
+    """
+    import asyncio
+    import time
+    from cpd.http_client import HttpClient
+    
+    async def _run_validation():
+        headers = {}
+        if ':' in header:
+            key, value = header.split(':', 1)
+            headers[key.strip()] = value.strip()
+        else:
+            logger.error("Invalid header format. Expected 'Key: Value'")
+            return
+
+        async with HttpClient() as client:
+            # 1. Baseline
+            logger.info("[1/4] Fetching Baseline...")
+            cb_base = f"cb={int(time.time())}_base"
+            url_base = f"{url}?{cb_base}" if '?' not in url else f"{url}&{cb_base}"
+            baseline = await client.request(method, url_base, data=body)
+            if not baseline:
+                logger.error("Failed to fetch baseline.")
+                return
+            logger.info(f"Baseline: Status {baseline['status']}, Length {len(baseline['body'])}")
+
+            # 2. Poison Attempt
+            logger.info(f"[2/4] Attempting Poison with {header}...")
+            cb_poison = f"cb={int(time.time())}_poison"
+            url_poison = f"{url}?{cb_poison}" if '?' not in url else f"{url}&{cb_poison}"
+            poison = await client.request(method, url_poison, headers=headers, data=body)
+            if not poison:
+                logger.error("Failed to fetch poison request.")
+                return
+            
+            logger.info(f"Poison Response: Status {poison['status']}, Length {len(poison['body'])}")
+            
+            # Check if poison differed from baseline (ignoring cache buster diffs)
+            # We can't strict check body because timestamps might change, but check status/headers
+            if poison['status'] != baseline['status']:
+                 logger.info(f"-> Poison caused status change: {baseline['status']} -> {poison['status']}")
+            elif len(poison['body']) != len(baseline['body']):
+                 logger.info(f"-> Poison caused length change: {len(baseline['body'])} -> {len(poison['body'])}")
+            else:
+                 logger.warning("-> Poison response identical to baseline (ignoring body content). Attack might have failed.")
+
+            # 3. Verification (Clean Request)
+            logger.info("[3/4] Verifying (Fetching clean URL with same cache key)...")
+            # Reuse url_poison which has the cache buster we tried to poison
+            verify = await client.request("GET", url_poison)
+            if not verify:
+                logger.error("Failed to fetch verify request.")
+                return
+
+            logger.info(f"Verify Response: Status {verify['status']}, Length {len(verify['body'])}")
+            
+            is_hit = False
+            if verify['body'] == poison['body']:
+                logger.info("-> Verify match Poison: YES (Potential Cache Hit)")
+                is_hit = True
+            else:
+                logger.info("-> Verify match Poison: NO (Cache Miss or Dynamic)")
+
+            if verify['body'] == baseline['body']:
+                 logger.info("-> Verify match Baseline: YES")
+            
+            # 4. Fresh Baseline (Drift Check)
+            logger.info("[4/4] Checking Fresh Baseline (for drift)...")
+            cb_fresh = f"cb={int(time.time())}_fresh"
+            url_fresh = f"{url}?{cb_fresh}" if '?' not in url else f"{url}&{cb_fresh}"
+            fresh = await client.request(method, url_fresh, data=body)
+            
+            logger.info(f"Fresh Response: Status {fresh['status']}, Length {len(fresh['body'])}")
+            
+            # Final Analysis
+            print("\n--- Analysis ---")
+            if not is_hit:
+                print("RESULT: Safe. Verification request did not return the poisoned content.")
+                return
+
+            # It was a hit (Verify == Poison)
+            # Logic Fix Check:
+            if len(fresh['body']) == len(verify['body']):
+                 print("RESULT: False Positive (Benign).")
+                 print("Reason: The 'poisoned' content is identical length to a fresh baseline.")
+                 print("The server likely ignored the malicious header, and the site returned standard dynamic content.")
+                 return
+            
+            if fresh['body'] == verify['body']:
+                 print("RESULT: False Positive (Drift).")
+                 print("Reason: Fresh baseline matches the 'poisoned' content. The site just changed naturally.")
+                 return
+
+            print("RESULT: POTENTIAL VULNERABILITY!")
+            print("Reason: Verification matched Poison, but Fresh Baseline differs.")
+            print("The cache appears to be poisoning clean requests with the malicious response.")
+
+    asyncio.run(_run_validation())
+
+if __name__ == "__main__":
+    cli()

cpd/engine.py

@@ -0,0 +1,90 @@
+import asyncio
+from typing import List, Dict
+from cpd.http_client import HttpClient
+from cpd.utils.logger import logger
+
+class Engine:
+    def __init__(self, concurrency: int = 50, timeout: int = 10, headers: Dict[str, str] = None):
+        self.concurrency = concurrency
+        self.timeout = timeout
+        self.headers = headers or {}
+        self.headers = headers or {}
+
+    async def run(self, urls: List[str]):
+        """
+        Main execution loop.
+        """
+        # Worker Pool Pattern
+        queue = asyncio.Queue()
+        
+        # Populate queue
+        for url in urls:
+            queue.put_nowait(url)
+            
+        # Create workers
+        workers = []
+        all_findings = []
+        
+        async def worker():
+             while True:
+                 try:
+                     url = queue.get_nowait()
+                 except asyncio.QueueEmpty:
+                     break
+                 
+                 try:
+                     result = await self._process_url(client, url)
+                     if result:
+                         all_findings.extend(result)
+                 except Exception as e:
+                     logger.error(f"Error processing {url}: {e}")
+                 finally:
+                     queue.task_done()
+
+        async with HttpClient(timeout=self.timeout) as client:
+            # Launch workers
+            for _ in range(self.concurrency):
+                workers.append(asyncio.create_task(worker()))
+            
+            # Wait for all workers to finish
+            await asyncio.gather(*workers)
+            
+            return all_findings
+
+    async def _process_url(self, client: HttpClient, url: str):
+        from cpd.logic.baseline import BaselineAnalyzer
+        
+        
+        # No semaphore needed, worker count limits concurrency
+        logger.info(f"Processing {url}")
+        
+        # 0. Cache Validation
+        from cpd.logic.validator import CacheValidator
+        validator = CacheValidator()
+        is_cached, reason = await validator.analyze(client, url)
+        
+        if is_cached:
+            logger.info(f"Cache detected on {url}: {reason}")
+        else:
+             logger.warning(f"Target {url} does not appear to be using a cache ({reason}). Findings might be invalid.")
+            
+        # 1. Baseline Analysis
+        analyzer = BaselineAnalyzer(headers=self.headers)
+        baseline = await analyzer.analyze(client, url)
+        
+        if not baseline:
+            logger.error(f"Could not establish baseline for {url}")
+            return
+
+        logger.info(f"Baseline established for {url} - Stable: {baseline.is_stable}, Hash: {baseline.body_hash[:8]}")
+        
+        # 2. Poisoning Simulation
+        from cpd.logic.poison import Poisoner
+        poisoner = Poisoner(baseline, headers=self.headers)
+        findings = await poisoner.run(client)
+        if findings:
+            logger.info(f"Scan finished for {url} - Findings: {len(findings)}")
+            return findings
+        else:
+            logger.info(f"Scan finished for {url} - No vulnerabilities found")
+            return []

cpd/http_client.py

@@ -0,0 +1,36 @@
+import aiohttp
+import asyncio
+from typing import Optional, Dict, Any
+from cpd.utils.logger import logger
+
+class HttpClient:
+    def __init__(self, timeout: int = 10, proxy: Optional[str] = None):
+        self.timeout = aiohttp.ClientTimeout(total=timeout)
+        self.proxy = proxy
+        self.session: Optional[aiohttp.ClientSession] = None
+
+    async def __aenter__(self):
+        self.session = aiohttp.ClientSession(timeout=self.timeout)
+        return self
+
+    async def __aexit__(self, exc_type, exc_val, exc_tb):
+        if self.session:
+            await self.session.close()
+
+    async def request(self, method: str, url: str, headers: Optional[Dict[str, str]] = None, **kwargs) -> Any:
+        if not self.session:
+            raise RuntimeError("Session not initialized. Use 'async with' context manager.")
+
+        try:
+            async with self.session.request(method, url, headers=headers, proxy=self.proxy, **kwargs) as response:
+                # Read body immediately to release connection
+                body = await response.read()
+                return {
+                    "status": response.status,
+                    "headers": dict(response.headers),
+                    "body": body,
+                    "url": str(response.url)
+                }
+        except Exception as e:
+            logger.debug(f"Request failed for {url}: {str(e)}")
+            return None

cpd/logic/baseline.py

@@ -0,0 +1,58 @@
+import hashlib
+from typing import Dict, Optional
+from dataclasses import dataclass
+from cpd.http_client import HttpClient
+from cpd.utils.logger import logger
+
+@dataclass
+class Baseline:
+    url: str
+    status: int
+    headers: Dict[str, str]
+    body_hash: str
+    body: bytes = b""
+    is_stable: bool = True
+
+class BaselineAnalyzer:
+    def __init__(self, iterations: int = 3, headers: Dict[str, str] = None):
+        self.iterations = iterations
+        self.headers = headers or {}
+
+    async def analyze(self, client: HttpClient, url: str) -> Optional[Baseline]:
+        """
+        Fetch the URL multiple times to establish a baseline.
+        """
+        responses = []
+        for i in range(self.iterations):
+            resp = await client.request("GET", url, headers=self.headers)
+            if not resp:
+                logger.warning(f"Failed to fetch baseline for {url} (attempt {i+1})")
+                continue
+            responses.append(resp)
+        
+        if not responses:
+            return None
+
+        # Analyze stability
+        first = responses[0]
+        first_hash = self._calculate_hash(first['body'])
+        
+        is_stable = True
+        for resp in responses[1:]:
+            current_hash = self._calculate_hash(resp['body'])
+            if current_hash != first_hash:
+                is_stable = False
+                logger.info(f"Baseline instability detected for {url}")
+                break
+        
+        return Baseline(
+            url=url,
+            status=first['status'],
+            headers=first['headers'],
+            body_hash=first_hash,
+            body=first['body'],
+            is_stable=is_stable
+        )
+
+    def _calculate_hash(self, body: bytes) -> str:
+        return hashlib.sha256(body).hexdigest()