void ReportLocalFileInclude()
{
this.Scnr.SetTraceTitle("Local File Include Found", 10);
Finding pr = new Finding(this.Scnr.InjectedRequest.BaseUrl);
pr.Title = "Local File Include Found";
pr.Summary = string.Format("{0}<i<br>><i<br>>{1}", this.GetFindingOpeningDesc("Local File Include/Path Traversal"), this.GetSummary());
foreach (FindingReason reason in this.Reasons)
{
pr.AddReason(reason);
}
for (int i = 0; i < this.RequestTriggers.Count; i++)
{
pr.Triggers.Add(this.RequestTriggers[i], this.RequestTriggerDescs[i], this.TriggerRequests[i], this.ResponseTriggers[i], this.ResponseTriggerDescs[i], this.TriggerResponses[i]);
}
pr.Type = FindingType.Vulnerability;
pr.Severity = FindingSeverity.High;
if (this.ConfidenceLevel == 3)
{
pr.Confidence = FindingConfidence.High;
}
else if (this.ConfidenceLevel == 2)
{
pr.Confidence = FindingConfidence.Medium;
}
else
{
pr.Confidence = FindingConfidence.Low;
}
this.Scnr.AddFinding(pr);
}
void ReportRemoteFileInclude()
{
Finding pr = new Finding(this.Scnr.InjectedRequest.BaseUrl);
pr.Title = "Remote File Include Found";
//#pr.Summary = "Remote File Include been detected in the '{0}' parameter of the {1} section of the request.<i<br>>This was tested by injecting a payload with a unique domain name, then time taken to fetch the response is noted. If subsequent requests with the same payload return quicker then it is inferred that DNS cachcing of the domain name in the payload by the server has sped up the response times.<i<br>><i<br>><i<hh>>Test Trace:<i</hh>>{2}".format(this.Scnr.InjectedParameter, this.Scnr.InjectedSection, this.Scnr.GetTrace());
pr.Summary = string.Format("{0}<i<br>><i<br>>{1}", this.GetFindingOpeningDesc("Remote File Include"), this.GetSummary());
foreach (FindingReason reason in this.Reasons)
{
pr.AddReason(reason);
}
for (int i = 0; i < this.RequestTriggers.Count; i++)
{
pr.Triggers.Add(this.RequestTriggers[i], this.RequestTriggerDescs[i], this.TriggerRequests[i], this.ResponseTriggers[i], this.ResponseTriggerDescs[i], this.TriggerResponses[i]);
}
pr.Type = FindingType.Vulnerability;
pr.Severity = FindingSeverity.High;
if (this.ConfidenceLevel == 3)
{
pr.Confidence = FindingConfidence.High;
}
else if (this.ConfidenceLevel == 2)
{
pr.Confidence = FindingConfidence.Medium;
}
else
{
pr.Confidence = FindingConfidence.Low;
}
this.Scnr.AddFinding(pr);
this.Scnr.SetTraceTitle("Remote File Include", 10);
}
internal static void AddPluginResult(Finding PR)
{
if (PR != null)
{
lock (PluginResultQ)
{
PluginResultQ.Enqueue(PR);
}
}
}
void ReportCRLFInjection(string req_trigger, string req_trigger_desc, string res_trigger, string res_trigger_desc)
{
this.Scnr.SetTraceTitle("Header Injection Found", 10);
Finding pr = new Finding(this.Scnr.InjectedRequest.BaseUrl);
pr.Title = "Header Injection Found";
pr.Summary = string.Format("{0}<i<br>><i<br>>{1}", this.GetFindingOpeningDesc("Header Injection"), this.GetSummary());
pr.AddReason(this.reason);
pr.Triggers.Add(req_trigger, req_trigger_desc, this.Scnr.InjectedRequest, res_trigger, res_trigger_desc, this.Scnr.InjectionResponse);
pr.Type = FindingType.Vulnerability;
pr.Severity = FindingSeverity.High;
pr.Confidence = FindingConfidence.High;
this.Scnr.AddFinding(pr);
}
static void StartModuleOnFinding(object ModuleDisplayNameFindingId)
{
List <object> Args = (List <object>)ModuleDisplayNameFindingId;
string ModuleDisplayName = Args[0].ToString();
int FindingId = (int)Args[1];
if (FindingId == -1)
{
return;
}
Finding PR = IronDB.GetPluginResultFromDB(FindingId);
Module M = GetModuleFromDisplayName(ModuleDisplayName, FINDING);
if (M != null)
{
M.ThreadId = IronThread.ThreadId;
M.StartModuleOnFinding(PR);
}
}
void ReportCommandInjection()
{
this.Scnr.SetTraceTitle("Command Injection Found", 10);
Finding pr = new Finding(this.Scnr.InjectedRequest.BaseUrl);
pr.Title = "Command Injection Found";
pr.Summary = string.Format("{0}<i<br>><i<br>>{1}", this.GetFindingOpeningDesc("Command Injection"), this.GetSummary());
foreach (FindingReason reason in this.Reasons)
{
pr.AddReason(reason);
}
for (int i = 0; i < this.RequestTriggers.Count; i++)
{
pr.Triggers.Add(this.RequestTriggers[i], this.RequestTriggerDescs[i], this.TriggerRequests[i], this.ResponseTriggers[i], this.ResponseTriggerDescs[i], this.TriggerResponses[i]);
}
pr.Type = FindingType.Vulnerability;
pr.Severity = FindingSeverity.High;
pr.Confidence = FindingConfidence.High;
this.Scnr.AddFinding(pr);
}
public virtual void StartModuleOnFinding(Finding Result)
{
}
void ReportSSI(string req_trigger, string req_trigger_desc, string res_trigger, string res_trigger_desc)
{
this.Scnr.SetTraceTitle("Server Side Includes Injection Found", 10);
Finding pr = new Finding(this.Scnr.InjectedRequest.BaseUrl);
pr.Title = "Server Side Includes Injection Found";
pr.Summary = string.Format("{0}<i<br>><i<br>>{1}", this.GetFindingOpeningDesc("Server Side Includes Injection"), this.GetSummary());
pr.AddReason(this.reason);
pr.Triggers.Add(req_trigger, req_trigger_desc, this.Scnr.InjectedRequest, res_trigger, res_trigger_desc, this.Scnr.InjectionResponse);
pr.Type = FindingType.Vulnerability;
pr.Severity = FindingSeverity.High;
pr.Confidence = FindingConfidence.High;
this.Scnr.AddFinding(pr);
}
void ReportRemoteFileInclude()
{
Finding pr = new Finding(this.Scnr.InjectedRequest.BaseUrl);
pr.Title = "Remote File Include Found";
//#pr.Summary = "Remote File Include been detected in the '{0}' parameter of the {1} section of the request.<i<br>>This was tested by injecting a payload with a unique domain name, then time taken to fetch the response is noted. If subsequent requests with the same payload return quicker then it is inferred that DNS cachcing of the domain name in the payload by the server has sped up the response times.<i<br>><i<br>><i<hh>>Test Trace:<i</hh>>{2}".format(this.Scnr.InjectedParameter, this.Scnr.InjectedSection, this.Scnr.GetTrace());
pr.Summary = string.Format("{0}<i<br>><i<br>>{1}", this.GetFindingOpeningDesc("Remote File Include"), this.GetSummary());
foreach (FindingReason reason in this.Reasons)
{
pr.AddReason(reason);
}
for (int i = 0; i < this.RequestTriggers.Count; i++)
{
pr.Triggers.Add(this.RequestTriggers[i], this.RequestTriggerDescs[i], this.TriggerRequests[i], this.ResponseTriggers[i], this.ResponseTriggerDescs[i], this.TriggerResponses[i]);
}
pr.Type = FindingType.Vulnerability;
pr.Severity = FindingSeverity.High;
if (this.ConfidenceLevel == 3)
{
pr.Confidence = FindingConfidence.High;
}
else if (this.ConfidenceLevel == 2)
{
pr.Confidence = FindingConfidence.Medium;
}
else
{
pr.Confidence = FindingConfidence.Low;
}
this.Scnr.AddFinding(pr);
this.Scnr.SetTraceTitle("Remote File Include", 10);
}
internal static Finding GetPluginResultFromDB(int ID)
{
Finding PR = null;
using (SQLiteConnection DB = new SQLiteConnection("data source=" + PluginResultsLogFile))
{
DB.Open();
using (SQLiteCommand cmd = DB.CreateCommand())
{
cmd.CommandText = "SELECT HostName, Title, FinderName, FinderType, Meta, Summary, Severity, Confidence, Type, UniquenessString FROM Findings WHERE ID=@ID LIMIT 1";
cmd.Parameters.AddWithValue("@ID", ID);
using(SQLiteDataReader result = cmd.ExecuteReader())
{
PR = new Finding(result["HostName"].ToString());
PR.Id = ID;
PR.Title = result["Title"].ToString();
PR.FinderName = result["FinderName"].ToString();
PR.FinderType = result["FinderType"].ToString();
try
{
PR.XmlSummary = result["Summary"].ToString();
}
catch
{
PR.Summary = result["Summary"].ToString();
}
try
{
PR.XmlMeta = result["Meta"].ToString();
}
catch { }
PR.Severity = GetSeverity(Int32.Parse(result["Severity"].ToString()));
PR.Confidence = GetConfidence(Int32.Parse(result["Confidence"].ToString()));
PR.Type = GetResultType(Int32.Parse(result["Type"].ToString()));
PR.Signature = result["UniquenessString"].ToString();
}
cmd.CommandText = "SELECT TriggersEncoded, RequestTriggerDesc, RequestTrigger, RequestHeaders, RequestBody, BinaryRequest, ResponseTriggerDesc, ResponseTrigger, ResponseHeaders, ResponseBody, BinaryResponse, RoundTrip FROM Triggers WHERE ID=@ID";
cmd.Parameters.AddWithValue("@ID", ID);
using (SQLiteDataReader result = cmd.ExecuteReader())
{
while (result.Read())
{
string RequestTrigger = result["RequestTrigger"].ToString();
string ResponseTrigger = result["ResponseTrigger"].ToString();
if (result["TriggersEncoded"].ToString().Equals("1"))
{
try
{
RequestTrigger = Tools.Base64Decode(RequestTrigger);
}
catch { }
try
{
ResponseTrigger = Tools.Base64Decode(ResponseTrigger);
}
catch { }
}
IronLogRecord ILR = new IronLogRecord();
ILR.RequestHeaders = result["RequestHeaders"].ToString();
ILR.RequestBody = result["RequestBody"].ToString();
ILR.IsRequestBinary = (result["BinaryRequest"].ToString().Equals("1"));
ILR.ResponseHeaders = result["ResponseHeaders"].ToString();
ILR.ResponseBody = result["ResponseBody"].ToString();
ILR.IsResponseBinary = (result["BinaryResponse"].ToString().Equals("1"));
try
{
ILR.RoundTrip = Int32.Parse(result["RoundTrip"].ToString());
}
catch { }
Session IrSe = Session.GetIronSessionFromIronLogRecord(ILR, 0);
if (IrSe.Response != null)
{
PR.Triggers.Add(RequestTrigger, result["RequestTriggerDesc"].ToString(), IrSe.Request, ResponseTrigger, result["ResponseTriggerDesc"].ToString(), IrSe.Response);
}
else
{
PR.Triggers.Add(RequestTrigger, result["RequestTriggerDesc"].ToString(), IrSe.Request);
}
}
}
if (PR.FromActiveScan)
{
try
{
cmd.CommandText = "SELECT RequestHeaders, RequestBody, BinaryRequest, ResponseHeaders, ResponseBody, BinaryResponse, RoundTrip FROM BaseLine WHERE FindingID=@FindingID LIMIT 1";
cmd.Parameters.AddWithValue("@FindingID", ID);
using (SQLiteDataReader result = cmd.ExecuteReader())
{
if (result.HasRows)
{
IronLogRecord ILR = new IronLogRecord();
ILR.RequestHeaders = result["RequestHeaders"].ToString();
ILR.RequestBody = result["RequestBody"].ToString();
ILR.IsRequestBinary = (result["BinaryRequest"].ToString().Equals("1"));
ILR.ResponseHeaders = result["ResponseHeaders"].ToString();
ILR.ResponseBody = result["ResponseBody"].ToString();
ILR.IsResponseBinary = (result["BinaryResponse"].ToString().Equals("1"));
try
{
ILR.RoundTrip = Int32.Parse(result["RoundTrip"].ToString());
}
catch { }
Session IrSe = Session.GetIronSessionFromIronLogRecord(ILR, 0);
PR.BaseRequest = IrSe.Request;
PR.BaseResponse = IrSe.Response;
}
}
}
catch { }
}
}
}
return PR;
}
void ReportCommandInjection()
{
this.Scnr.SetTraceTitle("Command Injection Found", 10);
Finding pr = new Finding(this.Scnr.InjectedRequest.BaseUrl);
pr.Title = "Command Injection Found";
pr.Summary = string.Format("{0}<i<br>><i<br>>{1}", this.GetFindingOpeningDesc("Command Injection"), this.GetSummary());
foreach (FindingReason reason in this.Reasons)
{
pr.AddReason(reason);
}
for (int i = 0; i < this.RequestTriggers.Count; i++)
{
pr.Triggers.Add(this.RequestTriggers[i], this.RequestTriggerDescs[i], this.TriggerRequests[i], this.ResponseTriggers[i], this.ResponseTriggerDescs[i], this.TriggerResponses[i]);
}
pr.Type = FindingType.Vulnerability;
pr.Severity = FindingSeverity.High;
pr.Confidence = FindingConfidence.High;
this.Scnr.AddFinding(pr);
}
void ShowFullFinding(Finding F, string TriggerHighlighting)
{
if (ResultsDisplayRTB.InvokeRequired)
{
ShowFullFinding_d CALL_d = new ShowFullFinding_d(ShowFullFinding);
ResultsDisplayRTB.Invoke(CALL_d, new object[] { F, TriggerHighlighting });
}
else
{
StringBuilder SB = new StringBuilder(@"{\rtf1{\colortbl ;\red0\green77\blue187;\red247\green150\blue70;\red255\green0\blue0;\red0\green200\blue50;}");
SB.Append(@" \b \fs30"); SB.Append(Tools.RtfSafe(F.Title)); SB.Append(@"\b0 \fs20 \par \par");
SB.Append(@" \cf1 \b Plugin: \b0 \cf0 "); SB.AppendLine(Tools.RtfSafe(F.Plugin)); SB.Append(@" \par");
if (F.Type == FindingType.Vulnerability)
{
SB.Append(@" \cf1 \b Severity: \b0 \cf0 "); SB.AppendLine(Tools.RtfSafe(F.Severity.ToString())); SB.Append(@" \par");
SB.Append(@" \cf1 \b Confidence: \b0 \cf0 "); SB.AppendLine(Tools.RtfSafe(F.Confidence.ToString())); SB.Append(@" \par");
}
SB.Append(@" \par");
SB.Append(@" \cf1 \b Summary: \b0 \cf0 \par ");
SB.AppendLine(Tools.RtfSafe(F.Summary));
SB.Append(@" \par \par \par ");
if (F.Triggers.Count > 0)
{
Trigger T = F.Triggers.GetTrigger(0);
SB.Append(Tools.RtfSafe(Finding.GetTriggerHighlighting(T, "PassivePlugin", false)));
if (PassivePluginLogRequestView.GetRequest() == null)
{
if (T.Request != null)
{
PassivePluginLogRequestView.SetRequest(T.Request);
}
if (T.Response != null)
{
PassivePluginLogResponseView.SetResponse(T.Response);
}
}
}
ResultsDisplayRTB.Rtf = SB.ToString();
}
}
public void Add(Finding PR)
{
this.ResultList.Add(PR);
}
internal static Finding GetPluginResultFromDB(int ID)
{
SQLiteConnection DB = new SQLiteConnection("data source=" + PluginResultsLogFile);
DB.Open();
SQLiteCommand cmd = DB.CreateCommand();
cmd.CommandText = "SELECT HostName, Title, Plugin, Summary, Severity, Confidence, Type, UniquenessString FROM PluginResult WHERE ID=@ID LIMIT 1";
cmd.Parameters.AddWithValue("@ID", ID);
SQLiteDataReader result = cmd.ExecuteReader();
Finding PR = new Finding(result["HostName"].ToString());
PR.Id = ID;
PR.Title = result["Title"].ToString();
PR.Plugin = result["Plugin"].ToString();
PR.Summary = result["Summary"].ToString();
PR.Severity = GetSeverity(Int32.Parse(result["Severity"].ToString()));
PR.Confidence = GetConfidence(Int32.Parse(result["Confidence"].ToString()));
PR.Type = GetResultType(Int32.Parse(result["Type"].ToString()));
PR.Signature = result["UniquenessString"].ToString();
result.Close();
cmd.CommandText = "SELECT RequestTrigger, RequestHeaders, RequestBody, BinaryRequest, ResponseTrigger, ResponseHeaders, ResponseBody, BinaryResponse FROM Triggers WHERE ID=@ID";
cmd.Parameters.AddWithValue("@ID", ID);
result = cmd.ExecuteReader();
while (result.Read())
{
string RequestTrigger = result["RequestTrigger"].ToString();
string ResponseTrigger = result["ResponseTrigger"].ToString();
IronLogRecord ILR = new IronLogRecord();
ILR.RequestHeaders = result["RequestHeaders"].ToString();
ILR.RequestBody = result["RequestBody"].ToString();
ILR.IsRequestBinary = (result["BinaryRequest"].ToString().Equals("1"));
ILR.ResponseHeaders = result["ResponseHeaders"].ToString();
ILR.ResponseBody = result["ResponseBody"].ToString();
ILR.IsResponseBinary = (result["BinaryResponse"].ToString().Equals("1"));
Session IrSe = Session.GetIronSessionFromIronLogRecord(ILR,0);
if (IrSe.Response != null)
{
PR.Triggers.Add(RequestTrigger, IrSe.Request, ResponseTrigger, IrSe.Response);
}
else
{
PR.Triggers.Add(RequestTrigger, IrSe.Request);
}
}
result.Close();
DB.Close();
return PR;
}
internal static void UpdateResultsTab(Finding PR)
{
if (UI.ResultsDisplayRTB.InvokeRequired)
{
UpdateResultsTab_d URT_d = new UpdateResultsTab_d(UpdateResultsTab);
UI.Invoke(URT_d, new object[] { PR });
}
else
{
ResetPluginResultsTab();
StringBuilder SB = new StringBuilder(@"{\rtf1{\colortbl ;\red0\green77\blue187;\red247\green150\blue70;\red255\green0\blue0;\red0\green200\blue50;}");
SB.Append(@" \b \fs30"); SB.Append(Tools.RtfSafe(PR.Title)); SB.Append(@"\b0 \fs20 \par \par");
SB.Append(@" \cf1 \b ID: \b0 \cf0 "); SB.AppendLine(Tools.RtfSafe(PR.Id.ToString())); SB.Append(@" \par");
SB.Append(@" \cf1 \b Plugin: \b0 \cf0 "); SB.AppendLine(Tools.RtfSafe(PR.Plugin)); SB.Append(@" \par");
if (PR.Type == FindingType.Vulnerability)
{
SB.Append(@" \cf1 \b Severity: \b0 \cf0 "); SB.AppendLine(Tools.RtfSafe(PR.Severity.ToString())); SB.Append(@" \par");
SB.Append(@" \cf1 \b Confidence: \b0 \cf0 "); SB.AppendLine(Tools.RtfSafe(PR.Confidence.ToString())); SB.Append(@" \par");
}
SB.Append(@" \par");
SB.Append(@" \cf1 \b Summary: \b0 \cf0 \par ");
SB.AppendLine(Tools.RtfSafe(PR.Summary));
SB.Append(@" \par \par");
UI.ResultsDisplayRTB.Rtf = SB.ToString();
for (int i=0; i < PR.Triggers.GetTriggers().Count; i++ )
{
UI.ResultsTriggersGrid.Rows.Add(new object[] { (i + 1).ToString() });
}
if (UI.ResultsTriggersGrid.Rows.Count > 0)
{
UI.ResultsTriggersGrid.Rows[0].Selected = true;
DisplayPluginResultsTrigger(0);
}
if (!UI.main_tab.SelectedTab.Name.Equals("mt_results")) UI.main_tab.SelectTab("mt_results");
}
}
public bool IsSignatureUnique(string Host, FindingType Type, string Signature)
{
return(Finding.IsSignatureUnique(this.Name, Host, Type, Signature));
}
public void AddFinding(Finding F)
{
F.ScanId = this.ID;
F.AffectedSection = this.InjectedSection;
F.AffectedParameter = this.InjectedParameter;
F.FinderName = this.ActivePluginName;
F.FinderType = "ActivePlugin";
F.BaseRequest = this.BaseRequest;
F.BaseResponse = this.BaseResponse;
this.PRs.Add(F);
F.Report();
}
public void Remove(Finding PR)
{
this.ResultList.Remove(PR);
}
public void Add(Finding PR)
{
this.ResultList.Add(PR);
}
internal static void AddPluginResult(Finding PR)
{
if (PR != null)
{
lock (PluginResultQ)
{
PluginResultQ.Enqueue(PR);
}
}
}
public virtual void StartModuleOnFinding(Finding Result)
{
}
string GetFindingHash(Finding F)
{
StringBuilder SB = new StringBuilder();
SB.Append(F.Title);
SB.Append(F.Summary);
SB.Append(F.Type);
SB.Append(F.FinderName);
SB.Append(F.FinderType);
SB.Append(F.Severity.ToString());
SB.Append(F.Confidence.ToString());
SB.Append(F.AffectedHost);
SB.Append(F.AffectedParameter);
SB.Append(F.AffectedSection);
foreach (FindingReason Reason in F.Reasons)
{
SB.Append(Reason.Reason);
SB.Append(Reason.FalsePositiveCheck);
}
foreach (Trigger T in F.Triggers.GetTriggers())
{
SB.Append(T.RawRequestTriggerDescription);
SB.Append(T.ResponseTriggerDescription);
SB.Append(T.RequestTrigger);
SB.Append(T.ResponseTrigger);
}
return Tools.MD5(SB.ToString());
}
public void Remove(Finding PR)
{
this.ResultList.Remove(PR);
}
internal static void Start()
{
ProxyRunning = true;
if (!EventHandlersAssigned)
{
Fiddler.FiddlerApplication.AfterSessionComplete += delegate(Fiddler.Session Sess)
{
IronProxy.AfterSessionComplete(Sess);
};
Fiddler.FiddlerApplication.BeforeRequest += delegate(Fiddler.Session Sess)
{
IronProxy.BeforeRequest(Sess);
};
Fiddler.FiddlerApplication.BeforeResponse += delegate(Fiddler.Session Sess)
{
IronProxy.BeforeResponse(Sess);
};
Fiddler.FiddlerApplication.OnValidateServerCertificate += delegate(object sender, Fiddler.ValidateServerCertificateEventArgs e)
{
if(e.CertificatePolicyErrors != SslPolicyErrors.None)
{
string PluginName = "Internal SSL Checker";
string Signature = string.Format("SSLCertificateChecker|{0}|{1}|{2}", new object[] { e.Session.host, e.Session.port.ToString(), e.CertificatePolicyErrors.ToString() });
if (Finding.IsSignatureUnique(PluginName, e.Session.host, FindingType.Vulnerability, Signature))
{
Finding PR = new Finding(e.Session.host);
PR.Plugin = PluginName;
PR.Severity = FindingSeverity.Medium;
PR.Confidence = FindingConfidence.High;
PR.Title = string.Format("SSL Certificate Error for {0}:{1} ", new object[] { e.Session.host, e.Session.port.ToString() });
PR.Summary = string.Format("The remote server running Host: {0} and Port: {1} returned an invalid SSL certificate.<i<br>> <i<h>>Error:<i</h>> {2}. <i<br>> <i<h>>Certificate Details:<i</h>> {3}", new object[] { e.Session.host, e.Session.port.ToString(), e.CertificatePolicyErrors.ToString(), e.ServerCertificate.Subject });
PR.Signature = Signature;
PR.Report();
}
e.Session.oFlags.Add("IronFlag-SslError", "Yes");
}
//string SSLError = sslPolicyErrors.ToString();
//if (!SSLError.Equals("None"))
//{
// string PluginName = "Internal SSL Checker";
// string Signature = string.Format("SSLCertificateChecker|{0}|{1}|{2}", new object[] { Sess.host, Sess.port.ToString(), sslPolicyErrors.ToString() });
// if (Finding.IsSignatureUnique(PluginName, Sess.host, FindingType.Vulnerability, Signature))
// {
// Finding PR = new Finding(Sess.host);
// PR.Plugin = PluginName;
// PR.Severity = FindingSeverity.Medium;
// PR.Confidence = FindingConfidence.High;
// PR.Title = string.Format("SSL Certificate Error for {0}:{1} ", new object[] { Sess.host, Sess.port.ToString() });
// PR.Summary = string.Format("The remote server running Host: {0} and Port: {1} returned an invalid SSL certificate.<i<br>> <i<h>>Error:<i</h>> {2}. <i<br>> <i<h>>Certificate Details:<i</h>> {3}", new object[] { Sess.host, Sess.port.ToString(), sslPolicyErrors.ToString(), ServerCertificate.Subject });
// PR.Signature = Signature;
// PR.Report();
// }
// Sess.oFlags.Add("IronFlag-SslError", "Yes");
// bTreatCertificateAsValid = false;
// return false;
//}
//else
//{
// bTreatCertificateAsValid = true;
// return true;
//}
};
//Fiddler.FiddlerApplication.OnValidateServerCertificate.OverrideServerCertificateValidation += delegate(Fiddler.Session Sess, string sExpectedCN, X509Certificate ServerCertificate, X509Chain ServerCertificateChain, SslPolicyErrors sslPolicyErrors, out bool bTreatCertificateAsValid)
//{
// string SSLError = sslPolicyErrors.ToString();
// if (!SSLError.Equals("None"))
// {
// string PluginName = "Internal SSL Checker";
// string Signature = string.Format("SSLCertificateChecker|{0}|{1}|{2}", new object[] { Sess.host, Sess.port.ToString(), sslPolicyErrors.ToString() });
// if (Finding.IsSignatureUnique(PluginName, Sess.host, FindingType.Vulnerability, Signature))
// {
// Finding PR = new Finding(Sess.host);
// PR.Plugin = PluginName;
// PR.Severity = FindingSeverity.Medium;
// PR.Confidence = FindingConfidence.High;
// PR.Title = string.Format("SSL Certificate Error for {0}:{1} ", new object[] { Sess.host, Sess.port.ToString() });
// PR.Summary = string.Format("The remote server running Host: {0} and Port: {1} returned an invalid SSL certificate.<i<br>> <i<h>>Error:<i</h>> {2}. <i<br>> <i<h>>Certificate Details:<i</h>> {3}", new object[] { Sess.host, Sess.port.ToString(), sslPolicyErrors.ToString(), ServerCertificate.Subject });
// PR.Signature = Signature;
// PR.Report();
// }
// Sess.oFlags.Add("IronFlag-SslError", "Yes");
// bTreatCertificateAsValid = false;
// return false;
// }
// else
// {
// bTreatCertificateAsValid = true;
// return true;
// }
//};
Fiddler.FiddlerApplication.OnNotification += delegate(object Sender, Fiddler.NotificationEventArgs Args)
{
if (Args.NotifyString.Contains("Unable to bind to port"))
{
IronProxy.Stop();
IronException.Report("Proxy could not be stared", "Listening Proxy could not be started. Likely reason could be the use of the port by another process","");
IronUI.ShowProxyStoppedError("Proxy Not Started! All features depend on the proxy, start proxy to activate them.");
}
};
EventHandlersAssigned = true;
}
Fiddler.CONFIG.IgnoreServerCertErrors = true;
//Fiddler.CONFIG.bReuseServerSockets = false;
IronUI.UpdateProxyStatusInConfigPanel(true);
if (IronProxy.LoopBackOnly)
{
Fiddler.FiddlerApplication.Startup(IronProxy.Port, Fiddler.FiddlerCoreStartupFlags.Default & ~ Fiddler.FiddlerCoreStartupFlags.AllowRemoteClients & ~Fiddler.FiddlerCoreStartupFlags.RegisterAsSystemProxy);
//Fiddler.FiddlerApplication.Startup(IronProxy.Port, Fiddler.FiddlerCoreStartupFlags.Default);
}
else
{
Fiddler.FiddlerApplication.Startup(IronProxy.Port, Fiddler.FiddlerCoreStartupFlags.Default & ~Fiddler.FiddlerCoreStartupFlags.RegisterAsSystemProxy & ~Fiddler.FiddlerCoreStartupFlags.ChainToUpstreamGateway);
}
}
internal static void UpdateResultsTab(Finding PR)
{
if (UI.ResultsDisplayRTB.InvokeRequired)
{
UpdateResultsTab_d URT_d = new UpdateResultsTab_d(UpdateResultsTab);
UI.Invoke(URT_d, new object[] { PR });
}
else
{
ResetPluginResultsTab();
StringBuilder SB = new StringBuilder(@"{\rtf1{\colortbl ;\red0\green77\blue187;\red247\green150\blue70;\red255\green0\blue0;\red0\green200\blue50;}");
SB.Append(@" \b \fs30"); SB.Append(Tools.RtfSafe(PR.Title)); SB.Append(@"\b0 \fs20 \par \par");
SB.Append(@" \cf1 \b Finding ID: \b0 \cf0 "); SB.AppendLine(Tools.RtfSafe(PR.Id.ToString())); SB.Append(@" \par");
if (PR.Type == FindingType.Vulnerability)
{
SB.Append(@" \par \cf1 \b Severity: \b0 \cf0 "); SB.AppendLine(Tools.RtfSafe(PR.Severity.ToString())); SB.Append(@" \par");
SB.Append(@" \cf1 \b Confidence: \b0 \cf0 "); SB.AppendLine(Tools.RtfSafe(PR.Confidence.ToString())); SB.Append(@" \par \par");
}
switch (PR.FinderType)
{
case("ActivePlugin"):
SB.Append(@" \cf1 \b Discovery Mode: \b0 \cf0 Automated Vulnerability Scan \par");
SB.Append(@" \cf1 \b Scan ID: \b0 \cf0 "); SB.AppendLine(PR.ScanId.ToString()); SB.Append(@" \par");
SB.Append(@" \cf1 \b Vulnerability Check: \b0 \cf0 "); SB.AppendLine(Tools.RtfSafe(PR.FinderName)); SB.Append(@" \par");
break;
case ("PassivePlugin"):
SB.Append(@" \cf1 \b Discovery Mode: \b0 \cf0 Passive Traffic Analysis \par");
SB.Append(@" \cf1 \b Passive Plugin Name: \b0 \cf0 "); SB.AppendLine(Tools.RtfSafe(PR.FinderName)); SB.Append(@" \par");
break;
default:
if (PR.FinderType.Length > 0 || PR.FinderName.Length > 0)
{
SB.Append(@" \cf1 \b Discovered By: \b0 \cf0 "); SB.AppendLine(Tools.RtfSafe(string.Format("{0} {1}",PR.FinderName, PR.FinderType))); SB.Append(@" \par");
}
break;
}
SB.Append(@" \par");
SB.Append(@" \cf1 \b Summary: \b0 \cf0 \par ");
SB.AppendLine(Tools.RtfSafe(PR.Summary));
SB.Append(@" \par ");
switch (PR.FinderType)
{
case("ActivePlugin"):
StringBuilder ASB = new StringBuilder();
if (PR.Reasons.Count > 0)
{
ASB.Append("<i<br>>IronWASP has reported this issue because of the following reasons:<i<br>>");
for (int i = 0; i < PR.Reasons.Count; i++)
{
ASB.Append(string.Format("<i<br>><i<b>><i<cb>>Reason {0}:<i</b>><i</cb>> <i<br>>", i + 1));
ASB.Append(PR.Reasons[i].Reason);
if (PR.Reasons[i].TriggerIds.Count > 0)
{
ASB.Append("<i<br>><i<br>>The request and response associated with this check can be seen by clicking on ");
if (PR.Reasons[i].TriggerIds.Count == 1)
{
ASB.Append("Trigger "); ASB.Append(PR.Reasons[i].TriggerIds[0]);
}
else
{
ASB.Append("Triggers ");
for(int ii=0; ii < PR.Reasons[i].TriggerIds.Count; ii++)
{
if (ii == 0)
{
ASB.Append(PR.Reasons[i].TriggerIds[ii]);
}
else if (ii == PR.Reasons[i].TriggerIds.Count - 1)
{
ASB.Append(" and "); ASB.Append(PR.Reasons[i].TriggerIds[ii]);
}
else
{
ASB.Append(", "); ASB.Append(PR.Reasons[i].TriggerIds[ii]);
}
}
}
ASB.Append("<i<br>>The 'Trigger Analysis Tools' section has tools to compare the Request/Response of two different triggers or one trigger and the normal Request/Response.");
ASB.Append("<i<br>>Doing a right-click on a Trigger id will show a menu with options to resend selected request or to send it after editing. Click on the 'Select this Request for Manual Testing' option in that menu for this feature.");
}
if (PR.Reasons[i].FalsePositiveCheck.Length > 0)
{
ASB.Append("<i<br>><i<br>><i<cg>><i<b>>False Positive Check Assistance:<i</b>><i</cg>><i<br>>");
ASB.Append(PR.Reasons[i].FalsePositiveCheck);
ASB.Append("<i<br>>");
}
}
}
ASB.Append("<i<br>><i<hh>>More Scan Information:<i</hh>><i<br>>");
ASB.Append("To view all the payloads, requests/responses and detailed scan trace information associated with this vulnerability detection scan, please click on the associated button in the <i<b>>Trigger Analysis Tools<i</b>> section below.<i<br>>");
SB.Append(Tools.RtfSafe(ASB.ToString()));
break;
case("PassivePlugin"):
Request AHR = new Request(PR.AffectedHost);
StringBuilder PSB = new StringBuilder();
PSB.Append("<i<br>><i<br>><i<b>><i<co>>NOTE:<i</b>><i</co>><i<br>>");
PSB.Append(string.Format("There might be more instances of this issue in <i<cb>>{0}<i</cb>> but they have not been reported to avoid creating a lot of noise.", AHR.Host));
PSB.Append(string.Format("<i<br>><i<br>>In order to identify every single instance of this issue on <i<cb>>{0}<i</cb>> follow these steps:", AHR.Host));
PSB.Append("<i<br>>1) Go to the 'Logs' section in IronWASP and click on the 'Search and Analyze Logs' button");
PSB.Append("<i<br>>2) Select the logs on which you want to do the analysis. Proxy logs would be selected by default.");
PSB.Append("<i<br>>3) Click the checkbox before the Hostname filter option and then click on the '+' radio button to set this filter option as a white-list.");
PSB.Append(string.Format("<i<br>>4) Now enter the hostname <i<cb>>{0}<i</cb>> in to the textbox field in this area. Donot add http:// or https:// or / here.", AHR.Host));
PSB.Append("<i<br>>5) If required you can configure some of the other options to set the search filter and then click on the 'Search with this Filter' button to perform a search.");
PSB.Append("<i<br>>6) Click on the 'Select all rows' checkbox in the search results section and then click on the 'Test Selected Sessions' button.");
PSB.Append("<i<br>>7) A new window wil appear, select the 'Run Passive Plugins on Selected Sessions' option here and click the 'Next Step' button.");
PSB.Append(string.Format("<i<br>>8) You will be shown a list of Passive Plugins, select the one named <i<cb>>{0}<i</cb>> and click the 'Start Test' button", PR.FinderName));
PSB.Append("<i<br>>9) Now you will be shown all instances of this issue present in the logs matching your search filter.");
SB.Append(Tools.RtfSafe(PSB.ToString()));
break;
}
UI.ResultsDisplayRTB.Rtf = SB.ToString();
if (PR.FromActiveScan && PR.BaseRequest != null && PR.BaseResponse != null)
{
UI.ResultsTriggersGrid.Rows.Add(new object[] { "Normal" });
UI.SelectForDiffTriggersGrid.Rows.Add(new object[] { false, "Normal" });
}
for (int i=0; i < PR.Triggers.GetTriggers().Count; i++ )
{
UI.ResultsTriggersGrid.Rows.Add(new object[] { string.Format("Trigger {0}", i + 1) });
UI.SelectForDiffTriggersGrid.Rows.Add(new object[] { false, string.Format("Trigger {0}", i + 1) });
}
if (UI.ResultsTriggersGrid.Rows.Count > 0)
{
if (PR.FromActiveScan && UI.ResultsTriggersGrid.Rows.Count == 2)
{
UI.ResultsTriggersGrid.Rows[1].Selected = false;
UI.ResultsTriggersGrid.Rows[1].Selected = true;
}
else
{
UI.ResultsTriggersGrid.Rows[0].Selected = false;
UI.ResultsTriggersGrid.Rows[0].Selected = true;
}
//DisplayPluginResultsTrigger(0);
}
if (!UI.main_tab.SelectedTab.Name.Equals("mt_results")) UI.main_tab.SelectTab("mt_results");
}
}
public void AddFinding(Finding PR)
{
this.PRs.Add(PR);
PR.Plugin = this.ActivePluginName;
PR.Report();
}
internal static List<IronTrace> GetScanTraces(Finding F)
{
List<IronTrace> TraceRecords = new List<IronTrace>();
using(SQLiteConnection DB = new SQLiteConnection("data source=" + TraceLogFile))
{
DB.Open();
using (SQLiteCommand cmd = DB.CreateCommand())
{
cmd.CommandText = "SELECT ID, Message, OverviewXml FROM ScanTrace WHERE ScanID=@ScanID AND PluginName=@PluginName AND Section=@Section AND Parameter=@Parameter ORDER BY ID";
cmd.Parameters.AddWithValue("@ScanID", F.ScanId);
cmd.Parameters.AddWithValue("@PluginName", F.FinderName);
cmd.Parameters.AddWithValue("@Section", F.AffectedSection);
cmd.Parameters.AddWithValue("@Parameter", F.AffectedParameter);
using (SQLiteDataReader result = cmd.ExecuteReader())
{
while (result.Read())
{
IronTrace Trace = new IronTrace();
try
{ Trace.ID = Int32.Parse(result["ID"].ToString()); }
catch { continue; }
try
{
Trace.MessageXml = result["Message"].ToString();
}
catch
{
Trace.Message = result["Message"].ToString();
}
Trace.OverviewXml = result["OverviewXml"].ToString();
TraceRecords.Add(Trace);
}
}
}
}
return TraceRecords;
}
void ReportSQLInjection(FindingConfidence Confidence)
{
this.Scnr.SetTraceTitle("SQLi Found", 100);
Finding PR = new Finding(this.Scnr.InjectedRequest.BaseUrl);
PR.Title = "SQL Injection Detected";
PR.Summary = string.Format("{0}<i<br>><i<br>>{1}", this.GetFindingOpeningDesc("SQL Injection"), this.GetSummary());
foreach (FindingReason reason in this.reasons)
{
PR.AddReason(reason);
}
for (int i = 0; i < this.RequestTriggers.Count; i++)
{
PR.Triggers.Add(this.RequestTriggers[i], this.RequestTriggerDescs[i], this.TriggerRequests[i], this.ResponseTriggers[i], this.ResponseTriggerDescs[i], this.TriggerResponses[i]);
}
PR.Type = FindingType.Vulnerability;
PR.Severity = FindingSeverity.High;
PR.Confidence = Confidence;
this.Scnr.AddFinding(PR);
}
internal static List<Finding> GetPluginResultsLogRecords(int StartID)
{
List<Finding> PluginResultsLogRecords = new List<Finding>();
using (SQLiteConnection DB = new SQLiteConnection("data source=" + PluginResultsLogFile))
{
DB.Open();
using (SQLiteCommand cmd = DB.CreateCommand())
{
cmd.CommandText = "SELECT ID, HostName, Title, FinderName, FinderType, Meta, UniquenessString, Severity, Confidence, Type FROM Findings WHERE ID > @StartID LIMIT 1000";
cmd.Parameters.AddWithValue("@StartID", StartID);
using (SQLiteDataReader result = cmd.ExecuteReader())
{
while (result.Read())
{
Finding PR = new Finding(result["HostName"].ToString());
PR.Id = Int32.Parse(result["ID"].ToString());
PR.Title = result["Title"].ToString();
PR.FinderName = result["FinderName"].ToString();
PR.FinderType = result["FinderType"].ToString();
try
{
PR.XmlMeta = result["Meta"].ToString();
}
catch { }
PR.AffectedHost = result["HostName"].ToString();
PR.Severity = GetSeverity(Int32.Parse(result["Severity"].ToString()));
PR.Confidence = GetConfidence(Int32.Parse(result["Confidence"].ToString()));
PR.Type = GetResultType(Int32.Parse(result["Type"].ToString()));
PR.Signature = result["UniquenessString"].ToString();
PluginResultsLogRecords.Add(PR);
}
}
}
}
return PluginResultsLogRecords;
}
public List <string> GetSignatureList(string Host, FindingType Type)
{
return(Finding.GetSignatureList(this.Name, Host, Type));
}
void ReportSQLError(List<string> Errors)
{
this.Scnr.SetTraceTitle("SQL Error Messages Found", 100);
Finding PR = new Finding(this.Scnr.InjectedRequest.BaseUrl);
PR.Title = "SQL Error Messages Found";
string Summary = string.Format("{0} SQL Error Messages have been found in the response when testing this parameter. All checks performed to identify SQL Injection returned negative results so the reason for why these error messages appear cannot be determined.<i<br>>", this.GetFindingOpeningDesc("SQL Error Triggering"));
Summary = Summary + "The error messages are:<i<br>>";
foreach (string Error in Errors)
{
Summary = Summary + string.Format("<i<cr>>{0}<i</cr>><i<br>>", Error);
}
PR.Summary = Summary;
if (this.RequestTriggers.Count > 0)
{
PR.Triggers.Add("", "", this.TriggerRequests[0], string.Join("\r\n", Errors.ToArray()), string.Format("The response contained {0} SQL error messages", Errors.Count), this.TriggerResponses[0]);
}
PR.Type = FindingType.Vulnerability;
PR.Severity = FindingSeverity.Medium;
PR.Confidence = FindingConfidence.High;
this.Scnr.AddFinding(PR);
}
void ReportSSRF()
{
this.Scnr.SetTraceTitle("Server Side Request Forgery Found", 10);
Finding pr = new Finding(this.Scnr.InjectedRequest.BaseUrl);
pr.Title = "Server Side Request Forgery Found";
pr.Summary = string.Format("{0}<i<br>><i<br>>{1}", this.GetFindingOpeningDesc("Server Side Request Forgery"), this.GetSummary());
foreach (FindingReason reason in this.Reasons)
{
pr.AddReason(reason);
}
for (int i = 0; i < this.RequestTriggers.Count; i++)
{
pr.Triggers.Add(this.RequestTriggers[i], this.RequestTriggerDescs[i], this.TriggerRequests[i], this.ResponseTriggers[i], this.ResponseTriggerDescs[i], this.TriggerResponses[i]);
}
pr.Type = FindingType.Vulnerability;
pr.Severity = FindingSeverity.High;
if (this.ConfidenceLevel == 3)
{
pr.Confidence = FindingConfidence.High;
}
else if (this.ConfidenceLevel == 2)
{
pr.Confidence = FindingConfidence.Medium;
}
else
{
pr.Confidence = FindingConfidence.Low;
}
this.Scnr.AddFinding(pr);
}
