public void ScanVulnerabilities(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln,
string targetNameSpace, WSDescriber wsDesc, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject,
bool isDebug, ref List<Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags)
{
if (vuln.id == 1) // check authentication
{
CheckUnAuthenticatedMethod(wsInvoker, operation, vuln, targetNameSpace, WSItemVulnerabilities, reportObject, isDebug, ref respHeader, customSoapHeaderTags, customSoapBodyTags);
}
else
{
CheckVulnsExceptAuth(wsInvoker, operation, vuln, targetNameSpace, wsDesc, WSItemVulnerabilities, reportObject, isDebug, ref respHeader, customSoapHeaderTags, customSoapBodyTags);
}
}
public void SetSoapFaultException(WSOperation operation, SoapException soapEx, WSDescriberForReport WSItemVulnerabilities, bool isDebug)
{
if (WSItemVulnerabilities.Vulns.Where(v => v.VulnerableMethodName.Equals(operation.MethodName) && v.Vuln.id == 7).Count() <= 0) // aynı method için sadece 1 tane soap fault zafiyeti yaz
{
mainForm.Log(" Soap Exception: " + soapEx.ToString(), FontStyle.Regular, isDebug);
VulnerabilityForReport soapFaultVuln = new VulnerabilityForReport();
soapFaultVuln.Vuln = MainForm.vulnerabilities.Vulnerability.Where(v => v.id == 7).FirstOrDefault();
soapFaultVuln.VulnerableMethodName = operation.MethodName;
soapFaultVuln.VulnerableParamName = "";
soapFaultVuln.Payload = "";
soapFaultVuln.Response = soapEx.Message;
soapFaultVuln.StatusCode = "";
WSItemVulnerabilities.Vulns.Add(soapFaultVuln);
}
}
private void CheckUnAuthenticatedMethod(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln,
string targetNameSpace, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject,
bool isDebug, ref List<Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags)
{
for (int j = 0; j < operation.Parameters.Count; j++)
{
SetParameterDefaultValue(wsInvoker, operation.Parameters[j], isDebug);
}
try
{
try
{
reportObject.TotalRequestCount++;
wsInvoker.InvokeMethod(operation.MethodName, targetNameSpace, null, ref respHeader, customSoapHeaderTags, customSoapBodyTags);
}
catch (SoapException soapEx)
{
//throw ex;
SetSoapFaultException(operation, soapEx, WSItemVulnerabilities, isDebug);
}
catch (Exception ex)
{
throw ex;
}
}
finally { wsInvoker.PosInvoke(); }
if (!vuln.statusCode.Equals(wsInvoker.StatusCode.ToString())) // status code is not 401, no redirect
{
VulnerabilityForReport authVuln = new VulnerabilityForReport();
authVuln.Vuln = MainForm.vulnerabilities.Vulnerability.Where(v => v.id == 1).FirstOrDefault();
authVuln.VulnerableMethodName = operation.MethodName;
authVuln.VulnerableParamName = "";
authVuln.Payload = "";
authVuln.Response = wsInvoker.ResultString;
authVuln.StatusCode = wsInvoker.StatusCode.ToString();
WSItemVulnerabilities.Vulns.Add(authVuln);
mainForm.Log(" Auth Vulnerability Found: " + wsInvoker.ResultString + " - status code is : " + wsInvoker.StatusCode.ToString(), FontStyle.Bold, true);
}
}
public List<WSOperation> GetOperations()
{
List<WSOperation> lst = new List<WSOperation>();
foreach (Service ser in serviceDescription.Services)
{
String webServiceName = ser.Name.ToString();
foreach (Port port in ser.Ports)
{
string portName = port.Name;
string binding = port.Binding.Name;
Binding bind = bindColl[binding];
if (bind != null)
{
PortType portTyp = portTypColl[bind.Type.Name];
foreach (Operation op in portTyp.Operations)
{
WSOperation operObj = new WSOperation();
operObj.ClassName = webServiceName;
operObj.MethodName = op.Name;
if (lst.Where(it => it.ClassName.Equals(operObj.ClassName) && it.MethodName.Equals(operObj.MethodName)).Count() == 0)
{
OperationMessageCollection opMsgColl = op.Messages;
OperationInput opInput = opMsgColl.Input;
OperationOutput opOutput = opMsgColl.Output;
string inputMsg = opInput.Message.Name;
string outputMsg = opOutput.Message.Name;
Message msgInput = msgColl[inputMsg];
List<WSParameter> InputParam = GetParameters(msgInput);
Message msgOutput = msgColl[outputMsg];
List<WSParameter> OutputParams = GetParameters(msgOutput);
operObj.Parameters = InputParam;
if (OutputParams != null && OutputParams.Count > 0)
{
operObj.ReturnType = OutputParams[0].TypeName;
}
lst.Add(operObj);
}
}
}
}
}
return lst;
}
private void SetVuln(WebServiceToInvoke wsInvoker, WSDescriberForReport WSItemVulnerabilities,
VulnerabilitiesVulnerability vuln, WSOperation operation, string payload, string paramName, string logStr)
{
mainForm.Log(logStr, FontStyle.Bold, true);
VulnerabilityForReport vulnRep = new VulnerabilityForReport();
vulnRep.Vuln = vuln;
vulnRep.VulnerableMethodName = operation.MethodName;
vulnRep.VulnerableParamName = paramName;
vulnRep.Payload = payload;
vulnRep.Response = wsInvoker.ResultString;
vulnRep.StatusCode = wsInvoker.StatusCode.ToString();
WSItemVulnerabilities.Vulns.Add(vulnRep);
}
private void CheckVulnsExceptAuth(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln,
string targetNameSpace, WSDescriber wsDesc, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject,
bool isDebug, ref List<Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags)
{
int paramIndexToTest = 0;
for (int i = 0; i < operation.Parameters.Count; i++)
{
if (i == paramIndexToTest)
{
foreach (string payload in vuln.request)
{
bool vulnFoundForParam = false;
wsInvoker.AddParameter(operation.Parameters[i].Name, payload.Trim());
for (int j = 0; j < operation.Parameters.Count; j++)
{
if (j != paramIndexToTest)
{
SetParameterDefaultValue(wsInvoker, operation.Parameters[j], isDebug);
}
}
try
{
try
{
reportObject.TotalRequestCount++;
wsInvoker.InvokeMethod(operation.MethodName, targetNameSpace, wsDesc, ref respHeader, customSoapHeaderTags, customSoapBodyTags);
}
catch (SoapException soapEx)
{
SetSoapFaultException(operation, soapEx, WSItemVulnerabilities, isDebug);
}
catch (Exception ex)
{
throw ex;
}
}
finally { wsInvoker.PosInvoke(); }
mainForm.Log(" StatusCode: " + wsInvoker.StatusCode, FontStyle.Regular, isDebug);
mainForm.Log(" Result: " + wsInvoker.ResultString, FontStyle.Regular, isDebug);
if (!string.IsNullOrEmpty(vuln.statusCode))
{
if (vuln.statusCode.Equals(wsInvoker.StatusCode.ToString()))
{
if (vuln.response == null || vuln.response.Count() == 0)
{
SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, operation.Parameters[i].Name, " " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Status Code: " + vuln.statusCode);
vulnFoundForParam = true;
}
else
{
foreach (string text in vuln.response)
{
if (wsInvoker.ResultString.Trim().Contains(text.Trim()))
{
SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, operation.Parameters[i].Name, " " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Response Text Contains: " + text + " - Status Code: " + vuln.statusCode);
vulnFoundForParam = true;
break;
}
}
}
}
}
else
{
foreach (string text in vuln.response)
{
//if (System.Text.RegularExpressions.Regex.IsMatch(wsInvoker.ResultString.Trim(), text.Trim(), System.Text.RegularExpressions.RegexOptions.IgnoreCase))
if (wsInvoker.ResultString.Trim().Contains(text.Trim()))
{
// Vulnerability Found
SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, operation.Parameters[i].Name, " " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Response Text Contains: " + text);
vulnFoundForParam = true;
break;
}
}
}
if (vulnFoundForParam)
{
break;
}
}
}
paramIndexToTest++;
}
}
