/// <summary>
/// Bu fonksiyon taramada bulunan zafiyet sayısını döndürür.
/// This function returns found vulnerability count.
/// </summary>
/// <param name="manager">W3afManager Instance</param>
/// <returns></returns>
private static int GetScanVulnerabilitiesCount(W3afManager manager)
{
try
{
int VulnerabilityCount = 0;
string id = GetScanID(manager);
if (id != null)
{
Vulnerabilities vuln = ScanController.GetScanVulnerabilities(manager, id);
foreach (var item in vuln.Items)
{
VulnerabilityCount = Convert.ToInt32(item.Id);
}
}
else
{
Console.WriteLine("\n\n***Tarama Yok***\n");
}
return(VulnerabilityCount);
}
catch (Exception ex)
{
Console.WriteLine("\nScanView::howScanVulnerabilities\n Exception:" + ex.Message);
return(0);
}
}
private void MainForm_Load(object sender, EventArgs e)
{
vulnerabilities = new Vulnerabilities();
System.Xml.Serialization.XmlSerializer reader = new
System.Xml.Serialization.XmlSerializer(vulnerabilities.GetType());
System.IO.StreamReader file =
new System.IO.StreamReader(System.AppDomain.CurrentDomain.BaseDirectory + @"\..\..\XML\Vulnerabilities.xml");
vulnerabilities = (Vulnerabilities)reader.Deserialize(file);
staticVulnerabilities = new StaticVulnerabilities();
reader = new
System.Xml.Serialization.XmlSerializer(staticVulnerabilities.GetType());
file =
new System.IO.StreamReader(System.AppDomain.CurrentDomain.BaseDirectory + @"\..\..\XML\StaticVulnerabilities.xml");
staticVulnerabilities = (StaticVulnerabilities)reader.Deserialize(file);
disclosureVulnerabilities = new DisclosureVulnerabilities();
reader = new
System.Xml.Serialization.XmlSerializer(disclosureVulnerabilities.GetType());
file =
new System.IO.StreamReader(System.AppDomain.CurrentDomain.BaseDirectory + @"\..\..\XML\DisclosureVulnerabilities.xml");
disclosureVulnerabilities = (DisclosureVulnerabilities)reader.Deserialize(file);
file.Close();
}
/// <summary>
/// Bu fonksiyon Taramada bulunan zafiyetleri gösterir.
/// This function shows vulnerabilities found in Scan.
/// </summary>
/// <param name="manager"></param>
public static void ShowScanVulnerabilities(W3afManager manager)
{
try
{
string id = GetScanID(manager);
if (id != null)
{
Vulnerabilities vuln = ScanController.GetScanVulnerabilities(manager, id);
foreach (var item in vuln.Items)
{
Console.WriteLine("\nID: " + item.Id +
"\nName: " + item.Name +
"\nHref: " + item.Href +
"\nURL: " + item.Url);
}
}
else
{
Console.WriteLine("\n\n***Tarama Yok***\n");
}
}
catch (Exception ex)
{
Console.WriteLine("\nScanView::howScanVulnerabilities\n Exception:" + ex.Message);
}
}
/// <summary>
/// The check for vulnerabilities.
/// </summary>
/// <param name="browser">
/// The browser.
/// </param>
/// <param name="testCase">
/// The testCase.
/// </param>
/// <param name="testValue">
/// The tested val.
/// </param>
private void CheckForVulnerabilities(
BrowserAbstract browser,
TestCase testCase,
string testValue)
{
// waiting for page to load
browser.WaitForPageLoad(5000);
string alertText;
browser.DismissedIfAlertDisplayed(out alertText);
if (browser.AlertMessageDisplayed.Contains(TestBaseHelper.AttackSignature))
{
// since we use the same browser instance clear the alerts after the issue has been logged
browser.AlertMessageDisplayed.Clear();
// we found one issue
this.vulnerabilityFound = true;
Vulnerabilities.Enqueue(new Vulnerability
{
Title = testCase.TestName,
Level = (int)VulnerabilityLevelEnum.High,
TestedParam = string.Empty,
TestedVal = testValue,
Evidence = "Found by {0}".FormatIc(browser.BrowserType.ToString()),
MatchString = testCase.MatchString,
TestPlugin = GetType().Name
});
}
}
private int CalcDamage(DealDamage damage)
{
// First check for immunities, then resistance, then vulnerability (p. 197 Player's Handbook)
if (Immunities.Contains(damage.DamageType))
{
return(0);
}
int actualHpDamage = damage.Hp;
// Resistances and vulnerabilities do not stack, so one does as much as multiple.
if (Resistances.Contains(damage.DamageType))
{
actualHpDamage /= 2; // integer division correctly rounds down
}
// It is technically possible to have a resistance and a vulnerability for the same damage type.
// https://rpg.stackexchange.com/a/167448
if (Vulnerabilities.Contains(damage.DamageType))
{
actualHpDamage *= 2;
}
return(actualHpDamage);
// Possible future refactor: It's a little bit inefficient to check all of the
// lists every time, especially since this function is called from in a loop.
}
/// <summary>
/// Overriding the Check Vulnerability implementation because we just want to look in the response headers.
/// </summary>
/// <param name="webRequestContext">
/// The web Request Context.
/// </param>
/// <param name="testcase">
/// The test case.
/// </param>
/// <param name="testedParam">
/// The tested Parameter.
/// </param>
/// <param name="testValue">
/// The tested Val.
/// </param>
/// <seealso cref="M:BackScatterScannerLib.Engine.TestBase.CheckForVuln(WebRequestContext,TestCase,string,string)"/>
protected override void CheckForVulnerabilities(
WebRequestContext webRequestContext,
TestCase testcase,
string testedParam,
string testValue)
{
HttpWebResponseHolder response = webRequestContext.ResponseHolder;
var fromHeaderValue = response.Headers["From"];
if (response.Headers == null ||
string.IsNullOrWhiteSpace(fromHeaderValue))
{
return;
}
// Have we injected a from header and does it contain the domain we are attempting to redirect to?
if (fromHeaderValue.IndexOf("*****@*****.**", StringComparison.InvariantCultureIgnoreCase) > -1)
{
Vulnerabilities.Enqueue(new Vulnerability
{
Title = "HTTP Response Splitting - Newline Injection",
Level = (int)VulnerabilityLevelEnum.High,
TestedParam = testedParam,
TestedVal = testValue,
HttpResponse = response,
Evidence = $"From : {fromHeaderValue}",
MatchString = testcase.MatchString,
TestPlugin = GetType().Name
});
}
}
private void RemoveRelated([NotNull] IWeakness weakness)
{
RemoveRelatedForEntities(weakness);
RemoveRelatedForDataFlows(weakness);
var vulnerabilities = Vulnerabilities?.Where(x => x.WeaknessId == weakness.Id).ToArray();
if (vulnerabilities?.Any() ?? false)
{
foreach (var vulnerability in vulnerabilities)
{
RemoveVulnerability(vulnerability.Id);
}
}
}
private void SetVulnerabilityText()
{
foreach (var item in CaseEdit.VulnerabilityList)
{
VulnerabilityText += Vulnerabilities.Where(r => r.Id == item).Select(r => r.Name + ", ").First();
}
if (!string.IsNullOrWhiteSpace(VulnerabilityText))
{
VulnerabilityText = VulnerabilityText.Substring(0, VulnerabilityText.Length - 2);
}
if (string.IsNullOrWhiteSpace(VulnerabilityText))
{
VulnerabilityText = "n/a";
}
}
/// <inheritdoc/>
protected override void CheckForVulnerabilities(
WebRequestContext webRequestContext,
TestCase testcase,
string testedParam,
string testValue)
{
if (webRequestContext.Browser.AlertMessageDisplayed.Contains(TestBaseHelper.AttackSignature))
{
Vulnerabilities.Enqueue(new Vulnerability
{
Title = testcase.TestName,
Level = (int)VulnerabilityLevelEnum.High,
TestedParam = testedParam,
TestedVal = testValue,
HttpResponse = webRequestContext.ResponseHolder,
Evidence = $"Found by {webRequestContext.Browser.BrowserType}",
MatchString = testcase.MatchString,
TestPlugin = GetType().Name
});
}
}
private void MainForm_Load(object sender, EventArgs e)
{
// no smaller than design time size
this.MinimumSize = new System.Drawing.Size(this.Width, this.Height);
// no larger than screen size
this.MaximumSize = new System.Drawing.Size(Screen.PrimaryScreen.Bounds.Width, Screen.PrimaryScreen.Bounds.Height);
this.AutoSize = true;
this.AutoSizeMode = AutoSizeMode.GrowAndShrink;
vulnerabilities = new Vulnerabilities();
System.Xml.Serialization.XmlSerializer reader = new
System.Xml.Serialization.XmlSerializer(vulnerabilities.GetType());
System.IO.StreamReader file =
new System.IO.StreamReader(System.AppDomain.CurrentDomain.BaseDirectory + @"\..\..\XML\Vulnerabilities.xml");
vulnerabilities = (Vulnerabilities)reader.Deserialize(file);
staticVulnerabilities = new StaticVulnerabilities();
reader = new
System.Xml.Serialization.XmlSerializer(staticVulnerabilities.GetType());
file =
new System.IO.StreamReader(System.AppDomain.CurrentDomain.BaseDirectory + @"\..\..\XML\StaticVulnerabilities.xml");
staticVulnerabilities = (StaticVulnerabilities)reader.Deserialize(file);
disclosureVulnerabilities = new DisclosureVulnerabilities();
reader = new
System.Xml.Serialization.XmlSerializer(disclosureVulnerabilities.GetType());
file =
new System.IO.StreamReader(System.AppDomain.CurrentDomain.BaseDirectory + @"\..\..\XML\DisclosureVulnerabilities.xml");
disclosureVulnerabilities = (DisclosureVulnerabilities)reader.Deserialize(file);
file.Close();
}
/// <summary>
/// The inspect response.
/// </summary>
/// <param name="requestTarget">
/// The request target.
/// </param>
/// <param name="responseTarget">
/// The response target.
/// </param>
/// <param name="response">
/// The current response.
/// </param>
/// <param name="plugIn">
/// The plug in.
/// </param>
/// <param name="testCase">
/// The test case.
/// </param>
/// <param name="testParameter">
/// The tested parameter.
/// </param>
/// <param name="testValue">
/// The tested val.
/// </param>
public override void InspectResponse(
ITarget requestTarget,
ITarget responseTarget,
HttpWebResponseHolder response,
string plugIn,
TestCase testCase,
string testParameter,
string testValue)
{
string accessControlAllowOrigin = response.Headers["Access-Control-Allow-Origin"];
if (!string.IsNullOrWhiteSpace(accessControlAllowOrigin) &&
accessControlAllowOrigin.IndexOf("*", StringComparison.InvariantCultureIgnoreCase) != -1)
{
bool matchFound = false;
foreach (string allowedDomain in this.whiteListDomains)
{
if (Regex.Match(accessControlAllowOrigin, allowedDomain).Success)
{
matchFound = true;
break;
}
}
if (!matchFound)
{
Vulnerabilities.Enqueue(new Vulnerability
{
TestPlugin = GetType().Name + " (via " + plugIn + ")",
Title = "Access-Control-Allow-Origin has wildcard for domain not in WebSec white list",
Level = (int)VulnerabilityLevelEnum.Low,
Evidence = accessControlAllowOrigin,
HttpResponse = response
});
}
}
}
/// <summary>
/// The inspect response.
/// </summary>
/// <param name="requestTarget">
/// The request target.
/// </param>
/// <param name="responseTarget">
/// The response target.
/// </param>
/// <param name="response">
/// The current response.
/// </param>
/// <param name="plugIn">
/// The plug in.
/// </param>
/// <param name="testCase">
/// The test case.
/// </param>
/// <param name="testParameter">
/// The tested parameter.
/// </param>
/// <param name="testValue">
/// The tested val.
/// </param>
public override void InspectResponse(
ITarget requestTarget,
ITarget responseTarget,
HttpWebResponseHolder response,
string plugIn,
TestCase testCase,
string testParameter,
string testValue)
{
string accessControlAllowMethods = response.Headers["Access-Control-Allow-Methods"];
if (!string.IsNullOrWhiteSpace(accessControlAllowMethods) &&
accessControlAllowMethods.ContainsAnyOi(new[] { "put", "delete", "options" }))
{
Vulnerabilities.Enqueue(new Vulnerability
{
TestPlugin = GetType().Name + " (via " + plugIn + ")",
Title = "Access-Control-Allow-Methods allows methods other than GET and POST",
Level = (int)VulnerabilityLevelEnum.Low,
Evidence = accessControlAllowMethods,
HttpResponse = response
});
}
}
private bool IsVulnerable(DamageType damageType)
{
return(Vulnerabilities.Contains(damageType));
}
public string VulnerabilitiesLabel() => Vulnerabilities?.Count > 0 ? EnumerableToCSV(Vulnerabilities.Select(i => ((Constants.DamageTypes)i).ToString())) : "None";
private bool IsUsed([NotNull] IWeakness weakness)
{
return((_entities?.Any(x => x.Vulnerabilities?.Any(y => y.WeaknessId == weakness.Id) ?? false) ?? false) ||
(_dataFlows?.Any(x => x.Vulnerabilities?.Any(y => y.WeaknessId == weakness.Id) ?? false) ?? false) ||
(Vulnerabilities?.Any(x => x.WeaknessId == weakness.Id) ?? false));
}
public void Setup()
{
_file = new FileInfo(@"..\..\..\src\Resources\npmrepository.json").FullName;
_vulners = Vulnerabilities.LoadFromFile(_file).Result;
}
public void AddVulnerability(DamageTypes damageType)
{
Vulnerabilities.Add(damageType);
}
