Ejemplo n.º 1
0
        public List <WSOperation> GetOperations()
        {
            List <WSOperation> lst = new List <WSOperation>();

            if (serviceDescription != null)
            {
                foreach (Service ser in serviceDescription.Services)
                {
                    String webServiceName = ser.Name.ToString();
                    foreach (Port port in ser.Ports)
                    {
                        string  portName = port.Name;
                        string  binding  = port.Binding.Name;
                        Binding bind     = bindColl[binding];

                        if (bind != null)
                        {
                            PortType portTyp = portTypColl[bind.Type.Name];

                            foreach (Operation op in portTyp.Operations)
                            {
                                WSOperation operObj = new WSOperation();
                                operObj.ClassName  = webServiceName;
                                operObj.MethodName = op.Name;

                                if (lst.Where(it => it.ClassName.Equals(operObj.ClassName) && it.MethodName.Equals(operObj.MethodName)).Count() == 0)
                                {
                                    OperationMessageCollection opMsgColl = op.Messages;
                                    OperationInput             opInput   = opMsgColl.Input;
                                    OperationOutput            opOutput  = opMsgColl.Output;
                                    string inputMsg  = opInput.Message.Name;
                                    string outputMsg = opOutput.Message.Name;

                                    Message            msgInput   = msgColl[inputMsg];
                                    List <WSParameter> InputParam = GetParameters(msgInput);

                                    Message            msgOutput    = msgColl[outputMsg];
                                    List <WSParameter> OutputParams = GetParameters(msgOutput);

                                    operObj.Parameters = InputParam;
                                    if (OutputParams != null && OutputParams.Count > 0)
                                    {
                                        operObj.ReturnType = OutputParams[0].TypeName;
                                    }

                                    lst.Add(operObj);
                                }
                            }
                        }
                    }
                }
            }
            return(lst);
        }
Ejemplo n.º 2
0
 public void ScanVulnerabilities(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln,
                                 string targetNameSpace, WSDescriber wsDesc, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject,
                                 bool isDebug, ref List <Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags, string customRequestHeader)
 {
     if (vuln.id == 1) // check authentication
     {
         CheckUnAuthenticatedMethod(wsInvoker, operation, vuln, targetNameSpace, WSItemVulnerabilities, reportObject, isDebug, ref respHeader, customSoapHeaderTags, customSoapBodyTags, customRequestHeader);
     }
     else
     {
         CheckVulnsExceptAuth(wsInvoker, operation, vuln, targetNameSpace, wsDesc, WSItemVulnerabilities, reportObject, isDebug, ref respHeader, customSoapHeaderTags, customSoapBodyTags, customRequestHeader);
     }
 }
Ejemplo n.º 3
0
        private void SetVuln(WebServiceToInvoke wsInvoker, WSDescriberForReport WSItemVulnerabilities,
                             VulnerabilitiesVulnerability vuln, WSOperation operation, string payload, string paramName, string logStr)
        {
            mainForm.Log(logStr, FontStyle.Bold, true, false);
            VulnerabilityForReport vulnRep = new VulnerabilityForReport();

            vulnRep.Vuln = vuln;
            vulnRep.VulnerableMethodName = operation.MethodName;
            vulnRep.VulnerableParamName  = paramName;
            vulnRep.Payload    = payload;
            vulnRep.Response   = wsInvoker.ResultString;
            vulnRep.StatusCode = wsInvoker.StatusCode.ToString();

            WSItemVulnerabilities.Vulns.Add(vulnRep);
        }
Ejemplo n.º 4
0
        public void SetSoapFaultException(WSOperation operation, SoapException soapEx, WSDescriberForReport WSItemVulnerabilities, bool isDebug)
        {
            if (WSItemVulnerabilities.Vulns.Where(v => v.VulnerableMethodName.Equals(operation.MethodName) && v.Vuln.id == 7).Count() <= 0) // aynı method için sadece 1 tane soap fault zafiyeti yaz
            {
                mainForm.Log("   Soap Exception: " + soapEx.ToString(), FontStyle.Regular, isDebug, false);

                VulnerabilityForReport soapFaultVuln = new VulnerabilityForReport();
                soapFaultVuln.Vuln = MainForm.vulnerabilities.Vulnerability.Where(v => v.id == 7).FirstOrDefault();
                soapFaultVuln.VulnerableMethodName = operation.MethodName;
                soapFaultVuln.VulnerableParamName  = "";
                soapFaultVuln.Payload    = "";
                soapFaultVuln.Response   = soapEx.Message;
                soapFaultVuln.StatusCode = "";

                WSItemVulnerabilities.Vulns.Add(soapFaultVuln);
            }
        }
Ejemplo n.º 5
0
        private void CheckUnAuthenticatedMethod(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln,
                                                string targetNameSpace, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject,
                                                bool isDebug, ref List <Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags, string customRequestHeader)
        {
            for (int j = 0; j < operation.Parameters.Count; j++)
            {
                SetParameterDefaultValue(wsInvoker, operation.Parameters[j], isDebug);
            }

            try
            {
                try
                {
                    reportObject.TotalRequestCount++;
                    wsInvoker.InvokeMethod(operation.MethodName, targetNameSpace, null, ref respHeader, customSoapHeaderTags, customSoapBodyTags, customRequestHeader);
                }
                catch (SoapException soapEx)
                {
                    //throw ex;
                    SetSoapFaultException(operation, soapEx, WSItemVulnerabilities, isDebug);
                }
                catch (Exception ex)
                {
                    throw ex;
                }
            }
            finally { wsInvoker.PosInvoke(); }

            if (!vuln.statusCode.Equals(wsInvoker.StatusCode.ToString())) // status code != 401, no redirection
            {
                VulnerabilityForReport authVuln = new VulnerabilityForReport();
                authVuln.Vuln = MainForm.vulnerabilities.Vulnerability.Where(v => v.id == 1).FirstOrDefault();
                authVuln.VulnerableMethodName = operation.MethodName;
                authVuln.VulnerableParamName  = "";
                authVuln.Payload    = "";
                authVuln.Response   = wsInvoker.ResultString;
                authVuln.StatusCode = wsInvoker.StatusCode.ToString();

                WSItemVulnerabilities.Vulns.Add(authVuln);

                mainForm.Log("   Auth Vulnerability Found: " + wsInvoker.ResultString + " - status code is : " + wsInvoker.StatusCode.ToString(), FontStyle.Bold, true, false);
            }
        }
Ejemplo n.º 6
0
        private void CheckVulnsExceptAuth(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln,
                                          string targetNameSpace, WSDescriber wsDesc, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject,
                                          bool isDebug, ref List <Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags, string customRequestHeader)
        {
            int paramIndexToTest = 0;

            for (int i = 0; i < operation.Parameters.Count; i++)
            {
                if (i == paramIndexToTest)
                {
                    foreach (string payload in vuln.request)
                    {
                        bool vulnFoundForParam = false;

                        wsInvoker.AddParameter(operation.Parameters[i].Name, payload.Trim());
                        for (int j = 0; j < operation.Parameters.Count; j++)
                        {
                            if (j != paramIndexToTest)
                            {
                                SetParameterDefaultValue(wsInvoker, operation.Parameters[j], isDebug);
                            }
                        }

                        try
                        {
                            try
                            {
                                reportObject.TotalRequestCount++;
                                wsInvoker.InvokeMethod(operation.MethodName, targetNameSpace, wsDesc, ref respHeader, customSoapHeaderTags, customSoapBodyTags, customRequestHeader);
                            }
                            catch (SoapException soapEx)
                            {
                                SetSoapFaultException(operation, soapEx, WSItemVulnerabilities, isDebug);
                            }
                            catch (Exception ex)
                            {
                                throw ex;
                            }
                        }
                        finally { wsInvoker.PosInvoke(); }

                        mainForm.Log("   StatusCode: " + wsInvoker.StatusCode, FontStyle.Regular, isDebug, false);
                        mainForm.Log("   Result: " + wsInvoker.ResultString, FontStyle.Regular, isDebug, false);

                        if (!string.IsNullOrEmpty(vuln.statusCode))
                        {
                            if (vuln.statusCode.Equals(wsInvoker.StatusCode.ToString()))
                            {
                                if (vuln.response == null || vuln.response.Count() == 0)
                                {
                                    SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, operation.Parameters[i].Name, "   " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Status Code: " + vuln.statusCode);
                                    vulnFoundForParam = true;
                                }
                                else
                                {
                                    foreach (string text in vuln.response)
                                    {
                                        if (wsInvoker.ResultString.Trim().Contains(text.Trim()))
                                        {
                                            SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, operation.Parameters[i].Name, "   " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Response Text Contains: " + text + " - Status Code: " + vuln.statusCode);
                                            vulnFoundForParam = true;
                                            break;
                                        }
                                    }
                                }
                            }
                        }
                        else
                        {
                            foreach (string text in vuln.response)
                            {
                                //if (System.Text.RegularExpressions.Regex.IsMatch(wsInvoker.ResultString.Trim(), text.Trim(), System.Text.RegularExpressions.RegexOptions.IgnoreCase))
                                if (wsInvoker.ResultString.Trim().Contains(text.Trim()))
                                {
                                    // Vulnerability Found
                                    SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, operation.Parameters[i].Name, "   " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Response Text Contains: " + text);
                                    vulnFoundForParam = true;
                                    break;
                                }
                            }
                        }
                        if (vulnFoundForParam)
                        {
                            break;
                        }
                    }
                }
                paramIndexToTest++;
            }
        }