public void ScanVulnerabilities(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln,
string targetNameSpace, WSDescriber wsDesc, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject,
bool isDebug, ref List<Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags)
{
if (vuln.id == 1) // check authentication
{
CheckUnAuthenticatedMethod(wsInvoker, operation, vuln, targetNameSpace, WSItemVulnerabilities, reportObject, isDebug, ref respHeader, customSoapHeaderTags, customSoapBodyTags);
}
else
{
CheckVulnsExceptAuth(wsInvoker, operation, vuln, targetNameSpace, wsDesc, WSItemVulnerabilities, reportObject, isDebug, ref respHeader, customSoapHeaderTags, customSoapBodyTags);
}
}
public void ScanVulnerabilities(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln,
string targetNameSpace, WSDescriber wsDesc, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject,
bool isDebug, ref List <Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags, string customRequestHeader)
{
if (vuln.id == 1) // check authentication
{
CheckUnAuthenticatedMethod(wsInvoker, operation, vuln, targetNameSpace, WSItemVulnerabilities, reportObject, isDebug, ref respHeader, customSoapHeaderTags, customSoapBodyTags, customRequestHeader);
}
else
{
CheckVulnsExceptAuth(wsInvoker, operation, vuln, targetNameSpace, wsDesc, WSItemVulnerabilities, reportObject, isDebug, ref respHeader, customSoapHeaderTags, customSoapBodyTags, customRequestHeader);
}
}
private void SetVuln(WebServiceToInvoke wsInvoker, WSDescriberForReport WSItemVulnerabilities,
VulnerabilitiesVulnerability vuln, WSOperation operation, string payload, string paramName, string logStr)
{
mainForm.Log(logStr, FontStyle.Bold, true, false);
VulnerabilityForReport vulnRep = new VulnerabilityForReport();
vulnRep.Vuln = vuln;
vulnRep.VulnerableMethodName = operation.MethodName;
vulnRep.VulnerableParamName = paramName;
vulnRep.Payload = payload;
vulnRep.Response = wsInvoker.ResultString;
vulnRep.StatusCode = wsInvoker.StatusCode.ToString();
WSItemVulnerabilities.Vulns.Add(vulnRep);
}
private void CheckUnAuthenticatedMethod(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln,
string targetNameSpace, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject,
bool isDebug, ref List <Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags, string customRequestHeader)
{
for (int j = 0; j < operation.Parameters.Count; j++)
{
SetParameterDefaultValue(wsInvoker, operation.Parameters[j], isDebug);
}
try
{
try
{
reportObject.TotalRequestCount++;
wsInvoker.InvokeMethod(operation.MethodName, targetNameSpace, null, ref respHeader, customSoapHeaderTags, customSoapBodyTags, customRequestHeader);
}
catch (SoapException soapEx)
{
//throw ex;
SetSoapFaultException(operation, soapEx, WSItemVulnerabilities, isDebug);
}
catch (Exception ex)
{
throw ex;
}
}
finally { wsInvoker.PosInvoke(); }
if (!vuln.statusCode.Equals(wsInvoker.StatusCode.ToString())) // status code != 401, no redirection
{
VulnerabilityForReport authVuln = new VulnerabilityForReport();
authVuln.Vuln = MainForm.vulnerabilities.Vulnerability.Where(v => v.id == 1).FirstOrDefault();
authVuln.VulnerableMethodName = operation.MethodName;
authVuln.VulnerableParamName = "";
authVuln.Payload = "";
authVuln.Response = wsInvoker.ResultString;
authVuln.StatusCode = wsInvoker.StatusCode.ToString();
WSItemVulnerabilities.Vulns.Add(authVuln);
mainForm.Log(" Auth Vulnerability Found: " + wsInvoker.ResultString + " - status code is : " + wsInvoker.StatusCode.ToString(), FontStyle.Bold, true, false);
}
}
private void CheckUnAuthenticatedMethod(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln,
string targetNameSpace, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject,
bool isDebug, ref List<Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags)
{
for (int j = 0; j < operation.Parameters.Count; j++)
{
SetParameterDefaultValue(wsInvoker, operation.Parameters[j], isDebug);
}
try
{
try
{
reportObject.TotalRequestCount++;
wsInvoker.InvokeMethod(operation.MethodName, targetNameSpace, null, ref respHeader, customSoapHeaderTags, customSoapBodyTags);
}
catch (SoapException soapEx)
{
//throw ex;
SetSoapFaultException(operation, soapEx, WSItemVulnerabilities, isDebug);
}
catch (Exception ex)
{
throw ex;
}
}
finally { wsInvoker.PosInvoke(); }
if (!vuln.statusCode.Equals(wsInvoker.StatusCode.ToString())) // status code is not 401, no redirect
{
VulnerabilityForReport authVuln = new VulnerabilityForReport();
authVuln.Vuln = MainForm.vulnerabilities.Vulnerability.Where(v => v.id == 1).FirstOrDefault();
authVuln.VulnerableMethodName = operation.MethodName;
authVuln.VulnerableParamName = "";
authVuln.Payload = "";
authVuln.Response = wsInvoker.ResultString;
authVuln.StatusCode = wsInvoker.StatusCode.ToString();
WSItemVulnerabilities.Vulns.Add(authVuln);
mainForm.Log(" Auth Vulnerability Found: " + wsInvoker.ResultString + " - status code is : " + wsInvoker.StatusCode.ToString(), FontStyle.Bold, true);
}
}
private void SetParameterDefaultValue(WebServiceToInvoke wsInvoker, WSParameter wSParameter, bool isDebug)
{
switch (wSParameter.TypeName)
{
case "int":
mainForm.Log(" " + wSParameter.Name + " - " + wSParameter.TypeName + ":" + DefaultValues.IntDefaultVal, FontStyle.Regular, isDebug, false);
wsInvoker.AddParameter(wSParameter.Name, DefaultValues.IntDefaultVal);
break;
case "string":
mainForm.Log(" " + wSParameter.Name + " - " + wSParameter.TypeName + ":" + DefaultValues.StringDefaultVal, FontStyle.Regular, isDebug, false);
wsInvoker.AddParameter(wSParameter.Name, DefaultValues.StringDefaultVal);
break;
case "double":
mainForm.Log(" " + wSParameter.Name + " - " + wSParameter.TypeName + ":" + DefaultValues.DoubleDefaultVal, FontStyle.Regular, isDebug, false);
wsInvoker.AddParameter(wSParameter.Name, DefaultValues.DoubleDefaultVal);
break;
case "decimal":
mainForm.Log(" " + wSParameter.Name + " - " + wSParameter.TypeName + ":" + DefaultValues.DecimalDefaultVal, FontStyle.Regular, isDebug, false);
wsInvoker.AddParameter(wSParameter.Name, DefaultValues.DecimalDefaultVal);
break;
case "boolean":
mainForm.Log(" " + wSParameter.Name + " - " + wSParameter.TypeName + ":" + DefaultValues.BooleanDefaultVal, FontStyle.Regular, isDebug, false);
wsInvoker.AddParameter(wSParameter.Name, DefaultValues.BooleanDefaultVal);
break;
case "bool":
mainForm.Log(" " + wSParameter.Name + " - " + wSParameter.TypeName + ":" + DefaultValues.BooleanDefaultVal, FontStyle.Regular, isDebug, false);
wsInvoker.AddParameter(wSParameter.Name, DefaultValues.BooleanDefaultVal);
break;
default:
mainForm.Log(" " + wSParameter.Name + " - " + wSParameter.TypeName + ":" + DefaultValues.StringDefaultVal, FontStyle.Regular, isDebug, false);
wsInvoker.AddParameter(wSParameter.Name, DefaultValues.StringDefaultVal);
break;
}
}
private void CheckVulnsExceptAuth(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln,
string targetNameSpace, WSDescriber wsDesc, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject,
bool isDebug, ref List <Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags, string customRequestHeader)
{
int paramIndexToTest = 0;
for (int i = 0; i < operation.Parameters.Count; i++)
{
if (i == paramIndexToTest)
{
foreach (string payload in vuln.request)
{
bool vulnFoundForParam = false;
wsInvoker.AddParameter(operation.Parameters[i].Name, payload.Trim());
for (int j = 0; j < operation.Parameters.Count; j++)
{
if (j != paramIndexToTest)
{
SetParameterDefaultValue(wsInvoker, operation.Parameters[j], isDebug);
}
}
try
{
try
{
reportObject.TotalRequestCount++;
wsInvoker.InvokeMethod(operation.MethodName, targetNameSpace, wsDesc, ref respHeader, customSoapHeaderTags, customSoapBodyTags, customRequestHeader);
}
catch (SoapException soapEx)
{
SetSoapFaultException(operation, soapEx, WSItemVulnerabilities, isDebug);
}
catch (Exception ex)
{
throw ex;
}
}
finally { wsInvoker.PosInvoke(); }
mainForm.Log(" StatusCode: " + wsInvoker.StatusCode, FontStyle.Regular, isDebug, false);
mainForm.Log(" Result: " + wsInvoker.ResultString, FontStyle.Regular, isDebug, false);
if (!string.IsNullOrEmpty(vuln.statusCode))
{
if (vuln.statusCode.Equals(wsInvoker.StatusCode.ToString()))
{
if (vuln.response == null || vuln.response.Count() == 0)
{
SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, operation.Parameters[i].Name, " " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Status Code: " + vuln.statusCode);
vulnFoundForParam = true;
}
else
{
foreach (string text in vuln.response)
{
if (wsInvoker.ResultString.Trim().Contains(text.Trim()))
{
SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, operation.Parameters[i].Name, " " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Response Text Contains: " + text + " - Status Code: " + vuln.statusCode);
vulnFoundForParam = true;
break;
}
}
}
}
}
else
{
foreach (string text in vuln.response)
{
//if (System.Text.RegularExpressions.Regex.IsMatch(wsInvoker.ResultString.Trim(), text.Trim(), System.Text.RegularExpressions.RegexOptions.IgnoreCase))
if (wsInvoker.ResultString.Trim().Contains(text.Trim()))
{
// Vulnerability Found
SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, operation.Parameters[i].Name, " " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Response Text Contains: " + text);
vulnFoundForParam = true;
break;
}
}
}
if (vulnFoundForParam)
{
break;
}
}
}
paramIndexToTest++;
}
}
private void SetVuln(WebServiceToInvoke wsInvoker, WSDescriberForReport WSItemVulnerabilities,
VulnerabilitiesVulnerability vuln, WSOperation operation, string payload, string paramName, string logStr)
{
mainForm.Log(logStr, FontStyle.Bold, true);
VulnerabilityForReport vulnRep = new VulnerabilityForReport();
vulnRep.Vuln = vuln;
vulnRep.VulnerableMethodName = operation.MethodName;
vulnRep.VulnerableParamName = paramName;
vulnRep.Payload = payload;
vulnRep.Response = wsInvoker.ResultString;
vulnRep.StatusCode = wsInvoker.StatusCode.ToString();
WSItemVulnerabilities.Vulns.Add(vulnRep);
}
private void SetParameterDefaultValue(WebServiceToInvoke wsInvoker, WSParameter wSParameter, bool isDebug)
{
switch (wSParameter.TypeName)
{
case "int":
mainForm.Log(" " + wSParameter.Name + " - " + wSParameter.TypeName + ":" + DefaultValues.IntDefaultVal, FontStyle.Regular, isDebug);
wsInvoker.AddParameter(wSParameter.Name, DefaultValues.IntDefaultVal);
break;
case "string":
mainForm.Log(" " + wSParameter.Name + " - " + wSParameter.TypeName + ":" + DefaultValues.StringDefaultVal, FontStyle.Regular, isDebug);
wsInvoker.AddParameter(wSParameter.Name, DefaultValues.StringDefaultVal);
break;
case "double":
mainForm.Log(" " + wSParameter.Name + " - " + wSParameter.TypeName + ":" + DefaultValues.DoubleDefaultVal, FontStyle.Regular, isDebug);
wsInvoker.AddParameter(wSParameter.Name, DefaultValues.DoubleDefaultVal);
break;
case "decimal":
mainForm.Log(" " + wSParameter.Name + " - " + wSParameter.TypeName + ":" + DefaultValues.DecimalDefaultVal, FontStyle.Regular, isDebug);
wsInvoker.AddParameter(wSParameter.Name, DefaultValues.DecimalDefaultVal);
break;
case "boolean":
mainForm.Log(" " + wSParameter.Name + " - " + wSParameter.TypeName + ":" + DefaultValues.BooleanDefaultVal, FontStyle.Regular, isDebug);
wsInvoker.AddParameter(wSParameter.Name, DefaultValues.BooleanDefaultVal);
break;
case "bool":
mainForm.Log(" " + wSParameter.Name + " - " + wSParameter.TypeName + ":" + DefaultValues.BooleanDefaultVal, FontStyle.Regular, isDebug);
wsInvoker.AddParameter(wSParameter.Name, DefaultValues.BooleanDefaultVal);
break;
default:
mainForm.Log(" " + wSParameter.Name + " - " + wSParameter.TypeName + ":" + DefaultValues.StringDefaultVal, FontStyle.Regular, isDebug);
wsInvoker.AddParameter(wSParameter.Name, DefaultValues.StringDefaultVal);
break;
}
}
private void CheckVulnsExceptAuth(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln,
string targetNameSpace, WSDescriber wsDesc, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject,
bool isDebug, ref List<Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags)
{
int paramIndexToTest = 0;
for (int i = 0; i < operation.Parameters.Count; i++)
{
if (i == paramIndexToTest)
{
foreach (string payload in vuln.request)
{
bool vulnFoundForParam = false;
wsInvoker.AddParameter(operation.Parameters[i].Name, payload.Trim());
for (int j = 0; j < operation.Parameters.Count; j++)
{
if (j != paramIndexToTest)
{
SetParameterDefaultValue(wsInvoker, operation.Parameters[j], isDebug);
}
}
try
{
try
{
reportObject.TotalRequestCount++;
wsInvoker.InvokeMethod(operation.MethodName, targetNameSpace, wsDesc, ref respHeader, customSoapHeaderTags, customSoapBodyTags);
}
catch (SoapException soapEx)
{
SetSoapFaultException(operation, soapEx, WSItemVulnerabilities, isDebug);
}
catch (Exception ex)
{
throw ex;
}
}
finally { wsInvoker.PosInvoke(); }
mainForm.Log(" StatusCode: " + wsInvoker.StatusCode, FontStyle.Regular, isDebug);
mainForm.Log(" Result: " + wsInvoker.ResultString, FontStyle.Regular, isDebug);
if (!string.IsNullOrEmpty(vuln.statusCode))
{
if (vuln.statusCode.Equals(wsInvoker.StatusCode.ToString()))
{
if (vuln.response == null || vuln.response.Count() == 0)
{
SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, operation.Parameters[i].Name, " " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Status Code: " + vuln.statusCode);
vulnFoundForParam = true;
}
else
{
foreach (string text in vuln.response)
{
if (wsInvoker.ResultString.Trim().Contains(text.Trim()))
{
SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, operation.Parameters[i].Name, " " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Response Text Contains: " + text + " - Status Code: " + vuln.statusCode);
vulnFoundForParam = true;
break;
}
}
}
}
}
else
{
foreach (string text in vuln.response)
{
//if (System.Text.RegularExpressions.Regex.IsMatch(wsInvoker.ResultString.Trim(), text.Trim(), System.Text.RegularExpressions.RegexOptions.IgnoreCase))
if (wsInvoker.ResultString.Trim().Contains(text.Trim()))
{
// Vulnerability Found
SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, operation.Parameters[i].Name, " " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Response Text Contains: " + text);
vulnFoundForParam = true;
break;
}
}
}
if (vulnFoundForParam)
{
break;
}
}
}
paramIndexToTest++;
}
}
private void btnScan_Click(object sender, EventArgs e)
{
if (services != null && services.Count > 0)
{
lvResult.Items.Clear();
scanDirectory = DirectoryHelper.GetScanDirectoryName();
DirectoryHelper.CreateScanDirectory(scanDirectory);
ReportObject reportObject = new ReportObject();
reportObject.ScanStartDate = DateTime.Now;
reportObject.WsDescs = new List<WSDescriberForReport>();
reportObject.TotalRequestCount = 0;
Log("Scan Started: " + reportObject.ScanStartDate.ToString("dd.MM.yyyy HH:mm:ss"), FontStyle.Bold, true);
foreach (WSDescriber wsDesc in services)
{
WSDescriberForReport WSItemVulnerabilities = new WSDescriberForReport();
WSItemVulnerabilities.WsDesc = wsDesc;
WSItemVulnerabilities.Vulns = new List<VulnerabilityForReport>();
WSItemVulnerabilities.StaticVulns = new List<StaticVulnerabilityForReport>();
WSItemVulnerabilities.InfoVulns = new List<DisclosureVulnerabilityForReport>();
Log("WSDL Address: " + wsDesc.WSDLAddress, FontStyle.Bold, true);
Log("Parsing WSDL...", FontStyle.Regular, true);
List<Param> respHeader = new List<Param>();
bool untrustedSSLSecureChannel = false;
Parser parser = new Parser(wsDesc, ref untrustedSSLSecureChannel, ref respHeader);
if (chkStaticScan.Checked)
{
Log("Static Analysis Started", FontStyle.Regular, true);
StaticVulnerabilityScanner svs = new StaticVulnerabilityScanner();
foreach (StaticVulnerabilitiesStaticVulnerability staticVuln in staticVulnerabilities.StaticVulnerability)
{
Log(" Testing: " + staticVuln.title, FontStyle.Regular, chkDebug.Checked);
string staticScanRes = svs.ScanIt(staticVuln, parser.rawWSDL);
if (!string.IsNullOrEmpty(staticScanRes))
{
Log(" " + staticVuln.title + " Vulnerability Found: " + staticScanRes, FontStyle.Bold, true);
StaticVulnerabilityForReport vulnRep = new StaticVulnerabilityForReport();
vulnRep.Vuln = staticVuln;
vulnRep.XMLLine = staticScanRes;
WSItemVulnerabilities.StaticVulns.Add(vulnRep);
}
}
Log("Static Analysis Finished", FontStyle.Regular, true);
}
if (chkDynamicScan.Checked)
{
Log("Getting Methods...", FontStyle.Regular, true);
List<WSOperation> operations = parser.GetOperations();
WebServiceToInvoke wsInvoker = new WebServiceToInvoke(wsDesc.WSDLAddress.Replace("?WSDL", ""));
if (!wsDesc.WSUri.Scheme.Equals("https"))
{
Log(" Vulnerability Found - SSL Not Used, Uri Schema is " + wsDesc.WSUri.Scheme, FontStyle.Bold, true);
AddSSLRelatedVulnerability(WSItemVulnerabilities, 0);
}
else
{
if (untrustedSSLSecureChannel)
{
Log(" Vulnerability Found - Could not establish trust relationship for the SSL/TLS secure channel.", FontStyle.Bold, true);
AddSSLRelatedVulnerability(WSItemVulnerabilities, -1);
}
}
DynamicVulnerabilityScanner dynScn = new DynamicVulnerabilityScanner(this);
foreach (WSOperation operation in operations)
{
Log("Method: " + operation.MethodName, FontStyle.Regular, chkDebug.Checked);
foreach (VulnerabilitiesVulnerability vuln in vulnerabilities.Vulnerability)
{
if (vuln.id != 0 && vuln.id != 7) // 0 for insecure transport - ssl not used , 7 for verbose soap fault message
{
wsInvoker.PreInvoke();
Log(" Testing: " + vuln.title, FontStyle.Regular, chkDebug.Checked);
Log(" Parameter Count: " + operation.Parameters.Count, FontStyle.Regular, chkDebug.Checked);
try
{
dynScn.ScanVulnerabilities(wsInvoker, operation, vuln, parser.TargetNameSpace, wsDesc, WSItemVulnerabilities, reportObject,
chkDebug.Checked, ref respHeader, txtCustomSoapHeaderTags.Text.Trim(), txtCustomSoapBodyTags.Text.Trim());
}
catch (System.Web.Services.Protocols.SoapException soapEx)
{
dynScn.SetSoapFaultException(operation, soapEx, WSItemVulnerabilities, chkDebug.Checked);
}
catch (Exception ex)
{
Log(" Exception: " + ex.ToString(), FontStyle.Regular, chkDebug.Checked);
}
}
}
}
}
if (chkInfoDisclosure.Checked)
{
Log("Information Disclosure Analysis Started", FontStyle.Regular, true);
InformationDisclosureVulnerabilityScanner idvs = new InformationDisclosureVulnerabilityScanner(this);
foreach (InformationDisclosureVulnerability infoVuln in disclosureVulnerabilities.Vulnerability)
{
Log(" Searching Response Header: " + infoVuln.title, FontStyle.Regular, chkDebug.Checked);
string infoScanRes = idvs.ScanIt(infoVuln, respHeader);
if (!string.IsNullOrEmpty(infoScanRes))
{
Log(" " + infoVuln.title + " Information Disclosure Found: " + infoScanRes, FontStyle.Bold, true);
DisclosureVulnerabilityForReport vulnRep = new DisclosureVulnerabilityForReport();
vulnRep.Vuln = infoVuln;
vulnRep.Value = infoScanRes;
WSItemVulnerabilities.InfoVulns.Add(vulnRep);
}
}
Log("Information Disclosure Analysis Finished", FontStyle.Regular, true);
}
reportObject.WsDescs.Add(WSItemVulnerabilities);
}
reportObject.ScanEndDate = DateTime.Now;
Log("Scan Finished: " + reportObject.ScanEndDate.ToString("dd.MM.yyyy HH:mm:ss"), FontStyle.Bold, true);
string reportFilePath = scanDirectory + @"\Report\Report.html";
ReportHelper.CreateHTMLReport(reportObject,
System.AppDomain.CurrentDomain.BaseDirectory + @"\ReportTemplates\HTMLReportTemplate.html",
reportFilePath);
Process.Start(reportFilePath);
}
else
{
MessageBox.Show("Please Select WSDL List File!!!");
}
}
