Exemple #1
0
        public TimeBasedCheckResults DoTimeDelayBasedCheck(PayloadGenerator PayloadGen, object OtherInfo, int AverageBaseRoundTrip)
        {
            TimeBasedCheckResults TimeCheckResults = new TimeBasedCheckResults();
            TimeCheckResults.Success = false;

            int DelayTime = 5000;
            if (AverageBaseRoundTrip * 2 > DelayTime)
            {
                DelayTime = AverageBaseRoundTrip * 2;
            }

            string DelayPayload = PayloadGen(DelayTime, OtherInfo);
            this.Scnr.RequestTrace(string.Format("  Injected payload - {0}", DelayPayload));
            Response DelayRes = this.Scnr.Inject(DelayPayload);

            if (DelayRes.RoundTrip < DelayTime)
            {
                this.Scnr.ResponseTrace(string.Format(" ==> Response roundtrip is {0}ms which is less than the {1}ms delay induced in the payload.", DelayRes.RoundTrip, DelayTime));
                return TimeCheckResults;
            }
            else
            {
                this.Scnr.ResponseTrace(string.Format(" ==> Response roundtrip is {0}ms which is more than the {1}ms delay induced in the payload.", DelayRes.RoundTrip, DelayTime));
                this.Scnr.Trace("<i<b>>Doing further checks to determine if this delay was valid or a false positive<i</b>>");
            }

            List<int> SmallDelays = new List<int>();
            List<int> BigDelays = new List<int>();
            int BiggestDelay = 0;
            Request DelayRequest=null;
            Response DelayResponse=null;

            int SmallDelayTime = 1000;
            string SmallDelayPayload = PayloadGen(SmallDelayTime, OtherInfo);
            foreach (int i in new int[] { 0, 1, 2 })
            {
                Thread.Sleep(2000);//To help the server recover from big delay
                this.Scnr.RequestTrace(string.Format("  Injected payload - {0}", SmallDelayPayload));
                SmallDelays.Add(this.Scnr.Inject(SmallDelayPayload).RoundTrip);
                if (SmallDelays[i] < SmallDelayTime)
                {
                    this.Scnr.ResponseTrace(string.Format(" ==> Response roundtrip is {0}ms which is less than the {1}ms delay induced in the payload.", SmallDelays[i], SmallDelayTime));
                    this.Scnr.Trace("<i<b>>Concluding that the earlier delays were False Positives<i</b>>");
                    return TimeCheckResults;
                }
                else
                {
                    this.Scnr.ResponseTrace(string.Format(" ==> Response roundtrip is {0}ms which is more than the {1}ms delay induced in the payload.", SmallDelays[i], SmallDelayTime));
                }

                Thread.Sleep(1000);//To help the server recover from small delay
                this.Scnr.RequestTrace(string.Format("  Injected payload - {0}", DelayPayload));
                Response Res = this.Scnr.Inject(DelayPayload);
                if (Res.RoundTrip >= BiggestDelay)
                {
                    BiggestDelay = Res.RoundTrip;
                    DelayRequest = this.Scnr.InjectedRequest.GetClone();
                    DelayResponse = Res;
                }
                BigDelays.Add(Res.RoundTrip);
                if (BigDelays[i] < DelayTime)
                {
                    this.Scnr.ResponseTrace(string.Format(" ==> Response roundtrip is {0}ms which is less than the {1}ms delay induced in the payload.", BigDelays[i], DelayTime));
                    this.Scnr.Trace("<i<b>>Concluding that the earlier delays were False Positives<i</b>>");
                    return TimeCheckResults;
                }
                else
                {
                    this.Scnr.ResponseTrace(string.Format(" ==> Response roundtrip is {0}ms which is more than the {1}ms delay induced in the payload.", BigDelays[i], DelayTime));
                }
            }

            //Analyze small delays to confirm if this is vulnerable
            int SmallDelayTimeDiffSuccessCount = 0;
            foreach (int i in new int[] { 0, 1, 2 })
            {
                if ((BigDelays[i] - DelayTime) >= (SmallDelays[i] - SmallDelayTime))
                {
                    SmallDelayTimeDiffSuccessCount++;
                }
            }
            if (SmallDelayTimeDiffSuccessCount == 3)
            {
                this.Scnr.Trace(string.Format("<i<cr>>The 3 responses for the payload that induced a delay of {0}ms consistently took atleast {1}ms less than the 3 responses for the payload that induced a delay of {2}ms.<i</cr>>", SmallDelayTime, DelayTime - SmallDelayTime ,DelayTime));
                this.Scnr.Trace("<i<cr>>This strongly indicates that the payloads are causing the delays and they are not false positives.<i</cr>>");
                TimeCheckResults.DelayPayload = DelayPayload;
                TimeCheckResults.DelayInduced = DelayTime;
                TimeCheckResults.DelayObserved = BiggestDelay;
                TimeCheckResults.DelayRequest = DelayRequest;
                TimeCheckResults.DelayResponse = DelayResponse;
                TimeCheckResults.Confidence = FindingConfidence.High;
                TimeCheckResults.AverageBaseTime = this.AvgBaseRoundTrip;
                TimeCheckResults.Success = true;
                return TimeCheckResults;
                //Time delay successful high confidence
            }

            SmallDelayTimeDiffSuccessCount = 0;
            foreach (int i in new int[] { 0, 1, 2 })
            {
                if ((BigDelays[i] - (DelayTime - 1000)) >= (SmallDelays[i] - SmallDelayTime))
                {
                    SmallDelayTimeDiffSuccessCount++;
                }
            }
            if (SmallDelayTimeDiffSuccessCount == 3)
            {
                this.Scnr.Trace(string.Format("<i<cr>>The 3 responses where a delay of {0}ms was induced consistently took atleast {1}ms less than the 3 responses where {2}ms delay was induced.<i</cr>>", SmallDelayTime, DelayTime - 1000 - SmallDelayTime, DelayTime));
                this.Scnr.Trace("<i<cr>>This strongly indicates that the payloads are causing the delays and they are not false positives.<i</cr>>");
                TimeCheckResults.DelayPayload = DelayPayload;
                TimeCheckResults.DelayInduced = DelayTime;
                TimeCheckResults.DelayObserved = BiggestDelay;
                TimeCheckResults.DelayRequest = DelayRequest;
                TimeCheckResults.DelayResponse = DelayResponse;
                TimeCheckResults.Confidence = FindingConfidence.Medium;
                TimeCheckResults.AverageBaseTime = this.AvgBaseRoundTrip;
                TimeCheckResults.Success = true;
                return TimeCheckResults;
                //Time delay successful medium confidence
            }

            SmallDelayTimeDiffSuccessCount = 0;
            foreach (int i in new int[] { 0, 1, 2 })
            {
                if ((BigDelays[i] - DelayTime / 2) >= (SmallDelays[i] - SmallDelayTime))
                {
                    SmallDelayTimeDiffSuccessCount++;
                }
            }
            if (SmallDelayTimeDiffSuccessCount == 3)
            {
                this.Scnr.Trace(string.Format("<i<cr>>The 3 responses where a delay of {0}ms was induced consistently took atleast {1}ms less than the 3 responses where {2}ms delay was induced.<i</cr>>", SmallDelayTime, (DelayTime/2)-SmallDelayTime, DelayTime));
                this.Scnr.Trace("<i<cr>>This strongly indicates that the payloads are causing the delays and they are not false positives.<i</cr>>");
                TimeCheckResults.DelayPayload = DelayPayload;
                TimeCheckResults.DelayInduced = DelayTime;
                TimeCheckResults.DelayObserved = BiggestDelay;
                TimeCheckResults.DelayRequest = DelayRequest;
                TimeCheckResults.DelayResponse = DelayResponse;
                TimeCheckResults.Confidence = FindingConfidence.Low;
                TimeCheckResults.AverageBaseTime = this.AvgBaseRoundTrip;
                TimeCheckResults.Success = true;
                return TimeCheckResults;
                //Time delay successful low confidence
            }
            this.Scnr.Trace("<i<b>>There were no consistent delays based on the injected payloads, so concluding that the earlier delays were false positives.<i</b>>");
            return TimeCheckResults;
        }
Exemple #2
0
        public TimeBasedCheckResults DoTimeDelayBasedCheck(PayloadGenerator PayloadGen, object OtherInfo)
        {
            if (this.AvgBaseRoundTrip < 0)
            {
                this.Scnr.Trace("<i<b>>Sending two requests to find out the normal roundtrip time to be used as baseline<i</b>>");
                //Let's first check the time taken for non-delay payloads
                string NonDelayPayload = PayloadGen(0, OtherInfo);

                Response BaseRes1 = this.Scnr.Inject(NonDelayPayload);
                Response BaseRes2 = this.Scnr.Inject(NonDelayPayload);

                this.AvgBaseRoundTrip = (BaseRes1.RoundTrip + BaseRes2.RoundTrip) / 2;
                this.Scnr.Trace(string.Format("<i<b>>The roundtrip values of the two requests were {0}ms and {1}ms. Their average {2}ms is being used as baseline.<i</b>>", BaseRes1.RoundTrip, BaseRes2.RoundTrip, this.AvgBaseRoundTrip));
            }

            return DoTimeDelayBasedCheck(PayloadGen, OtherInfo, this.AvgBaseRoundTrip);
        }
Exemple #3
0
        public int FindNum(PayloadGenerator PayGenFunction, object Info, Fuzzer F)
        {
            int UpperLimit = 0;
            int LowerLimit = 1;

            string Payload = "";

            bool IsZero = false;
            bool IsOne  = false;

            if (IsPayloadResponseTrue(F, PayGenFunction(Info, "=", "0")))
            {
                IsZero = true;
            }
            if (IsPayloadResponseTrue(F, PayGenFunction(Info, "=", "1")))
            {
                IsOne = true;
            }
            if (IsOne && IsZero)
            {
                throw new Exception("Injection does not work");
            }
            else if (IsOne)
            {
                return(1);
            }
            else if (IsZero)
            {
                return(0);
            }

            for (int i = 0; i < 100; i++)
            //while (true)
            {
                if (i == 20 || i == 40 || i == 60 || i == 80)
                {
                    if (IsPayloadResponseTrue(F, PayGenFunction(Info, "=", "0")))
                    {
                        throw new Exception("Injection does not work");
                    }
                }

                int    ToCheck  = 0;
                string Operator = "<";
                if (UpperLimit == 0)
                {
                    ToCheck = LowerLimit * 10;
                }
                else if (UpperLimit - LowerLimit == 1)
                {
                    Operator = "=";
                    ToCheck  = LowerLimit;
                }
                else
                {
                    ToCheck = ((UpperLimit - LowerLimit) / 2) + LowerLimit;
                }
                Payload = PayGenFunction(Info, Operator, ToCheck.ToString());
                if (IsPayloadResponseTrue(F, Payload))
                {
                    if (Operator == "=")
                    {
                        return(ToCheck);
                    }
                    else
                    {
                        UpperLimit = ToCheck;
                    }
                }
                else
                {
                    if (Operator == "=" && UpperLimit - LowerLimit == 1)
                    {
                        return(-1);
                    }
                    else
                    {
                        LowerLimit = ToCheck;
                    }
                }
            }
            return(-1);
        }
Exemple #4
0
 public AppEncryptionParameterizedTest()
 {
     payload = PayloadGenerator.CreateDefaultRandomJsonPayload();
 }
Exemple #5
0
 public MultiThreadedSecretTest()
 {
     payload = PayloadGenerator.CreateRandomBytePayload(PayloadSizeBytes);
 }
Exemple #6
0
        private void RunPositiveFunctionTest(ODataFormat format, TestCase testCase)
        {
            // All of the functions tests use the PlaybackService since the WCF Data Services server doesn't support functions
            // The PlaybackService itself will not automatically turn Metadata into an absolute URI, so set that to false on all tests.
            // The tests also use absolute URIs for Target, so suppress that as well.
            testCase.AddBaseUriToMetadata = false;
            testCase.AddBaseUriToTarget   = false;

            using (TestWebRequest request = TestWebRequest.CreateForInProcessWcf())
                using (PlaybackService.ProcessRequestOverride.Restore())
                {
                    request.ServiceType = typeof(AstoriaUnitTests.Stubs.PlaybackService);
                    request.StartService();

                    var payloadBuilder = testCase.ResponsePayloadBuilder;
                    PlaybackService.ProcessRequestOverride.Value = (req) =>
                    {
                        string contentType;
                        if (format == ODataFormat.Json)
                        {
                            contentType             = UnitTestsUtil.JsonLightMimeType;
                            payloadBuilder.Metadata = request.BaseUri + "/$metadata#TestService.CustomerEntities/$entity";
                        }
                        else
                        {
                            contentType = UnitTestsUtil.AtomFormat;
                        }

                        req.SetResponseStreamAsText(PayloadGenerator.Generate(payloadBuilder, format));
                        req.ResponseHeaders.Add("Content-Type", contentType);
                        req.SetResponseStatusCode(200);
                        return(req);
                    };

                    testCase.AddBaseUriStringToExpectedDescriptors(request.ServiceRoot.OriginalString, format);

                    Uri uri = new Uri(request.ServiceRoot + "/" + testCase.RequestUriString);
                    DataServiceContext ctx = new DataServiceContext(request.ServiceRoot, ODataProtocolVersion.V4);
                    //ctx.EnableAtom = true;

                    if (format == ODataFormat.Json)
                    {
                        string serviceEdmx = GetServiceEdmxWithOperations(payloadBuilder);
                        JsonLightTestUtil.ConfigureContextForJsonLight(ctx, serviceEdmx);
                    }

                    QueryOperationResponse <CustomerEntity> qor = (QueryOperationResponse <CustomerEntity>)ctx.Execute <CustomerEntity>(uri);
                    Assert.IsNotNull(qor);
                    Assert.IsNull(qor.Error);

                    IEnumerator <CustomerEntity> entities = qor.GetEnumerator();

                    int expectedDescriptorsPerEntity = 0;

                    while (entities.MoveNext())
                    {
                        CustomerEntity   c  = entities.Current;
                        EntityDescriptor ed = ctx.GetEntityDescriptor(c);
                        IEnumerable <OperationDescriptor> actualDescriptors = ed.OperationDescriptors;
                        TestEquality(actualDescriptors, testCase.GetExpectedDescriptors(format)[expectedDescriptorsPerEntity++]);
                    }
                }
        }