/// <summary>
/// Runs the Cross Site Tracing (XST) check against the server that hosts
/// <paramref name="wsDesc"/> by delegating to <c>CheckWebServerVulns</c> with the
/// HTTP <c>TRACE</c> verb.
/// </summary>
/// <param name="wsDesc">Service description whose URI identifies the server to probe.</param>
/// <param name="vuln">Signature entry for this check; its status code decides whether a finding is recorded.</param>
/// <param name="WSItemVulnerabilities">Per-service report item that receives any finding.</param>
/// <param name="reportObject">Scan-wide report; its request counter is incremented by the delegate.</param>
/// <param name="isDebug">Forwarded unchanged to the delegate.</param>
/// <param name="respHeader">Response header list, forwarded by reference to the HTTP helper.</param>
/// <param name="customRequestHeader">Custom request header text, forwarded unchanged.</param>
public void CheckXSTVulns(WSDescriber wsDesc, VulnerabilitiesVulnerability vuln, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug, ref List<Param> respHeader, string customRequestHeader)
{
    // Label used in the log line written by CheckWebServerVulns, and the verb it sends.
    const string checkLabel = "Cross Site Tracing";
    const string httpVerb = "TRACE";

    CheckWebServerVulns(
        wsDesc,
        vuln,
        WSItemVulnerabilities,
        reportObject,
        isDebug,
        ref respHeader,
        customRequestHeader,
        checkLabel,
        httpVerb);
}
/// <summary>
/// Runs the "HTTP OPTIONS enabled" check against the server that hosts
/// <paramref name="wsDesc"/> by delegating to <c>CheckWebServerVulns</c> with the
/// HTTP <c>OPTIONS</c> verb.
/// </summary>
/// <param name="wsDesc">Service description whose URI identifies the server to probe.</param>
/// <param name="vuln">Signature entry for this check; its status code decides whether a finding is recorded.</param>
/// <param name="WSItemVulnerabilities">Per-service report item that receives any finding.</param>
/// <param name="reportObject">Scan-wide report; its request counter is incremented by the delegate.</param>
/// <param name="isDebug">Forwarded unchanged to the delegate.</param>
/// <param name="respHeader">Response header list, forwarded by reference to the HTTP helper.</param>
/// <param name="customRequestHeader">Custom request header text, forwarded unchanged.</param>
public void CheckHTTPOptionsVulns(WSDescriber wsDesc, VulnerabilitiesVulnerability vuln, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug, ref List<Param> respHeader, string customRequestHeader)
{
    // Label used in the log line written by CheckWebServerVulns, and the verb it sends.
    const string checkLabel = "HTTP OPTIONS";
    const string httpVerb = "OPTIONS";

    CheckWebServerVulns(
        wsDesc,
        vuln,
        WSItemVulnerabilities,
        reportObject,
        isDebug,
        ref respHeader,
        customRequestHeader,
        checkLabel,
        httpVerb);
}
/// <summary>
/// Runs one non-authentication signature against a REST endpoint: first against its
/// URL parameters, then against its POST parameters.
/// </summary>
/// <param name="restDesc">REST endpoint description under test.</param>
/// <param name="vuln">Signature entry (payloads and match criteria) to apply.</param>
/// <param name="WSItemVulnerabilities">Per-endpoint report item that receives findings.</param>
/// <param name="reportObject">Scan-wide report object, forwarded to both checks.</param>
/// <param name="isDebug">Forwarded unchanged to both checks.</param>
/// <param name="respHeader">Response header list, forwarded by reference.</param>
/// <param name="HttpHelper">HTTP helper used to send the requests.</param>
/// <param name="customRequestHeader">Custom request header text, forwarded unchanged.</param>
private void CheckVulnsExceptAuth(RESTApi restDesc, VulnerabilitiesVulnerability vuln, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug, ref List<Param> respHeader, RestHTTPHelper HttpHelper, string customRequestHeader)
{
    // URL parameters are always exercised before POST parameters.
    CheckVulnsForURLParams(
        restDesc, vuln, WSItemVulnerabilities, reportObject,
        isDebug, ref respHeader, HttpHelper, customRequestHeader);

    CheckVulnsForPostParams(
        restDesc, vuln, WSItemVulnerabilities, reportObject,
        isDebug, ref respHeader, HttpHelper, customRequestHeader);
}
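/// <summary>
/// Authentication check for a REST endpoint: sends one request built from default
/// parameter values and records an authentication finding when the response status
/// differs from the status configured on <paramref name="vuln"/>.
/// </summary>
/// <remarks>
/// A <see cref="WebException"/> whose response carries the configured status (the
/// original comment names 401) counts as "the endpoint refused the request" and is not
/// reported. Any other <see cref="WebException"/> is recorded through
/// <c>SetWebException</c>. All other exceptions propagate to the caller unchanged.
/// NOTE(review): every status other than the configured one produces a finding,
/// including redirects, 404 and 5xx answers; triage those results before treating them
/// as missing authentication.
/// </remarks>
/// <param name="restDesc">REST endpoint description under test.</param>
/// <param name="vuln">Signature entry whose <c>statusCode</c> is the expected "access denied" status.</param>
/// <param name="WSItemVulnerabilities">Per-endpoint report item that receives the finding.</param>
/// <param name="reportObject">Scan-wide report; <c>TotalRequestCount</c> is incremented once.</param>
/// <param name="isDebug">Forwarded to <c>SetWebException</c>.</param>
/// <param name="respHeader">Response header list, passed by reference to the HTTP helper.</param>
/// <param name="HttpHelper">HTTP helper used to send the request.</param>
/// <param name="customRequestHeader">Custom request header text, forwarded unchanged.</param>
private void CheckUnAuthenticatedMethod(RESTApi restDesc, VulnerabilitiesVulnerability vuln, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug, ref List<Param> respHeader, RestHTTPHelper HttpHelper, string customRequestHeader)
{
    HttpWebResponseWrapper response = null;
    try
    {
        reportObject.TotalRequestCount++;
        // NOTE(review): the literal `false` presumably disables sending credentials; confirm in RestHTTPHelper.
        response = HttpHelper.GetHttpWebResponseWithDefaultParams(restDesc, false, ref respHeader, customRequestHeader);
    }
    catch (WebException wEx)
    {
        // wEx.Response is null for transport-level failures and may not be an HTTP
        // response at all, so test for it explicitly instead of swallowing the cast error.
        HttpWebResponse errorResponse = wEx.Response as HttpWebResponse;
        bool authErrorReceived = errorResponse != null
            && vuln.statusCode != null
            && vuln.statusCode.Equals(((int)errorResponse.StatusCode).ToString());

        if (!authErrorReceived)
        {
            SetWebException(restDesc.NormalizedURL, wEx, WSItemVulnerabilities, "Web Exception During Authentication Check", isDebug);
        }
    }
    // No catch-all here: rethrowing with `throw ex;` would only discard the stack trace.

    if (response == null || response.WebResponse == null)
    {
        return;
    }

    string actualStatus = ((int)response.WebResponse.StatusCode).ToString();
    if (vuln.statusCode.Equals(actualStatus))
    {
        // The endpoint answered with the expected "access denied" status.
        return;
    }

    // Status differs from the expected one: record it as an authentication finding.
    VulnerabilityForReport authVuln = new VulnerabilityForReport
    {
        Vuln = MainForm.vulnerabilities.Vulnerability.Where(v => v.id == 1).FirstOrDefault(),
        VulnerableMethodName = restDesc.Url.AbsoluteUri,
        VulnerableParamName = "",
        Payload = "",
        Response = response.ResponseBody,
        StatusCode = response.WebResponse.StatusCode.ToString()
    };
    WSItemVulnerabilities.Vulns.Add(authVuln);

    mainForm.Log(" Auth Vulnerability Found: " + response.ResponseBody + " - status code is : " + response.WebResponse.StatusCode.ToString(), FontStyle.Bold, true, false);
}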
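/// <summary>
/// Applies every payload of <paramref name="vuln"/> to each URL parameter of
/// <paramref name="restDesc"/> in turn and hands each response to <c>SearcForVuln</c>.
/// </summary>
/// <remarks>
/// For parameter <c>i</c> the placeholder <c>{i}</c> in <c>NormalizedURL</c> is replaced by
/// the trimmed payload; <c>SetParameterDefaultValue</c> is then applied to the URL
/// (presumably filling the remaining placeholders; confirm in that helper). Testing of
/// a parameter stops at the first payload that produces a finding. A
/// <see cref="WebException"/> is recorded through <c>SetWebException</c>; any other
/// exception propagates to the caller with its original stack trace.
/// </remarks>
/// <param name="restDesc">REST endpoint description under test.</param>
/// <param name="vuln">Signature entry supplying the payload list (<c>request</c>).</param>
/// <param name="WSItemVulnerabilities">Per-endpoint report item that receives findings.</param>
/// <param name="reportObject">Scan-wide report; <c>TotalRequestCount</c> is incremented per request.</param>
/// <param name="isDebug">Forwarded to the helpers that log.</param>
/// <param name="respHeader">Response header list, passed by reference to the HTTP helper.</param>
/// <param name="HttpHelper">HTTP helper used to send the requests.</param>
/// <param name="customRequestHeader">Custom request header text, forwarded unchanged.</param>
private void CheckVulnsForURLParams(RESTApi restDesc, VulnerabilitiesVulnerability vuln, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug, ref List<Param> respHeader, RestHTTPHelper HttpHelper, string customRequestHeader)
{
    if (restDesc.UrlParameters == null || restDesc.UrlParameters.Count == 0)
    {
        return;
    }

    // POST data keeps its default values while the URL parameters are being tested.
    string postDataWithDefault = HttpHelper.GetDefaultValuesForParam(restDesc.NormalizedPostData, restDesc.PostParameters, true);

    for (int i = 0; i < restDesc.UrlParameters.Count; i++)
    {
        int paramIndex = restDesc.UrlParameters[i].Index;
        if (i != paramIndex)
        {
            // Only parameters whose list position equals their declared index are tested.
            continue;
        }

        foreach (string payload in vuln.request)
        {
            bool vulnFoundForParam = false;

            string newUrl = restDesc.NormalizedURL.Replace("{" + i + "}", payload.Trim());
            newUrl = SetParameterDefaultValue(newUrl, restDesc.UrlParameters, paramIndex, isDebug, false);

            HttpWebResponseWrapper response = null;
            try
            {
                reportObject.TotalRequestCount++;
                response = HttpHelper.GetHttpWebResponse(restDesc, newUrl, postDataWithDefault, true, ref respHeader, customRequestHeader);
            }
            catch (WebException wEx)
            {
                SetWebException(newUrl, wEx, WSItemVulnerabilities, payload, isDebug);
            }
            // No catch-all here: rethrowing with `throw ex;` would only discard the stack trace.

            if (response != null && response.WebResponse != null)
            {
                SearcForVuln(response, WSItemVulnerabilities, vuln, payload, ref vulnFoundForParam, newUrl, isDebug, paramIndex);
            }

            if (vulnFoundForParam)
            {
                // One finding per parameter is enough; skip the remaining payloads.
                break;
            }
        }
    }
}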
/// <summary>
/// Logs <paramref name="logStr"/> and appends a finding for a SOAP operation to
/// <paramref name="WSItemVulnerabilities"/>.
/// </summary>
/// <param name="wsInvoker">Invoker whose <c>ResultString</c> and <c>StatusCode</c> are stored as evidence.</param>
/// <param name="WSItemVulnerabilities">Per-service report item that receives the finding.</param>
/// <param name="vuln">Signature entry that matched.</param>
/// <param name="operation">Operation whose <c>MethodName</c> is recorded.</param>
/// <param name="payload">Payload that was sent.</param>
/// <param name="paramName">Name of the parameter that carried the payload.</param>
/// <param name="logStr">Message written to the main form log (bold).</param>
private void SetVuln(WebServiceToInvoke wsInvoker, WSDescriberForReport WSItemVulnerabilities, VulnerabilitiesVulnerability vuln, WSOperation operation, string payload, string paramName, string logStr)
{
    mainForm.Log(logStr, FontStyle.Bold, true, false);

    // The raw response text is stored with the finding and ends up in the report.
    VulnerabilityForReport finding = new VulnerabilityForReport
    {
        Vuln = vuln,
        VulnerableMethodName = operation.MethodName,
        VulnerableParamName = paramName,
        Payload = payload,
        Response = wsInvoker.ResultString,
        StatusCode = wsInvoker.StatusCode.ToString()
    };

    WSItemVulnerabilities.Vulns.Add(finding);
}
/// <summary>
/// Entry point for scanning one REST endpoint with one signature. Signature id 1 is the
/// authentication check; every other id goes through the parameter-based checks.
/// </summary>
/// <param name="vuln">Signature entry to apply.</param>
/// <param name="restDesc">REST endpoint description under test.</param>
/// <param name="WSItemVulnerabilities">Per-endpoint report item that receives findings.</param>
/// <param name="reportObject">Scan-wide report object, forwarded to the checks.</param>
/// <param name="isDebug">Forwarded unchanged.</param>
/// <param name="respHeader">Response header list, forwarded by reference.</param>
/// <param name="HttpHelper">HTTP helper used to send the requests.</param>
/// <param name="customRequestHeader">Custom request header text, forwarded unchanged.</param>
public void ScanVulnerabilities(VulnerabilitiesVulnerability vuln, RESTApi restDesc, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug, ref List<Param> respHeader, RestHTTPHelper HttpHelper, string customRequestHeader)
{
    bool isAuthenticationCheck = vuln.id == 1;

    if (!isAuthenticationCheck)
    {
        CheckVulnsExceptAuth(
            restDesc, vuln, WSItemVulnerabilities, reportObject,
            isDebug, ref respHeader, HttpHelper, customRequestHeader);
        return;
    }

    CheckUnAuthenticatedMethod(
        restDesc, vuln, WSItemVulnerabilities, reportObject,
        isDebug, ref respHeader, HttpHelper, customRequestHeader);
}
/// <summary>
/// Logs <paramref name="logStr"/> and appends a finding for a REST request to
/// <paramref name="WSItemVulnerabilities"/>.
/// </summary>
/// <param name="response">Response whose body and status are stored as evidence.</param>
/// <param name="WSItemVulnerabilities">Per-endpoint report item that receives the finding.</param>
/// <param name="vuln">Signature entry that matched.</param>
/// <param name="methodName">Text stored as the vulnerable method name.</param>
/// <param name="payload">Payload that was sent.</param>
/// <param name="paramIndex">Index of the tested parameter; stored as its string form.</param>
/// <param name="logStr">Message written to the main form log (bold).</param>
private void SetVuln(HttpWebResponseWrapper response, WSDescriberForReport WSItemVulnerabilities, VulnerabilitiesVulnerability vuln, string methodName, string payload, int paramIndex, string logStr)
{
    mainForm.Log(logStr, FontStyle.Bold, true, false);

    // The raw response body is stored with the finding and ends up in the report.
    VulnerabilityForReport finding = new VulnerabilityForReport
    {
        Vuln = vuln,
        VulnerableMethodName = methodName,
        VulnerableParamName = paramIndex.ToString(),
        Payload = payload,
        Response = response.ResponseBody,
        StatusCode = response.WebResponse.StatusCode.ToString()
    };

    WSItemVulnerabilities.Vulns.Add(finding);
}
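/// <summary>
/// Decides whether <paramref name="response"/> matches the signature
/// <paramref name="vuln"/> and, if so, records a finding through <c>SetVuln</c> and sets
/// <paramref name="vulnFoundForParam"/>.
/// </summary>
/// <remarks>
/// Matching rules:
/// 1. If the signature has a status code, the response status must equal it; otherwise nothing is reported.
/// 2. If the signature has no response markers, a status match alone is a finding.
/// 3. Otherwise the trimmed response body must contain one of the trimmed markers
///    (ordinal, case-sensitive substring match); the first hit wins.
/// The configured status is accepted both as the numeric code and as the enum name.
/// The sibling checks in this file (<c>CheckUnAuthenticatedMethod</c>,
/// <c>CheckWebServerVulns</c>) compare numerically, while this method previously compared
/// only against the name, so a numerically configured signature could never match here.
/// </remarks>
/// <param name="response">Response to inspect.</param>
/// <param name="WSItemVulnerabilities">Per-endpoint report item that receives the finding.</param>
/// <param name="vuln">Signature entry with the optional <c>statusCode</c> and <c>response</c> markers.</param>
/// <param name="payload">Payload that produced the response.</param>
/// <param name="vulnFoundForParam">Set to <c>true</c> when a finding is recorded; otherwise left untouched.</param>
/// <param name="whereStr">Text stored as the vulnerable method name (callers in this file pass the request URL).</param>
/// <param name="isDebug">Controls whether the status/result log lines are shown.</param>
/// <param name="paramIndex">Index of the tested parameter.</param>
private void SearcForVuln(HttpWebResponseWrapper response, WSDescriberForReport WSItemVulnerabilities, VulnerabilitiesVulnerability vuln, string payload, ref bool vulnFoundForParam, string whereStr, bool isDebug, int paramIndex)
{
    mainForm.Log(" StatusCode: " + response.WebResponse.StatusCode, FontStyle.Regular, isDebug, false);
    mainForm.Log(" Result: " + response.ResponseBody, FontStyle.Regular, isDebug, false);

    bool statusConfigured = !string.IsNullOrEmpty(vuln.statusCode);
    if (statusConfigured)
    {
        string statusName = response.WebResponse.StatusCode.ToString();
        string statusNumber = ((int)response.WebResponse.StatusCode).ToString();
        if (!vuln.statusCode.Equals(statusName) && !vuln.statusCode.Equals(statusNumber))
        {
            return;
        }

        if (vuln.response == null || vuln.response.Count() == 0)
        {
            // Status-only signature: the matching status is the whole evidence.
            SetVuln(response, WSItemVulnerabilities, vuln, whereStr, payload, paramIndex, " " + vuln.title + " Vulnerability Found: " + response.ResponseBody + " - Status Code: " + vuln.statusCode);
            vulnFoundForParam = true;
            return;
        }
    }

    foreach (string text in vuln.response)
    {
        if (!response.ResponseBody.Trim().Contains(text.Trim()))
        {
            continue;
        }

        string logStr = " " + vuln.title + " Vulnerability Found: " + response.ResponseBody + " - Response Text Contains: " + text;
        if (statusConfigured)
        {
            logStr += " - Status Code: " + vuln.statusCode;
        }

        SetVuln(response, WSItemVulnerabilities, vuln, whereStr, payload, paramIndex, logStr);
        vulnFoundForParam = true;
        break;
    }
}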
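/// <summary>
/// Sends a single request with the HTTP verb <paramref name="httpMethodName"/> to the root
/// of the server hosting <paramref name="wsDesc"/> (<c>scheme://host:port</c>) and records
/// a finding when the response status equals the status configured on <paramref name="vuln"/>.
/// </summary>
/// <remarks>
/// Only the numeric status code is compared; response headers and body are stored as
/// evidence but are not inspected. NOTE(review): a server that answers the configured
/// status to any verb is reported as well, so confirm findings against the evidence
/// (for example the Allow header for OPTIONS) before acting on them.
/// Exceptions thrown by the HTTP helper propagate to the caller with their original
/// stack trace.
/// </remarks>
/// <param name="wsDesc">Service description supplying the server URI and basic-auth settings.</param>
/// <param name="vuln">Signature entry whose <c>statusCode</c> marks the verb as enabled (the original comment names 200).</param>
/// <param name="WSItemVulnerabilities">Per-service report item that receives the finding.</param>
/// <param name="reportObject">Scan-wide report; <c>TotalRequestCount</c> is incremented once.</param>
/// <param name="isDebug">Not used by this method.</param>
/// <param name="respHeader">Response header list, passed by reference to the HTTP helper.</param>
/// <param name="customRequestHeader">Custom request header text, forwarded unchanged.</param>
/// <param name="methodName">Human-readable check name used in the log line.</param>
/// <param name="httpMethodName">HTTP verb to send.</param>
private void CheckWebServerVulns(WSDescriber wsDesc, VulnerabilitiesVulnerability vuln, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug, ref List<Param> respHeader, string customRequestHeader, string methodName, string httpMethodName)
{
    // The former `catch (Exception ex) { throw ex; }` wrapper only reset the stack trace,
    // so the call is made directly.
    RestHTTPHelper HttpHelper = new RestHTTPHelper();
    reportObject.TotalRequestCount++;
    string serverRoot = wsDesc.WSUri.Scheme + "://" + wsDesc.WSUri.Host + ":" + wsDesc.WSUri.Port;
    HttpWebResponseWrapper response = HttpHelper.GetHttpWebResponseForWebServerVuln(serverRoot, wsDesc.BasicAuthentication, ref respHeader, customRequestHeader, httpMethodName);

    if (response == null || response.WebResponse == null)
    {
        return;
    }

    string actualStatus = ((int)response.WebResponse.StatusCode).ToString();
    if (!vuln.statusCode.Equals(actualStatus))
    {
        return;
    }

    // The server answered the probe with the configured status: record the verb as enabled.
    VulnerabilityForReport optionsVuln = new VulnerabilityForReport
    {
        Vuln = vuln,
        VulnerableMethodName = wsDesc.WSUri.Host + ":" + wsDesc.WSUri.Port,
        VulnerableParamName = "",
        Payload = "",
        Response = response.ResponseBody,
        StatusCode = response.WebResponse.StatusCode.ToString()
    };
    WSItemVulnerabilities.Vulns.Add(optionsVuln);

    mainForm.Log(" " + methodName + " is enabled: " + response.ResponseBody + " - status code is : " + response.WebResponse.StatusCode.ToString(), FontStyle.Bold, true, false);
}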
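/// <summary>
/// Applies every payload of <paramref name="vuln"/> to each parameter of a SOAP
/// operation in turn, invokes the operation and records a finding when the result
/// matches the signature.
/// </summary>
/// <remarks>
/// While one parameter carries the payload, all others receive default values via
/// <c>SetParameterDefaultValue</c>. Matching follows the same rules as the REST path:
/// a configured status code must equal <c>wsInvoker.StatusCode.ToString()</c>; with no
/// response markers the status alone is a finding, otherwise the trimmed result must
/// contain one of the trimmed markers (case-sensitive). Testing of a parameter stops at
/// the first finding. A <see cref="SoapException"/> is recorded through
/// <c>SetSoapFaultException</c> and matching still runs afterwards; any other exception
/// propagates with its original stack trace. <c>wsInvoker.PosInvoke()</c> always runs.
/// NOTE(review): the type of <c>wsInvoker.StatusCode</c> is not visible here; if it is
/// an enum, a numerically configured status will not match. Confirm against the
/// signature file.
/// </remarks>
/// <param name="wsInvoker">Invoker used to build and send the SOAP call.</param>
/// <param name="operation">Operation under test.</param>
/// <param name="vuln">Signature entry supplying payloads and match criteria.</param>
/// <param name="targetNameSpace">Target namespace passed to <c>InvokeMethod</c>.</param>
/// <param name="wsDesc">Service description passed to <c>InvokeMethod</c>.</param>
/// <param name="WSItemVulnerabilities">Per-service report item that receives findings.</param>
/// <param name="reportObject">Scan-wide report; <c>TotalRequestCount</c> is incremented per request.</param>
/// <param name="isDebug">Controls whether the status/result log lines are shown.</param>
/// <param name="respHeader">Response header list, passed by reference to the invoker.</param>
/// <param name="customSoapHeaderTags">Custom SOAP header markup, forwarded unchanged.</param>
/// <param name="customSoapBodyTags">Custom SOAP body markup, forwarded unchanged.</param>
/// <param name="customRequestHeader">Custom request header text, forwarded unchanged.</param>
private void CheckVulnsExceptAuth(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln, string targetNameSpace, WSDescriber wsDesc, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug, ref List<Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags, string customRequestHeader)
{
    // The original kept a separate paramIndexToTest counter that always equalled i.
    for (int i = 0; i < operation.Parameters.Count; i++)
    {
        string paramName = operation.Parameters[i].Name;

        foreach (string payload in vuln.request)
        {
            bool vulnFoundForParam = false;

            wsInvoker.AddParameter(paramName, payload.Trim());
            for (int j = 0; j < operation.Parameters.Count; j++)
            {
                if (j != i)
                {
                    SetParameterDefaultValue(wsInvoker, operation.Parameters[j], isDebug);
                }
            }

            try
            {
                reportObject.TotalRequestCount++;
                wsInvoker.InvokeMethod(operation.MethodName, targetNameSpace, wsDesc, ref respHeader, customSoapHeaderTags, customSoapBodyTags, customRequestHeader);
            }
            catch (SoapException soapEx)
            {
                SetSoapFaultException(operation, soapEx, WSItemVulnerabilities, isDebug);
            }
            finally
            {
                // No catch-all: rethrowing with `throw ex;` would only discard the stack trace.
                wsInvoker.PosInvoke();
            }

            mainForm.Log(" StatusCode: " + wsInvoker.StatusCode, FontStyle.Regular, isDebug, false);
            mainForm.Log(" Result: " + wsInvoker.ResultString, FontStyle.Regular, isDebug, false);

            if (!string.IsNullOrEmpty(vuln.statusCode))
            {
                if (vuln.statusCode.Equals(wsInvoker.StatusCode.ToString()))
                {
                    if (vuln.response == null || vuln.response.Count() == 0)
                    {
                        // Status-only signature: the matching status is the whole evidence.
                        SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, paramName, " " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Status Code: " + vuln.statusCode);
                        vulnFoundForParam = true;
                    }
                    else
                    {
                        foreach (string text in vuln.response)
                        {
                            if (wsInvoker.ResultString.Trim().Contains(text.Trim()))
                            {
                                SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, paramName, " " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Response Text Contains: " + text + " - Status Code: " + vuln.statusCode);
                                vulnFoundForParam = true;
                                break;
                            }
                        }
                    }
                }
            }
            else
            {
                foreach (string text in vuln.response)
                {
                    if (wsInvoker.ResultString.Trim().Contains(text.Trim()))
                    {
                        SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, paramName, " " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Response Text Contains: " + text);
                        vulnFoundForParam = true;
                        break;
                    }
                }
            }

            if (vulnFoundForParam)
            {
                // One finding per parameter is enough; skip the remaining payloads.
                break;
            }
        }
    }
}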
/// <summary>
/// Entry point for scanning one SOAP operation with one signature. Signature id 1 is the
/// authentication check; every other id goes through the per-parameter payload checks.
/// </summary>
/// <param name="wsInvoker">Invoker used to build and send the SOAP call.</param>
/// <param name="operation">Operation under test.</param>
/// <param name="vuln">Signature entry to apply.</param>
/// <param name="targetNameSpace">Target namespace of the service.</param>
/// <param name="wsDesc">Service description; only forwarded to the non-authentication checks.</param>
/// <param name="WSItemVulnerabilities">Per-service report item that receives findings.</param>
/// <param name="reportObject">Scan-wide report object, forwarded to the checks.</param>
/// <param name="isDebug">Forwarded unchanged.</param>
/// <param name="respHeader">Response header list, forwarded by reference.</param>
/// <param name="customSoapHeaderTags">Custom SOAP header markup, forwarded unchanged.</param>
/// <param name="customSoapBodyTags">Custom SOAP body markup, forwarded unchanged.</param>
/// <param name="customRequestHeader">Custom request header text, forwarded unchanged.</param>
public void ScanVulnerabilities(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln, string targetNameSpace, WSDescriber wsDesc, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug, ref List<Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags, string customRequestHeader)
{
    bool isAuthenticationCheck = vuln.id == 1;

    if (!isAuthenticationCheck)
    {
        CheckVulnsExceptAuth(
            wsInvoker, operation, vuln, targetNameSpace, wsDesc,
            WSItemVulnerabilities, reportObject, isDebug, ref respHeader,
            customSoapHeaderTags, customSoapBodyTags, customRequestHeader);
        return;
    }

    // The authentication check does not receive wsDesc.
    CheckUnAuthenticatedMethod(
        wsInvoker, operation, vuln, targetNameSpace,
        WSItemVulnerabilities, reportObject, isDebug, ref respHeader,
        customSoapHeaderTags, customSoapBodyTags, customRequestHeader);
}
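/// <summary>
/// Authentication check for a SOAP operation: invokes it once with default parameter
/// values and records an authentication finding when the resulting status differs from
/// the status configured on <paramref name="vuln"/>.
/// </summary>
/// <remarks>
/// <c>InvokeMethod</c> is called with <c>null</c> in place of the service description.
/// NOTE(review): presumably so that no configured credentials are attached; confirm in
/// <c>WebServiceToInvoke.InvokeMethod</c>. A <see cref="SoapException"/> is recorded
/// through <c>SetSoapFaultException</c> and the status comparison still runs afterwards;
/// any other exception propagates with its original stack trace.
/// <c>wsInvoker.PosInvoke()</c> always runs.
/// NOTE(review): every status other than the configured one produces a finding,
/// including redirects and server errors; triage those results before treating them as
/// missing authentication.
/// </remarks>
/// <param name="wsInvoker">Invoker used to build and send the SOAP call.</param>
/// <param name="operation">Operation under test.</param>
/// <param name="vuln">Signature entry whose <c>statusCode</c> is the expected "access denied" status (the original comment names 401).</param>
/// <param name="targetNameSpace">Target namespace passed to <c>InvokeMethod</c>.</param>
/// <param name="WSItemVulnerabilities">Per-service report item that receives the finding.</param>
/// <param name="reportObject">Scan-wide report; <c>TotalRequestCount</c> is incremented once.</param>
/// <param name="isDebug">Forwarded to the helpers that log.</param>
/// <param name="respHeader">Response header list, passed by reference to the invoker.</param>
/// <param name="customSoapHeaderTags">Custom SOAP header markup, forwarded unchanged.</param>
/// <param name="customSoapBodyTags">Custom SOAP body markup, forwarded unchanged.</param>
/// <param name="customRequestHeader">Custom request header text, forwarded unchanged.</param>
private void CheckUnAuthenticatedMethod(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln, string targetNameSpace, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug, ref List<Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags, string customRequestHeader)
{
    for (int j = 0; j < operation.Parameters.Count; j++)
    {
        SetParameterDefaultValue(wsInvoker, operation.Parameters[j], isDebug);
    }

    try
    {
        reportObject.TotalRequestCount++;
        wsInvoker.InvokeMethod(operation.MethodName, targetNameSpace, null, ref respHeader, customSoapHeaderTags, customSoapBodyTags, customRequestHeader);
    }
    catch (SoapException soapEx)
    {
        SetSoapFaultException(operation, soapEx, WSItemVulnerabilities, isDebug);
    }
    finally
    {
        // No catch-all: rethrowing with `throw ex;` would only discard the stack trace.
        wsInvoker.PosInvoke();
    }

    if (vuln.statusCode.Equals(wsInvoker.StatusCode.ToString()))
    {
        // The service answered with the expected "access denied" status.
        return;
    }

    // Status differs from the expected one: record it as an authentication finding.
    VulnerabilityForReport authVuln = new VulnerabilityForReport
    {
        Vuln = MainForm.vulnerabilities.Vulnerability.Where(v => v.id == 1).FirstOrDefault(),
        VulnerableMethodName = operation.MethodName,
        VulnerableParamName = "",
        Payload = "",
        Response = wsInvoker.ResultString,
        StatusCode = wsInvoker.StatusCode.ToString()
    };
    WSItemVulnerabilities.Vulns.Add(authVuln);

    mainForm.Log(" Auth Vulnerability Found: " + wsInvoker.ResultString + " - status code is : " + wsInvoker.StatusCode.ToString(), FontStyle.Bold, true, false);
}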
/// <summary>
/// Click handler that scans every loaded SOAP service: optional static WSDL analysis,
/// optional dynamic (payload) scan, optional response-header disclosure analysis, then
/// report generation.
/// </summary>
/// <remarks>
/// For each service the WSDL is parsed first; a parse failure is logged and the static
/// and dynamic phases are skipped for that service. The dynamic phase records a
/// transport finding when the scheme is not https or when the TLS channel was flagged as
/// untrusted, runs every SOAP-applicable signature against every operation, then runs
/// the HTTP OPTIONS (id 9) and XST (id 10) server checks once per service.
/// NOTE(review): findings carry text returned by the scanned service (response bodies,
/// header values). Confirm that <c>ReportHelper.CreateHTMLReport</c> HTML-encodes them,
/// because the generated report is opened right away via <c>Process.Start</c>.
/// </remarks>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event data (unused).</param>
private void btnScan_Click(object sender, EventArgs e)
{
    if (services == null || services.Count <= 0)
    {
        MessageBox.Show("Please Select WSDL List File!!!");
        return;
    }

    lvResult.Items.Clear();
    scanDirectory = DirectoryHelper.GetScanDirectoryName();
    DirectoryHelper.CreateScanDirectory(scanDirectory);

    ReportObject reportObject = new ReportObject
    {
        ScanStartDate = DateTime.Now,
        WsDescs = new List<WSDescriberForReport>(),
        TotalRequestCount = 0
    };
    Log("Scan Started: " + reportObject.ScanStartDate.ToString("dd.MM.yyyy HH:mm:ss"), FontStyle.Bold, true, false);

    foreach (WSDescriber wsDesc in services)
    {
        WSDescriberForReport WSItemVulnerabilities = new WSDescriberForReport
        {
            WsDesc = wsDesc,
            Vulns = new List<VulnerabilityForReport>(),
            StaticVulns = new List<StaticVulnerabilityForReport>(),
            InfoVulns = new List<DisclosureVulnerabilityForReport>()
        };

        Log("WSDL Address: " + wsDesc.WSDLAddress, FontStyle.Bold, true, false);
        Log("Parsing WSDL...", FontStyle.Regular, true, false);

        List<Param> respHeader = new List<Param>();
        bool untrustedSSLSecureChannel = false;
        Parser parser = null;
        try
        {
            parser = new Parser(wsDesc, ref untrustedSSLSecureChannel, ref respHeader, CustomRequestHeader);
        }
        catch (Exception parseEx)
        {
            // A service that cannot be parsed is logged; static and dynamic phases are skipped for it.
            Log("WSDL Parsing Exception: " + parseEx.Message, FontStyle.Regular, true, false);
        }

        bool parsed = parser != null;

        // ---- Static analysis of the raw WSDL ----
        if (chkStaticScan.Checked && parsed)
        {
            Log("Static Analysis Started", FontStyle.Regular, true, false);
            StaticVulnerabilityScanner staticScanner = new StaticVulnerabilityScanner();
            foreach (StaticVulnerabilitiesStaticVulnerability staticVuln in staticVulnerabilities.StaticVulnerability)
            {
                Log(" Testing: " + staticVuln.title, FontStyle.Regular, chkDebug.Checked, false);
                string staticScanRes = staticScanner.ScanIt(staticVuln, parser.rawWSDL);
                if (string.IsNullOrEmpty(staticScanRes))
                {
                    continue;
                }

                Log(" " + staticVuln.title + " Vulnerability Found: " + staticScanRes, FontStyle.Bold, true, false);
                StaticVulnerabilityForReport staticFinding = new StaticVulnerabilityForReport
                {
                    Vuln = staticVuln,
                    XMLLine = staticScanRes
                };
                WSItemVulnerabilities.StaticVulns.Add(staticFinding);
            }
            Log("Static Analysis Finished", FontStyle.Regular, true, false);
        }

        // ---- Dynamic scan: payloads against every operation, then server-level checks ----
        if (chkDynamicScan.Checked && parsed)
        {
            Log("Getting Methods...", FontStyle.Regular, true, false);
            List<WSOperation> operations = parser.GetOperations();
            WebServiceToInvoke wsInvoker = new WebServiceToInvoke(wsDesc.WSDLAddress.Replace("?WSDL", ""));

            if (!wsDesc.WSUri.Scheme.Equals("https"))
            {
                Log(" Vulnerability Found - SSL Not Used, Uri Schema is " + wsDesc.WSUri.Scheme, FontStyle.Bold, true, false);
                AddSSLRelatedVulnerability(WSItemVulnerabilities, 0);
            }
            else if (untrustedSSLSecureChannel)
            {
                Log(" Vulnerability Found - Could not establish trust relationship for the SSL/TLS secure channel.", FontStyle.Bold, true, false);
                AddSSLRelatedVulnerability(WSItemVulnerabilities, -1);
            }

            DynamicVulnerabilityScanner dynamicScanner = new DynamicVulnerabilityScanner(this);
            foreach (WSOperation operation in operations)
            {
                Log("Method: " + operation.MethodName, FontStyle.Regular, chkDebug.Checked, false);
                foreach (VulnerabilitiesVulnerability vuln in vulnerabilities.Vulnerability)
                {
                    // Type 1: SOAP specific, 3: common for SOAP and REST.
                    if (!(vuln.type == 1 || vuln.type == 3))
                    {
                        continue;
                    }

                    // Handled elsewhere: 0 insecure transport, 7 verbose SOAP fault,
                    // 9 HTTP OPTIONS, 10 XST.
                    if (vuln.id == 0 || vuln.id == 7 || vuln.id == 9 || vuln.id == 10)
                    {
                        continue;
                    }

                    wsInvoker.PreInvoke();
                    Log(" Testing: " + vuln.title, FontStyle.Regular, chkDebug.Checked, false);
                    Log(" Parameter Count: " + operation.Parameters.Count, FontStyle.Regular, chkDebug.Checked, false);
                    try
                    {
                        dynamicScanner.ScanVulnerabilities(wsInvoker, operation, vuln, parser.TargetNameSpace, wsDesc, WSItemVulnerabilities, reportObject, chkDebug.Checked, ref respHeader, CustomSoapHeaderTags.Trim(), CustomSoapBodyTags.Trim(), CustomRequestHeader.Trim());
                    }
                    catch (System.Web.Services.Protocols.SoapException soapEx)
                    {
                        dynamicScanner.SetSoapFaultException(operation, soapEx, WSItemVulnerabilities, chkDebug.Checked);
                    }
                    catch (Exception ex)
                    {
                        // One failing signature must not abort the rest of the scan.
                        Log(" Exception: " + ex.ToString(), FontStyle.Regular, chkDebug.Checked, true);
                    }
                }
            }

            try
            {
                VulnerabilitiesVulnerability optionsVuln = vulnerabilities.Vulnerability.FirstOrDefault(v => v.id == 9);
                if (optionsVuln != null)
                {
                    dynamicScanner.CheckHTTPOptionsVulns(wsDesc, optionsVuln, WSItemVulnerabilities, reportObject, chkDebug.Checked, ref respHeader, CustomRequestHeader);
                }
            }
            catch (Exception ex)
            {
                Log(" CheckHTTPOptionsVulns - Exception: " + ex.ToString(), FontStyle.Regular, chkDebug.Checked, true);
            }

            try
            {
                VulnerabilitiesVulnerability xstVuln = vulnerabilities.Vulnerability.FirstOrDefault(v => v.id == 10);
                if (xstVuln != null)
                {
                    dynamicScanner.CheckXSTVulns(wsDesc, xstVuln, WSItemVulnerabilities, reportObject, chkDebug.Checked, ref respHeader, CustomRequestHeader);
                }
            }
            catch (Exception ex)
            {
                Log(" CheckXSTVulns - Exception: " + ex.ToString(), FontStyle.Regular, chkDebug.Checked, true);
            }
        }

        // ---- Information disclosure in collected response headers ----
        if (chkInfoDisclosure.Checked)
        {
            Log("Information Disclosure Analysis Started", FontStyle.Regular, true, false);
            InformationDisclosureVulnerabilityScanner disclosureScanner = new InformationDisclosureVulnerabilityScanner(this);
            foreach (InformationDisclosureVulnerability infoVuln in disclosureVulnerabilities.Vulnerability)
            {
                Log(" Searching Response Header: " + infoVuln.title, FontStyle.Regular, chkDebug.Checked, false);
                string infoScanRes = disclosureScanner.ScanIt(infoVuln, respHeader);
                if (string.IsNullOrEmpty(infoScanRes))
                {
                    continue;
                }

                Log(" " + infoVuln.title + " Information Disclosure Found: " + infoScanRes, FontStyle.Bold, true, false);
                DisclosureVulnerabilityForReport disclosureFinding = new DisclosureVulnerabilityForReport
                {
                    Vuln = infoVuln,
                    Value = infoScanRes
                };
                WSItemVulnerabilities.InfoVulns.Add(disclosureFinding);
            }
            Log("Information Disclosure Analysis Finished", FontStyle.Regular, true, false);
        }

        reportObject.WsDescs.Add(WSItemVulnerabilities);
    }

    reportObject.ScanEndDate = DateTime.Now;
    Log("Scan Finished: " + reportObject.ScanEndDate.ToString("dd.MM.yyyy HH:mm:ss"), FontStyle.Bold, true, false);

    string reportFilePath = scanDirectory + @"\Report\Report.html";
    string xmlFilePath = scanDirectory + @"\Report\Report.xml";
    string reportTemplatePath = System.AppDomain.CurrentDomain.BaseDirectory + @"\ReportTemplates\HTMLReportTemplate.html";

    ReportHelper.CreateHTMLReport(reportObject, reportTemplatePath, reportFilePath, chkXMLReport.Checked, xmlFilePath);

    // Opens the HTML report with the shell's default handler.
    Process.Start(reportFilePath);
}
/// <summary>
/// Scans the configured REST endpoint (<c>RestAPIDesc</c>): optional dynamic (payload)
/// scan, optional response-header disclosure analysis, then report generation.
/// </summary>
/// <remarks>
/// The dynamic phase records a transport finding when the scheme is not https or when
/// the TLS channel was flagged as untrusted, runs every REST-applicable signature, then
/// runs the HTTP OPTIONS (id 9) and XST (id 10) server checks. Exceptions from an
/// individual check are logged and do not stop the scan.
/// NOTE(review): findings carry text returned by the scanned endpoint (response bodies,
/// header values). Confirm that <c>ReportHelper.CreateHTMLReport</c> HTML-encodes them,
/// because the generated report is opened right away via <c>Process.Start</c>.
/// </remarks>
public void ScanRESTApi()
{
    if (RestAPIDesc == null)
    {
        MessageBox.Show("Please Enter API Info!!!");
        return;
    }

    lvResult.Items.Clear();
    scanDirectory = DirectoryHelper.GetScanDirectoryName();
    DirectoryHelper.CreateScanDirectory(scanDirectory);

    ReportObject reportObject = new ReportObject
    {
        ScanStartDate = DateTime.Now,
        WsDescs = new List<WSDescriberForReport>(),
        TotalRequestCount = 0
    };
    Log("Scan Started: " + reportObject.ScanStartDate.ToString("dd.MM.yyyy HH:mm:ss"), FontStyle.Bold, true, false);

    WSDescriberForReport WSItemVulnerabilities = new WSDescriberForReport
    {
        RestAPI = RestAPIDesc,
        StaticVulns = new List<StaticVulnerabilityForReport>(),
        Vulns = new List<VulnerabilityForReport>(),
        InfoVulns = new List<DisclosureVulnerabilityForReport>()
    };

    Log("API Address: " + RestAPIDesc.Url.AbsoluteUri, FontStyle.Bold, true, false);
    Log("Parsing API...", FontStyle.Regular, true, false);

    List<Param> respHeader = new List<Param>();
    bool untrustedSSLSecureChannel = false;

    // The parser instance is not used afterwards; it receives RestAPIDesc by reference
    // (presumably to populate it; confirm in RestParser).
    RestParser restParser = new RestParser(ref RestAPIDesc);

    // ---- Dynamic scan: payloads against the endpoint, then server-level checks ----
    if (chkDynamicScan.Checked)
    {
        RestHTTPHelper HttpHelper = new RestHTTPHelper(ref RestAPIDesc, ref untrustedSSLSecureChannel, ref respHeader, CustomRequestHeader);

        if (!RestAPIDesc.Url.Scheme.Equals("https"))
        {
            Log(" Vulnerability Found - SSL Not Used, Uri Schema is " + RestAPIDesc.Url.Scheme, FontStyle.Bold, true, false);
            AddSSLRelatedVulnerability(WSItemVulnerabilities, 0);
        }
        else if (untrustedSSLSecureChannel)
        {
            Log(" Vulnerability Found - Could not establish trust relationship for the SSL/TLS secure channel.", FontStyle.Bold, true, false);
            AddSSLRelatedVulnerability(WSItemVulnerabilities, -1);
        }

        // Total of URL and POST parameters; only used for the debug log line below.
        int paramCount = RestAPIDesc.UrlParameters != null ? RestAPIDesc.UrlParameters.Count : 0;
        paramCount += RestAPIDesc.PostParameters != null ? RestAPIDesc.PostParameters.Count : 0;

        RestDynamicVulnerabilityScanner restScanner = new RestDynamicVulnerabilityScanner(this);
        foreach (VulnerabilitiesVulnerability vuln in vulnerabilities.Vulnerability)
        {
            // Type 2: REST specific, 3: common for SOAP and REST.
            if (!(vuln.type == 2 || vuln.type == 3))
            {
                continue;
            }

            // Handled elsewhere: 0 insecure transport, 9 HTTP OPTIONS, 10 XST.
            if (vuln.id == 0 || vuln.id == 9 || vuln.id == 10)
            {
                continue;
            }

            Log(" Testing: " + vuln.title, FontStyle.Regular, chkDebug.Checked, false);
            Log(" Parameter Count: " + (paramCount), FontStyle.Regular, chkDebug.Checked, false);
            try
            {
                restScanner.ScanVulnerabilities(vuln, RestAPIDesc, WSItemVulnerabilities, reportObject, chkDebug.Checked, ref respHeader, HttpHelper, CustomRequestHeader);
            }
            catch (Exception ex)
            {
                // One failing signature must not abort the rest of the scan.
                Log(" Exception: " + ex.ToString(), FontStyle.Regular, chkDebug.Checked, true);
            }
        }

        try
        {
            VulnerabilitiesVulnerability optionsVuln = vulnerabilities.Vulnerability.FirstOrDefault(v => v.id == 9);
            if (optionsVuln != null)
            {
                restScanner.CheckHTTPOptionsVulns(RestAPIDesc, optionsVuln, WSItemVulnerabilities, reportObject, chkDebug.Checked, ref respHeader, HttpHelper, CustomRequestHeader);
            }
        }
        catch (Exception ex)
        {
            Log(" CheckHTTPOptionsVulns - Exception: " + ex.ToString(), FontStyle.Regular, chkDebug.Checked, true);
        }

        try
        {
            VulnerabilitiesVulnerability xstVuln = vulnerabilities.Vulnerability.FirstOrDefault(v => v.id == 10);
            if (xstVuln != null)
            {
                restScanner.CheckXSTVulns(RestAPIDesc, xstVuln, WSItemVulnerabilities, reportObject, chkDebug.Checked, ref respHeader, HttpHelper, CustomRequestHeader);
            }
        }
        catch (Exception ex)
        {
            Log(" CheckXSTVulns - Exception: " + ex.ToString(), FontStyle.Regular, chkDebug.Checked, true);
        }
    }

    // ---- Information disclosure in collected response headers ----
    if (chkInfoDisclosure.Checked)
    {
        Log("Information Disclosure Analysis Started", FontStyle.Regular, true, false);
        InformationDisclosureVulnerabilityScanner disclosureScanner = new InformationDisclosureVulnerabilityScanner(this);
        foreach (InformationDisclosureVulnerability infoVuln in disclosureVulnerabilities.Vulnerability)
        {
            Log(" Searching Response Header: " + infoVuln.title, FontStyle.Regular, chkDebug.Checked, false);
            string infoScanRes = disclosureScanner.ScanIt(infoVuln, respHeader);
            if (string.IsNullOrEmpty(infoScanRes))
            {
                continue;
            }

            Log(" " + infoVuln.title + " Information Disclosure Found: " + infoScanRes, FontStyle.Bold, true, false);
            DisclosureVulnerabilityForReport disclosureFinding = new DisclosureVulnerabilityForReport
            {
                Vuln = infoVuln,
                Value = infoScanRes
            };
            WSItemVulnerabilities.InfoVulns.Add(disclosureFinding);
        }
        Log("Information Disclosure Analysis Finished", FontStyle.Regular, true, false);
    }

    reportObject.WsDescs.Add(WSItemVulnerabilities);
    reportObject.ScanEndDate = DateTime.Now;
    Log("Scan Finished: " + reportObject.ScanEndDate.ToString("dd.MM.yyyy HH:mm:ss"), FontStyle.Bold, true, false);

    string reportFilePath = scanDirectory + @"\Report\Report.html";
    string xmlFilePath = scanDirectory + @"\Report\Report.xml";
    string reportTemplatePath = System.AppDomain.CurrentDomain.BaseDirectory + @"\ReportTemplates\HTMLReportTemplate.html";

    ReportHelper.CreateHTMLReport(reportObject, reportTemplatePath, reportFilePath, chkXMLReport.Checked, xmlFilePath);

    // Opens the HTML report with the shell's default handler.
    Process.Start(reportFilePath);
}