public TimeBasedCheckResults DoTimeDelayBasedCheck(PayloadGenerator PayloadGen, object OtherInfo, int AverageBaseRoundTrip)
{
TimeBasedCheckResults TimeCheckResults = new TimeBasedCheckResults();
TimeCheckResults.Success = false;
int DelayTime = 5000;
if (AverageBaseRoundTrip * 2 > DelayTime)
{
DelayTime = AverageBaseRoundTrip * 2;
}
string DelayPayload = PayloadGen(DelayTime, OtherInfo);
this.Scnr.RequestTrace(string.Format(" Injected payload - {0}", DelayPayload));
Response DelayRes = this.Scnr.Inject(DelayPayload);
if (DelayRes.RoundTrip < DelayTime)
{
this.Scnr.ResponseTrace(string.Format(" ==> Response roundtrip is {0}ms which is less than the {1}ms delay induced in the payload.", DelayRes.RoundTrip, DelayTime));
return TimeCheckResults;
}
else
{
this.Scnr.ResponseTrace(string.Format(" ==> Response roundtrip is {0}ms which is more than the {1}ms delay induced in the payload.", DelayRes.RoundTrip, DelayTime));
this.Scnr.Trace("<i<b>>Doing further checks to determine if this delay was valid or a false positive<i</b>>");
}
List<int> SmallDelays = new List<int>();
List<int> BigDelays = new List<int>();
int BiggestDelay = 0;
Request DelayRequest=null;
Response DelayResponse=null;
int SmallDelayTime = 1000;
string SmallDelayPayload = PayloadGen(SmallDelayTime, OtherInfo);
foreach (int i in new int[] { 0, 1, 2 })
{
Thread.Sleep(2000);//To help the server recover from big delay
this.Scnr.RequestTrace(string.Format(" Injected payload - {0}", SmallDelayPayload));
SmallDelays.Add(this.Scnr.Inject(SmallDelayPayload).RoundTrip);
if (SmallDelays[i] < SmallDelayTime)
{
this.Scnr.ResponseTrace(string.Format(" ==> Response roundtrip is {0}ms which is less than the {1}ms delay induced in the payload.", SmallDelays[i], SmallDelayTime));
this.Scnr.Trace("<i<b>>Concluding that the earlier delays were False Positives<i</b>>");
return TimeCheckResults;
}
else
{
this.Scnr.ResponseTrace(string.Format(" ==> Response roundtrip is {0}ms which is more than the {1}ms delay induced in the payload.", SmallDelays[i], SmallDelayTime));
}
Thread.Sleep(1000);//To help the server recover from small delay
this.Scnr.RequestTrace(string.Format(" Injected payload - {0}", DelayPayload));
Response Res = this.Scnr.Inject(DelayPayload);
if (Res.RoundTrip >= BiggestDelay)
{
BiggestDelay = Res.RoundTrip;
DelayRequest = this.Scnr.InjectedRequest.GetClone();
DelayResponse = Res;
}
BigDelays.Add(Res.RoundTrip);
if (BigDelays[i] < DelayTime)
{
this.Scnr.ResponseTrace(string.Format(" ==> Response roundtrip is {0}ms which is less than the {1}ms delay induced in the payload.", BigDelays[i], DelayTime));
this.Scnr.Trace("<i<b>>Concluding that the earlier delays were False Positives<i</b>>");
return TimeCheckResults;
}
else
{
this.Scnr.ResponseTrace(string.Format(" ==> Response roundtrip is {0}ms which is more than the {1}ms delay induced in the payload.", BigDelays[i], DelayTime));
}
}
//Analyze small delays to confirm if this is vulnerable
int SmallDelayTimeDiffSuccessCount = 0;
foreach (int i in new int[] { 0, 1, 2 })
{
if ((BigDelays[i] - DelayTime) >= (SmallDelays[i] - SmallDelayTime))
{
SmallDelayTimeDiffSuccessCount++;
}
}
if (SmallDelayTimeDiffSuccessCount == 3)
{
this.Scnr.Trace(string.Format("<i<cr>>The 3 responses for the payload that induced a delay of {0}ms consistently took atleast {1}ms less than the 3 responses for the payload that induced a delay of {2}ms.<i</cr>>", SmallDelayTime, DelayTime - SmallDelayTime ,DelayTime));
this.Scnr.Trace("<i<cr>>This strongly indicates that the payloads are causing the delays and they are not false positives.<i</cr>>");
TimeCheckResults.DelayPayload = DelayPayload;
TimeCheckResults.DelayInduced = DelayTime;
TimeCheckResults.DelayObserved = BiggestDelay;
TimeCheckResults.DelayRequest = DelayRequest;
TimeCheckResults.DelayResponse = DelayResponse;
TimeCheckResults.Confidence = FindingConfidence.High;
TimeCheckResults.AverageBaseTime = this.AvgBaseRoundTrip;
TimeCheckResults.Success = true;
return TimeCheckResults;
//Time delay successful high confidence
}
SmallDelayTimeDiffSuccessCount = 0;
foreach (int i in new int[] { 0, 1, 2 })
{
if ((BigDelays[i] - (DelayTime - 1000)) >= (SmallDelays[i] - SmallDelayTime))
{
SmallDelayTimeDiffSuccessCount++;
}
}
if (SmallDelayTimeDiffSuccessCount == 3)
{
this.Scnr.Trace(string.Format("<i<cr>>The 3 responses where a delay of {0}ms was induced consistently took atleast {1}ms less than the 3 responses where {2}ms delay was induced.<i</cr>>", SmallDelayTime, DelayTime - 1000 - SmallDelayTime, DelayTime));
this.Scnr.Trace("<i<cr>>This strongly indicates that the payloads are causing the delays and they are not false positives.<i</cr>>");
TimeCheckResults.DelayPayload = DelayPayload;
TimeCheckResults.DelayInduced = DelayTime;
TimeCheckResults.DelayObserved = BiggestDelay;
TimeCheckResults.DelayRequest = DelayRequest;
TimeCheckResults.DelayResponse = DelayResponse;
TimeCheckResults.Confidence = FindingConfidence.Medium;
TimeCheckResults.AverageBaseTime = this.AvgBaseRoundTrip;
TimeCheckResults.Success = true;
return TimeCheckResults;
//Time delay successful medium confidence
}
SmallDelayTimeDiffSuccessCount = 0;
foreach (int i in new int[] { 0, 1, 2 })
{
if ((BigDelays[i] - DelayTime / 2) >= (SmallDelays[i] - SmallDelayTime))
{
SmallDelayTimeDiffSuccessCount++;
}
}
if (SmallDelayTimeDiffSuccessCount == 3)
{
this.Scnr.Trace(string.Format("<i<cr>>The 3 responses where a delay of {0}ms was induced consistently took atleast {1}ms less than the 3 responses where {2}ms delay was induced.<i</cr>>", SmallDelayTime, (DelayTime/2)-SmallDelayTime, DelayTime));
this.Scnr.Trace("<i<cr>>This strongly indicates that the payloads are causing the delays and they are not false positives.<i</cr>>");
TimeCheckResults.DelayPayload = DelayPayload;
TimeCheckResults.DelayInduced = DelayTime;
TimeCheckResults.DelayObserved = BiggestDelay;
TimeCheckResults.DelayRequest = DelayRequest;
TimeCheckResults.DelayResponse = DelayResponse;
TimeCheckResults.Confidence = FindingConfidence.Low;
TimeCheckResults.AverageBaseTime = this.AvgBaseRoundTrip;
TimeCheckResults.Success = true;
return TimeCheckResults;
//Time delay successful low confidence
}
this.Scnr.Trace("<i<b>>There were no consistent delays based on the injected payloads, so concluding that the earlier delays were false positives.<i</b>>");
return TimeCheckResults;
}
public TimeBasedCheckResults DoTimeDelayBasedCheck(PayloadGenerator PayloadGen, object OtherInfo)
{
if (this.AvgBaseRoundTrip < 0)
{
this.Scnr.Trace("<i<b>>Sending two requests to find out the normal roundtrip time to be used as baseline<i</b>>");
//Let's first check the time taken for non-delay payloads
string NonDelayPayload = PayloadGen(0, OtherInfo);
Response BaseRes1 = this.Scnr.Inject(NonDelayPayload);
Response BaseRes2 = this.Scnr.Inject(NonDelayPayload);
this.AvgBaseRoundTrip = (BaseRes1.RoundTrip + BaseRes2.RoundTrip) / 2;
this.Scnr.Trace(string.Format("<i<b>>The roundtrip values of the two requests were {0}ms and {1}ms. Their average {2}ms is being used as baseline.<i</b>>", BaseRes1.RoundTrip, BaseRes2.RoundTrip, this.AvgBaseRoundTrip));
}
return DoTimeDelayBasedCheck(PayloadGen, OtherInfo, this.AvgBaseRoundTrip);
}
public int FindNum(PayloadGenerator PayGenFunction, object Info, Fuzzer F)
{
int UpperLimit = 0;
int LowerLimit = 1;
string Payload = "";
bool IsZero = false;
bool IsOne = false;
if (IsPayloadResponseTrue(F, PayGenFunction(Info, "=", "0")))
{
IsZero = true;
}
if (IsPayloadResponseTrue(F, PayGenFunction(Info, "=", "1")))
{
IsOne = true;
}
if (IsOne && IsZero)
{
throw new Exception("Injection does not work");
}
else if (IsOne)
{
return(1);
}
else if (IsZero)
{
return(0);
}
for (int i = 0; i < 100; i++)
//while (true)
{
if (i == 20 || i == 40 || i == 60 || i == 80)
{
if (IsPayloadResponseTrue(F, PayGenFunction(Info, "=", "0")))
{
throw new Exception("Injection does not work");
}
}
int ToCheck = 0;
string Operator = "<";
if (UpperLimit == 0)
{
ToCheck = LowerLimit * 10;
}
else if (UpperLimit - LowerLimit == 1)
{
Operator = "=";
ToCheck = LowerLimit;
}
else
{
ToCheck = ((UpperLimit - LowerLimit) / 2) + LowerLimit;
}
Payload = PayGenFunction(Info, Operator, ToCheck.ToString());
if (IsPayloadResponseTrue(F, Payload))
{
if (Operator == "=")
{
return(ToCheck);
}
else
{
UpperLimit = ToCheck;
}
}
else
{
if (Operator == "=" && UpperLimit - LowerLimit == 1)
{
return(-1);
}
else
{
LowerLimit = ToCheck;
}
}
}
return(-1);
}
public AppEncryptionParameterizedTest()
{
payload = PayloadGenerator.CreateDefaultRandomJsonPayload();
}
public MultiThreadedSecretTest()
{
payload = PayloadGenerator.CreateRandomBytePayload(PayloadSizeBytes);
}
private void RunPositiveFunctionTest(ODataFormat format, TestCase testCase)
{
// All of the functions tests use the PlaybackService since the WCF Data Services server doesn't support functions
// The PlaybackService itself will not automatically turn Metadata into an absolute URI, so set that to false on all tests.
// The tests also use absolute URIs for Target, so suppress that as well.
testCase.AddBaseUriToMetadata = false;
testCase.AddBaseUriToTarget = false;
using (TestWebRequest request = TestWebRequest.CreateForInProcessWcf())
using (PlaybackService.ProcessRequestOverride.Restore())
{
request.ServiceType = typeof(AstoriaUnitTests.Stubs.PlaybackService);
request.StartService();
var payloadBuilder = testCase.ResponsePayloadBuilder;
PlaybackService.ProcessRequestOverride.Value = (req) =>
{
string contentType;
if (format == ODataFormat.Json)
{
contentType = UnitTestsUtil.JsonLightMimeType;
payloadBuilder.Metadata = request.BaseUri + "/$metadata#TestService.CustomerEntities/$entity";
}
else
{
contentType = UnitTestsUtil.AtomFormat;
}
req.SetResponseStreamAsText(PayloadGenerator.Generate(payloadBuilder, format));
req.ResponseHeaders.Add("Content-Type", contentType);
req.SetResponseStatusCode(200);
return(req);
};
testCase.AddBaseUriStringToExpectedDescriptors(request.ServiceRoot.OriginalString, format);
Uri uri = new Uri(request.ServiceRoot + "/" + testCase.RequestUriString);
DataServiceContext ctx = new DataServiceContext(request.ServiceRoot, ODataProtocolVersion.V4);
//ctx.EnableAtom = true;
if (format == ODataFormat.Json)
{
string serviceEdmx = GetServiceEdmxWithOperations(payloadBuilder);
JsonLightTestUtil.ConfigureContextForJsonLight(ctx, serviceEdmx);
}
QueryOperationResponse <CustomerEntity> qor = (QueryOperationResponse <CustomerEntity>)ctx.Execute <CustomerEntity>(uri);
Assert.IsNotNull(qor);
Assert.IsNull(qor.Error);
IEnumerator <CustomerEntity> entities = qor.GetEnumerator();
int expectedDescriptorsPerEntity = 0;
while (entities.MoveNext())
{
CustomerEntity c = entities.Current;
EntityDescriptor ed = ctx.GetEntityDescriptor(c);
IEnumerable <OperationDescriptor> actualDescriptors = ed.OperationDescriptors;
TestEquality(actualDescriptors, testCase.GetExpectedDescriptors(format)[expectedDescriptorsPerEntity++]);
}
}
}