public void CheckXSTVulns(RESTApi restDesc, VulnerabilitiesVulnerability vuln,
WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug,
ref List <Param> respHeader, RestHTTPHelper HttpHelper, string customRequestHeader)
{
CheckWebServerVulns(restDesc, vuln, WSItemVulnerabilities, reportObject, isDebug,
ref respHeader, HttpHelper, customRequestHeader, "Cross Site Tracing", "TRACE");
}
public void CheckHTTPOptionsVulns(RESTApi restDesc, VulnerabilitiesVulnerability vuln,
WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug,
ref List <Param> respHeader, RestHTTPHelper HttpHelper, string customRequestHeader)
{
CheckWebServerVulns(restDesc, vuln, WSItemVulnerabilities, reportObject, isDebug,
ref respHeader, HttpHelper, customRequestHeader, "HTTP OPTIONS", "OPTIONS");
}
private void CheckVulnsExceptAuth(RESTApi restDesc, VulnerabilitiesVulnerability vuln,
WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject,
bool isDebug, ref List <Param> respHeader, RestHTTPHelper HttpHelper, string customRequestHeader)
{
CheckVulnsForURLParams(restDesc, vuln, WSItemVulnerabilities,
reportObject, isDebug, ref respHeader, HttpHelper, customRequestHeader);
CheckVulnsForPostParams(restDesc, vuln, WSItemVulnerabilities,
reportObject, isDebug, ref respHeader, HttpHelper, customRequestHeader);
}
private void CheckUnAuthenticatedMethod(RESTApi restDesc, VulnerabilitiesVulnerability vuln,
WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug,
ref List <Param> respHeader, RestHTTPHelper HttpHelper, string customRequestHeader)
{
HttpWebResponseWrapper response = null;
try
{
reportObject.TotalRequestCount++;
response = HttpHelper.GetHttpWebResponseWithDefaultParams(restDesc, false, ref respHeader, customRequestHeader);
}
catch (WebException wEx)
{
//if (wEx.Response.s)
bool authErrorReceived = false;
try
{
HttpWebResponse wr = (HttpWebResponse)wEx.Response;
if (vuln.statusCode.Equals(((int)wr.StatusCode).ToString()))
{
authErrorReceived = true;
}
}
catch { }
if (!authErrorReceived)
{
SetWebException(restDesc.NormalizedURL, wEx, WSItemVulnerabilities, "Web Exception During Authentication Check", isDebug);
}
}
catch (Exception ex)
{
throw ex;
}
if (response != null && response.WebResponse != null)
{
if (!vuln.statusCode.Equals(((int)response.WebResponse.StatusCode).ToString())) // status code != 401, no redirection
{
VulnerabilityForReport authVuln = new VulnerabilityForReport();
authVuln.Vuln = MainForm.vulnerabilities.Vulnerability.Where(v => v.id == 1).FirstOrDefault();
authVuln.VulnerableMethodName = restDesc.Url.AbsoluteUri;
authVuln.VulnerableParamName = "";
authVuln.Payload = "";
authVuln.Response = response.ResponseBody;
authVuln.StatusCode = response.WebResponse.StatusCode.ToString();
WSItemVulnerabilities.Vulns.Add(authVuln);
mainForm.Log(" Auth Vulnerability Found: " + response.ResponseBody + " - status code is : " + response.WebResponse.StatusCode.ToString(), FontStyle.Bold, true, false);
}
}
}
public void ScanVulnerabilities(VulnerabilitiesVulnerability vuln, RESTApi restDesc,
WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject,
bool isDebug, ref List <Param> respHeader, RestHTTPHelper HttpHelper, string customRequestHeader)
{
if (vuln.id == 1) // check authentication
{
CheckUnAuthenticatedMethod(restDesc, vuln, WSItemVulnerabilities,
reportObject, isDebug, ref respHeader, HttpHelper, customRequestHeader);
}
else
{
CheckVulnsExceptAuth(restDesc, vuln, WSItemVulnerabilities,
reportObject, isDebug, ref respHeader, HttpHelper, customRequestHeader);
}
}
private void CheckWebServerVulns(WSDescriber wsDesc, VulnerabilitiesVulnerability vuln,
WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug,
ref List <Param> respHeader, string customRequestHeader, string methodName, string httpMethodName)
{
HttpWebResponseWrapper response = null;
try
{
RestHTTPHelper HttpHelper = new RestHTTPHelper();
reportObject.TotalRequestCount++;
response = HttpHelper.GetHttpWebResponseForWebServerVuln(wsDesc.WSUri.Scheme + "://" + wsDesc.WSUri.Host + ":" + wsDesc.WSUri.Port,
wsDesc.BasicAuthentication, ref respHeader, customRequestHeader, httpMethodName);
}
catch (Exception ex)
{
throw ex;
}
if (response != null && response.WebResponse != null)
{
if (vuln.statusCode.Equals(((int)response.WebResponse.StatusCode).ToString())) // status code == 200
{
VulnerabilityForReport optionsVuln = new VulnerabilityForReport();
optionsVuln.Vuln = vuln;
optionsVuln.VulnerableMethodName = wsDesc.WSUri.Host + ":" + wsDesc.WSUri.Port;
optionsVuln.VulnerableParamName = "";
optionsVuln.Payload = "";
optionsVuln.Response = response.ResponseBody;
optionsVuln.StatusCode = response.WebResponse.StatusCode.ToString();
WSItemVulnerabilities.Vulns.Add(optionsVuln);
mainForm.Log(" " + methodName + " is enabled: " + response.ResponseBody + " - status code is : " + response.WebResponse.StatusCode.ToString(), FontStyle.Bold, true, false);
}
}
}
private void CheckVulnsForURLParams(RESTApi restDesc,
VulnerabilitiesVulnerability vuln, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject,
bool isDebug, ref List <Param> respHeader, RestHTTPHelper HttpHelper, string customRequestHeader)
{
//CheckVulnsForParams(restDesc.NormalizedURL, restDesc.UrlParameters, vuln, WSItemVulnerabilities,
// reportObject, isDebug, ref respHeader);
if (restDesc.UrlParameters != null && restDesc.UrlParameters.Count > 0)
{
string postDataWithDefault = HttpHelper.GetDefaultValuesForParam(restDesc.NormalizedPostData, restDesc.PostParameters, true);
for (int i = 0; i < restDesc.UrlParameters.Count; i++)
{
if (i == restDesc.UrlParameters[i].Index)
{
foreach (string payload in vuln.request)
{
bool vulnFoundForParam = false;
string newUrl = restDesc.NormalizedURL.Replace("{" + i + "}", payload.Trim());
newUrl = SetParameterDefaultValue(newUrl, restDesc.UrlParameters, restDesc.UrlParameters[i].Index, isDebug, false);
HttpWebResponseWrapper response = null;
try
{
reportObject.TotalRequestCount++;
response = HttpHelper.GetHttpWebResponse(restDesc, newUrl, postDataWithDefault, true, ref respHeader, customRequestHeader);
}
catch (WebException wEx)
{
SetWebException(newUrl, wEx, WSItemVulnerabilities, payload, isDebug);
}
catch (Exception ex)
{
throw ex;
}
if (response != null && response.WebResponse != null)
{
SearcForVuln(response, WSItemVulnerabilities, vuln, payload,
ref vulnFoundForParam, newUrl, isDebug, restDesc.UrlParameters[i].Index);
}
if (vulnFoundForParam)
{
break;
}
}
}
}
}
}
