/// <summary>
/// Runs the "Cross Site Tracing" web-server check by forwarding every argument to
/// <c>CheckWebServerVulns</c> together with the HTTP method name <c>TRACE</c>.
/// </summary>
/// <remarks>
/// NOTE(review): this call passes <paramref name="HttpHelper"/> and ten arguments in total, so it
/// must bind to an overload of <c>CheckWebServerVulns</c> that accepts a <c>RestHTTPHelper</c>.
/// The nine-parameter overload in this file takes a <c>WSDescriber</c> and no helper; confirm
/// which overload is intended.
/// </remarks>
public void CheckXSTVulns(
    RESTApi restDesc,
    VulnerabilitiesVulnerability vuln,
    WSDescriberForReport WSItemVulnerabilities,
    ReportObject reportObject,
    bool isDebug,
    ref List<Param> respHeader,
    RestHTTPHelper HttpHelper,
    string customRequestHeader)
{
    // Label used in the scanner log and the HTTP verb that is sent to the server.
    const string checkLabel = "Cross Site Tracing";
    const string httpVerb = "TRACE";

    CheckWebServerVulns(
        restDesc,
        vuln,
        WSItemVulnerabilities,
        reportObject,
        isDebug,
        ref respHeader,
        HttpHelper,
        customRequestHeader,
        checkLabel,
        httpVerb);
}
/// <summary>
/// Runs the "HTTP OPTIONS" web-server check by forwarding every argument to
/// <c>CheckWebServerVulns</c> together with the HTTP method name <c>OPTIONS</c>.
/// </summary>
/// <remarks>
/// NOTE(review): this call passes <paramref name="HttpHelper"/> and ten arguments in total, so it
/// must bind to an overload of <c>CheckWebServerVulns</c> that accepts a <c>RestHTTPHelper</c>.
/// The nine-parameter overload in this file takes a <c>WSDescriber</c> and no helper; confirm
/// which overload is intended.
/// </remarks>
public void CheckHTTPOptionsVulns(
    RESTApi restDesc,
    VulnerabilitiesVulnerability vuln,
    WSDescriberForReport WSItemVulnerabilities,
    ReportObject reportObject,
    bool isDebug,
    ref List<Param> respHeader,
    RestHTTPHelper HttpHelper,
    string customRequestHeader)
{
    // Label used in the scanner log and the HTTP verb that is sent to the server.
    const string checkLabel = "HTTP OPTIONS";
    const string httpVerb = "OPTIONS";

    CheckWebServerVulns(
        restDesc,
        vuln,
        WSItemVulnerabilities,
        reportObject,
        isDebug,
        ref respHeader,
        HttpHelper,
        customRequestHeader,
        checkLabel,
        httpVerb);
}
/// <summary>
/// Runs the parameter-based checks for one vulnerability definition: first the URL parameters,
/// then the POST parameters. Both calls receive the same arguments.
/// </summary>
private void CheckVulnsExceptAuth(
    RESTApi restDesc,
    VulnerabilitiesVulnerability vuln,
    WSDescriberForReport WSItemVulnerabilities,
    ReportObject reportObject,
    bool isDebug,
    ref List<Param> respHeader,
    RestHTTPHelper HttpHelper,
    string customRequestHeader)
{
    // Step 1: payloads substituted into the URL placeholders.
    CheckVulnsForURLParams(
        restDesc, vuln, WSItemVulnerabilities, reportObject, isDebug,
        ref respHeader, HttpHelper, customRequestHeader);

    // Step 2: payloads placed in the POST parameters.
    CheckVulnsForPostParams(
        restDesc, vuln, WSItemVulnerabilities, reportObject, isDebug,
        ref respHeader, HttpHelper, customRequestHeader);
}
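/// <summary>
/// Sends one request built from the default parameter values and records an authentication
/// finding when the endpoint answers with a status code other than <c>vuln.statusCode</c>.
/// </summary>
/// <remarks>
/// A <see cref="WebException"/> whose HTTP status equals <c>vuln.statusCode</c> is the expected
/// "authentication required" answer and is ignored. Any other <see cref="WebException"/> is
/// recorded through <c>SetWebException</c>. Other exception types propagate to the caller with
/// their original stack trace.
/// NOTE(review): the <c>false</c> passed to <c>GetHttpWebResponseWithDefaultParams</c> presumably
/// suppresses credentials; confirm against the helper.
/// </remarks>
private void CheckUnAuthenticatedMethod(
    RESTApi restDesc,
    VulnerabilitiesVulnerability vuln,
    WSDescriberForReport WSItemVulnerabilities,
    ReportObject reportObject,
    bool isDebug,
    ref List<Param> respHeader,
    RestHTTPHelper HttpHelper,
    string customRequestHeader)
{
    HttpWebResponseWrapper response = null;

    try
    {
        reportObject.TotalRequestCount++;
        response = HttpHelper.GetHttpWebResponseWithDefaultParams(restDesc, false, ref respHeader, customRequestHeader);
    }
    catch (WebException wEx)
    {
        // WebException.Response is null when no HTTP response was received, and it is not
        // guaranteed to be an HttpWebResponse. Test for both explicitly instead of relying on
        // an empty catch to hide the resulting exception.
        HttpWebResponse wr = wEx.Response as HttpWebResponse;
        bool authErrorReceived = wr != null
            && vuln.statusCode != null
            && vuln.statusCode.Equals(((int)wr.StatusCode).ToString());

        if (!authErrorReceived)
        {
            SetWebException(restDesc.NormalizedURL, wEx, WSItemVulnerabilities, "Web Exception During Authentication Check", isDebug);
        }
    }
    // No catch (Exception): the previous "throw ex;" only reset the stack trace.

    if (response != null && response.WebResponse != null)
    {
        // NOTE(review): every status other than vuln.statusCode is reported. A redirect to a
        // login page, or a 200 page that carries an error body, would therefore be reported as
        // missing authentication; confirm how the helper treats redirects.
        if (!vuln.statusCode.Equals(((int)response.WebResponse.StatusCode).ToString()))
        {
            VulnerabilityForReport authVuln = new VulnerabilityForReport();
            authVuln.Vuln = MainForm.vulnerabilities.Vulnerability.FirstOrDefault(v => v.id == 1);
            authVuln.VulnerableMethodName = restDesc.Url.AbsoluteUri;
            authVuln.VulnerableParamName = "";
            authVuln.Payload = "";
            authVuln.Response = response.ResponseBody;
            authVuln.StatusCode = response.WebResponse.StatusCode.ToString();

            WSItemVulnerabilities.Vulns.Add(authVuln);

            // The full response body goes to the log and the report; a body returned without
            // authentication may contain sensitive data, so handle scan output accordingly.
            mainForm.Log(" Auth Vulnerability Found: " + response.ResponseBody + " - status code is : " + response.WebResponse.StatusCode.ToString(), FontStyle.Bold, true, false);
        }
    }
}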
/// <summary>
/// Dispatches one vulnerability definition to the matching check: the definition with id 1 goes
/// to the authentication check, every other definition goes to the URL/POST parameter checks.
/// </summary>
public void ScanVulnerabilities(
    VulnerabilitiesVulnerability vuln,
    RESTApi restDesc,
    WSDescriberForReport WSItemVulnerabilities,
    ReportObject reportObject,
    bool isDebug,
    ref List<Param> respHeader,
    RestHTTPHelper HttpHelper,
    string customRequestHeader)
{
    // Id 1 marks the authentication check.
    bool isAuthenticationCheck = vuln.id == 1;

    if (!isAuthenticationCheck)
    {
        CheckVulnsExceptAuth(
            restDesc, vuln, WSItemVulnerabilities, reportObject, isDebug,
            ref respHeader, HttpHelper, customRequestHeader);
        return;
    }

    CheckUnAuthenticatedMethod(
        restDesc, vuln, WSItemVulnerabilities, reportObject, isDebug,
        ref respHeader, HttpHelper, customRequestHeader);
}
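/// <summary>
/// Sends one request with the HTTP method <paramref name="httpMethodName"/> to the server root
/// (<c>scheme://host:port</c> of <c>wsDesc.WSUri</c>) and records a finding when the response
/// status code equals <c>vuln.statusCode</c>.
/// </summary>
/// <param name="methodName">Human-readable name of the check; used only in the log message.</param>
/// <param name="httpMethodName">HTTP method passed to the request helper.</param>
/// <remarks>
/// A new <c>RestHTTPHelper</c> is created for each call. Exceptions raised while sending the
/// request propagate to the caller with their original stack trace.
/// </remarks>
private void CheckWebServerVulns(
    WSDescriber wsDesc,
    VulnerabilitiesVulnerability vuln,
    WSDescriberForReport WSItemVulnerabilities,
    ReportObject reportObject,
    bool isDebug,
    ref List<Param> respHeader,
    string customRequestHeader,
    string methodName,
    string httpMethodName)
{
    // The former try/catch only did "throw ex;", which reset the stack trace. Letting the
    // exception propagate keeps the same contract and preserves the trace.
    RestHTTPHelper HttpHelper = new RestHTTPHelper();
    reportObject.TotalRequestCount++;

    // The request targets the server itself, not the API path.
    string serverRoot = wsDesc.WSUri.Scheme + "://" + wsDesc.WSUri.Host + ":" + wsDesc.WSUri.Port;
    HttpWebResponseWrapper response = HttpHelper.GetHttpWebResponseForWebServerVuln(
        serverRoot, wsDesc.BasicAuthentication, ref respHeader, customRequestHeader, httpMethodName);

    if (response == null || response.WebResponse == null)
    {
        return;
    }

    // NOTE(review): the finding rests on the status code alone. A catch-all handler or an
    // intermediary that answers every method with the expected status would be reported as a
    // finding. Checking that a TRACE body echoes the request, or reading the Allow header of an
    // OPTIONS response, would reduce false positives; confirm whether that is done elsewhere.
    if (vuln.statusCode.Equals(((int)response.WebResponse.StatusCode).ToString()))
    {
        VulnerabilityForReport optionsVuln = new VulnerabilityForReport();
        optionsVuln.Vuln = vuln;
        optionsVuln.VulnerableMethodName = wsDesc.WSUri.Host + ":" + wsDesc.WSUri.Port;
        optionsVuln.VulnerableParamName = "";
        optionsVuln.Payload = "";
        optionsVuln.Response = response.ResponseBody;
        optionsVuln.StatusCode = response.WebResponse.StatusCode.ToString();

        WSItemVulnerabilities.Vulns.Add(optionsVuln);

        mainForm.Log(" " + methodName + " is enabled: " + response.ResponseBody + " - status code is : " + response.WebResponse.StatusCode.ToString(), FontStyle.Bold, true, false);
    }
}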
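/// <summary>
/// For each URL parameter whose <c>Index</c> equals its position in <c>restDesc.UrlParameters</c>,
/// substitutes each payload from <c>vuln.request</c> into the matching <c>{i}</c> placeholder of
/// <c>restDesc.NormalizedURL</c>, sends the request, and passes the response to
/// <c>SearcForVuln</c>. The remaining payloads for a parameter are skipped once a finding is
/// reported for it.
/// </summary>
/// <remarks>
/// A <see cref="WebException"/> is recorded through <c>SetWebException</c> and the loop continues
/// with the next payload. Other exception types propagate to the caller with their original
/// stack trace.
/// </remarks>
private void CheckVulnsForURLParams(
    RESTApi restDesc,
    VulnerabilitiesVulnerability vuln,
    WSDescriberForReport WSItemVulnerabilities,
    ReportObject reportObject,
    bool isDebug,
    ref List<Param> respHeader,
    RestHTTPHelper HttpHelper,
    string customRequestHeader)
{
    if (restDesc.UrlParameters == null || restDesc.UrlParameters.Count == 0)
    {
        return;
    }

    // The POST body keeps its default values; only the URL is varied in this check.
    string postDataWithDefault = HttpHelper.GetDefaultValuesForParam(restDesc.NormalizedPostData, restDesc.PostParameters, true);

    for (int i = 0; i < restDesc.UrlParameters.Count; i++)
    {
        // Only parameters stored at the position given by their own Index are tested.
        if (i != restDesc.UrlParameters[i].Index)
        {
            continue;
        }

        foreach (string payload in vuln.request)
        {
            bool vulnFoundForParam = false;

            // The payload is inserted as-is (trimmed only, no URL encoding). The other
            // placeholders are then filled by SetParameterDefaultValue.
            string newUrl = restDesc.NormalizedURL.Replace("{" + i + "}", payload.Trim());
            newUrl = SetParameterDefaultValue(newUrl, restDesc.UrlParameters, restDesc.UrlParameters[i].Index, isDebug, false);

            HttpWebResponseWrapper response = null;
            try
            {
                reportObject.TotalRequestCount++;
                response = HttpHelper.GetHttpWebResponse(restDesc, newUrl, postDataWithDefault, true, ref respHeader, customRequestHeader);
            }
            catch (WebException wEx)
            {
                SetWebException(newUrl, wEx, WSItemVulnerabilities, payload, isDebug);
            }
            // No catch (Exception): the previous "throw ex;" only reset the stack trace.

            if (response != null && response.WebResponse != null)
            {
                SearcForVuln(response, WSItemVulnerabilities, vuln, payload, ref vulnFoundForParam, newUrl, isDebug, restDesc.UrlParameters[i].Index);
            }

            if (vulnFoundForParam)
            {
                // One finding per parameter is enough; move on to the next parameter.
                break;
            }
        }
    }
}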