private void AddSSLRelatedVulnerability(WSDescriberForReport WSItemVulnerabilities, int vulnId) { VulnerabilityForReport sslVuln = new VulnerabilityForReport(); sslVuln.Vuln = vulnerabilities.Vulnerability.Where(v => v.id == vulnId).FirstOrDefault(); sslVuln.VulnerableMethodName = ""; sslVuln.VulnerableParamName = ""; sslVuln.Payload = ""; sslVuln.Response = ""; sslVuln.StatusCode = ""; WSItemVulnerabilities.Vulns.Add(sslVuln); }
public void ScanVulnerabilities(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln, string targetNameSpace, WSDescriber wsDesc, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug, ref List<Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags) { if (vuln.id == 1) // check authentication { CheckUnAuthenticatedMethod(wsInvoker, operation, vuln, targetNameSpace, WSItemVulnerabilities, reportObject, isDebug, ref respHeader, customSoapHeaderTags, customSoapBodyTags); } else { CheckVulnsExceptAuth(wsInvoker, operation, vuln, targetNameSpace, wsDesc, WSItemVulnerabilities, reportObject, isDebug, ref respHeader, customSoapHeaderTags, customSoapBodyTags); } }
public void SetSoapFaultException(WSOperation operation, SoapException soapEx, WSDescriberForReport WSItemVulnerabilities, bool isDebug) { if (WSItemVulnerabilities.Vulns.Where(v => v.VulnerableMethodName.Equals(operation.MethodName) && v.Vuln.id == 7).Count() <= 0) // aynı method için sadece 1 tane soap fault zafiyeti yaz { mainForm.Log(" Soap Exception: " + soapEx.ToString(), FontStyle.Regular, isDebug); VulnerabilityForReport soapFaultVuln = new VulnerabilityForReport(); soapFaultVuln.Vuln = MainForm.vulnerabilities.Vulnerability.Where(v => v.id == 7).FirstOrDefault(); soapFaultVuln.VulnerableMethodName = operation.MethodName; soapFaultVuln.VulnerableParamName = ""; soapFaultVuln.Payload = ""; soapFaultVuln.Response = soapEx.Message; soapFaultVuln.StatusCode = ""; WSItemVulnerabilities.Vulns.Add(soapFaultVuln); } }
private void CheckUnAuthenticatedMethod(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln, string targetNameSpace, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug, ref List<Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags) { for (int j = 0; j < operation.Parameters.Count; j++) { SetParameterDefaultValue(wsInvoker, operation.Parameters[j], isDebug); } try { try { reportObject.TotalRequestCount++; wsInvoker.InvokeMethod(operation.MethodName, targetNameSpace, null, ref respHeader, customSoapHeaderTags, customSoapBodyTags); } catch (SoapException soapEx) { //throw ex; SetSoapFaultException(operation, soapEx, WSItemVulnerabilities, isDebug); } catch (Exception ex) { throw ex; } } finally { wsInvoker.PosInvoke(); } if (!vuln.statusCode.Equals(wsInvoker.StatusCode.ToString())) // status code is not 401, no redirect { VulnerabilityForReport authVuln = new VulnerabilityForReport(); authVuln.Vuln = MainForm.vulnerabilities.Vulnerability.Where(v => v.id == 1).FirstOrDefault(); authVuln.VulnerableMethodName = operation.MethodName; authVuln.VulnerableParamName = ""; authVuln.Payload = ""; authVuln.Response = wsInvoker.ResultString; authVuln.StatusCode = wsInvoker.StatusCode.ToString(); WSItemVulnerabilities.Vulns.Add(authVuln); mainForm.Log(" Auth Vulnerability Found: " + wsInvoker.ResultString + " - status code is : " + wsInvoker.StatusCode.ToString(), FontStyle.Bold, true); } }
private void SetVuln(WebServiceToInvoke wsInvoker, WSDescriberForReport WSItemVulnerabilities, VulnerabilitiesVulnerability vuln, WSOperation operation, string payload, string paramName, string logStr) { mainForm.Log(logStr, FontStyle.Bold, true); VulnerabilityForReport vulnRep = new VulnerabilityForReport(); vulnRep.Vuln = vuln; vulnRep.VulnerableMethodName = operation.MethodName; vulnRep.VulnerableParamName = paramName; vulnRep.Payload = payload; vulnRep.Response = wsInvoker.ResultString; vulnRep.StatusCode = wsInvoker.StatusCode.ToString(); WSItemVulnerabilities.Vulns.Add(vulnRep); }
private void CheckVulnsExceptAuth(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln, string targetNameSpace, WSDescriber wsDesc, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug, ref List<Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags) { int paramIndexToTest = 0; for (int i = 0; i < operation.Parameters.Count; i++) { if (i == paramIndexToTest) { foreach (string payload in vuln.request) { bool vulnFoundForParam = false; wsInvoker.AddParameter(operation.Parameters[i].Name, payload.Trim()); for (int j = 0; j < operation.Parameters.Count; j++) { if (j != paramIndexToTest) { SetParameterDefaultValue(wsInvoker, operation.Parameters[j], isDebug); } } try { try { reportObject.TotalRequestCount++; wsInvoker.InvokeMethod(operation.MethodName, targetNameSpace, wsDesc, ref respHeader, customSoapHeaderTags, customSoapBodyTags); } catch (SoapException soapEx) { SetSoapFaultException(operation, soapEx, WSItemVulnerabilities, isDebug); } catch (Exception ex) { throw ex; } } finally { wsInvoker.PosInvoke(); } mainForm.Log(" StatusCode: " + wsInvoker.StatusCode, FontStyle.Regular, isDebug); mainForm.Log(" Result: " + wsInvoker.ResultString, FontStyle.Regular, isDebug); if (!string.IsNullOrEmpty(vuln.statusCode)) { if (vuln.statusCode.Equals(wsInvoker.StatusCode.ToString())) { if (vuln.response == null || vuln.response.Count() == 0) { SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, operation.Parameters[i].Name, " " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Status Code: " + vuln.statusCode); vulnFoundForParam = true; } else { foreach (string text in vuln.response) { if (wsInvoker.ResultString.Trim().Contains(text.Trim())) { SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, operation.Parameters[i].Name, " " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Response Text Contains: " + text + " - Status Code: " + vuln.statusCode); vulnFoundForParam = true; break; } } } } } else { foreach (string text in vuln.response) { //if (System.Text.RegularExpressions.Regex.IsMatch(wsInvoker.ResultString.Trim(), text.Trim(), System.Text.RegularExpressions.RegexOptions.IgnoreCase)) if (wsInvoker.ResultString.Trim().Contains(text.Trim())) { // Vulnerability Found SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, operation.Parameters[i].Name, " " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Response Text Contains: " + text); vulnFoundForParam = true; break; } } } if (vulnFoundForParam) { break; } } } paramIndexToTest++; } }
private void btnScan_Click(object sender, EventArgs e) { if (services != null && services.Count > 0) { lvResult.Items.Clear(); scanDirectory = DirectoryHelper.GetScanDirectoryName(); DirectoryHelper.CreateScanDirectory(scanDirectory); ReportObject reportObject = new ReportObject(); reportObject.ScanStartDate = DateTime.Now; reportObject.WsDescs = new List<WSDescriberForReport>(); reportObject.TotalRequestCount = 0; Log("Scan Started: " + reportObject.ScanStartDate.ToString("dd.MM.yyyy HH:mm:ss"), FontStyle.Bold, true); foreach (WSDescriber wsDesc in services) { WSDescriberForReport WSItemVulnerabilities = new WSDescriberForReport(); WSItemVulnerabilities.WsDesc = wsDesc; WSItemVulnerabilities.Vulns = new List<VulnerabilityForReport>(); WSItemVulnerabilities.StaticVulns = new List<StaticVulnerabilityForReport>(); WSItemVulnerabilities.InfoVulns = new List<DisclosureVulnerabilityForReport>(); Log("WSDL Address: " + wsDesc.WSDLAddress, FontStyle.Bold, true); Log("Parsing WSDL...", FontStyle.Regular, true); List<Param> respHeader = new List<Param>(); bool untrustedSSLSecureChannel = false; Parser parser = new Parser(wsDesc, ref untrustedSSLSecureChannel, ref respHeader); if (chkStaticScan.Checked) { Log("Static Analysis Started", FontStyle.Regular, true); StaticVulnerabilityScanner svs = new StaticVulnerabilityScanner(); foreach (StaticVulnerabilitiesStaticVulnerability staticVuln in staticVulnerabilities.StaticVulnerability) { Log(" Testing: " + staticVuln.title, FontStyle.Regular, chkDebug.Checked); string staticScanRes = svs.ScanIt(staticVuln, parser.rawWSDL); if (!string.IsNullOrEmpty(staticScanRes)) { Log(" " + staticVuln.title + " Vulnerability Found: " + staticScanRes, FontStyle.Bold, true); StaticVulnerabilityForReport vulnRep = new StaticVulnerabilityForReport(); vulnRep.Vuln = staticVuln; vulnRep.XMLLine = staticScanRes; WSItemVulnerabilities.StaticVulns.Add(vulnRep); } } Log("Static Analysis Finished", FontStyle.Regular, true); } if (chkDynamicScan.Checked) { Log("Getting Methods...", FontStyle.Regular, true); List<WSOperation> operations = parser.GetOperations(); WebServiceToInvoke wsInvoker = new WebServiceToInvoke(wsDesc.WSDLAddress.Replace("?WSDL", "")); if (!wsDesc.WSUri.Scheme.Equals("https")) { Log(" Vulnerability Found - SSL Not Used, Uri Schema is " + wsDesc.WSUri.Scheme, FontStyle.Bold, true); AddSSLRelatedVulnerability(WSItemVulnerabilities, 0); } else { if (untrustedSSLSecureChannel) { Log(" Vulnerability Found - Could not establish trust relationship for the SSL/TLS secure channel.", FontStyle.Bold, true); AddSSLRelatedVulnerability(WSItemVulnerabilities, -1); } } DynamicVulnerabilityScanner dynScn = new DynamicVulnerabilityScanner(this); foreach (WSOperation operation in operations) { Log("Method: " + operation.MethodName, FontStyle.Regular, chkDebug.Checked); foreach (VulnerabilitiesVulnerability vuln in vulnerabilities.Vulnerability) { if (vuln.id != 0 && vuln.id != 7) // 0 for insecure transport - ssl not used , 7 for verbose soap fault message { wsInvoker.PreInvoke(); Log(" Testing: " + vuln.title, FontStyle.Regular, chkDebug.Checked); Log(" Parameter Count: " + operation.Parameters.Count, FontStyle.Regular, chkDebug.Checked); try { dynScn.ScanVulnerabilities(wsInvoker, operation, vuln, parser.TargetNameSpace, wsDesc, WSItemVulnerabilities, reportObject, chkDebug.Checked, ref respHeader, txtCustomSoapHeaderTags.Text.Trim(), txtCustomSoapBodyTags.Text.Trim()); } catch (System.Web.Services.Protocols.SoapException soapEx) { dynScn.SetSoapFaultException(operation, soapEx, WSItemVulnerabilities, chkDebug.Checked); } catch (Exception ex) { Log(" Exception: " + ex.ToString(), FontStyle.Regular, chkDebug.Checked); } } } } } if (chkInfoDisclosure.Checked) { Log("Information Disclosure Analysis Started", FontStyle.Regular, true); InformationDisclosureVulnerabilityScanner idvs = new InformationDisclosureVulnerabilityScanner(this); foreach (InformationDisclosureVulnerability infoVuln in disclosureVulnerabilities.Vulnerability) { Log(" Searching Response Header: " + infoVuln.title, FontStyle.Regular, chkDebug.Checked); string infoScanRes = idvs.ScanIt(infoVuln, respHeader); if (!string.IsNullOrEmpty(infoScanRes)) { Log(" " + infoVuln.title + " Information Disclosure Found: " + infoScanRes, FontStyle.Bold, true); DisclosureVulnerabilityForReport vulnRep = new DisclosureVulnerabilityForReport(); vulnRep.Vuln = infoVuln; vulnRep.Value = infoScanRes; WSItemVulnerabilities.InfoVulns.Add(vulnRep); } } Log("Information Disclosure Analysis Finished", FontStyle.Regular, true); } reportObject.WsDescs.Add(WSItemVulnerabilities); } reportObject.ScanEndDate = DateTime.Now; Log("Scan Finished: " + reportObject.ScanEndDate.ToString("dd.MM.yyyy HH:mm:ss"), FontStyle.Bold, true); string reportFilePath = scanDirectory + @"\Report\Report.html"; ReportHelper.CreateHTMLReport(reportObject, System.AppDomain.CurrentDomain.BaseDirectory + @"\ReportTemplates\HTMLReportTemplate.html", reportFilePath); Process.Start(reportFilePath); } else { MessageBox.Show("Please Select WSDL List File!!!"); } }
private static string GetHtmlRowForWsdl(WSDescriberForReport wsDesc, ref List<Param> allVulns) { StringBuilder result = new StringBuilder(); result.Append("<table style='border-style:solid;width:100%' id='tbl4' class='wsdl'>"); result.Append("<tr class='accordion'><td><b>WSDL Address: " + wsDesc.WsDesc.WSDLAddress + "</b> Vulnerability Count:" + (wsDesc.StaticVulns.Count + wsDesc.Vulns.Count).ToString() + "</td><td><div class='arrow'></div></td></tr>"); foreach (StaticVulnerabilityForReport vuln in wsDesc.StaticVulns) { result.Append("<tr><td colspan='2'><ul>"); result.Append("<li>" + vuln.Vuln.title + " - Severity:<b>" + vuln.Vuln.severity + "</b> - <i>Scan Type: Static</i></li>"); result.Append("<li>Line:<br /><b><pre>" + System.Web.HttpUtility.HtmlEncode(vuln.XMLLine) + "</pre></b></li>"); result.Append("<li><b>Description:</b><br /><pre>" + System.Web.HttpUtility.HtmlEncode(vuln.Vuln.description) + "</pre><br /><a href='" + vuln.Vuln.link + "' target='_blank'>Vulnerability Details</a></li>"); result.Append("</ul></td></tr>"); result.Append("<tr><td><hr /></td></tr>"); AddToAllVuln("Stat" + vuln.Vuln.id, ref allVulns, vuln.Vuln.title, vuln.Vuln.severity); } foreach (VulnerabilityForReport vuln in wsDesc.Vulns) { result.Append("<tr><td colspan='2'><ul>"); result.Append("<li>" + vuln.Vuln.title + " - Severity:<b>" + vuln.Vuln.severity + "</b> - <i>Scan Type: Dynamic</i></li>"); result.Append("<li>Method Name:<b>" + vuln.VulnerableMethodName + "</b></li>"); result.Append("<li>Parameter Name:<b>" + vuln.VulnerableParamName + "</b></li>"); result.Append("<li>Payload:<br /><b><pre>" + System.Web.HttpUtility.HtmlEncode(vuln.Payload) + "</pre></b></li>"); result.Append("<li>Status Code:<br /><b><pre>" + vuln.StatusCode + "</pre></b></li>"); result.Append("<li>Response:<br /><b><pre>" + System.Web.HttpUtility.HtmlEncode(vuln.Response) + "</pre></b></li>"); result.Append("<li><b>Description:</b><br /><pre>" + System.Web.HttpUtility.HtmlEncode(vuln.Vuln.description) + "</pre><br /><a href='" + vuln.Vuln.link + "' target='_blank'>Vulnerability Details</a></li>"); result.Append("</ul></td></tr>"); result.Append("<tr><td><hr /></td></tr>"); AddToAllVuln("Dyn" + vuln.Vuln.id, ref allVulns, vuln.Vuln.title, vuln.Vuln.severity); } foreach (DisclosureVulnerabilityForReport vuln in wsDesc.InfoVulns) { result.Append("<tr><td colspan='2'><ul>"); result.Append("<li>" + vuln.Vuln.title + " - Severity:<b>" + vuln.Vuln.severity + "</b> - <i>Scan Type: Information Disclosure</i></li>"); result.Append("<li>Value:<br /><b><pre>" + System.Web.HttpUtility.HtmlEncode(vuln.Value) + "</pre></b></li>"); result.Append("<li><b>Description:</b><br /><pre>" + System.Web.HttpUtility.HtmlEncode(vuln.Vuln.description) + "</pre><br /><a href='" + vuln.Vuln.link + "' target='_blank'>Vulnerability Details</a></li>"); result.Append("</ul></td></tr>"); result.Append("<tr><td><hr /></td></tr>"); AddToAllVuln("Info" + vuln.Vuln.id, ref allVulns, vuln.Vuln.title, vuln.Vuln.severity); } result.Append("</table>"); return result.ToString(); }