/// <summary>
/// The check for vulnerabilities.
/// </summary>
/// <param name="browser">
/// The browser.
/// </param>
/// <param name="testCase">
/// The testCase.
/// </param>
/// <param name="testValue">
/// The tested val.
/// </param>
private void CheckForVulnerabilities(
BrowserAbstract browser,
TestCase testCase,
string testValue)
{
// waiting for page to load
browser.WaitForPageLoad(5000);
string alertText;
browser.DismissedIfAlertDisplayed(out alertText);
if (browser.AlertMessageDisplayed.Contains(TestBaseHelper.AttackSignature))
{
// since we use the same browser instance clear the alerts after the issue has been logged
browser.AlertMessageDisplayed.Clear();
// we found one issue
this.vulnerabilityFound = true;
Vulnerabilities.Enqueue(new Vulnerability
{
Title = testCase.TestName,
Level = (int)VulnerabilityLevelEnum.High,
TestedParam = string.Empty,
TestedVal = testValue,
Evidence = "Found by {0}".FormatIc(browser.BrowserType.ToString()),
MatchString = testCase.MatchString,
TestPlugin = GetType().Name
});
}
}
/// <summary>
/// Overriding the Check Vulnerability implementation because we just want to look in the response headers.
/// </summary>
/// <param name="webRequestContext">
/// The web Request Context.
/// </param>
/// <param name="testcase">
/// The test case.
/// </param>
/// <param name="testedParam">
/// The tested Parameter.
/// </param>
/// <param name="testValue">
/// The tested Val.
/// </param>
/// <seealso cref="M:BackScatterScannerLib.Engine.TestBase.CheckForVuln(WebRequestContext,TestCase,string,string)"/>
protected override void CheckForVulnerabilities(
WebRequestContext webRequestContext,
TestCase testcase,
string testedParam,
string testValue)
{
HttpWebResponseHolder response = webRequestContext.ResponseHolder;
var fromHeaderValue = response.Headers["From"];
if (response.Headers == null ||
string.IsNullOrWhiteSpace(fromHeaderValue))
{
return;
}
// Have we injected a from header and does it contain the domain we are attempting to redirect to?
if (fromHeaderValue.IndexOf("*****@*****.**", StringComparison.InvariantCultureIgnoreCase) > -1)
{
Vulnerabilities.Enqueue(new Vulnerability
{
Title = "HTTP Response Splitting - Newline Injection",
Level = (int)VulnerabilityLevelEnum.High,
TestedParam = testedParam,
TestedVal = testValue,
HttpResponse = response,
Evidence = $"From : {fromHeaderValue}",
MatchString = testcase.MatchString,
TestPlugin = GetType().Name
});
}
}
/// <inheritdoc/>
protected override void CheckForVulnerabilities(
WebRequestContext webRequestContext,
TestCase testcase,
string testedParam,
string testValue)
{
if (webRequestContext.Browser.AlertMessageDisplayed.Contains(TestBaseHelper.AttackSignature))
{
Vulnerabilities.Enqueue(new Vulnerability
{
Title = testcase.TestName,
Level = (int)VulnerabilityLevelEnum.High,
TestedParam = testedParam,
TestedVal = testValue,
HttpResponse = webRequestContext.ResponseHolder,
Evidence = $"Found by {webRequestContext.Browser.BrowserType}",
MatchString = testcase.MatchString,
TestPlugin = GetType().Name
});
}
}
/// <summary>
/// The inspect response.
/// </summary>
/// <param name="requestTarget">
/// The request target.
/// </param>
/// <param name="responseTarget">
/// The response target.
/// </param>
/// <param name="response">
/// The current response.
/// </param>
/// <param name="plugIn">
/// The plug in.
/// </param>
/// <param name="testCase">
/// The test case.
/// </param>
/// <param name="testParameter">
/// The tested parameter.
/// </param>
/// <param name="testValue">
/// The tested val.
/// </param>
public override void InspectResponse(
ITarget requestTarget,
ITarget responseTarget,
HttpWebResponseHolder response,
string plugIn,
TestCase testCase,
string testParameter,
string testValue)
{
string accessControlAllowOrigin = response.Headers["Access-Control-Allow-Origin"];
if (!string.IsNullOrWhiteSpace(accessControlAllowOrigin) &&
accessControlAllowOrigin.IndexOf("*", StringComparison.InvariantCultureIgnoreCase) != -1)
{
bool matchFound = false;
foreach (string allowedDomain in this.whiteListDomains)
{
if (Regex.Match(accessControlAllowOrigin, allowedDomain).Success)
{
matchFound = true;
break;
}
}
if (!matchFound)
{
Vulnerabilities.Enqueue(new Vulnerability
{
TestPlugin = GetType().Name + " (via " + plugIn + ")",
Title = "Access-Control-Allow-Origin has wildcard for domain not in WebSec white list",
Level = (int)VulnerabilityLevelEnum.Low,
Evidence = accessControlAllowOrigin,
HttpResponse = response
});
}
}
}
/// <summary>
/// The inspect response.
/// </summary>
/// <param name="requestTarget">
/// The request target.
/// </param>
/// <param name="responseTarget">
/// The response target.
/// </param>
/// <param name="response">
/// The current response.
/// </param>
/// <param name="plugIn">
/// The plug in.
/// </param>
/// <param name="testCase">
/// The test case.
/// </param>
/// <param name="testParameter">
/// The tested parameter.
/// </param>
/// <param name="testValue">
/// The tested val.
/// </param>
public override void InspectResponse(
ITarget requestTarget,
ITarget responseTarget,
HttpWebResponseHolder response,
string plugIn,
TestCase testCase,
string testParameter,
string testValue)
{
string accessControlAllowMethods = response.Headers["Access-Control-Allow-Methods"];
if (!string.IsNullOrWhiteSpace(accessControlAllowMethods) &&
accessControlAllowMethods.ContainsAnyOi(new[] { "put", "delete", "options" }))
{
Vulnerabilities.Enqueue(new Vulnerability
{
TestPlugin = GetType().Name + " (via " + plugIn + ")",
Title = "Access-Control-Allow-Methods allows methods other than GET and POST",
Level = (int)VulnerabilityLevelEnum.Low,
Evidence = accessControlAllowMethods,
HttpResponse = response
});
}
}