public void CheckXSTVulns(WSDescriber wsDesc, VulnerabilitiesVulnerability vuln, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug, ref List <Param> respHeader, string customRequestHeader) { CheckWebServerVulns(wsDesc, vuln, WSItemVulnerabilities, reportObject, isDebug, ref respHeader, customRequestHeader, "Cross Site Tracing", "TRACE"); }
public void CheckHTTPOptionsVulns(WSDescriber wsDesc, VulnerabilitiesVulnerability vuln, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug, ref List <Param> respHeader, string customRequestHeader) { CheckWebServerVulns(wsDesc, vuln, WSItemVulnerabilities, reportObject, isDebug, ref respHeader, customRequestHeader, "HTTP OPTIONS", "OPTIONS"); }
private void CheckVulnsExceptAuth(RESTApi restDesc, VulnerabilitiesVulnerability vuln, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug, ref List <Param> respHeader, RestHTTPHelper HttpHelper, string customRequestHeader) { CheckVulnsForURLParams(restDesc, vuln, WSItemVulnerabilities, reportObject, isDebug, ref respHeader, HttpHelper, customRequestHeader); CheckVulnsForPostParams(restDesc, vuln, WSItemVulnerabilities, reportObject, isDebug, ref respHeader, HttpHelper, customRequestHeader); }
private void CheckUnAuthenticatedMethod(RESTApi restDesc, VulnerabilitiesVulnerability vuln, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug, ref List <Param> respHeader, RestHTTPHelper HttpHelper, string customRequestHeader) { HttpWebResponseWrapper response = null; try { reportObject.TotalRequestCount++; response = HttpHelper.GetHttpWebResponseWithDefaultParams(restDesc, false, ref respHeader, customRequestHeader); } catch (WebException wEx) { //if (wEx.Response.s) bool authErrorReceived = false; try { HttpWebResponse wr = (HttpWebResponse)wEx.Response; if (vuln.statusCode.Equals(((int)wr.StatusCode).ToString())) { authErrorReceived = true; } } catch { } if (!authErrorReceived) { SetWebException(restDesc.NormalizedURL, wEx, WSItemVulnerabilities, "Web Exception During Authentication Check", isDebug); } } catch (Exception ex) { throw ex; } if (response != null && response.WebResponse != null) { if (!vuln.statusCode.Equals(((int)response.WebResponse.StatusCode).ToString())) // status code != 401, no redirection { VulnerabilityForReport authVuln = new VulnerabilityForReport(); authVuln.Vuln = MainForm.vulnerabilities.Vulnerability.Where(v => v.id == 1).FirstOrDefault(); authVuln.VulnerableMethodName = restDesc.Url.AbsoluteUri; authVuln.VulnerableParamName = ""; authVuln.Payload = ""; authVuln.Response = response.ResponseBody; authVuln.StatusCode = response.WebResponse.StatusCode.ToString(); WSItemVulnerabilities.Vulns.Add(authVuln); mainForm.Log(" Auth Vulnerability Found: " + response.ResponseBody + " - status code is : " + response.WebResponse.StatusCode.ToString(), FontStyle.Bold, true, false); } } }
private void AddSSLRelatedVulnerability(WSDescriberForReport WSItemVulnerabilities, int vulnId) { VulnerabilityForReport sslVuln = new VulnerabilityForReport(); sslVuln.Vuln = vulnerabilities.Vulnerability.Where(v => v.id == vulnId).FirstOrDefault(); sslVuln.VulnerableMethodName = ""; sslVuln.VulnerableParamName = ""; sslVuln.Payload = ""; sslVuln.Response = ""; sslVuln.StatusCode = ""; WSItemVulnerabilities.Vulns.Add(sslVuln); }
private void CheckVulnsForURLParams(RESTApi restDesc, VulnerabilitiesVulnerability vuln, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug, ref List <Param> respHeader, RestHTTPHelper HttpHelper, string customRequestHeader) { //CheckVulnsForParams(restDesc.NormalizedURL, restDesc.UrlParameters, vuln, WSItemVulnerabilities, // reportObject, isDebug, ref respHeader); if (restDesc.UrlParameters != null && restDesc.UrlParameters.Count > 0) { string postDataWithDefault = HttpHelper.GetDefaultValuesForParam(restDesc.NormalizedPostData, restDesc.PostParameters, true); for (int i = 0; i < restDesc.UrlParameters.Count; i++) { if (i == restDesc.UrlParameters[i].Index) { foreach (string payload in vuln.request) { bool vulnFoundForParam = false; string newUrl = restDesc.NormalizedURL.Replace("{" + i + "}", payload.Trim()); newUrl = SetParameterDefaultValue(newUrl, restDesc.UrlParameters, restDesc.UrlParameters[i].Index, isDebug, false); HttpWebResponseWrapper response = null; try { reportObject.TotalRequestCount++; response = HttpHelper.GetHttpWebResponse(restDesc, newUrl, postDataWithDefault, true, ref respHeader, customRequestHeader); } catch (WebException wEx) { SetWebException(newUrl, wEx, WSItemVulnerabilities, payload, isDebug); } catch (Exception ex) { throw ex; } if (response != null && response.WebResponse != null) { SearcForVuln(response, WSItemVulnerabilities, vuln, payload, ref vulnFoundForParam, newUrl, isDebug, restDesc.UrlParameters[i].Index); } if (vulnFoundForParam) { break; } } } } } }
public void ScanVulnerabilities(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln, string targetNameSpace, WSDescriber wsDesc, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug, ref List <Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags, string customRequestHeader) { if (vuln.id == 1) // check authentication { CheckUnAuthenticatedMethod(wsInvoker, operation, vuln, targetNameSpace, WSItemVulnerabilities, reportObject, isDebug, ref respHeader, customSoapHeaderTags, customSoapBodyTags, customRequestHeader); } else { CheckVulnsExceptAuth(wsInvoker, operation, vuln, targetNameSpace, wsDesc, WSItemVulnerabilities, reportObject, isDebug, ref respHeader, customSoapHeaderTags, customSoapBodyTags, customRequestHeader); } }
private static string GetHtmlRowForWsdl(WSDescriberForReport wsDesc, ref List <Param> allVulns) { StringBuilder result = new StringBuilder(); result.Append("<table style='border-style:solid;width:100%' id='tbl4' class='wsdl'>"); result.Append("<tr class='accordion'><td><b>WSDL Address: " + wsDesc.WsDesc.WSDLAddress + "</b> Vulnerability Count:" + (wsDesc.StaticVulns.Count + wsDesc.Vulns.Count).ToString() + "</td><td><div class='arrow'></div></td></tr>"); foreach (StaticVulnerabilityForReport vuln in wsDesc.StaticVulns) { result.Append("<tr><td colspan='2'><ul>"); result.Append("<li>" + vuln.Vuln.title + " - Severity:<b>" + vuln.Vuln.severity + "</b> - <i>Scan Type: Static</i></li>"); result.Append("<li>Line:<br /><b><pre>" + System.Web.HttpUtility.HtmlEncode(vuln.XMLLine) + "</pre></b></li>"); result.Append("<li><b>Description:</b><br /><pre>" + System.Web.HttpUtility.HtmlEncode(vuln.Vuln.description) + "</pre><br /><a href='" + vuln.Vuln.link + "' target='_blank'>Vulnerability Details</a></li>"); result.Append("</ul></td></tr>"); result.Append("<tr><td><hr /></td></tr>"); AddToAllVuln("Stat" + vuln.Vuln.id, ref allVulns, vuln.Vuln.title, vuln.Vuln.severity); } foreach (VulnerabilityForReport vuln in wsDesc.Vulns) { result.Append("<tr><td colspan='2'><ul>"); result.Append("<li>" + vuln.Vuln.title + " - Severity:<b>" + vuln.Vuln.severity + "</b> - <i>Scan Type: Dynamic</i></li>"); result.Append("<li>Method Name:<b>" + vuln.VulnerableMethodName + "</b></li>"); result.Append("<li>Parameter Name:<b>" + vuln.VulnerableParamName + "</b></li>"); result.Append("<li>Payload:<br /><b><pre>" + System.Web.HttpUtility.HtmlEncode(vuln.Payload) + "</pre></b></li>"); result.Append("<li>Status Code:<br /><b><pre>" + vuln.StatusCode + "</pre></b></li>"); result.Append("<li>Response:<br /><b><pre>" + System.Web.HttpUtility.HtmlEncode(vuln.Response) + "</pre></b></li>"); result.Append("<li><b>Description:</b><br /><pre>" + System.Web.HttpUtility.HtmlEncode(vuln.Vuln.description) + "</pre><br /><a href='" + vuln.Vuln.link + "' target='_blank'>Vulnerability Details</a></li>"); result.Append("</ul></td></tr>"); result.Append("<tr><td><hr /></td></tr>"); AddToAllVuln("Dyn" + vuln.Vuln.id, ref allVulns, vuln.Vuln.title, vuln.Vuln.severity); } foreach (DisclosureVulnerabilityForReport vuln in wsDesc.InfoVulns) { result.Append("<tr><td colspan='2'><ul>"); result.Append("<li>" + vuln.Vuln.title + " - Severity:<b>" + vuln.Vuln.severity + "</b> - <i>Scan Type: Information Disclosure</i></li>"); result.Append("<li>Value:<br /><b><pre>" + System.Web.HttpUtility.HtmlEncode(vuln.Value) + "</pre></b></li>"); result.Append("<li><b>Description:</b><br /><pre>" + System.Web.HttpUtility.HtmlEncode(vuln.Vuln.description) + "</pre><br /><a href='" + vuln.Vuln.link + "' target='_blank'>Vulnerability Details</a></li>"); result.Append("</ul></td></tr>"); result.Append("<tr><td><hr /></td></tr>"); AddToAllVuln("Info" + vuln.Vuln.id, ref allVulns, vuln.Vuln.title, vuln.Vuln.severity); } result.Append("</table>"); return(result.ToString()); }
public void ScanVulnerabilities(VulnerabilitiesVulnerability vuln, RESTApi restDesc, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug, ref List <Param> respHeader, RestHTTPHelper HttpHelper, string customRequestHeader) { if (vuln.id == 1) // check authentication { CheckUnAuthenticatedMethod(restDesc, vuln, WSItemVulnerabilities, reportObject, isDebug, ref respHeader, HttpHelper, customRequestHeader); } else { CheckVulnsExceptAuth(restDesc, vuln, WSItemVulnerabilities, reportObject, isDebug, ref respHeader, HttpHelper, customRequestHeader); } }
private void SetVuln(HttpWebResponseWrapper response, WSDescriberForReport WSItemVulnerabilities, VulnerabilitiesVulnerability vuln, string methodName, string payload, int paramIndex, string logStr) { mainForm.Log(logStr, FontStyle.Bold, true, false); VulnerabilityForReport vulnRep = new VulnerabilityForReport(); vulnRep.Vuln = vuln; vulnRep.VulnerableMethodName = methodName; vulnRep.VulnerableParamName = paramIndex.ToString(); vulnRep.Payload = payload; vulnRep.Response = response.ResponseBody; vulnRep.StatusCode = response.WebResponse.StatusCode.ToString(); WSItemVulnerabilities.Vulns.Add(vulnRep); }
private void SetVuln(WebServiceToInvoke wsInvoker, WSDescriberForReport WSItemVulnerabilities, VulnerabilitiesVulnerability vuln, WSOperation operation, string payload, string paramName, string logStr) { mainForm.Log(logStr, FontStyle.Bold, true, false); VulnerabilityForReport vulnRep = new VulnerabilityForReport(); vulnRep.Vuln = vuln; vulnRep.VulnerableMethodName = operation.MethodName; vulnRep.VulnerableParamName = paramName; vulnRep.Payload = payload; vulnRep.Response = wsInvoker.ResultString; vulnRep.StatusCode = wsInvoker.StatusCode.ToString(); WSItemVulnerabilities.Vulns.Add(vulnRep); }
public void SetWebException(string method, WebException wEx, WSDescriberForReport WSItemVulnerabilities, string payload, bool isDebug) { if (WSItemVulnerabilities.Vulns.Where(v => v.Vuln.id == 8).Count() <= 0) // add only one web fault vulnerability { mainForm.Log(" Web Exception: " + wEx.ToString(), FontStyle.Regular, isDebug, false); VulnerabilityForReport webExceptionVuln = new VulnerabilityForReport(); webExceptionVuln.Vuln = MainForm.vulnerabilities.Vulnerability.Where(v => v.id == 8).FirstOrDefault(); webExceptionVuln.VulnerableMethodName = method; webExceptionVuln.VulnerableParamName = ""; webExceptionVuln.Payload = payload; webExceptionVuln.Response = wEx.Message; webExceptionVuln.StatusCode = ""; WSItemVulnerabilities.Vulns.Add(webExceptionVuln); } }
private void SearcForVuln(HttpWebResponseWrapper response, WSDescriberForReport WSItemVulnerabilities, VulnerabilitiesVulnerability vuln, string payload, ref bool vulnFoundForParam, string whereStr, bool isDebug, int paramIndex) { mainForm.Log(" StatusCode: " + response.WebResponse.StatusCode, FontStyle.Regular, isDebug, false); mainForm.Log(" Result: " + response.ResponseBody, FontStyle.Regular, isDebug, false); if (!string.IsNullOrEmpty(vuln.statusCode)) { if (vuln.statusCode.Equals(response.WebResponse.StatusCode.ToString())) { if (vuln.response == null || vuln.response.Count() == 0) { SetVuln(response, WSItemVulnerabilities, vuln, whereStr, payload, paramIndex, " " + vuln.title + " Vulnerability Found: " + response.ResponseBody + " - Status Code: " + vuln.statusCode); vulnFoundForParam = true; } else { foreach (string text in vuln.response) { if (response.ResponseBody.Trim().Contains(text.Trim())) { SetVuln(response, WSItemVulnerabilities, vuln, whereStr, payload, paramIndex, " " + vuln.title + " Vulnerability Found: " + response.ResponseBody + " - Response Text Contains: " + text + " - Status Code: " + vuln.statusCode); vulnFoundForParam = true; break; } } } } } else { foreach (string text in vuln.response) { //if (System.Text.RegularExpressions.Regex.IsMatch(wsInvoker.ResultString.Trim(), text.Trim(), System.Text.RegularExpressions.RegexOptions.IgnoreCase)) if (response.ResponseBody.Trim().Contains(text.Trim())) { // Vulnerability Found SetVuln(response, WSItemVulnerabilities, vuln, whereStr, payload, paramIndex, " " + vuln.title + " Vulnerability Found: " + response.ResponseBody + " - Response Text Contains: " + text); vulnFoundForParam = true; break; } } } }
private void CheckUnAuthenticatedMethod(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln, string targetNameSpace, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug, ref List <Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags, string customRequestHeader) { for (int j = 0; j < operation.Parameters.Count; j++) { SetParameterDefaultValue(wsInvoker, operation.Parameters[j], isDebug); } try { try { reportObject.TotalRequestCount++; wsInvoker.InvokeMethod(operation.MethodName, targetNameSpace, null, ref respHeader, customSoapHeaderTags, customSoapBodyTags, customRequestHeader); } catch (SoapException soapEx) { //throw ex; SetSoapFaultException(operation, soapEx, WSItemVulnerabilities, isDebug); } catch (Exception ex) { throw ex; } } finally { wsInvoker.PosInvoke(); } if (!vuln.statusCode.Equals(wsInvoker.StatusCode.ToString())) // status code != 401, no redirection { VulnerabilityForReport authVuln = new VulnerabilityForReport(); authVuln.Vuln = MainForm.vulnerabilities.Vulnerability.Where(v => v.id == 1).FirstOrDefault(); authVuln.VulnerableMethodName = operation.MethodName; authVuln.VulnerableParamName = ""; authVuln.Payload = ""; authVuln.Response = wsInvoker.ResultString; authVuln.StatusCode = wsInvoker.StatusCode.ToString(); WSItemVulnerabilities.Vulns.Add(authVuln); mainForm.Log(" Auth Vulnerability Found: " + wsInvoker.ResultString + " - status code is : " + wsInvoker.StatusCode.ToString(), FontStyle.Bold, true, false); } }
private void CheckWebServerVulns(WSDescriber wsDesc, VulnerabilitiesVulnerability vuln, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug, ref List <Param> respHeader, string customRequestHeader, string methodName, string httpMethodName) { HttpWebResponseWrapper response = null; try { RestHTTPHelper HttpHelper = new RestHTTPHelper(); reportObject.TotalRequestCount++; response = HttpHelper.GetHttpWebResponseForWebServerVuln(wsDesc.WSUri.Scheme + "://" + wsDesc.WSUri.Host + ":" + wsDesc.WSUri.Port, wsDesc.BasicAuthentication, ref respHeader, customRequestHeader, httpMethodName); } catch (Exception ex) { throw ex; } if (response != null && response.WebResponse != null) { if (vuln.statusCode.Equals(((int)response.WebResponse.StatusCode).ToString())) // status code == 200 { VulnerabilityForReport optionsVuln = new VulnerabilityForReport(); optionsVuln.Vuln = vuln; optionsVuln.VulnerableMethodName = wsDesc.WSUri.Host + ":" + wsDesc.WSUri.Port; optionsVuln.VulnerableParamName = ""; optionsVuln.Payload = ""; optionsVuln.Response = response.ResponseBody; optionsVuln.StatusCode = response.WebResponse.StatusCode.ToString(); WSItemVulnerabilities.Vulns.Add(optionsVuln); mainForm.Log(" " + methodName + " is enabled: " + response.ResponseBody + " - status code is : " + response.WebResponse.StatusCode.ToString(), FontStyle.Bold, true, false); } } }
private void CheckVulnsExceptAuth(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln, string targetNameSpace, WSDescriber wsDesc, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug, ref List <Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags, string customRequestHeader) { int paramIndexToTest = 0; for (int i = 0; i < operation.Parameters.Count; i++) { if (i == paramIndexToTest) { foreach (string payload in vuln.request) { bool vulnFoundForParam = false; wsInvoker.AddParameter(operation.Parameters[i].Name, payload.Trim()); for (int j = 0; j < operation.Parameters.Count; j++) { if (j != paramIndexToTest) { SetParameterDefaultValue(wsInvoker, operation.Parameters[j], isDebug); } } try { try { reportObject.TotalRequestCount++; wsInvoker.InvokeMethod(operation.MethodName, targetNameSpace, wsDesc, ref respHeader, customSoapHeaderTags, customSoapBodyTags, customRequestHeader); } catch (SoapException soapEx) { SetSoapFaultException(operation, soapEx, WSItemVulnerabilities, isDebug); } catch (Exception ex) { throw ex; } } finally { wsInvoker.PosInvoke(); } mainForm.Log(" StatusCode: " + wsInvoker.StatusCode, FontStyle.Regular, isDebug, false); mainForm.Log(" Result: " + wsInvoker.ResultString, FontStyle.Regular, isDebug, false); if (!string.IsNullOrEmpty(vuln.statusCode)) { if (vuln.statusCode.Equals(wsInvoker.StatusCode.ToString())) { if (vuln.response == null || vuln.response.Count() == 0) { SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, operation.Parameters[i].Name, " " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Status Code: " + vuln.statusCode); vulnFoundForParam = true; } else { foreach (string text in vuln.response) { if (wsInvoker.ResultString.Trim().Contains(text.Trim())) { SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, operation.Parameters[i].Name, " " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Response Text Contains: " + text + " - Status Code: " + vuln.statusCode); vulnFoundForParam = true; break; } } } } } else { foreach (string text in vuln.response) { //if (System.Text.RegularExpressions.Regex.IsMatch(wsInvoker.ResultString.Trim(), text.Trim(), System.Text.RegularExpressions.RegexOptions.IgnoreCase)) if (wsInvoker.ResultString.Trim().Contains(text.Trim())) { // Vulnerability Found SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, operation.Parameters[i].Name, " " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Response Text Contains: " + text); vulnFoundForParam = true; break; } } } if (vulnFoundForParam) { break; } } } paramIndexToTest++; } }
public void SetSoapFaultException(WSOperation operation, SoapException soapEx, WSDescriberForReport WSItemVulnerabilities, bool isDebug) { if (WSItemVulnerabilities.Vulns.Where(v => v.VulnerableMethodName.Equals(operation.MethodName) && v.Vuln.id == 7).Count() <= 0) // aynı method için sadece 1 tane soap fault zafiyeti yaz { mainForm.Log(" Soap Exception: " + soapEx.ToString(), FontStyle.Regular, isDebug, false); VulnerabilityForReport soapFaultVuln = new VulnerabilityForReport(); soapFaultVuln.Vuln = MainForm.vulnerabilities.Vulnerability.Where(v => v.id == 7).FirstOrDefault(); soapFaultVuln.VulnerableMethodName = operation.MethodName; soapFaultVuln.VulnerableParamName = ""; soapFaultVuln.Payload = ""; soapFaultVuln.Response = soapEx.Message; soapFaultVuln.StatusCode = ""; WSItemVulnerabilities.Vulns.Add(soapFaultVuln); } }
public void ScanRESTApi() { if (RestAPIDesc != null) { lvResult.Items.Clear(); scanDirectory = DirectoryHelper.GetScanDirectoryName(); DirectoryHelper.CreateScanDirectory(scanDirectory); ReportObject reportObject = new ReportObject(); reportObject.ScanStartDate = DateTime.Now; reportObject.WsDescs = new List<WSDescriberForReport>(); reportObject.TotalRequestCount = 0; Log("Scan Started: " + reportObject.ScanStartDate.ToString("dd.MM.yyyy HH:mm:ss"), FontStyle.Bold, true, false); WSDescriberForReport WSItemVulnerabilities = new WSDescriberForReport(); WSItemVulnerabilities.RestAPI = RestAPIDesc; WSItemVulnerabilities.StaticVulns = new List<StaticVulnerabilityForReport>(); WSItemVulnerabilities.Vulns = new List<VulnerabilityForReport>(); WSItemVulnerabilities.InfoVulns = new List<DisclosureVulnerabilityForReport>(); Log("API Address: " + RestAPIDesc.Url.AbsoluteUri, FontStyle.Bold, true, false); Log("Parsing API...", FontStyle.Regular, true, false); List<Param> respHeader = new List<Param>(); bool untrustedSSLSecureChannel = false; RestParser restParser = new RestParser(ref RestAPIDesc); if (chkDynamicScan.Checked) { RestHTTPHelper HttpHelper = new RestHTTPHelper(ref RestAPIDesc, ref untrustedSSLSecureChannel, ref respHeader, CustomRequestHeader); if (!RestAPIDesc.Url.Scheme.Equals("https")) { Log(" Vulnerability Found - SSL Not Used, Uri Schema is " + RestAPIDesc.Url.Scheme, FontStyle.Bold, true, false); AddSSLRelatedVulnerability(WSItemVulnerabilities, 0); } else { if (untrustedSSLSecureChannel) { Log(" Vulnerability Found - Could not establish trust relationship for the SSL/TLS secure channel.", FontStyle.Bold, true, false); AddSSLRelatedVulnerability(WSItemVulnerabilities, -1); } } int paramCount = 0; paramCount = RestAPIDesc.UrlParameters != null ? RestAPIDesc.UrlParameters.Count : 0; paramCount += RestAPIDesc.PostParameters != null ? RestAPIDesc.PostParameters.Count : 0; RestDynamicVulnerabilityScanner restDynScn = new RestDynamicVulnerabilityScanner(this); foreach (VulnerabilitiesVulnerability vuln in vulnerabilities.Vulnerability) { if (vuln.type == 2 || vuln.type == 3) // 2: rest specific , 3: common for soap & rest { if (vuln.id != 0 && vuln.id != 9 && vuln.id != 10) // 0 for insecure transport - ssl not used , 9 for HTTP Options , 10 for XST { Log(" Testing: " + vuln.title, FontStyle.Regular, chkDebug.Checked, false); Log(" Parameter Count: " + (paramCount), FontStyle.Regular, chkDebug.Checked, false); try { restDynScn.ScanVulnerabilities(vuln, RestAPIDesc, WSItemVulnerabilities, reportObject, chkDebug.Checked, ref respHeader, HttpHelper, CustomRequestHeader); } catch (Exception ex) { Log(" Exception: " + ex.ToString(), FontStyle.Regular, chkDebug.Checked, true); } } } } try { VulnerabilitiesVulnerability optionsVuln = vulnerabilities.Vulnerability.Where(v => v.id == 9).FirstOrDefault(); if (optionsVuln != null) { restDynScn.CheckHTTPOptionsVulns(RestAPIDesc, optionsVuln, WSItemVulnerabilities, reportObject, chkDebug.Checked, ref respHeader, HttpHelper, CustomRequestHeader); } } catch (Exception ex) { Log(" CheckHTTPOptionsVulns - Exception: " + ex.ToString(), FontStyle.Regular, chkDebug.Checked, true); } try { VulnerabilitiesVulnerability xstVuln = vulnerabilities.Vulnerability.Where(v => v.id == 10).FirstOrDefault(); if (xstVuln != null) { restDynScn.CheckXSTVulns(RestAPIDesc, xstVuln, WSItemVulnerabilities, reportObject, chkDebug.Checked, ref respHeader, HttpHelper, CustomRequestHeader); } } catch (Exception ex) { Log(" CheckXSTVulns - Exception: " + ex.ToString(), FontStyle.Regular, chkDebug.Checked, true); } } if (chkInfoDisclosure.Checked) { Log("Information Disclosure Analysis Started", FontStyle.Regular, true, false); InformationDisclosureVulnerabilityScanner idvs = new InformationDisclosureVulnerabilityScanner(this); foreach (InformationDisclosureVulnerability infoVuln in disclosureVulnerabilities.Vulnerability) { Log(" Searching Response Header: " + infoVuln.title, FontStyle.Regular, chkDebug.Checked, false); string infoScanRes = idvs.ScanIt(infoVuln, respHeader); if (!string.IsNullOrEmpty(infoScanRes)) { Log(" " + infoVuln.title + " Information Disclosure Found: " + infoScanRes, FontStyle.Bold, true, false); DisclosureVulnerabilityForReport vulnRep = new DisclosureVulnerabilityForReport(); vulnRep.Vuln = infoVuln; vulnRep.Value = infoScanRes; WSItemVulnerabilities.InfoVulns.Add(vulnRep); } } Log("Information Disclosure Analysis Finished", FontStyle.Regular, true, false); } reportObject.WsDescs.Add(WSItemVulnerabilities); reportObject.ScanEndDate = DateTime.Now; Log("Scan Finished: " + reportObject.ScanEndDate.ToString("dd.MM.yyyy HH:mm:ss"), FontStyle.Bold, true, false); string reportFilePath = scanDirectory + @"\Report\Report.html"; string xmlFilePath = scanDirectory + @"\Report\Report.xml"; //string reportTemplatePath = System.AppDomain.CurrentDomain.BaseDirectory + @"\..\..\ReportTemplates\HTMLReportTemplate.html"; string reportTemplatePath = System.AppDomain.CurrentDomain.BaseDirectory + @"\ReportTemplates\HTMLReportTemplate.html"; ReportHelper.CreateHTMLReport(reportObject, reportTemplatePath, reportFilePath, chkXMLReport.Checked, xmlFilePath); Process.Start(reportFilePath); //if (chkXMLReport.Checked) Process.Start(xmlFilePath); } else { MessageBox.Show("Please Enter API Info!!!"); } }
private void btnScan_Click(object sender, EventArgs e) { if (services != null && services.Count > 0) { lvResult.Items.Clear(); scanDirectory = DirectoryHelper.GetScanDirectoryName(); DirectoryHelper.CreateScanDirectory(scanDirectory); ReportObject reportObject = new ReportObject(); reportObject.ScanStartDate = DateTime.Now; reportObject.WsDescs = new List<WSDescriberForReport>(); reportObject.TotalRequestCount = 0; Log("Scan Started: " + reportObject.ScanStartDate.ToString("dd.MM.yyyy HH:mm:ss"), FontStyle.Bold, true, false); foreach (WSDescriber wsDesc in services) { WSDescriberForReport WSItemVulnerabilities = new WSDescriberForReport(); WSItemVulnerabilities.WsDesc = wsDesc; WSItemVulnerabilities.Vulns = new List<VulnerabilityForReport>(); WSItemVulnerabilities.StaticVulns = new List<StaticVulnerabilityForReport>(); WSItemVulnerabilities.InfoVulns = new List<DisclosureVulnerabilityForReport>(); Log("WSDL Address: " + wsDesc.WSDLAddress, FontStyle.Bold, true, false); Log("Parsing WSDL...", FontStyle.Regular, true, false); List<Param> respHeader = new List<Param>(); bool untrustedSSLSecureChannel = false; Parser parser = null; try { parser = new Parser(wsDesc, ref untrustedSSLSecureChannel, ref respHeader, CustomRequestHeader); } catch (Exception parseEx) { Log("WSDL Parsing Exception: " + parseEx.Message, FontStyle.Regular, true, false); } if (chkStaticScan.Checked && parser != null) { Log("Static Analysis Started", FontStyle.Regular, true, false); StaticVulnerabilityScanner svs = new StaticVulnerabilityScanner(); foreach (StaticVulnerabilitiesStaticVulnerability staticVuln in staticVulnerabilities.StaticVulnerability) { Log(" Testing: " + staticVuln.title, FontStyle.Regular, chkDebug.Checked, false); string staticScanRes = svs.ScanIt(staticVuln, parser.rawWSDL); if (!string.IsNullOrEmpty(staticScanRes)) { Log(" " + staticVuln.title + " Vulnerability Found: " + staticScanRes, FontStyle.Bold, true, false); StaticVulnerabilityForReport vulnRep = new StaticVulnerabilityForReport(); vulnRep.Vuln = staticVuln; vulnRep.XMLLine = staticScanRes; WSItemVulnerabilities.StaticVulns.Add(vulnRep); } } Log("Static Analysis Finished", FontStyle.Regular, true, false); } if (chkDynamicScan.Checked && parser != null) { Log("Getting Methods...", FontStyle.Regular, true, false); List<WSOperation> operations = parser.GetOperations(); WebServiceToInvoke wsInvoker = new WebServiceToInvoke(wsDesc.WSDLAddress.Replace("?WSDL", "")); if (!wsDesc.WSUri.Scheme.Equals("https")) { Log(" Vulnerability Found - SSL Not Used, Uri Schema is " + wsDesc.WSUri.Scheme, FontStyle.Bold, true, false); AddSSLRelatedVulnerability(WSItemVulnerabilities, 0); } else { if (untrustedSSLSecureChannel) { Log(" Vulnerability Found - Could not establish trust relationship for the SSL/TLS secure channel.", FontStyle.Bold, true, false); AddSSLRelatedVulnerability(WSItemVulnerabilities, -1); } } DynamicVulnerabilityScanner dynScn = new DynamicVulnerabilityScanner(this); foreach (WSOperation operation in operations) { Log("Method: " + operation.MethodName, FontStyle.Regular, chkDebug.Checked, false); foreach (VulnerabilitiesVulnerability vuln in vulnerabilities.Vulnerability) { if (vuln.type == 1 || vuln.type == 3) // 1: soap specific , 3: common for soap & rest { if (vuln.id != 0 && vuln.id != 7 && vuln.id != 9 && vuln.id != 10) // 0 for insecure transport - ssl not used , 7 for verbose soap fault message , 9 for HTTP Options , 10 for XST { wsInvoker.PreInvoke(); Log(" Testing: " + vuln.title, FontStyle.Regular, chkDebug.Checked, false); Log(" Parameter Count: " + operation.Parameters.Count, FontStyle.Regular, chkDebug.Checked, false); try { dynScn.ScanVulnerabilities(wsInvoker, operation, vuln, parser.TargetNameSpace, wsDesc, WSItemVulnerabilities, reportObject, chkDebug.Checked, ref respHeader, CustomSoapHeaderTags.Trim(), CustomSoapBodyTags.Trim(), CustomRequestHeader.Trim()); } catch (System.Web.Services.Protocols.SoapException soapEx) { dynScn.SetSoapFaultException(operation, soapEx, WSItemVulnerabilities, chkDebug.Checked); } catch (Exception ex) { Log(" Exception: " + ex.ToString(), FontStyle.Regular, chkDebug.Checked, true); } } } } } try { VulnerabilitiesVulnerability optionsVuln = vulnerabilities.Vulnerability.Where(v => v.id == 9).FirstOrDefault(); if (optionsVuln != null) { dynScn.CheckHTTPOptionsVulns(wsDesc, optionsVuln, WSItemVulnerabilities, reportObject, chkDebug.Checked, ref respHeader, CustomRequestHeader); } } catch (Exception ex) { Log(" CheckHTTPOptionsVulns - Exception: " + ex.ToString(), FontStyle.Regular, chkDebug.Checked, true); } try { VulnerabilitiesVulnerability xstVuln = vulnerabilities.Vulnerability.Where(v => v.id == 10).FirstOrDefault(); if (xstVuln != null) { dynScn.CheckXSTVulns(wsDesc, xstVuln, WSItemVulnerabilities, reportObject, chkDebug.Checked, ref respHeader, CustomRequestHeader); } } catch (Exception ex) { Log(" CheckXSTVulns - Exception: " + ex.ToString(), FontStyle.Regular, chkDebug.Checked, true); } } if (chkInfoDisclosure.Checked) { Log("Information Disclosure Analysis Started", FontStyle.Regular, true, false); InformationDisclosureVulnerabilityScanner idvs = new InformationDisclosureVulnerabilityScanner(this); foreach (InformationDisclosureVulnerability infoVuln in disclosureVulnerabilities.Vulnerability) { Log(" Searching Response Header: " + infoVuln.title, FontStyle.Regular, chkDebug.Checked, false); string infoScanRes = idvs.ScanIt(infoVuln, respHeader); if (!string.IsNullOrEmpty(infoScanRes)) { Log(" " + infoVuln.title + " Information Disclosure Found: " + infoScanRes, FontStyle.Bold, true, false); DisclosureVulnerabilityForReport vulnRep = new DisclosureVulnerabilityForReport(); vulnRep.Vuln = infoVuln; vulnRep.Value = infoScanRes; WSItemVulnerabilities.InfoVulns.Add(vulnRep); } } Log("Information Disclosure Analysis Finished", FontStyle.Regular, true, false); } reportObject.WsDescs.Add(WSItemVulnerabilities); } reportObject.ScanEndDate = DateTime.Now; Log("Scan Finished: " + reportObject.ScanEndDate.ToString("dd.MM.yyyy HH:mm:ss"), FontStyle.Bold, true, false); string reportFilePath = scanDirectory + @"\Report\Report.html"; string xmlFilePath = scanDirectory + @"\Report\Report.xml"; string reportTemplatePath = System.AppDomain.CurrentDomain.BaseDirectory + @"\ReportTemplates\HTMLReportTemplate.html"; ReportHelper.CreateHTMLReport(reportObject, reportTemplatePath, reportFilePath, chkXMLReport.Checked, xmlFilePath); //if (chkXMLReport.Checked) //{ // Process.Start("cmd.exe /c notepad.exe " + xmlFilePath); //} Process.Start(reportFilePath); } else { MessageBox.Show("Please Select WSDL List File!!!"); } }
private static XmlNode GetXMLForWS(WSDescriberForReport wsDesc, ref XmlDocument doc) { XmlNode wsNode = doc.CreateElement("WebService"); string url = string.Empty; string postData = string.Empty; string method = string.Empty; string contentType = string.Empty; if (wsDesc.WsDesc != null) { url = wsDesc.WsDesc.WSDLAddress; } else { url = wsDesc.RestAPI.Url.AbsoluteUri; if (!string.IsNullOrEmpty(wsDesc.RestAPI.PostData)) { postData = wsDesc.RestAPI.PostData; } method = wsDesc.RestAPI.Method; contentType = wsDesc.RestAPI.ContentType; } wsNode.Attributes.Append(GetXMLAttribute(doc, "Url", url)); wsNode.Attributes.Append(GetXMLAttribute(doc, "VulnCount", (wsDesc.StaticVulns.Count + wsDesc.Vulns.Count + wsDesc.InfoVulns.Count).ToString())); if (!string.IsNullOrEmpty(postData)) { wsNode.Attributes.Append(GetXMLAttribute(doc, "PostData", postData)); } if (!string.IsNullOrEmpty(method)) { wsNode.Attributes.Append(GetXMLAttribute(doc, "Method", method)); } if (!string.IsNullOrEmpty(contentType)) { wsNode.Attributes.Append(GetXMLAttribute(doc, "ContentType", contentType)); } XmlNode vulnerabilitiesNode = doc.CreateElement("Vulnerabilities"); XmlNode staticVulnerabilitiesNode = doc.CreateElement("Static"); foreach (StaticVulnerabilityForReport vuln in wsDesc.StaticVulns) { XmlNode vulnNode = doc.CreateElement("Vulnerability"); vulnNode.AppendChild(GetXMLNode(doc, "Title", vuln.Vuln.title)); vulnNode.AppendChild(GetXMLNode(doc, "Severity", vuln.Vuln.severity)); vulnNode.AppendChild(GetXMLNode(doc, "Line", System.Web.HttpUtility.HtmlEncode(vuln.XMLLine))); vulnNode.AppendChild(GetXMLNode(doc, "Description", System.Web.HttpUtility.HtmlEncode(vuln.Vuln.description))); vulnNode.AppendChild(GetXMLNode(doc, "Link", vuln.Vuln.link)); staticVulnerabilitiesNode.AppendChild(vulnNode); } vulnerabilitiesNode.AppendChild(staticVulnerabilitiesNode); XmlNode dynamicVulnerabilitiesNode = doc.CreateElement("Dynamic"); foreach (VulnerabilityForReport vuln in wsDesc.Vulns) { XmlNode vulnNode = doc.CreateElement("Vulnerability"); vulnNode.AppendChild(GetXMLNode(doc, "Title", vuln.Vuln.title)); vulnNode.AppendChild(GetXMLNode(doc, "Severity", vuln.Vuln.severity)); if (wsDesc.WsDesc != null) { vulnNode.AppendChild(GetXMLNode(doc, "MethodName", System.Web.HttpUtility.HtmlEncode(vuln.VulnerableMethodName))); vulnNode.AppendChild(GetXMLNode(doc, "ParameterName", System.Web.HttpUtility.HtmlEncode(vuln.VulnerableParamName))); } else { vulnNode.AppendChild(GetXMLNode(doc, "UrlOrPostData", System.Web.HttpUtility.HtmlEncode(vuln.VulnerableMethodName))); } vulnNode.AppendChild(GetXMLCDataNode(doc, "Payload", vuln.Payload)); vulnNode.AppendChild(GetXMLNode(doc, "StatusCode", System.Web.HttpUtility.HtmlEncode(vuln.StatusCode))); vulnNode.AppendChild(GetXMLCDataNode(doc, "Response", System.Web.HttpUtility.HtmlEncode(vuln.Response))); vulnNode.AppendChild(GetXMLNode(doc, "Description", System.Web.HttpUtility.HtmlEncode(vuln.Vuln.description))); vulnNode.AppendChild(GetXMLNode(doc, "Link", vuln.Vuln.link)); dynamicVulnerabilitiesNode.AppendChild(vulnNode); } vulnerabilitiesNode.AppendChild(dynamicVulnerabilitiesNode); XmlNode infoVulnerabilitiesNode = doc.CreateElement("Informational"); foreach (DisclosureVulnerabilityForReport vuln in wsDesc.InfoVulns) { XmlNode vulnNode = doc.CreateElement("Vulnerability"); vulnNode.AppendChild(GetXMLNode(doc, "Title", vuln.Vuln.title)); vulnNode.AppendChild(GetXMLNode(doc, "Severity", vuln.Vuln.severity)); vulnNode.AppendChild(GetXMLNode(doc, "Value", System.Web.HttpUtility.HtmlEncode(vuln.Value))); vulnNode.AppendChild(GetXMLNode(doc, "Description", System.Web.HttpUtility.HtmlEncode(vuln.Vuln.description))); vulnNode.AppendChild(GetXMLNode(doc, "Link", vuln.Vuln.link)); infoVulnerabilitiesNode.AppendChild(vulnNode); } vulnerabilitiesNode.AppendChild(infoVulnerabilitiesNode); wsNode.AppendChild(vulnerabilitiesNode); return(wsNode); }