public void CheckXSTVulns(WSDescriber wsDesc, VulnerabilitiesVulnerability vuln,
WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug,
ref List <Param> respHeader, string customRequestHeader)
{
CheckWebServerVulns(wsDesc, vuln, WSItemVulnerabilities, reportObject, isDebug,
ref respHeader, customRequestHeader, "Cross Site Tracing", "TRACE");
}
public void CheckHTTPOptionsVulns(WSDescriber wsDesc, VulnerabilitiesVulnerability vuln,
WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug,
ref List <Param> respHeader, string customRequestHeader)
{
CheckWebServerVulns(wsDesc, vuln, WSItemVulnerabilities, reportObject, isDebug,
ref respHeader, customRequestHeader, "HTTP OPTIONS", "OPTIONS");
}
private void CheckVulnsExceptAuth(RESTApi restDesc, VulnerabilitiesVulnerability vuln,
WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject,
bool isDebug, ref List <Param> respHeader, RestHTTPHelper HttpHelper, string customRequestHeader)
{
CheckVulnsForURLParams(restDesc, vuln, WSItemVulnerabilities,
reportObject, isDebug, ref respHeader, HttpHelper, customRequestHeader);
CheckVulnsForPostParams(restDesc, vuln, WSItemVulnerabilities,
reportObject, isDebug, ref respHeader, HttpHelper, customRequestHeader);
}
private void CheckUnAuthenticatedMethod(RESTApi restDesc, VulnerabilitiesVulnerability vuln,
WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug,
ref List <Param> respHeader, RestHTTPHelper HttpHelper, string customRequestHeader)
{
HttpWebResponseWrapper response = null;
try
{
reportObject.TotalRequestCount++;
response = HttpHelper.GetHttpWebResponseWithDefaultParams(restDesc, false, ref respHeader, customRequestHeader);
}
catch (WebException wEx)
{
//if (wEx.Response.s)
bool authErrorReceived = false;
try
{
HttpWebResponse wr = (HttpWebResponse)wEx.Response;
if (vuln.statusCode.Equals(((int)wr.StatusCode).ToString()))
{
authErrorReceived = true;
}
}
catch { }
if (!authErrorReceived)
{
SetWebException(restDesc.NormalizedURL, wEx, WSItemVulnerabilities, "Web Exception During Authentication Check", isDebug);
}
}
catch (Exception ex)
{
throw ex;
}
if (response != null && response.WebResponse != null)
{
if (!vuln.statusCode.Equals(((int)response.WebResponse.StatusCode).ToString())) // status code != 401, no redirection
{
VulnerabilityForReport authVuln = new VulnerabilityForReport();
authVuln.Vuln = MainForm.vulnerabilities.Vulnerability.Where(v => v.id == 1).FirstOrDefault();
authVuln.VulnerableMethodName = restDesc.Url.AbsoluteUri;
authVuln.VulnerableParamName = "";
authVuln.Payload = "";
authVuln.Response = response.ResponseBody;
authVuln.StatusCode = response.WebResponse.StatusCode.ToString();
WSItemVulnerabilities.Vulns.Add(authVuln);
mainForm.Log(" Auth Vulnerability Found: " + response.ResponseBody + " - status code is : " + response.WebResponse.StatusCode.ToString(), FontStyle.Bold, true, false);
}
}
}
private void AddSSLRelatedVulnerability(WSDescriberForReport WSItemVulnerabilities, int vulnId)
{
VulnerabilityForReport sslVuln = new VulnerabilityForReport();
sslVuln.Vuln = vulnerabilities.Vulnerability.Where(v => v.id == vulnId).FirstOrDefault();
sslVuln.VulnerableMethodName = "";
sslVuln.VulnerableParamName = "";
sslVuln.Payload = "";
sslVuln.Response = "";
sslVuln.StatusCode = "";
WSItemVulnerabilities.Vulns.Add(sslVuln);
}
private void CheckVulnsForURLParams(RESTApi restDesc,
VulnerabilitiesVulnerability vuln, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject,
bool isDebug, ref List <Param> respHeader, RestHTTPHelper HttpHelper, string customRequestHeader)
{
//CheckVulnsForParams(restDesc.NormalizedURL, restDesc.UrlParameters, vuln, WSItemVulnerabilities,
// reportObject, isDebug, ref respHeader);
if (restDesc.UrlParameters != null && restDesc.UrlParameters.Count > 0)
{
string postDataWithDefault = HttpHelper.GetDefaultValuesForParam(restDesc.NormalizedPostData, restDesc.PostParameters, true);
for (int i = 0; i < restDesc.UrlParameters.Count; i++)
{
if (i == restDesc.UrlParameters[i].Index)
{
foreach (string payload in vuln.request)
{
bool vulnFoundForParam = false;
string newUrl = restDesc.NormalizedURL.Replace("{" + i + "}", payload.Trim());
newUrl = SetParameterDefaultValue(newUrl, restDesc.UrlParameters, restDesc.UrlParameters[i].Index, isDebug, false);
HttpWebResponseWrapper response = null;
try
{
reportObject.TotalRequestCount++;
response = HttpHelper.GetHttpWebResponse(restDesc, newUrl, postDataWithDefault, true, ref respHeader, customRequestHeader);
}
catch (WebException wEx)
{
SetWebException(newUrl, wEx, WSItemVulnerabilities, payload, isDebug);
}
catch (Exception ex)
{
throw ex;
}
if (response != null && response.WebResponse != null)
{
SearcForVuln(response, WSItemVulnerabilities, vuln, payload,
ref vulnFoundForParam, newUrl, isDebug, restDesc.UrlParameters[i].Index);
}
if (vulnFoundForParam)
{
break;
}
}
}
}
}
}
public void ScanVulnerabilities(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln,
string targetNameSpace, WSDescriber wsDesc, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject,
bool isDebug, ref List <Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags, string customRequestHeader)
{
if (vuln.id == 1) // check authentication
{
CheckUnAuthenticatedMethod(wsInvoker, operation, vuln, targetNameSpace, WSItemVulnerabilities, reportObject, isDebug, ref respHeader, customSoapHeaderTags, customSoapBodyTags, customRequestHeader);
}
else
{
CheckVulnsExceptAuth(wsInvoker, operation, vuln, targetNameSpace, wsDesc, WSItemVulnerabilities, reportObject, isDebug, ref respHeader, customSoapHeaderTags, customSoapBodyTags, customRequestHeader);
}
}
private static string GetHtmlRowForWsdl(WSDescriberForReport wsDesc, ref List <Param> allVulns)
{
StringBuilder result = new StringBuilder();
result.Append("<table style='border-style:solid;width:100%' id='tbl4' class='wsdl'>");
result.Append("<tr class='accordion'><td><b>WSDL Address: " + wsDesc.WsDesc.WSDLAddress + "</b> Vulnerability Count:" + (wsDesc.StaticVulns.Count + wsDesc.Vulns.Count).ToString() + "</td><td><div class='arrow'></div></td></tr>");
foreach (StaticVulnerabilityForReport vuln in wsDesc.StaticVulns)
{
result.Append("<tr><td colspan='2'><ul>");
result.Append("<li>" + vuln.Vuln.title + " - Severity:<b>" + vuln.Vuln.severity + "</b> - <i>Scan Type: Static</i></li>");
result.Append("<li>Line:<br /><b><pre>" + System.Web.HttpUtility.HtmlEncode(vuln.XMLLine) + "</pre></b></li>");
result.Append("<li><b>Description:</b><br /><pre>" + System.Web.HttpUtility.HtmlEncode(vuln.Vuln.description) + "</pre><br /><a href='" + vuln.Vuln.link + "' target='_blank'>Vulnerability Details</a></li>");
result.Append("</ul></td></tr>");
result.Append("<tr><td><hr /></td></tr>");
AddToAllVuln("Stat" + vuln.Vuln.id, ref allVulns, vuln.Vuln.title, vuln.Vuln.severity);
}
foreach (VulnerabilityForReport vuln in wsDesc.Vulns)
{
result.Append("<tr><td colspan='2'><ul>");
result.Append("<li>" + vuln.Vuln.title + " - Severity:<b>" + vuln.Vuln.severity + "</b> - <i>Scan Type: Dynamic</i></li>");
result.Append("<li>Method Name:<b>" + vuln.VulnerableMethodName + "</b></li>");
result.Append("<li>Parameter Name:<b>" + vuln.VulnerableParamName + "</b></li>");
result.Append("<li>Payload:<br /><b><pre>" + System.Web.HttpUtility.HtmlEncode(vuln.Payload) + "</pre></b></li>");
result.Append("<li>Status Code:<br /><b><pre>" + vuln.StatusCode + "</pre></b></li>");
result.Append("<li>Response:<br /><b><pre>" + System.Web.HttpUtility.HtmlEncode(vuln.Response) + "</pre></b></li>");
result.Append("<li><b>Description:</b><br /><pre>" + System.Web.HttpUtility.HtmlEncode(vuln.Vuln.description) + "</pre><br /><a href='" + vuln.Vuln.link + "' target='_blank'>Vulnerability Details</a></li>");
result.Append("</ul></td></tr>");
result.Append("<tr><td><hr /></td></tr>");
AddToAllVuln("Dyn" + vuln.Vuln.id, ref allVulns, vuln.Vuln.title, vuln.Vuln.severity);
}
foreach (DisclosureVulnerabilityForReport vuln in wsDesc.InfoVulns)
{
result.Append("<tr><td colspan='2'><ul>");
result.Append("<li>" + vuln.Vuln.title + " - Severity:<b>" + vuln.Vuln.severity + "</b> - <i>Scan Type: Information Disclosure</i></li>");
result.Append("<li>Value:<br /><b><pre>" + System.Web.HttpUtility.HtmlEncode(vuln.Value) + "</pre></b></li>");
result.Append("<li><b>Description:</b><br /><pre>" + System.Web.HttpUtility.HtmlEncode(vuln.Vuln.description) + "</pre><br /><a href='" + vuln.Vuln.link + "' target='_blank'>Vulnerability Details</a></li>");
result.Append("</ul></td></tr>");
result.Append("<tr><td><hr /></td></tr>");
AddToAllVuln("Info" + vuln.Vuln.id, ref allVulns, vuln.Vuln.title, vuln.Vuln.severity);
}
result.Append("</table>");
return(result.ToString());
}
public void ScanVulnerabilities(VulnerabilitiesVulnerability vuln, RESTApi restDesc,
WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject,
bool isDebug, ref List <Param> respHeader, RestHTTPHelper HttpHelper, string customRequestHeader)
{
if (vuln.id == 1) // check authentication
{
CheckUnAuthenticatedMethod(restDesc, vuln, WSItemVulnerabilities,
reportObject, isDebug, ref respHeader, HttpHelper, customRequestHeader);
}
else
{
CheckVulnsExceptAuth(restDesc, vuln, WSItemVulnerabilities,
reportObject, isDebug, ref respHeader, HttpHelper, customRequestHeader);
}
}
private void SetVuln(HttpWebResponseWrapper response, WSDescriberForReport WSItemVulnerabilities,
VulnerabilitiesVulnerability vuln, string methodName, string payload, int paramIndex, string logStr)
{
mainForm.Log(logStr, FontStyle.Bold, true, false);
VulnerabilityForReport vulnRep = new VulnerabilityForReport();
vulnRep.Vuln = vuln;
vulnRep.VulnerableMethodName = methodName;
vulnRep.VulnerableParamName = paramIndex.ToString();
vulnRep.Payload = payload;
vulnRep.Response = response.ResponseBody;
vulnRep.StatusCode = response.WebResponse.StatusCode.ToString();
WSItemVulnerabilities.Vulns.Add(vulnRep);
}
private void SetVuln(WebServiceToInvoke wsInvoker, WSDescriberForReport WSItemVulnerabilities,
VulnerabilitiesVulnerability vuln, WSOperation operation, string payload, string paramName, string logStr)
{
mainForm.Log(logStr, FontStyle.Bold, true, false);
VulnerabilityForReport vulnRep = new VulnerabilityForReport();
vulnRep.Vuln = vuln;
vulnRep.VulnerableMethodName = operation.MethodName;
vulnRep.VulnerableParamName = paramName;
vulnRep.Payload = payload;
vulnRep.Response = wsInvoker.ResultString;
vulnRep.StatusCode = wsInvoker.StatusCode.ToString();
WSItemVulnerabilities.Vulns.Add(vulnRep);
}
public void SetWebException(string method, WebException wEx, WSDescriberForReport WSItemVulnerabilities, string payload, bool isDebug)
{
if (WSItemVulnerabilities.Vulns.Where(v => v.Vuln.id == 8).Count() <= 0) // add only one web fault vulnerability
{
mainForm.Log(" Web Exception: " + wEx.ToString(), FontStyle.Regular, isDebug, false);
VulnerabilityForReport webExceptionVuln = new VulnerabilityForReport();
webExceptionVuln.Vuln = MainForm.vulnerabilities.Vulnerability.Where(v => v.id == 8).FirstOrDefault();
webExceptionVuln.VulnerableMethodName = method;
webExceptionVuln.VulnerableParamName = "";
webExceptionVuln.Payload = payload;
webExceptionVuln.Response = wEx.Message;
webExceptionVuln.StatusCode = "";
WSItemVulnerabilities.Vulns.Add(webExceptionVuln);
}
}
private void SearcForVuln(HttpWebResponseWrapper response, WSDescriberForReport WSItemVulnerabilities,
VulnerabilitiesVulnerability vuln, string payload,
ref bool vulnFoundForParam, string whereStr, bool isDebug, int paramIndex)
{
mainForm.Log(" StatusCode: " + response.WebResponse.StatusCode, FontStyle.Regular, isDebug, false);
mainForm.Log(" Result: " + response.ResponseBody, FontStyle.Regular, isDebug, false);
if (!string.IsNullOrEmpty(vuln.statusCode))
{
if (vuln.statusCode.Equals(response.WebResponse.StatusCode.ToString()))
{
if (vuln.response == null || vuln.response.Count() == 0)
{
SetVuln(response, WSItemVulnerabilities, vuln, whereStr, payload, paramIndex, " " + vuln.title + " Vulnerability Found: " + response.ResponseBody + " - Status Code: " + vuln.statusCode);
vulnFoundForParam = true;
}
else
{
foreach (string text in vuln.response)
{
if (response.ResponseBody.Trim().Contains(text.Trim()))
{
SetVuln(response, WSItemVulnerabilities, vuln, whereStr, payload, paramIndex, " " + vuln.title + " Vulnerability Found: " + response.ResponseBody + " - Response Text Contains: " + text + " - Status Code: " + vuln.statusCode);
vulnFoundForParam = true;
break;
}
}
}
}
}
else
{
foreach (string text in vuln.response)
{
//if (System.Text.RegularExpressions.Regex.IsMatch(wsInvoker.ResultString.Trim(), text.Trim(), System.Text.RegularExpressions.RegexOptions.IgnoreCase))
if (response.ResponseBody.Trim().Contains(text.Trim()))
{
// Vulnerability Found
SetVuln(response, WSItemVulnerabilities, vuln, whereStr, payload, paramIndex, " " + vuln.title + " Vulnerability Found: " + response.ResponseBody + " - Response Text Contains: " + text);
vulnFoundForParam = true;
break;
}
}
}
}
private void CheckUnAuthenticatedMethod(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln,
string targetNameSpace, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject,
bool isDebug, ref List <Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags, string customRequestHeader)
{
for (int j = 0; j < operation.Parameters.Count; j++)
{
SetParameterDefaultValue(wsInvoker, operation.Parameters[j], isDebug);
}
try
{
try
{
reportObject.TotalRequestCount++;
wsInvoker.InvokeMethod(operation.MethodName, targetNameSpace, null, ref respHeader, customSoapHeaderTags, customSoapBodyTags, customRequestHeader);
}
catch (SoapException soapEx)
{
//throw ex;
SetSoapFaultException(operation, soapEx, WSItemVulnerabilities, isDebug);
}
catch (Exception ex)
{
throw ex;
}
}
finally { wsInvoker.PosInvoke(); }
if (!vuln.statusCode.Equals(wsInvoker.StatusCode.ToString())) // status code != 401, no redirection
{
VulnerabilityForReport authVuln = new VulnerabilityForReport();
authVuln.Vuln = MainForm.vulnerabilities.Vulnerability.Where(v => v.id == 1).FirstOrDefault();
authVuln.VulnerableMethodName = operation.MethodName;
authVuln.VulnerableParamName = "";
authVuln.Payload = "";
authVuln.Response = wsInvoker.ResultString;
authVuln.StatusCode = wsInvoker.StatusCode.ToString();
WSItemVulnerabilities.Vulns.Add(authVuln);
mainForm.Log(" Auth Vulnerability Found: " + wsInvoker.ResultString + " - status code is : " + wsInvoker.StatusCode.ToString(), FontStyle.Bold, true, false);
}
}
private void CheckWebServerVulns(WSDescriber wsDesc, VulnerabilitiesVulnerability vuln,
WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug,
ref List <Param> respHeader, string customRequestHeader, string methodName, string httpMethodName)
{
HttpWebResponseWrapper response = null;
try
{
RestHTTPHelper HttpHelper = new RestHTTPHelper();
reportObject.TotalRequestCount++;
response = HttpHelper.GetHttpWebResponseForWebServerVuln(wsDesc.WSUri.Scheme + "://" + wsDesc.WSUri.Host + ":" + wsDesc.WSUri.Port,
wsDesc.BasicAuthentication, ref respHeader, customRequestHeader, httpMethodName);
}
catch (Exception ex)
{
throw ex;
}
if (response != null && response.WebResponse != null)
{
if (vuln.statusCode.Equals(((int)response.WebResponse.StatusCode).ToString())) // status code == 200
{
VulnerabilityForReport optionsVuln = new VulnerabilityForReport();
optionsVuln.Vuln = vuln;
optionsVuln.VulnerableMethodName = wsDesc.WSUri.Host + ":" + wsDesc.WSUri.Port;
optionsVuln.VulnerableParamName = "";
optionsVuln.Payload = "";
optionsVuln.Response = response.ResponseBody;
optionsVuln.StatusCode = response.WebResponse.StatusCode.ToString();
WSItemVulnerabilities.Vulns.Add(optionsVuln);
mainForm.Log(" " + methodName + " is enabled: " + response.ResponseBody + " - status code is : " + response.WebResponse.StatusCode.ToString(), FontStyle.Bold, true, false);
}
}
}
private void CheckVulnsExceptAuth(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln,
string targetNameSpace, WSDescriber wsDesc, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject,
bool isDebug, ref List <Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags, string customRequestHeader)
{
int paramIndexToTest = 0;
for (int i = 0; i < operation.Parameters.Count; i++)
{
if (i == paramIndexToTest)
{
foreach (string payload in vuln.request)
{
bool vulnFoundForParam = false;
wsInvoker.AddParameter(operation.Parameters[i].Name, payload.Trim());
for (int j = 0; j < operation.Parameters.Count; j++)
{
if (j != paramIndexToTest)
{
SetParameterDefaultValue(wsInvoker, operation.Parameters[j], isDebug);
}
}
try
{
try
{
reportObject.TotalRequestCount++;
wsInvoker.InvokeMethod(operation.MethodName, targetNameSpace, wsDesc, ref respHeader, customSoapHeaderTags, customSoapBodyTags, customRequestHeader);
}
catch (SoapException soapEx)
{
SetSoapFaultException(operation, soapEx, WSItemVulnerabilities, isDebug);
}
catch (Exception ex)
{
throw ex;
}
}
finally { wsInvoker.PosInvoke(); }
mainForm.Log(" StatusCode: " + wsInvoker.StatusCode, FontStyle.Regular, isDebug, false);
mainForm.Log(" Result: " + wsInvoker.ResultString, FontStyle.Regular, isDebug, false);
if (!string.IsNullOrEmpty(vuln.statusCode))
{
if (vuln.statusCode.Equals(wsInvoker.StatusCode.ToString()))
{
if (vuln.response == null || vuln.response.Count() == 0)
{
SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, operation.Parameters[i].Name, " " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Status Code: " + vuln.statusCode);
vulnFoundForParam = true;
}
else
{
foreach (string text in vuln.response)
{
if (wsInvoker.ResultString.Trim().Contains(text.Trim()))
{
SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, operation.Parameters[i].Name, " " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Response Text Contains: " + text + " - Status Code: " + vuln.statusCode);
vulnFoundForParam = true;
break;
}
}
}
}
}
else
{
foreach (string text in vuln.response)
{
//if (System.Text.RegularExpressions.Regex.IsMatch(wsInvoker.ResultString.Trim(), text.Trim(), System.Text.RegularExpressions.RegexOptions.IgnoreCase))
if (wsInvoker.ResultString.Trim().Contains(text.Trim()))
{
// Vulnerability Found
SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, operation.Parameters[i].Name, " " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Response Text Contains: " + text);
vulnFoundForParam = true;
break;
}
}
}
if (vulnFoundForParam)
{
break;
}
}
}
paramIndexToTest++;
}
}
public void SetSoapFaultException(WSOperation operation, SoapException soapEx, WSDescriberForReport WSItemVulnerabilities, bool isDebug)
{
if (WSItemVulnerabilities.Vulns.Where(v => v.VulnerableMethodName.Equals(operation.MethodName) && v.Vuln.id == 7).Count() <= 0) // aynı method için sadece 1 tane soap fault zafiyeti yaz
{
mainForm.Log(" Soap Exception: " + soapEx.ToString(), FontStyle.Regular, isDebug, false);
VulnerabilityForReport soapFaultVuln = new VulnerabilityForReport();
soapFaultVuln.Vuln = MainForm.vulnerabilities.Vulnerability.Where(v => v.id == 7).FirstOrDefault();
soapFaultVuln.VulnerableMethodName = operation.MethodName;
soapFaultVuln.VulnerableParamName = "";
soapFaultVuln.Payload = "";
soapFaultVuln.Response = soapEx.Message;
soapFaultVuln.StatusCode = "";
WSItemVulnerabilities.Vulns.Add(soapFaultVuln);
}
}
public void ScanRESTApi()
{
if (RestAPIDesc != null)
{
lvResult.Items.Clear();
scanDirectory = DirectoryHelper.GetScanDirectoryName();
DirectoryHelper.CreateScanDirectory(scanDirectory);
ReportObject reportObject = new ReportObject();
reportObject.ScanStartDate = DateTime.Now;
reportObject.WsDescs = new List<WSDescriberForReport>();
reportObject.TotalRequestCount = 0;
Log("Scan Started: " + reportObject.ScanStartDate.ToString("dd.MM.yyyy HH:mm:ss"), FontStyle.Bold, true, false);
WSDescriberForReport WSItemVulnerabilities = new WSDescriberForReport();
WSItemVulnerabilities.RestAPI = RestAPIDesc;
WSItemVulnerabilities.StaticVulns = new List<StaticVulnerabilityForReport>();
WSItemVulnerabilities.Vulns = new List<VulnerabilityForReport>();
WSItemVulnerabilities.InfoVulns = new List<DisclosureVulnerabilityForReport>();
Log("API Address: " + RestAPIDesc.Url.AbsoluteUri, FontStyle.Bold, true, false);
Log("Parsing API...", FontStyle.Regular, true, false);
List<Param> respHeader = new List<Param>();
bool untrustedSSLSecureChannel = false;
RestParser restParser = new RestParser(ref RestAPIDesc);
if (chkDynamicScan.Checked)
{
RestHTTPHelper HttpHelper = new RestHTTPHelper(ref RestAPIDesc, ref untrustedSSLSecureChannel, ref respHeader, CustomRequestHeader);
if (!RestAPIDesc.Url.Scheme.Equals("https"))
{
Log(" Vulnerability Found - SSL Not Used, Uri Schema is " + RestAPIDesc.Url.Scheme, FontStyle.Bold, true, false);
AddSSLRelatedVulnerability(WSItemVulnerabilities, 0);
}
else
{
if (untrustedSSLSecureChannel)
{
Log(" Vulnerability Found - Could not establish trust relationship for the SSL/TLS secure channel.", FontStyle.Bold, true, false);
AddSSLRelatedVulnerability(WSItemVulnerabilities, -1);
}
}
int paramCount = 0;
paramCount = RestAPIDesc.UrlParameters != null ? RestAPIDesc.UrlParameters.Count : 0;
paramCount += RestAPIDesc.PostParameters != null ? RestAPIDesc.PostParameters.Count : 0;
RestDynamicVulnerabilityScanner restDynScn = new RestDynamicVulnerabilityScanner(this);
foreach (VulnerabilitiesVulnerability vuln in vulnerabilities.Vulnerability)
{
if (vuln.type == 2 || vuln.type == 3) // 2: rest specific , 3: common for soap & rest
{
if (vuln.id != 0 && vuln.id != 9 && vuln.id != 10) // 0 for insecure transport - ssl not used , 9 for HTTP Options , 10 for XST
{
Log(" Testing: " + vuln.title, FontStyle.Regular, chkDebug.Checked, false);
Log(" Parameter Count: " + (paramCount), FontStyle.Regular, chkDebug.Checked, false);
try
{
restDynScn.ScanVulnerabilities(vuln, RestAPIDesc, WSItemVulnerabilities, reportObject,
chkDebug.Checked, ref respHeader, HttpHelper, CustomRequestHeader);
}
catch (Exception ex)
{
Log(" Exception: " + ex.ToString(), FontStyle.Regular, chkDebug.Checked, true);
}
}
}
}
try
{
VulnerabilitiesVulnerability optionsVuln = vulnerabilities.Vulnerability.Where(v => v.id == 9).FirstOrDefault();
if (optionsVuln != null)
{
restDynScn.CheckHTTPOptionsVulns(RestAPIDesc, optionsVuln, WSItemVulnerabilities, reportObject,
chkDebug.Checked, ref respHeader, HttpHelper, CustomRequestHeader);
}
}
catch (Exception ex)
{
Log(" CheckHTTPOptionsVulns - Exception: " + ex.ToString(), FontStyle.Regular, chkDebug.Checked, true);
}
try
{
VulnerabilitiesVulnerability xstVuln = vulnerabilities.Vulnerability.Where(v => v.id == 10).FirstOrDefault();
if (xstVuln != null)
{
restDynScn.CheckXSTVulns(RestAPIDesc, xstVuln, WSItemVulnerabilities, reportObject,
chkDebug.Checked, ref respHeader, HttpHelper, CustomRequestHeader);
}
}
catch (Exception ex)
{
Log(" CheckXSTVulns - Exception: " + ex.ToString(), FontStyle.Regular, chkDebug.Checked, true);
}
}
if (chkInfoDisclosure.Checked)
{
Log("Information Disclosure Analysis Started", FontStyle.Regular, true, false);
InformationDisclosureVulnerabilityScanner idvs = new InformationDisclosureVulnerabilityScanner(this);
foreach (InformationDisclosureVulnerability infoVuln in disclosureVulnerabilities.Vulnerability)
{
Log(" Searching Response Header: " + infoVuln.title, FontStyle.Regular, chkDebug.Checked, false);
string infoScanRes = idvs.ScanIt(infoVuln, respHeader);
if (!string.IsNullOrEmpty(infoScanRes))
{
Log(" " + infoVuln.title + " Information Disclosure Found: " + infoScanRes, FontStyle.Bold, true, false);
DisclosureVulnerabilityForReport vulnRep = new DisclosureVulnerabilityForReport();
vulnRep.Vuln = infoVuln;
vulnRep.Value = infoScanRes;
WSItemVulnerabilities.InfoVulns.Add(vulnRep);
}
}
Log("Information Disclosure Analysis Finished", FontStyle.Regular, true, false);
}
reportObject.WsDescs.Add(WSItemVulnerabilities);
reportObject.ScanEndDate = DateTime.Now;
Log("Scan Finished: " + reportObject.ScanEndDate.ToString("dd.MM.yyyy HH:mm:ss"), FontStyle.Bold, true, false);
string reportFilePath = scanDirectory + @"\Report\Report.html";
string xmlFilePath = scanDirectory + @"\Report\Report.xml";
//string reportTemplatePath = System.AppDomain.CurrentDomain.BaseDirectory + @"\..\..\ReportTemplates\HTMLReportTemplate.html";
string reportTemplatePath = System.AppDomain.CurrentDomain.BaseDirectory +
@"\ReportTemplates\HTMLReportTemplate.html";
ReportHelper.CreateHTMLReport(reportObject,
reportTemplatePath,
reportFilePath, chkXMLReport.Checked, xmlFilePath);
Process.Start(reportFilePath);
//if (chkXMLReport.Checked) Process.Start(xmlFilePath);
}
else
{
MessageBox.Show("Please Enter API Info!!!");
}
}
private void btnScan_Click(object sender, EventArgs e)
{
if (services != null && services.Count > 0)
{
lvResult.Items.Clear();
scanDirectory = DirectoryHelper.GetScanDirectoryName();
DirectoryHelper.CreateScanDirectory(scanDirectory);
ReportObject reportObject = new ReportObject();
reportObject.ScanStartDate = DateTime.Now;
reportObject.WsDescs = new List<WSDescriberForReport>();
reportObject.TotalRequestCount = 0;
Log("Scan Started: " + reportObject.ScanStartDate.ToString("dd.MM.yyyy HH:mm:ss"), FontStyle.Bold, true, false);
foreach (WSDescriber wsDesc in services)
{
WSDescriberForReport WSItemVulnerabilities = new WSDescriberForReport();
WSItemVulnerabilities.WsDesc = wsDesc;
WSItemVulnerabilities.Vulns = new List<VulnerabilityForReport>();
WSItemVulnerabilities.StaticVulns = new List<StaticVulnerabilityForReport>();
WSItemVulnerabilities.InfoVulns = new List<DisclosureVulnerabilityForReport>();
Log("WSDL Address: " + wsDesc.WSDLAddress, FontStyle.Bold, true, false);
Log("Parsing WSDL...", FontStyle.Regular, true, false);
List<Param> respHeader = new List<Param>();
bool untrustedSSLSecureChannel = false;
Parser parser = null;
try
{
parser = new Parser(wsDesc, ref untrustedSSLSecureChannel, ref respHeader, CustomRequestHeader);
}
catch (Exception parseEx)
{
Log("WSDL Parsing Exception: " + parseEx.Message, FontStyle.Regular, true, false);
}
if (chkStaticScan.Checked && parser != null)
{
Log("Static Analysis Started", FontStyle.Regular, true, false);
StaticVulnerabilityScanner svs = new StaticVulnerabilityScanner();
foreach (StaticVulnerabilitiesStaticVulnerability staticVuln in staticVulnerabilities.StaticVulnerability)
{
Log(" Testing: " + staticVuln.title, FontStyle.Regular, chkDebug.Checked, false);
string staticScanRes = svs.ScanIt(staticVuln, parser.rawWSDL);
if (!string.IsNullOrEmpty(staticScanRes))
{
Log(" " + staticVuln.title + " Vulnerability Found: " + staticScanRes, FontStyle.Bold, true, false);
StaticVulnerabilityForReport vulnRep = new StaticVulnerabilityForReport();
vulnRep.Vuln = staticVuln;
vulnRep.XMLLine = staticScanRes;
WSItemVulnerabilities.StaticVulns.Add(vulnRep);
}
}
Log("Static Analysis Finished", FontStyle.Regular, true, false);
}
if (chkDynamicScan.Checked && parser != null)
{
Log("Getting Methods...", FontStyle.Regular, true, false);
List<WSOperation> operations = parser.GetOperations();
WebServiceToInvoke wsInvoker = new WebServiceToInvoke(wsDesc.WSDLAddress.Replace("?WSDL", ""));
if (!wsDesc.WSUri.Scheme.Equals("https"))
{
Log(" Vulnerability Found - SSL Not Used, Uri Schema is " + wsDesc.WSUri.Scheme, FontStyle.Bold, true, false);
AddSSLRelatedVulnerability(WSItemVulnerabilities, 0);
}
else
{
if (untrustedSSLSecureChannel)
{
Log(" Vulnerability Found - Could not establish trust relationship for the SSL/TLS secure channel.", FontStyle.Bold, true, false);
AddSSLRelatedVulnerability(WSItemVulnerabilities, -1);
}
}
DynamicVulnerabilityScanner dynScn = new DynamicVulnerabilityScanner(this);
foreach (WSOperation operation in operations)
{
Log("Method: " + operation.MethodName, FontStyle.Regular, chkDebug.Checked, false);
foreach (VulnerabilitiesVulnerability vuln in vulnerabilities.Vulnerability)
{
if (vuln.type == 1 || vuln.type == 3) // 1: soap specific , 3: common for soap & rest
{
if (vuln.id != 0 && vuln.id != 7 && vuln.id != 9 && vuln.id != 10) // 0 for insecure transport - ssl not used , 7 for verbose soap fault message , 9 for HTTP Options , 10 for XST
{
wsInvoker.PreInvoke();
Log(" Testing: " + vuln.title, FontStyle.Regular, chkDebug.Checked, false);
Log(" Parameter Count: " + operation.Parameters.Count, FontStyle.Regular, chkDebug.Checked, false);
try
{
dynScn.ScanVulnerabilities(wsInvoker, operation, vuln, parser.TargetNameSpace, wsDesc, WSItemVulnerabilities, reportObject,
chkDebug.Checked, ref respHeader, CustomSoapHeaderTags.Trim(), CustomSoapBodyTags.Trim(), CustomRequestHeader.Trim());
}
catch (System.Web.Services.Protocols.SoapException soapEx)
{
dynScn.SetSoapFaultException(operation, soapEx, WSItemVulnerabilities, chkDebug.Checked);
}
catch (Exception ex)
{
Log(" Exception: " + ex.ToString(), FontStyle.Regular, chkDebug.Checked, true);
}
}
}
}
}
try
{
VulnerabilitiesVulnerability optionsVuln = vulnerabilities.Vulnerability.Where(v => v.id == 9).FirstOrDefault();
if (optionsVuln != null)
{
dynScn.CheckHTTPOptionsVulns(wsDesc, optionsVuln, WSItemVulnerabilities, reportObject,
chkDebug.Checked, ref respHeader, CustomRequestHeader);
}
}
catch (Exception ex)
{
Log(" CheckHTTPOptionsVulns - Exception: " + ex.ToString(), FontStyle.Regular, chkDebug.Checked, true);
}
try
{
VulnerabilitiesVulnerability xstVuln = vulnerabilities.Vulnerability.Where(v => v.id == 10).FirstOrDefault();
if (xstVuln != null)
{
dynScn.CheckXSTVulns(wsDesc, xstVuln, WSItemVulnerabilities, reportObject,
chkDebug.Checked, ref respHeader, CustomRequestHeader);
}
}
catch (Exception ex)
{
Log(" CheckXSTVulns - Exception: " + ex.ToString(), FontStyle.Regular, chkDebug.Checked, true);
}
}
if (chkInfoDisclosure.Checked)
{
Log("Information Disclosure Analysis Started", FontStyle.Regular, true, false);
InformationDisclosureVulnerabilityScanner idvs = new InformationDisclosureVulnerabilityScanner(this);
foreach (InformationDisclosureVulnerability infoVuln in disclosureVulnerabilities.Vulnerability)
{
Log(" Searching Response Header: " + infoVuln.title, FontStyle.Regular, chkDebug.Checked, false);
string infoScanRes = idvs.ScanIt(infoVuln, respHeader);
if (!string.IsNullOrEmpty(infoScanRes))
{
Log(" " + infoVuln.title + " Information Disclosure Found: " + infoScanRes, FontStyle.Bold, true, false);
DisclosureVulnerabilityForReport vulnRep = new DisclosureVulnerabilityForReport();
vulnRep.Vuln = infoVuln;
vulnRep.Value = infoScanRes;
WSItemVulnerabilities.InfoVulns.Add(vulnRep);
}
}
Log("Information Disclosure Analysis Finished", FontStyle.Regular, true, false);
}
reportObject.WsDescs.Add(WSItemVulnerabilities);
}
reportObject.ScanEndDate = DateTime.Now;
Log("Scan Finished: " + reportObject.ScanEndDate.ToString("dd.MM.yyyy HH:mm:ss"), FontStyle.Bold, true, false);
string reportFilePath = scanDirectory + @"\Report\Report.html";
string xmlFilePath = scanDirectory + @"\Report\Report.xml";
string reportTemplatePath = System.AppDomain.CurrentDomain.BaseDirectory +
@"\ReportTemplates\HTMLReportTemplate.html";
ReportHelper.CreateHTMLReport(reportObject,
reportTemplatePath,
reportFilePath, chkXMLReport.Checked, xmlFilePath);
//if (chkXMLReport.Checked)
//{
// Process.Start("cmd.exe /c notepad.exe " + xmlFilePath);
//}
Process.Start(reportFilePath);
}
else
{
MessageBox.Show("Please Select WSDL List File!!!");
}
}
private static XmlNode GetXMLForWS(WSDescriberForReport wsDesc, ref XmlDocument doc)
{
XmlNode wsNode = doc.CreateElement("WebService");
string url = string.Empty;
string postData = string.Empty;
string method = string.Empty;
string contentType = string.Empty;
if (wsDesc.WsDesc != null)
{
url = wsDesc.WsDesc.WSDLAddress;
}
else
{
url = wsDesc.RestAPI.Url.AbsoluteUri;
if (!string.IsNullOrEmpty(wsDesc.RestAPI.PostData))
{
postData = wsDesc.RestAPI.PostData;
}
method = wsDesc.RestAPI.Method;
contentType = wsDesc.RestAPI.ContentType;
}
wsNode.Attributes.Append(GetXMLAttribute(doc, "Url", url));
wsNode.Attributes.Append(GetXMLAttribute(doc, "VulnCount", (wsDesc.StaticVulns.Count + wsDesc.Vulns.Count + wsDesc.InfoVulns.Count).ToString()));
if (!string.IsNullOrEmpty(postData))
{
wsNode.Attributes.Append(GetXMLAttribute(doc, "PostData", postData));
}
if (!string.IsNullOrEmpty(method))
{
wsNode.Attributes.Append(GetXMLAttribute(doc, "Method", method));
}
if (!string.IsNullOrEmpty(contentType))
{
wsNode.Attributes.Append(GetXMLAttribute(doc, "ContentType", contentType));
}
XmlNode vulnerabilitiesNode = doc.CreateElement("Vulnerabilities");
XmlNode staticVulnerabilitiesNode = doc.CreateElement("Static");
foreach (StaticVulnerabilityForReport vuln in wsDesc.StaticVulns)
{
XmlNode vulnNode = doc.CreateElement("Vulnerability");
vulnNode.AppendChild(GetXMLNode(doc, "Title", vuln.Vuln.title));
vulnNode.AppendChild(GetXMLNode(doc, "Severity", vuln.Vuln.severity));
vulnNode.AppendChild(GetXMLNode(doc, "Line", System.Web.HttpUtility.HtmlEncode(vuln.XMLLine)));
vulnNode.AppendChild(GetXMLNode(doc, "Description", System.Web.HttpUtility.HtmlEncode(vuln.Vuln.description)));
vulnNode.AppendChild(GetXMLNode(doc, "Link", vuln.Vuln.link));
staticVulnerabilitiesNode.AppendChild(vulnNode);
}
vulnerabilitiesNode.AppendChild(staticVulnerabilitiesNode);
XmlNode dynamicVulnerabilitiesNode = doc.CreateElement("Dynamic");
foreach (VulnerabilityForReport vuln in wsDesc.Vulns)
{
XmlNode vulnNode = doc.CreateElement("Vulnerability");
vulnNode.AppendChild(GetXMLNode(doc, "Title", vuln.Vuln.title));
vulnNode.AppendChild(GetXMLNode(doc, "Severity", vuln.Vuln.severity));
if (wsDesc.WsDesc != null)
{
vulnNode.AppendChild(GetXMLNode(doc, "MethodName", System.Web.HttpUtility.HtmlEncode(vuln.VulnerableMethodName)));
vulnNode.AppendChild(GetXMLNode(doc, "ParameterName", System.Web.HttpUtility.HtmlEncode(vuln.VulnerableParamName)));
}
else
{
vulnNode.AppendChild(GetXMLNode(doc, "UrlOrPostData", System.Web.HttpUtility.HtmlEncode(vuln.VulnerableMethodName)));
}
vulnNode.AppendChild(GetXMLCDataNode(doc, "Payload", vuln.Payload));
vulnNode.AppendChild(GetXMLNode(doc, "StatusCode", System.Web.HttpUtility.HtmlEncode(vuln.StatusCode)));
vulnNode.AppendChild(GetXMLCDataNode(doc, "Response", System.Web.HttpUtility.HtmlEncode(vuln.Response)));
vulnNode.AppendChild(GetXMLNode(doc, "Description", System.Web.HttpUtility.HtmlEncode(vuln.Vuln.description)));
vulnNode.AppendChild(GetXMLNode(doc, "Link", vuln.Vuln.link));
dynamicVulnerabilitiesNode.AppendChild(vulnNode);
}
vulnerabilitiesNode.AppendChild(dynamicVulnerabilitiesNode);
XmlNode infoVulnerabilitiesNode = doc.CreateElement("Informational");
foreach (DisclosureVulnerabilityForReport vuln in wsDesc.InfoVulns)
{
XmlNode vulnNode = doc.CreateElement("Vulnerability");
vulnNode.AppendChild(GetXMLNode(doc, "Title", vuln.Vuln.title));
vulnNode.AppendChild(GetXMLNode(doc, "Severity", vuln.Vuln.severity));
vulnNode.AppendChild(GetXMLNode(doc, "Value", System.Web.HttpUtility.HtmlEncode(vuln.Value)));
vulnNode.AppendChild(GetXMLNode(doc, "Description", System.Web.HttpUtility.HtmlEncode(vuln.Vuln.description)));
vulnNode.AppendChild(GetXMLNode(doc, "Link", vuln.Vuln.link));
infoVulnerabilitiesNode.AppendChild(vulnNode);
}
vulnerabilitiesNode.AppendChild(infoVulnerabilitiesNode);
wsNode.AppendChild(vulnerabilitiesNode);
return(wsNode);
}
