public void ScanVulnerabilities(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln, string targetNameSpace, WSDescriber wsDesc, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug, ref List<Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags) { if (vuln.id == 1) // check authentication { CheckUnAuthenticatedMethod(wsInvoker, operation, vuln, targetNameSpace, WSItemVulnerabilities, reportObject, isDebug, ref respHeader, customSoapHeaderTags, customSoapBodyTags); } else { CheckVulnsExceptAuth(wsInvoker, operation, vuln, targetNameSpace, wsDesc, WSItemVulnerabilities, reportObject, isDebug, ref respHeader, customSoapHeaderTags, customSoapBodyTags); } }
private void CheckUnAuthenticatedMethod(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln, string targetNameSpace, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug, ref List<Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags) { for (int j = 0; j < operation.Parameters.Count; j++) { SetParameterDefaultValue(wsInvoker, operation.Parameters[j], isDebug); } try { try { reportObject.TotalRequestCount++; wsInvoker.InvokeMethod(operation.MethodName, targetNameSpace, null, ref respHeader, customSoapHeaderTags, customSoapBodyTags); } catch (SoapException soapEx) { //throw ex; SetSoapFaultException(operation, soapEx, WSItemVulnerabilities, isDebug); } catch (Exception ex) { throw ex; } } finally { wsInvoker.PosInvoke(); } if (!vuln.statusCode.Equals(wsInvoker.StatusCode.ToString())) // status code is not 401, no redirect { VulnerabilityForReport authVuln = new VulnerabilityForReport(); authVuln.Vuln = MainForm.vulnerabilities.Vulnerability.Where(v => v.id == 1).FirstOrDefault(); authVuln.VulnerableMethodName = operation.MethodName; authVuln.VulnerableParamName = ""; authVuln.Payload = ""; authVuln.Response = wsInvoker.ResultString; authVuln.StatusCode = wsInvoker.StatusCode.ToString(); WSItemVulnerabilities.Vulns.Add(authVuln); mainForm.Log(" Auth Vulnerability Found: " + wsInvoker.ResultString + " - status code is : " + wsInvoker.StatusCode.ToString(), FontStyle.Bold, true); } }
private void SetVuln(WebServiceToInvoke wsInvoker, WSDescriberForReport WSItemVulnerabilities, VulnerabilitiesVulnerability vuln, WSOperation operation, string payload, string paramName, string logStr) { mainForm.Log(logStr, FontStyle.Bold, true); VulnerabilityForReport vulnRep = new VulnerabilityForReport(); vulnRep.Vuln = vuln; vulnRep.VulnerableMethodName = operation.MethodName; vulnRep.VulnerableParamName = paramName; vulnRep.Payload = payload; vulnRep.Response = wsInvoker.ResultString; vulnRep.StatusCode = wsInvoker.StatusCode.ToString(); WSItemVulnerabilities.Vulns.Add(vulnRep); }
private void CheckVulnsExceptAuth(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln, string targetNameSpace, WSDescriber wsDesc, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug, ref List<Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags) { int paramIndexToTest = 0; for (int i = 0; i < operation.Parameters.Count; i++) { if (i == paramIndexToTest) { foreach (string payload in vuln.request) { bool vulnFoundForParam = false; wsInvoker.AddParameter(operation.Parameters[i].Name, payload.Trim()); for (int j = 0; j < operation.Parameters.Count; j++) { if (j != paramIndexToTest) { SetParameterDefaultValue(wsInvoker, operation.Parameters[j], isDebug); } } try { try { reportObject.TotalRequestCount++; wsInvoker.InvokeMethod(operation.MethodName, targetNameSpace, wsDesc, ref respHeader, customSoapHeaderTags, customSoapBodyTags); } catch (SoapException soapEx) { SetSoapFaultException(operation, soapEx, WSItemVulnerabilities, isDebug); } catch (Exception ex) { throw ex; } } finally { wsInvoker.PosInvoke(); } mainForm.Log(" StatusCode: " + wsInvoker.StatusCode, FontStyle.Regular, isDebug); mainForm.Log(" Result: " + wsInvoker.ResultString, FontStyle.Regular, isDebug); if (!string.IsNullOrEmpty(vuln.statusCode)) { if (vuln.statusCode.Equals(wsInvoker.StatusCode.ToString())) { if (vuln.response == null || vuln.response.Count() == 0) { SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, operation.Parameters[i].Name, " " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Status Code: " + vuln.statusCode); vulnFoundForParam = true; } else { foreach (string text in vuln.response) { if (wsInvoker.ResultString.Trim().Contains(text.Trim())) { SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, operation.Parameters[i].Name, " " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Response Text Contains: " + text + " - Status Code: " + vuln.statusCode); vulnFoundForParam = true; break; } } } } } else { foreach (string text in vuln.response) { //if (System.Text.RegularExpressions.Regex.IsMatch(wsInvoker.ResultString.Trim(), text.Trim(), System.Text.RegularExpressions.RegexOptions.IgnoreCase)) if (wsInvoker.ResultString.Trim().Contains(text.Trim())) { // Vulnerability Found SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, operation.Parameters[i].Name, " " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Response Text Contains: " + text); vulnFoundForParam = true; break; } } } if (vulnFoundForParam) { break; } } } paramIndexToTest++; } }