private void CheckUnAuthenticatedMethod(RESTApi restDesc, VulnerabilitiesVulnerability vuln,
WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug,
ref List <Param> respHeader, RestHTTPHelper HttpHelper, string customRequestHeader)
{
HttpWebResponseWrapper response = null;
try
{
reportObject.TotalRequestCount++;
response = HttpHelper.GetHttpWebResponseWithDefaultParams(restDesc, false, ref respHeader, customRequestHeader);
}
catch (WebException wEx)
{
//if (wEx.Response.s)
bool authErrorReceived = false;
try
{
HttpWebResponse wr = (HttpWebResponse)wEx.Response;
if (vuln.statusCode.Equals(((int)wr.StatusCode).ToString()))
{
authErrorReceived = true;
}
}
catch { }
if (!authErrorReceived)
{
SetWebException(restDesc.NormalizedURL, wEx, WSItemVulnerabilities, "Web Exception During Authentication Check", isDebug);
}
}
catch (Exception ex)
{
throw ex;
}
if (response != null && response.WebResponse != null)
{
if (!vuln.statusCode.Equals(((int)response.WebResponse.StatusCode).ToString())) // status code != 401, no redirection
{
VulnerabilityForReport authVuln = new VulnerabilityForReport();
authVuln.Vuln = MainForm.vulnerabilities.Vulnerability.Where(v => v.id == 1).FirstOrDefault();
authVuln.VulnerableMethodName = restDesc.Url.AbsoluteUri;
authVuln.VulnerableParamName = "";
authVuln.Payload = "";
authVuln.Response = response.ResponseBody;
authVuln.StatusCode = response.WebResponse.StatusCode.ToString();
WSItemVulnerabilities.Vulns.Add(authVuln);
mainForm.Log(" Auth Vulnerability Found: " + response.ResponseBody + " - status code is : " + response.WebResponse.StatusCode.ToString(), FontStyle.Bold, true, false);
}
}
}
private void AddSSLRelatedVulnerability(WSDescriberForReport WSItemVulnerabilities, int vulnId)
{
VulnerabilityForReport sslVuln = new VulnerabilityForReport();
sslVuln.Vuln = vulnerabilities.Vulnerability.Where(v => v.id == vulnId).FirstOrDefault();
sslVuln.VulnerableMethodName = "";
sslVuln.VulnerableParamName = "";
sslVuln.Payload = "";
sslVuln.Response = "";
sslVuln.StatusCode = "";
WSItemVulnerabilities.Vulns.Add(sslVuln);
}
private void SetVuln(WebServiceToInvoke wsInvoker, WSDescriberForReport WSItemVulnerabilities,
VulnerabilitiesVulnerability vuln, WSOperation operation, string payload, string paramName, string logStr)
{
mainForm.Log(logStr, FontStyle.Bold, true, false);
VulnerabilityForReport vulnRep = new VulnerabilityForReport();
vulnRep.Vuln = vuln;
vulnRep.VulnerableMethodName = operation.MethodName;
vulnRep.VulnerableParamName = paramName;
vulnRep.Payload = payload;
vulnRep.Response = wsInvoker.ResultString;
vulnRep.StatusCode = wsInvoker.StatusCode.ToString();
WSItemVulnerabilities.Vulns.Add(vulnRep);
}
private void SetVuln(HttpWebResponseWrapper response, WSDescriberForReport WSItemVulnerabilities,
VulnerabilitiesVulnerability vuln, string methodName, string payload, int paramIndex, string logStr)
{
mainForm.Log(logStr, FontStyle.Bold, true, false);
VulnerabilityForReport vulnRep = new VulnerabilityForReport();
vulnRep.Vuln = vuln;
vulnRep.VulnerableMethodName = methodName;
vulnRep.VulnerableParamName = paramIndex.ToString();
vulnRep.Payload = payload;
vulnRep.Response = response.ResponseBody;
vulnRep.StatusCode = response.WebResponse.StatusCode.ToString();
WSItemVulnerabilities.Vulns.Add(vulnRep);
}
public void SetSoapFaultException(WSOperation operation, SoapException soapEx, WSDescriberForReport WSItemVulnerabilities, bool isDebug)
{
if (WSItemVulnerabilities.Vulns.Where(v => v.VulnerableMethodName.Equals(operation.MethodName) && v.Vuln.id == 7).Count() <= 0) // aynı method için sadece 1 tane soap fault zafiyeti yaz
{
mainForm.Log(" Soap Exception: " + soapEx.ToString(), FontStyle.Regular, isDebug, false);
VulnerabilityForReport soapFaultVuln = new VulnerabilityForReport();
soapFaultVuln.Vuln = MainForm.vulnerabilities.Vulnerability.Where(v => v.id == 7).FirstOrDefault();
soapFaultVuln.VulnerableMethodName = operation.MethodName;
soapFaultVuln.VulnerableParamName = "";
soapFaultVuln.Payload = "";
soapFaultVuln.Response = soapEx.Message;
soapFaultVuln.StatusCode = "";
WSItemVulnerabilities.Vulns.Add(soapFaultVuln);
}
}
public void SetWebException(string method, WebException wEx, WSDescriberForReport WSItemVulnerabilities, string payload, bool isDebug)
{
if (WSItemVulnerabilities.Vulns.Where(v => v.Vuln.id == 8).Count() <= 0) // add only one web fault vulnerability
{
mainForm.Log(" Web Exception: " + wEx.ToString(), FontStyle.Regular, isDebug, false);
VulnerabilityForReport webExceptionVuln = new VulnerabilityForReport();
webExceptionVuln.Vuln = MainForm.vulnerabilities.Vulnerability.Where(v => v.id == 8).FirstOrDefault();
webExceptionVuln.VulnerableMethodName = method;
webExceptionVuln.VulnerableParamName = "";
webExceptionVuln.Payload = payload;
webExceptionVuln.Response = wEx.Message;
webExceptionVuln.StatusCode = "";
WSItemVulnerabilities.Vulns.Add(webExceptionVuln);
}
}
private void CheckUnAuthenticatedMethod(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln,
string targetNameSpace, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject,
bool isDebug, ref List <Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags, string customRequestHeader)
{
for (int j = 0; j < operation.Parameters.Count; j++)
{
SetParameterDefaultValue(wsInvoker, operation.Parameters[j], isDebug);
}
try
{
try
{
reportObject.TotalRequestCount++;
wsInvoker.InvokeMethod(operation.MethodName, targetNameSpace, null, ref respHeader, customSoapHeaderTags, customSoapBodyTags, customRequestHeader);
}
catch (SoapException soapEx)
{
//throw ex;
SetSoapFaultException(operation, soapEx, WSItemVulnerabilities, isDebug);
}
catch (Exception ex)
{
throw ex;
}
}
finally { wsInvoker.PosInvoke(); }
if (!vuln.statusCode.Equals(wsInvoker.StatusCode.ToString())) // status code != 401, no redirection
{
VulnerabilityForReport authVuln = new VulnerabilityForReport();
authVuln.Vuln = MainForm.vulnerabilities.Vulnerability.Where(v => v.id == 1).FirstOrDefault();
authVuln.VulnerableMethodName = operation.MethodName;
authVuln.VulnerableParamName = "";
authVuln.Payload = "";
authVuln.Response = wsInvoker.ResultString;
authVuln.StatusCode = wsInvoker.StatusCode.ToString();
WSItemVulnerabilities.Vulns.Add(authVuln);
mainForm.Log(" Auth Vulnerability Found: " + wsInvoker.ResultString + " - status code is : " + wsInvoker.StatusCode.ToString(), FontStyle.Bold, true, false);
}
}
private void CheckWebServerVulns(WSDescriber wsDesc, VulnerabilitiesVulnerability vuln,
WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug,
ref List <Param> respHeader, string customRequestHeader, string methodName, string httpMethodName)
{
HttpWebResponseWrapper response = null;
try
{
RestHTTPHelper HttpHelper = new RestHTTPHelper();
reportObject.TotalRequestCount++;
response = HttpHelper.GetHttpWebResponseForWebServerVuln(wsDesc.WSUri.Scheme + "://" + wsDesc.WSUri.Host + ":" + wsDesc.WSUri.Port,
wsDesc.BasicAuthentication, ref respHeader, customRequestHeader, httpMethodName);
}
catch (Exception ex)
{
throw ex;
}
if (response != null && response.WebResponse != null)
{
if (vuln.statusCode.Equals(((int)response.WebResponse.StatusCode).ToString())) // status code == 200
{
VulnerabilityForReport optionsVuln = new VulnerabilityForReport();
optionsVuln.Vuln = vuln;
optionsVuln.VulnerableMethodName = wsDesc.WSUri.Host + ":" + wsDesc.WSUri.Port;
optionsVuln.VulnerableParamName = "";
optionsVuln.Payload = "";
optionsVuln.Response = response.ResponseBody;
optionsVuln.StatusCode = response.WebResponse.StatusCode.ToString();
WSItemVulnerabilities.Vulns.Add(optionsVuln);
mainForm.Log(" " + methodName + " is enabled: " + response.ResponseBody + " - status code is : " + response.WebResponse.StatusCode.ToString(), FontStyle.Bold, true, false);
}
}
}
