Exemplo n.º 1
0
 public void CheckXSTVulns(RESTApi restDesc, VulnerabilitiesVulnerability vuln,
                           WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug,
                           ref List <Param> respHeader, RestHTTPHelper HttpHelper, string customRequestHeader)
 {
     CheckWebServerVulns(restDesc, vuln, WSItemVulnerabilities, reportObject, isDebug,
                         ref respHeader, HttpHelper, customRequestHeader, "Cross Site Tracing", "TRACE");
 }
Exemplo n.º 2
0
 public void CheckHTTPOptionsVulns(RESTApi restDesc, VulnerabilitiesVulnerability vuln,
                                   WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug,
                                   ref List <Param> respHeader, RestHTTPHelper HttpHelper, string customRequestHeader)
 {
     CheckWebServerVulns(restDesc, vuln, WSItemVulnerabilities, reportObject, isDebug,
                         ref respHeader, HttpHelper, customRequestHeader, "HTTP OPTIONS", "OPTIONS");
 }
Exemplo n.º 3
0
 private void CheckVulnsExceptAuth(RESTApi restDesc, VulnerabilitiesVulnerability vuln,
                                   WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject,
                                   bool isDebug, ref List <Param> respHeader, RestHTTPHelper HttpHelper, string customRequestHeader)
 {
     CheckVulnsForURLParams(restDesc, vuln, WSItemVulnerabilities,
                            reportObject, isDebug, ref respHeader, HttpHelper, customRequestHeader);
     CheckVulnsForPostParams(restDesc, vuln, WSItemVulnerabilities,
                             reportObject, isDebug, ref respHeader, HttpHelper, customRequestHeader);
 }
Exemplo n.º 4
0
        private void CheckUnAuthenticatedMethod(RESTApi restDesc, VulnerabilitiesVulnerability vuln,
                                                WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug,
                                                ref List <Param> respHeader, RestHTTPHelper HttpHelper, string customRequestHeader)
        {
            HttpWebResponseWrapper response = null;

            try
            {
                reportObject.TotalRequestCount++;
                response = HttpHelper.GetHttpWebResponseWithDefaultParams(restDesc, false, ref respHeader, customRequestHeader);
            }
            catch (WebException wEx)
            {
                //if (wEx.Response.s)
                bool authErrorReceived = false;
                try
                {
                    HttpWebResponse wr = (HttpWebResponse)wEx.Response;

                    if (vuln.statusCode.Equals(((int)wr.StatusCode).ToString()))
                    {
                        authErrorReceived = true;
                    }
                }
                catch { }

                if (!authErrorReceived)
                {
                    SetWebException(restDesc.NormalizedURL, wEx, WSItemVulnerabilities, "Web Exception During Authentication Check", isDebug);
                }
            }
            catch (Exception ex)
            {
                throw ex;
            }

            if (response != null && response.WebResponse != null)
            {
                if (!vuln.statusCode.Equals(((int)response.WebResponse.StatusCode).ToString())) // status code != 401, no redirection
                {
                    VulnerabilityForReport authVuln = new VulnerabilityForReport();
                    authVuln.Vuln = MainForm.vulnerabilities.Vulnerability.Where(v => v.id == 1).FirstOrDefault();
                    authVuln.VulnerableMethodName = restDesc.Url.AbsoluteUri;
                    authVuln.VulnerableParamName  = "";
                    authVuln.Payload    = "";
                    authVuln.Response   = response.ResponseBody;
                    authVuln.StatusCode = response.WebResponse.StatusCode.ToString();

                    WSItemVulnerabilities.Vulns.Add(authVuln);

                    mainForm.Log("   Auth Vulnerability Found: " + response.ResponseBody + " - status code is : " + response.WebResponse.StatusCode.ToString(), FontStyle.Bold, true, false);
                }
            }
        }
Exemplo n.º 5
0
 public void ScanVulnerabilities(VulnerabilitiesVulnerability vuln, RESTApi restDesc,
                                 WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject,
                                 bool isDebug, ref List <Param> respHeader, RestHTTPHelper HttpHelper, string customRequestHeader)
 {
     if (vuln.id == 1) // check authentication
     {
         CheckUnAuthenticatedMethod(restDesc, vuln, WSItemVulnerabilities,
                                    reportObject, isDebug, ref respHeader, HttpHelper, customRequestHeader);
     }
     else
     {
         CheckVulnsExceptAuth(restDesc, vuln, WSItemVulnerabilities,
                              reportObject, isDebug, ref respHeader, HttpHelper, customRequestHeader);
     }
 }
Exemplo n.º 6
0
        private void CheckWebServerVulns(WSDescriber wsDesc, VulnerabilitiesVulnerability vuln,
                                         WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject, bool isDebug,
                                         ref List <Param> respHeader, string customRequestHeader, string methodName, string httpMethodName)
        {
            HttpWebResponseWrapper response = null;

            try
            {
                RestHTTPHelper HttpHelper = new RestHTTPHelper();
                reportObject.TotalRequestCount++;

                response = HttpHelper.GetHttpWebResponseForWebServerVuln(wsDesc.WSUri.Scheme + "://" + wsDesc.WSUri.Host + ":" + wsDesc.WSUri.Port,
                                                                         wsDesc.BasicAuthentication, ref respHeader, customRequestHeader, httpMethodName);
            }
            catch (Exception ex)
            {
                throw ex;
            }

            if (response != null && response.WebResponse != null)
            {
                if (vuln.statusCode.Equals(((int)response.WebResponse.StatusCode).ToString())) // status code == 200
                {
                    VulnerabilityForReport optionsVuln = new VulnerabilityForReport();
                    optionsVuln.Vuln = vuln;
                    optionsVuln.VulnerableMethodName = wsDesc.WSUri.Host + ":" + wsDesc.WSUri.Port;
                    optionsVuln.VulnerableParamName  = "";
                    optionsVuln.Payload    = "";
                    optionsVuln.Response   = response.ResponseBody;
                    optionsVuln.StatusCode = response.WebResponse.StatusCode.ToString();

                    WSItemVulnerabilities.Vulns.Add(optionsVuln);

                    mainForm.Log("   " + methodName + " is enabled: " + response.ResponseBody + " - status code is : " + response.WebResponse.StatusCode.ToString(), FontStyle.Bold, true, false);
                }
            }
        }
Exemplo n.º 7
0
        private void CheckVulnsForURLParams(RESTApi restDesc,
                                            VulnerabilitiesVulnerability vuln, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject,
                                            bool isDebug, ref List <Param> respHeader, RestHTTPHelper HttpHelper, string customRequestHeader)
        {
            //CheckVulnsForParams(restDesc.NormalizedURL, restDesc.UrlParameters, vuln, WSItemVulnerabilities,
            //        reportObject, isDebug, ref respHeader);

            if (restDesc.UrlParameters != null && restDesc.UrlParameters.Count > 0)
            {
                string postDataWithDefault = HttpHelper.GetDefaultValuesForParam(restDesc.NormalizedPostData, restDesc.PostParameters, true);

                for (int i = 0; i < restDesc.UrlParameters.Count; i++)
                {
                    if (i == restDesc.UrlParameters[i].Index)
                    {
                        foreach (string payload in vuln.request)
                        {
                            bool vulnFoundForParam = false;

                            string newUrl = restDesc.NormalizedURL.Replace("{" + i + "}", payload.Trim());
                            newUrl = SetParameterDefaultValue(newUrl, restDesc.UrlParameters, restDesc.UrlParameters[i].Index, isDebug, false);

                            HttpWebResponseWrapper response = null;
                            try
                            {
                                reportObject.TotalRequestCount++;

                                response = HttpHelper.GetHttpWebResponse(restDesc, newUrl, postDataWithDefault, true, ref respHeader, customRequestHeader);
                            }
                            catch (WebException wEx)
                            {
                                SetWebException(newUrl, wEx, WSItemVulnerabilities, payload, isDebug);
                            }
                            catch (Exception ex)
                            {
                                throw ex;
                            }

                            if (response != null && response.WebResponse != null)
                            {
                                SearcForVuln(response, WSItemVulnerabilities, vuln, payload,
                                             ref vulnFoundForParam, newUrl, isDebug, restDesc.UrlParameters[i].Index);
                            }
                            if (vulnFoundForParam)
                            {
                                break;
                            }
                        }
                    }
                }
            }
        }