public void ScanVulnerabilities(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln,
string targetNameSpace, WSDescriber wsDesc, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject,
bool isDebug, ref List<Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags)
{
if (vuln.id == 1) // check authentication
{
CheckUnAuthenticatedMethod(wsInvoker, operation, vuln, targetNameSpace, WSItemVulnerabilities, reportObject, isDebug, ref respHeader, customSoapHeaderTags, customSoapBodyTags);
}
else
{
CheckVulnsExceptAuth(wsInvoker, operation, vuln, targetNameSpace, wsDesc, WSItemVulnerabilities, reportObject, isDebug, ref respHeader, customSoapHeaderTags, customSoapBodyTags);
}
}
public Parser(WSDescriber wsDesc, ref bool untrustedSSLSecureChannel, ref List<Param> respHeader)
{
HttpWebRequest wr = GetHttpWebReq(wsDesc);
HttpWebResponse wres = null;
try
{
wres = (HttpWebResponse)wr.GetResponse();
}
catch (WebException wex)
{
if (wex.Status == WebExceptionStatus.TrustFailure)
{
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
wr = GetHttpWebReq(wsDesc);
wres = (HttpWebResponse)wr.GetResponse();
untrustedSSLSecureChannel = true;
}
}
if (wres != null)
{
for (int i = 0; i < wres.Headers.Count; ++i)
{
respHeader.Add(new Param() { Name = wres.Headers.Keys[i].ToLowerInvariant(), Value = wres.Headers[i].ToLowerInvariant() });
}
StreamReader streamReader = new StreamReader(wres.GetResponseStream());
rawWSDL = XDocument.Parse(streamReader.ReadToEnd());
TextReader myTextReader = new StringReader(rawWSDL.ToString());
serviceDescription = ServiceDescription.Read(myTextReader);
TargetNameSpace = serviceDescription.TargetNamespace;
bindColl = serviceDescription.Bindings;
portTypColl = serviceDescription.PortTypes;
msgColl = serviceDescription.Messages;
types = serviceDescription.Types;
schemas = types.Schemas;
}
}
private HttpWebRequest GetHttpWebReq(WSDescriber wsDesc)
{
HttpWebRequest wr = (HttpWebRequest)HttpWebRequest.Create(wsDesc.WSDLAddress);
wr.Proxy = WebRequest.DefaultWebProxy;
wr.Credentials = System.Net.CredentialCache.DefaultCredentials;
wr.Proxy.Credentials = System.Net.CredentialCache.DefaultCredentials;
if (!string.IsNullOrEmpty(wsDesc.Username))
{
wr.Credentials = new NetworkCredential(wsDesc.Username, wsDesc.Password);
}
return wr;
}
private void CheckVulnsExceptAuth(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln,
string targetNameSpace, WSDescriber wsDesc, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject,
bool isDebug, ref List<Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags)
{
int paramIndexToTest = 0;
for (int i = 0; i < operation.Parameters.Count; i++)
{
if (i == paramIndexToTest)
{
foreach (string payload in vuln.request)
{
bool vulnFoundForParam = false;
wsInvoker.AddParameter(operation.Parameters[i].Name, payload.Trim());
for (int j = 0; j < operation.Parameters.Count; j++)
{
if (j != paramIndexToTest)
{
SetParameterDefaultValue(wsInvoker, operation.Parameters[j], isDebug);
}
}
try
{
try
{
reportObject.TotalRequestCount++;
wsInvoker.InvokeMethod(operation.MethodName, targetNameSpace, wsDesc, ref respHeader, customSoapHeaderTags, customSoapBodyTags);
}
catch (SoapException soapEx)
{
SetSoapFaultException(operation, soapEx, WSItemVulnerabilities, isDebug);
}
catch (Exception ex)
{
throw ex;
}
}
finally { wsInvoker.PosInvoke(); }
mainForm.Log(" StatusCode: " + wsInvoker.StatusCode, FontStyle.Regular, isDebug);
mainForm.Log(" Result: " + wsInvoker.ResultString, FontStyle.Regular, isDebug);
if (!string.IsNullOrEmpty(vuln.statusCode))
{
if (vuln.statusCode.Equals(wsInvoker.StatusCode.ToString()))
{
if (vuln.response == null || vuln.response.Count() == 0)
{
SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, operation.Parameters[i].Name, " " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Status Code: " + vuln.statusCode);
vulnFoundForParam = true;
}
else
{
foreach (string text in vuln.response)
{
if (wsInvoker.ResultString.Trim().Contains(text.Trim()))
{
SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, operation.Parameters[i].Name, " " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Response Text Contains: " + text + " - Status Code: " + vuln.statusCode);
vulnFoundForParam = true;
break;
}
}
}
}
}
else
{
foreach (string text in vuln.response)
{
//if (System.Text.RegularExpressions.Regex.IsMatch(wsInvoker.ResultString.Trim(), text.Trim(), System.Text.RegularExpressions.RegexOptions.IgnoreCase))
if (wsInvoker.ResultString.Trim().Contains(text.Trim()))
{
// Vulnerability Found
SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, operation.Parameters[i].Name, " " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Response Text Contains: " + text);
vulnFoundForParam = true;
break;
}
}
}
if (vulnFoundForParam)
{
break;
}
}
}
paramIndexToTest++;
}
}
public void InvokeMethod(string methodName, string targetNameSpace, WSDescriber wsDesc, ref List<Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags)
{
InvokeMethod(methodName, true, targetNameSpace, wsDesc, ref respHeader, customSoapHeaderTags, customSoapBodyTags);
}
private void InvokeMethod(string methodName, bool encode, string targetNameSpace, WSDescriber wsDesc,
ref List<Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags)
{
AssertCanInvoke(methodName);
string soapStr =
@"<?xml version=""1.0"" encoding=""utf-8""?>
<soap:Envelope xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance""
xmlns:xsd=""http://www.w3.org/2001/XMLSchema""
xmlns:soap=""http://schemas.xmlsoap.org/soap/envelope/"">
<soap:Header>{2}</soap:Header>
<soap:Body>
<{0} xmlns=""http://tempuri.org/"">
{1}
</{0}>
</soap:Body>
</soap:Envelope>";
HttpWebRequest req = (HttpWebRequest)WebRequest.Create(Url);
string strSlash = string.Empty;
if (!targetNameSpace.EndsWith("/")) strSlash = "/";
req.Headers.Add("SOAPAction", "\"" + targetNameSpace + strSlash + methodName + "\"");
req.ContentType = "text/xml;charset=\"utf-8\"";
req.Accept = "text/xml";
req.Method = "POST";
if (wsDesc != null && !string.IsNullOrEmpty(wsDesc.Username))
{
SetBasicAuthHeader(req, wsDesc.Username, wsDesc.Password);
}
using (Stream stm = req.GetRequestStream())
{
string postValues = "";
foreach (Param param in Params)
{
if (encode) postValues += string.Format("<{0}>{1}</{0}>", HttpUtility.HtmlEncode(param.Name), HttpUtility.HtmlEncode(param.Value));
else postValues += string.Format("<{0}>{1}</{0}>", param.Name, param.Value);
}
if (!string.IsNullOrEmpty(customSoapBodyTags))
{
postValues = customSoapBodyTags + postValues;
}
soapStr = string.Format(soapStr, methodName, postValues, customSoapHeaderTags);
using (StreamWriter stmw = new StreamWriter(stm))
{
stmw.Write(soapStr);
}
}
try
{
HttpWebResponse resp = (HttpWebResponse)req.GetResponse();
SetHeader(resp, ref respHeader);
StatusCode = (int)resp.StatusCode;
using (StreamReader responseReader = new StreamReader(resp.GetResponseStream()))
{
string result = responseReader.ReadToEnd();
ResponseSOAP = XDocument.Parse(result);
ExtractResult(methodName, targetNameSpace);
}
}
catch (WebException wex)
{
if (wex.Response != null)
{
HttpWebResponse resp = (HttpWebResponse)wex.Response;
SetHeader(resp, ref respHeader);
StatusCode = (int)(resp).StatusCode;
ResultString = new StreamReader(wex.Response.GetResponseStream())
.ReadToEnd();
}
else
{
if (wex.Status == WebExceptionStatus.Timeout)
{
ResultString = "The operation has timed out.";
StatusCode = 408;
}
}
ThrowIfSoapFault(ResultString);
}
catch (Exception ex)
{
throw ex;
}
finally {
}
}
private void btnOpenFile_Click(object sender, EventArgs e)
{
DialogResult result = openFileDialog1.ShowDialog(); // Show the dialog.
if (result == DialogResult.OK) // Test result.
{
services = new List<WSDescriber>();
string line;
StreamReader file = null;
try
{
file = new StreamReader(openFileDialog1.FileName);
while ((line = file.ReadLine()) != null)
{
if (!string.IsNullOrEmpty(line))
{
if (!line.StartsWith("#"))
{
WSDescriber wsDesc = new WSDescriber();
string[] arr = line.Split('|');
wsDesc.WSDLAddress = arr[0].Trim();
wsDesc.WSUri = new Uri(arr[0].Trim());
if (arr.Length > 1)
{
wsDesc.Username = arr[1].Trim();
wsDesc.Password = arr[2].Trim();
}
services.Add(wsDesc);
}
}
}
}
catch
{
}
finally {
if (file != null)
{
file.Close();
}
}
lblSelectedFileName.Text = openFileDialog1.FileName;
}
}
