public void CustomTester_TestMultiPayloads()
{
TrafficViewerFile mockSite = new TrafficViewerFile();
CustomTestDef def = new CustomTestDef("BlindSQLABC", "Blind SQL",
@"a\,,b,c", "");
TestJob job = new TestJob("x", "y", RequestLocation.Query, def);
CustomTestsFile file = GetCustomTestFile();
Tester tester = new Tester(new MockTestController(mockSite), file);
var list = tester.GeneratePayloadListFromMutation("GET /x=y HTTP/1.1\r\n", job, false, "don't care");
Assert.IsNotNull(list);
Assert.AreEqual(3, list.Count);
Assert.AreEqual("a,", list[0]);
Assert.AreEqual("b", list[1]);
Assert.AreEqual("c", list[2]);
}
public void CustomTester_TestMultiPayloadsWithTicks()
{
TrafficViewerFile mockSite = new TrafficViewerFile();
CustomTestDef def = new CustomTestDef("BlindSQLABC", "Blind SQL",
@"__dynamic_value__ticks__,__dynamic_value__ticks__,__dynamic_value__ticks__", "");
TestJob job = new TestJob("x", "y", RequestLocation.Query, def);
CustomTestsFile file = GetCustomTestFile();
Tester tester = new Tester(new MockTestController(mockSite), file);
var entity_string = tester.GetEntityString("GET /x=y HTTP/1.1\r\n", new Uri("http://localhost/x=y"), "x", "y");
var entity_id = tester.GetEntityId(new Uri("http://localhost/x=y"), "x");
var list = tester.GenerateMutatedRequestList("GET /x=y HTTP/1.1\r\n", job, entity_string, entity_id);
Assert.IsNotNull(list);
Assert.AreEqual(3, list.Count);
Assert.AreNotEqual(list[0], list[1]);
Assert.AreNotEqual(list[1], list[2]);
}
private static CustomTestsFile GetCustomTestFile()
{
CustomTestsFile testFile = new CustomTestsFile();
var customTests = testFile.GetCustomTests();
customTests.Clear();
customTests.Add("Path Traversal", new CustomTestDef("Path Traversal", "Path Traversal", "$original" + MockTestController.PATH_TRAVERSAL, "root\\:"));
testFile.SetCustomTests(customTests);
testFile.LoginBeforeTests = false;
testFile.TestOnlyParameters = true;
var targetList = testFile.GetAttackTargetList();
targetList.Add("all", new AttackTarget("all", "Enabled", ".*"));
testFile.SetAttackTargetList(targetList);
return(testFile);
}
public void CustomTestProxy_TestJSValidation()
{
MockProxy mockSite = new MockProxy();
string testReq = "GET /r1?p1=test HTTP/1.1\r\n";
mockSite.MockSite.AddRequestResponse(testReq, "HTTP/1.1 200 OK\r\n\r\nFound user test");
mockSite.Start();
CustomTestsFile testFile = GetCustomTestFile();
var tests = testFile.GetCustomTests();
tests.Clear();
tests.Add("PathTraversal",
new CustomTestDef("PathTraversal", "Path Traversal",
"$original/" + MockTestController.PATH_TRAVERSAL,
"$js_code=function Callback(response){var found = false; if(response.indexOf('root')>-1) found=true; return found;}"));
testFile.SetCustomTests(tests);
testFile.Save();
TrafficViewerFile testDataStore = new TrafficViewerFile();
MockTestController mockTestController = new MockTestController(mockSite.MockSite);
var targetList = new Dictionary <string, AttackTarget>();
targetList.Add("r1", new AttackTarget("r1", "Enabled", "r1"));
testFile.SetAttackTargetList(targetList);
DriveByAttackProxy testProxy = new DriveByAttackProxy(mockTestController, testFile, testDataStore);
testProxy.Start();
SendRequestThroughTestProxy(testReq, testProxy, mockSite);
Thread.Sleep(100);
testProxy.Stop();
Assert.IsTrue(mockTestController.IssuesFound.ContainsKey("p1"));
}
private void LoadFile(string path)
{
bool loaded = true;
_testFile = new CustomTestsFile();
if (File.Exists(path))
{
loaded = _testFile.Load(path);
}
if (!loaded)
{
ErrorBox.ShowDialog("Could not load file");
return;
}
_grid.SetValues((List <string>)_testFile.GetOption(CUSTOM_TESTS));
runAutomaticallyToolStripMenuItem.Checked = _testFile.AutoRunTests;
_testRunner.SetTestFile(_testFile);
}
public void CustomTester_EmptyQueryParamUnitTest()
{
TrafficViewerFile mockSite = new TrafficViewerFile();
mockSite.AddRequestResponse(String.Format("GET /search.jsp?query={0} HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n", MockTestController.PATH_TRAVERSAL),
MockTestController.PATH_TRAVERSAL_RESPONSE);
MockTestController mockTestController = new MockTestController(mockSite);
string testRequest = "GET /search.jsp?query= HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n";
string paramName = "query";
CustomTestsFile file = GetCustomTestFile();
Tester tester = new Tester(mockTestController, file);
CustomTestDef def = file.GetCustomTests()["Path Traversal"];
HttpRequestInfo original = new HttpRequestInfo(testRequest, true);
Uri uri = new Uri(original.FullUrl);
tester.ExecuteTests(testRequest, "", uri, paramName, null, RequestLocation.Query, def);
Assert.IsTrue(mockTestController.IssuesFound.ContainsKey(paramName));
}
public void CustomTester_DynamicValue()
{
MockTestController mockTestController = new MockTestController();
string testRequest = "GET /search.jsp?query= HTTP/1.1\r\nDyn:__dynamic_value__ticks__\r\nHost: 127.0.0.1\r\n\r\n";
string paramName = "query";
CustomTestsFile file = GetCustomTestFile();
Tester tester = new Tester(mockTestController, file);
CustomTestDef def = file.GetCustomTests()["Path Traversal"];
HttpRequestInfo original = new HttpRequestInfo(testRequest, true);
Uri uri = new Uri(original.FullUrl);
tester.ExecuteTests(testRequest, "", uri, paramName, null, RequestLocation.Query, def);
Assert.IsTrue(mockTestController.IssuesFound.ContainsKey(paramName));
Assert.AreEqual(1, mockTestController.MutatedRequests.Count, "Incorrect number of mutated requests");
HttpRequestInfo mutatedRequest = new HttpRequestInfo(mockTestController.MutatedRequests[0]);
Assert.IsTrue(Utils.IsMatch(mutatedRequest.Headers["Dyn"], "\\d+"), "Incorrect dynamic header value");
}
public void CustomTester_TestScriptingRuleManyAs()
{
TrafficViewerFile mockSite = new TrafficViewerFile();
CustomTestDef def = new CustomTestDef("ManyAs", "Buffer Overflow",
"$js_code=function Callback(){var ret = ''; for(var i=0;i<100;i++){ret+='A';} return ret;}", "");
TestJob job = new TestJob("x", "y", RequestLocation.Query, def);
CustomTestsFile file = GetCustomTestFile();
Tester tester = new Tester(new MockTestController(mockSite), file);
var list = tester.GeneratePayloadListFromMutation("GET /x=y HTTP/1.1\r\n", job, false, "bla");
Assert.IsNotNull(list);
Assert.AreEqual(1, list.Count);
string expected = "";
for (int i = 0; i < 100; i++)
{
expected += "A";
}
Assert.AreEqual(expected, list[0]);
}
public void CustomTestProxy_500Error()
{
MockProxy mockSite = new MockProxy();
string first = "GET / HTTP/1.1\r\n";
string second = Resources.IdeasPmc;
string third = "POST /r2 HTTP/1.1\r\n\r\np2=1234\r\n\r\n";
mockSite.MockSite.AddRequestResponse(first, "HTTP/1.1 200 OK\r\n\r\nbla");
mockSite.MockSite.AddRequestResponse(second, "HTTP/1.1 200 OK\r\n\r\nroot:0:0");
mockSite.MockSite.AddRequestResponse(third, "HTTP/1.1 200 OK\r\n\r\nbla");
mockSite.Start();
CustomTestsFile testFile = GetCustomTestFile();
TrafficViewerFile testDataStore = new TrafficViewerFile();
MockTestController mockTestController = new MockTestController();
SequentialAttackProxy testProxy = new SequentialAttackProxy(mockTestController, testFile, testDataStore);
testFile.PatternOfFirstRequestToTest = ".*pmc";
testProxy.Start();
HttpResponseInfo respInfo;
for (int i = 0; i < 2; i++)
{
respInfo = SendRequestThroughTestProxy(first, testProxy, mockSite);
Assert.AreNotEqual(500, respInfo.Status);
SendRequestThroughTestProxy(second, testProxy, mockSite);
Assert.AreNotEqual(500, respInfo.Status);
SendRequestThroughTestProxy(third, testProxy, mockSite);
Assert.AreNotEqual(500, respInfo.Status);
}
testProxy.Stop();
Assert.IsFalse(mockTestController.IssuesFound.ContainsKey("p2"));
Assert.IsTrue(mockTestController.IssuesFound.ContainsKey("itoken"));
}
public HttpResponseInfo CustomTestUnitExecution(string request, MockTestController mockTestController, SequentialAttackProxy testProxy = null, MockProxy mockSite = null)
{
bool shouldStopMockSite = false;
if (mockSite == null)
{
shouldStopMockSite = true;
mockSite = new MockProxy(request, "HTTP/1.1 200 OK\r\n\r\nroot:0:0");
mockSite.Start();
}
CustomTestsFile testFile = GetCustomTestFile();
bool shouldStopTestProxy = false;
if (testProxy == null)
{
shouldStopTestProxy = true;
TrafficViewerFile testDataStore = new TrafficViewerFile();
testProxy = new SequentialAttackProxy(mockTestController, testFile, testDataStore);
testProxy.Start();
}
var response = SendRequestThroughTestProxy(request, testProxy, mockSite);
if (shouldStopMockSite)
{
mockSite.Stop();
}
if (shouldStopTestProxy)
{
testProxy.Stop();
}
return(response);
}
public void CustomTester_Fuzz()
{
TrafficViewerFile mockSite = new TrafficViewerFile();
MockTestController mockTestController = new MockTestController(mockSite);
string testRequest = "GET /search.aspx?txtSearch=(" + Constants.FUZZ_STRING + ") HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n";
string paramName = "txtSearch";
CustomTestsFile file = GetCustomTestFile();
Tester tester = new Tester(mockTestController, file);
CustomTestDef def = file.GetCustomTests()["Path Traversal"];
HttpRequestInfo original = new HttpRequestInfo(testRequest, true);
Uri uri = new Uri(original.FullUrl);
string entityId = tester.GetEntityId(uri, paramName);
string entityString = tester.GetEntityString(testRequest, uri, paramName, original.QueryVariables[paramName]);
TestJob testJob = new TestJob(paramName, original.QueryVariables[paramName], RequestLocation.Query, def);
string mutatedRequest = tester.GenerateMutatedRequestList(testRequest, testJob, entityString, entityId)[0];
HttpRequestInfo mutatedReqInfo = new HttpRequestInfo(mutatedRequest, true);
Assert.IsTrue(mutatedReqInfo.QueryVariables.ContainsKey(paramName), "Could no longer find parameter");
Assert.AreEqual("(" + MockTestController.PATH_TRAVERSAL + ")", mutatedReqInfo.QueryVariables[paramName], "Incorrect test value");
}
public void SetTestFile(CustomTestsFile testFile)
{
_testFile = testFile;
}
public AttackTargetsSetup(CustomTestsFile file)
{
_testFile = file;
InitializeComponent();
}
public void SetTestFile(CustomTestsFile testFile)
{
_testFile = testFile;
_verbose = testFile.Verbose;
}
public ActionBasedMultiStepSetup(CustomTestsFile file)
{
_testFile = file;
InitializeComponent();
}
public TestOptions(CustomTestsFile testFile)
{
_testFile = testFile;
InitializeComponent();
}
private HttpResponseInfo StartProxy(HttpRequestInfo requestInfo)
{
IHttpProxy proxy;
//get the port from the url
string portString = null;
requestInfo.QueryVariables.TryGetValue("port", out portString);
//optional secret to protect the recording session
string secret = null;
requestInfo.QueryVariables.TryGetValue("secret", out secret);
//the host to record traffic for
string targetHost = null;
requestInfo.QueryVariables.TryGetValue("targetHost", out targetHost);
//whether to execute inline tests
string test = null;
requestInfo.QueryVariables.TryGetValue("test", out test);
int port;
if (int.TryParse(portString, out port) && port >= 0 && port <= 65535)
{
if (CollectorProxyList.Instance.ProxyList.ContainsKey(port))
{
return(GetResponse(400, "Bad Request", "Port in use."));
}
if (targetHost == null)
{
return(GetResponse(400, "Bad Request", "'targetHost' parameter is not specified."));
}
if (!Utils.IsMatch(targetHost, "^[\\w._-]+$") || !Utils.IsMatch(targetHost, TrafficCollectorSettings.Instance.AllowedHostsPattern))
{
return(GetResponse(400, "Bad Request", "Invalid target host!"));
}
try
{
TrafficViewerFile trafficFile = new TrafficViewerFile();
trafficFile.Profile = ParsingOptions.GetRawProfile();
//optional secret to prevent others stopping the recording
if (!String.IsNullOrWhiteSpace(secret))
{
trafficFile.Profile.SetSingleValueOption("secret", secret);
}
trafficFile.Profile.SetSingleValueOption("targetHost", targetHost);
if (test != null && test.Equals("true"))
{
CustomTestsFile testsFile = new CustomTestsFile();
testsFile.Load(TrafficCollectorSettings.Instance.TestFile);
Dictionary <string, AttackTarget> targetDef = new Dictionary <string, AttackTarget>();
targetDef.Add("targetHost", new AttackTarget("targetHost", "Enabled", String.Format("Host:\\s*{0}", targetHost)));
testsFile.SetAttackTargetList(targetDef);
proxy = new DriveByAttackProxy(new TestController(trafficFile), testsFile, trafficFile, TrafficCollectorSettings.Instance.Ip, port);
}
else
{
proxy = new AdvancedExploreProxy(TrafficCollectorSettings.Instance.Ip, port, trafficFile);
}
proxy.NetworkSettings.CertificateValidationCallback = new RemoteCertificateValidationCallback(CollectorAPIController.ValidateServerCertificate);
proxy.NetworkSettings.WebProxy = HttpWebRequest.GetSystemWebProxy();
proxy.Start();
CollectorProxyList.Instance.ProxyList.Add(proxy.Port, proxy);
}
catch (Exception ex)
{
return(GetResponse(500, "Unexpected error.", ex.Message));
}
}
else
{
return(GetResponse(400, "Bad Request", "Invalid 'port' parameter."));
}
return(GetResponse(200, "OK", "Proxy is listening on port: {0}.", proxy.Port));
}
