/// <summary> /// The check for vulnerabilities. /// </summary> /// <param name="browser"> /// The browser. /// </param> /// <param name="testCase"> /// The testCase. /// </param> /// <param name="testValue"> /// The tested val. /// </param> private void CheckForVulnerabilities( BrowserAbstract browser, TestCase testCase, string testValue) { // waiting for page to load browser.WaitForPageLoad(5000); string alertText; browser.DismissedIfAlertDisplayed(out alertText); if (browser.AlertMessageDisplayed.Contains(TestBaseHelper.AttackSignature)) { // since we use the same browser instance clear the alerts after the issue has been logged browser.AlertMessageDisplayed.Clear(); // we found one issue this.vulnerabilityFound = true; Vulnerabilities.Enqueue(new Vulnerability { Title = testCase.TestName, Level = (int)VulnerabilityLevelEnum.High, TestedParam = string.Empty, TestedVal = testValue, Evidence = "Found by {0}".FormatIc(browser.BrowserType.ToString()), MatchString = testCase.MatchString, TestPlugin = GetType().Name }); } }
/// <summary> /// Overriding the Check Vulnerability implementation because we just want to look in the response headers. /// </summary> /// <param name="webRequestContext"> /// The web Request Context. /// </param> /// <param name="testcase"> /// The test case. /// </param> /// <param name="testedParam"> /// The tested Parameter. /// </param> /// <param name="testValue"> /// The tested Val. /// </param> /// <seealso cref="M:BackScatterScannerLib.Engine.TestBase.CheckForVuln(WebRequestContext,TestCase,string,string)"/> protected override void CheckForVulnerabilities( WebRequestContext webRequestContext, TestCase testcase, string testedParam, string testValue) { HttpWebResponseHolder response = webRequestContext.ResponseHolder; var fromHeaderValue = response.Headers["From"]; if (response.Headers == null || string.IsNullOrWhiteSpace(fromHeaderValue)) { return; } // Have we injected a from header and does it contain the domain we are attempting to redirect to? if (fromHeaderValue.IndexOf("*****@*****.**", StringComparison.InvariantCultureIgnoreCase) > -1) { Vulnerabilities.Enqueue(new Vulnerability { Title = "HTTP Response Splitting - Newline Injection", Level = (int)VulnerabilityLevelEnum.High, TestedParam = testedParam, TestedVal = testValue, HttpResponse = response, Evidence = $"From : {fromHeaderValue}", MatchString = testcase.MatchString, TestPlugin = GetType().Name }); } }
/// <inheritdoc/> protected override void CheckForVulnerabilities( WebRequestContext webRequestContext, TestCase testcase, string testedParam, string testValue) { if (webRequestContext.Browser.AlertMessageDisplayed.Contains(TestBaseHelper.AttackSignature)) { Vulnerabilities.Enqueue(new Vulnerability { Title = testcase.TestName, Level = (int)VulnerabilityLevelEnum.High, TestedParam = testedParam, TestedVal = testValue, HttpResponse = webRequestContext.ResponseHolder, Evidence = $"Found by {webRequestContext.Browser.BrowserType}", MatchString = testcase.MatchString, TestPlugin = GetType().Name }); } }
/// <summary> /// The inspect response. /// </summary> /// <param name="requestTarget"> /// The request target. /// </param> /// <param name="responseTarget"> /// The response target. /// </param> /// <param name="response"> /// The current response. /// </param> /// <param name="plugIn"> /// The plug in. /// </param> /// <param name="testCase"> /// The test case. /// </param> /// <param name="testParameter"> /// The tested parameter. /// </param> /// <param name="testValue"> /// The tested val. /// </param> public override void InspectResponse( ITarget requestTarget, ITarget responseTarget, HttpWebResponseHolder response, string plugIn, TestCase testCase, string testParameter, string testValue) { string accessControlAllowOrigin = response.Headers["Access-Control-Allow-Origin"]; if (!string.IsNullOrWhiteSpace(accessControlAllowOrigin) && accessControlAllowOrigin.IndexOf("*", StringComparison.InvariantCultureIgnoreCase) != -1) { bool matchFound = false; foreach (string allowedDomain in this.whiteListDomains) { if (Regex.Match(accessControlAllowOrigin, allowedDomain).Success) { matchFound = true; break; } } if (!matchFound) { Vulnerabilities.Enqueue(new Vulnerability { TestPlugin = GetType().Name + " (via " + plugIn + ")", Title = "Access-Control-Allow-Origin has wildcard for domain not in WebSec white list", Level = (int)VulnerabilityLevelEnum.Low, Evidence = accessControlAllowOrigin, HttpResponse = response }); } } }
/// <summary> /// The inspect response. /// </summary> /// <param name="requestTarget"> /// The request target. /// </param> /// <param name="responseTarget"> /// The response target. /// </param> /// <param name="response"> /// The current response. /// </param> /// <param name="plugIn"> /// The plug in. /// </param> /// <param name="testCase"> /// The test case. /// </param> /// <param name="testParameter"> /// The tested parameter. /// </param> /// <param name="testValue"> /// The tested val. /// </param> public override void InspectResponse( ITarget requestTarget, ITarget responseTarget, HttpWebResponseHolder response, string plugIn, TestCase testCase, string testParameter, string testValue) { string accessControlAllowMethods = response.Headers["Access-Control-Allow-Methods"]; if (!string.IsNullOrWhiteSpace(accessControlAllowMethods) && accessControlAllowMethods.ContainsAnyOi(new[] { "put", "delete", "options" })) { Vulnerabilities.Enqueue(new Vulnerability { TestPlugin = GetType().Name + " (via " + plugIn + ")", Title = "Access-Control-Allow-Methods allows methods other than GET and POST", Level = (int)VulnerabilityLevelEnum.Low, Evidence = accessControlAllowMethods, HttpResponse = response }); } }