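/// <summary>
/// Submits every form found on <paramref name="URL"/> with all of its input fields set to
/// <c>xssAttackPattern</c> and records a finding when the response echoes the pattern back.
/// </summary>
/// <remarks>
/// Detection is a plain substring match on the response body. A hit means the pattern was
/// reflected verbatim; it does not establish which HTML context it landed in or which of the
/// submitted fields was reflected, so recorded findings are candidates to be confirmed manually.
/// </remarks>
/// <param name="URL">Address of the page whose forms are tested.</param>
public void attackAllInputfields(string URL)
{
    // Fetch the page and let the parser extract its forms.
    WebCrawler spider = new WebCrawler(URL);
    string htmlContent = spider.fetchPage();
    HtmlParser p = new HtmlParser(URL, htmlContent);

    // One inner list per form: element 0 is used as the form's target URL,
    // elements 1..n are used as the field names.
    List<List<string>> inputFields = p.getFormsInputFields();
    if (inputFields == null)
    {
        return;
    }

    foreach (List<string> form in inputFields)
    {
        // Skip malformed entries and forms without any field: no pattern would be sent,
        // so a match in the response could only be a false positive.
        if (form == null || form.Count < 2)
        {
            continue;
        }

        // NOTE(review): the target URL is taken from the fetched page, so it may point at a
        // host other than URL; confirm HtmlParser or the caller keeps requests inside the
        // agreed test scope.
        string currentFormURL = form[0];

        // NOTE(review): names and pattern are joined without URL-encoding; confirm whether
        // WebPostRequest.AddParamsToHeader encodes them, otherwise '&', '=' or '+' in either
        // one changes the body that is actually sent.
        List<string> pairs = new List<string>();
        for (int fieldIndex = 1; fieldIndex < form.Count; fieldIndex++)
        {
            pairs.Add(form[fieldIndex] + "=" + xssAttackPattern);
        }
        string currentFormFieldsHeader = string.Join("&", pairs.ToArray());

        string resultHTML;
        try
        {
            WebPostRequest myPost = new WebPostRequest(currentFormURL);
            myPost.AddParamsToHeader(currentFormFieldsHeader);
            resultHTML = myPost.GetResponse();
        }
        catch (WebException exep)
        {
            // A failed request for one form must not abort the scan of the remaining forms
            // (attackEachInputfield already catches WebException around its request).
            SharedVariables.myTestingForm.displayOutputActivity(string.Format("Unknown error : {0}\n\r", exep.Message));
            continue;
        }

        // A null or empty body cannot contain the pattern.
        if (string.IsNullOrEmpty(resultHTML) || !resultHTML.Contains(xssAttackPattern))
        {
            continue;
        }

        // NOTE(review): the URL and field names originate from the scanned page and are passed
        // on unchanged; confirm displayOutputActivity renders them as plain text and
        // ExploitsManager.add stores them through parameterized statements.
        SharedVariables.myTestingForm.displayOutputActivity("the page : " + currentFormURL + " has an XSS vulnerable in one of its form fields \n\r saving the vulnerability for later reviews\n\r");
        ExploitsManager e = new ExploitsManager();
        e.add(_profileID.ToString(), "XSS", currentFormURL + "\n\r form fields values : " + currentFormFieldsHeader, "Unknown");
    }
}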
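/// <summary>
/// Tests each form field on <paramref name="URL"/> separately with <c>sqlAttackPattern</c>,
/// so that a finding names the exact field that triggered it.
/// </summary>
/// <remarks>
/// One POST is sent per field: the field under test carries the pattern and every other field
/// carries the filler value "11". A "SQL Injection" finding is recorded when the response
/// contains one of the <c>sqlSuccessResult</c> strings, and a "Maybe SQL Injection" finding when
/// the request raises a <c>WebException</c>. Both are heuristics and need manual confirmation.
/// </remarks>
/// <param name="URL">Address of the page whose forms are tested.</param>
public void attackEachInputfield(string URL)
{
    // Fetch the page and let the parser extract its forms.
    WebCrawler spider = new WebCrawler(URL);
    string htmlContent = spider.fetchPage();
    HtmlParser parser = new HtmlParser(URL, htmlContent);

    // One inner list per form: element 0 is used as the form's target URL,
    // elements 1..n are used as the field names.
    List<List<string>> inputFields = parser.getFormsInputFields();
    if (inputFields == null)
    {
        return;
    }

    foreach (List<string> form in inputFields)
    {
        // Skip malformed entries and forms that have no field to test.
        if (form == null || form.Count < 2)
        {
            continue;
        }

        // NOTE(review): the target URL is taken from the fetched page, so it may point at a
        // host other than URL; confirm HtmlParser or the caller keeps requests inside the
        // agreed test scope.
        string currentFormURL = form[0];

        for (int targetIndex = 1; targetIndex < form.Count; targetIndex++)
        {
            string targetField = form[targetIndex];

            // The field under test goes first, followed by the filler for the other fields in
            // their original order. The header is always empty at this point, so the old
            // "second param" branch could never run and has been dropped.
            // NOTE(review): names and values are joined without URL-encoding; confirm whether
            // WebPostRequest.AddParamsToHeader encodes them.
            List<string> pairs = new List<string>();
            pairs.Add(targetField + "=" + sqlAttackPattern);
            for (int i = 1; i < form.Count; i++)
            {
                if (i != targetIndex)
                {
                    pairs.Add(form[i] + "=11");
                }
            }
            string currentFormFieldsHeader = string.Join("&", pairs.ToArray());

            string resultHTML;
            try
            {
                WebPostRequest myPost = new WebPostRequest(currentFormURL);
                myPost.AddParamsToHeader(currentFormFieldsHeader);
                resultHTML = myPost.GetResponse();
            }
            catch (WebException exep)
            {
                SharedVariables.myTestingForm.displayOutputActivity(string.Format("Unknown error : {0}\n\r", exep.Message));

                // NOTE(review): every WebException is recorded as a candidate, including
                // timeouts and connection failures unrelated to the input. Consider checking
                // exep.Status (for example WebExceptionStatus.ProtocolError) before recording.
                SharedVariables.myTestingForm.displayOutputActivity("the page : " + currentFormURL + " maybe has a SQL Injection vulnerable in \"" + targetField + "\" form field\n\r saving the vulnerability for later reviews\n\r");
                ExploitsManager maybe = new ExploitsManager();
                maybe.add(_profileID.ToString(), "Maybe SQL Injection", currentFormURL + " \n\r form fields values : " + currentFormFieldsHeader, targetField);

                // No response body was received, so there is nothing to match signatures against.
                continue;
            }

            if (string.IsNullOrEmpty(resultHTML))
            {
                continue;
            }

            foreach (string s in sqlSuccessResult)
            {
                // An empty signature would match every response.
                if (string.IsNullOrEmpty(s) || !resultHTML.Contains(s))
                {
                    continue;
                }

                // NOTE(review): the URL and field names originate from the scanned page; confirm
                // ExploitsManager.add stores them through parameterized statements.
                SharedVariables.myTestingForm.displayOutputActivity("the page : " + currentFormURL + " has a SQL Injection vulnerable in \"" + targetField + "\" form field\n\r saving the vulnerability for later reviews\n\r");
                ExploitsManager e = new ExploitsManager();
                e.add(_profileID.ToString(), "SQL Injection", currentFormURL + " \n\r form fields values : " + currentFormFieldsHeader, targetField);

                // Stop at the first matching signature so one field yields one finding; the
                // previous `continue` only advanced this loop and let further signatures
                // record the same field again.
                break;
            }
        }
    }
}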