def validate_resp(self, res):
    """Compare ``res`` with two fresh responses fetched for ``self.target``.

    ``self.target`` is requested twice and both responses are handed to
    ``diff()`` together with ``res``.

    Args:
        res: Response obtained by the caller for the request under test.

    Returns:
        ``True`` when ``diff()`` yields a falsy value, ``False`` otherwise.
    """
    baseline_a = request(self.target)
    baseline_b = request(self.target)
    return not diff(baseline_a, baseline_b, res)
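def no_verify_detect(self, token):
    """Check whether a request with an altered CSRF token is handled like the original.

    The token locations present in ``token`` (``'query'``, ``'headers'``,
    ``'body'``) are rewritten with ``self.mutation_csrf_value()`` on a copy of
    ``self.target1``. The unmodified request is sent twice as a baseline and
    the altered copy once; the three responses are passed to ``diff()``.

    Args:
        token: Mapping whose keys name where the CSRF token was found.
            ``token['query']`` maps parameter names to their values.

    Returns:
        ``True`` when ``diff()`` yields a falsy value, ``False`` otherwise.
        ``False`` is also returned, without sending anything, when nothing
        could be altered.
    """
    # Work on a copy. Binding ``target`` to self.target1 itself would send the
    # baseline requests below with the altered token too, and the comparison
    # would then say nothing about token verification.
    target = dict(self.target1)
    mutated = False

    # CSRF token in query.
    if 'query' in token:
        repart = urlparse(self.target1['url'])
        query = parse_qs(repart.query)
        for key, value in token['query'].items():
            query[key] = self.mutation_csrf_value(value).split(' ')
            mutated = True
        # Only the first value of each parameter is kept, and apart from
        # redirect_uri the decoded values are not re-encoded.
        pairs = []
        for key, value in query.items():
            if key == 'redirect_uri':
                value[0] = quote(value[0])
            pairs.append(key + '=' + value[0])
        target['url'] = repart._replace(query='&'.join(pairs)).geturl()

    # CSRF token in headers.
    if 'headers' in token:
        # NOTE(review): every request header is altered here, not only the
        # ones named in token['headers'] - confirm that is intended.
        header = {
            key: self.mutation_csrf_value(value)
            for key, value in self.target1['headers'].items()
        }
        target['headers'] = header
        if header:
            mutated = True

    # CSRF token in body.
    if 'body' in token:
        # NOTE(review): the body is read from self.target while every other
        # branch uses self.target1 - confirm which one is meant.
        body = {
            key: self.mutation_csrf_value(value)
            for key, value in self.target['body'].items()
        }
        target['body'] = body
        if body:
            mutated = True

    if not mutated:
        # No known token location: there is no altered request to compare, so
        # report "not detected" rather than failing on an unbound ``target``.
        return False

    res1 = request(self.target1)
    res2 = request(self.target1)
    res3 = request(target)

    # Judge whether it is vulnerable.
    return not diff(res2, res3, res1)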
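def run(self):
    """Probe every entry of ``self.scope`` and report the last comparison.

    For each entry the mutated URI from ``self.mutate()`` is requested once,
    the unmodified ``self.target`` twice, and the three responses are passed
    to ``diff()``.

    Returns:
        A ``(muri, result)`` tuple for the last entry processed, or
        ``(None, None)`` when ``self.scope`` is empty.
    """
    # NOTE(review): the listing lost its indentation; the return is placed
    # after the loop here - confirm against the original file.
    muri = None
    result = None
    for entry in self.scope:
        muri = self.mutate(entry)
        # Probe with a copy. Writing the mutated URL into self.target itself
        # would make the two baseline requests identical to the probe.
        probe = dict(self.target)
        probe['url'] = muri
        res1 = request(self.target)
        res2 = request(self.target)
        res3 = request(probe)
        result = diff(res1, res2, res3)
    return muri, result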
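def remove_token_detect(self, token):
    """Check whether a request with its CSRF token removed is handled like the original.

    Every token field named in ``token`` (under ``'query'``, ``'headers'`` or
    ``'body'``) is removed from a copy of ``self.target1``. The unmodified
    request is sent twice as a baseline and the stripped copy once; the three
    responses are passed to ``diff()``.

    Args:
        token: Mapping from a location name to the token fields found there.

    Returns:
        ``True`` when ``diff()`` yields a falsy value, ``False`` otherwise.
        ``False`` is also returned, without sending anything, when no token
        field was actually present in the request.
    """
    # Work on copies. Deleting from self.target1's own dicts would strip the
    # token from the baseline requests as well and make the comparison
    # meaningless.
    target = dict(self.target1)
    removed = False

    # CSRF token in query.
    if 'query' in token:
        repart = urlparse(self.target1['url'])
        query = parse_qs(repart.query)
        for key in token['query']:
            if key in query:
                del query[key]
                removed = True
        # Only the first value of each parameter is kept, and apart from
        # redirect_uri the decoded values are not re-encoded.
        pairs = []
        for key, value in query.items():
            if key == 'redirect_uri':
                value[0] = quote(value[0])
            pairs.append(key + '=' + value[0])
        target['url'] = repart._replace(query='&'.join(pairs)).geturl()

    # CSRF token in headers.
    if 'headers' in token:
        header = dict(self.target1['headers'])
        for key in token['headers']:
            if key in header:
                del header[key]
                removed = True
        target['headers'] = header

    # CSRF token in body.
    if 'body' in token:
        body = dict(self.target1['body'])
        for key in token['body']:
            if key in body:
                del body[key]
                removed = True
        target['body'] = body

    if not removed:
        # Nothing was stripped, so the probe would equal the baseline and a
        # matching response would be a false positive.
        return False

    res1 = request(self.target1)
    res2 = request(self.target1)
    res3 = request(target)

    # Judge whether it is vulnerable.
    return not diff(res1, res2, res3)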
def detect(self, muri, scanid):
    """Request ``muri`` and record an open-redirect finding when validation succeeds.

    The response is checked with ``self.validate_code()`` when
    ``self.check_cookie()`` is truthy and with ``self.validate_resp()``
    otherwise. A truthy check prints a message and stores a "Redirection"
    record through ``self.db``.

    Args:
        muri: URL to request.
        scanid: Scan identifier stored with the finding.

    Returns:
        ``True`` when a finding was recorded, ``False`` otherwise.
    """
    # NOTE(review): ``probe`` is self.target itself, so the URL under test
    # stays on the instance after this call - confirm that later baseline
    # requests are not meant to use the original URL.
    probe = self.target
    probe['url'] = muri
    res = request(probe)

    if self.check_cookie():
        vulnerable = self.validate_code(res)
    else:
        vulnerable = self.validate_resp(res)
    if not vulnerable:
        return False

    print("%s[+]Target is vulnerable to open redirect attack. %s" % (self.logger.Y, self.logger.W))
    finding = {"scanid": scanid, "type": self.type, "payload": muri}
    self.db.insert_record("Redirection", finding)
    return True
def extract_urls_from_homepage(self):
    """Fetch the home page of ``self.redirect``'s domain and extract URLs from it.

    The home page URL is rebuilt from the scheme of ``self.redirect`` plus the
    ``domain`` and ``suffix`` parts reported by ``tldextract``; nothing else
    from ``self.redirect`` is carried into that URL.

    Returns:
        Whatever ``urlextract(self.redirect, response)`` returns.
    """
    parsed = urlparse(self.redirect)
    parts = tldextract.extract(self.redirect)
    homepage = "{0}://{1}.{2}".format(parsed.scheme, parts.domain, parts.suffix)
    response = request({'url': homepage})
    return urlextract(self.redirect, response)
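def scan(self):
    """Return the first merged URI whose redirect response points at its payload.

    Each entry of ``self.redirect`` is merged into a URI and requested. An
    entry matches when the status code starts with ``'3'`` and the
    ``Location`` header starts with that entry.

    Returns:
        The matching URI, or ``False`` when no entry matches.
    """
    if not check_redirect():
        # check_redirect() was falsy: append a "?url=" parameter to the target
        # before probing.
        # NOTE(review): the listing lost its line breaks; this assignment is
        # read as code following a short "# Add" comment - confirm.
        self.target = self.target + "?url="

    for payload in self.redirect:
        uri = merge(payload)
        res = request(uri)
        # NOTE(review): status_code is indexed like a string - confirm that
        # request() returns it as str rather than int.
        if res.status_code[0] != '3':
            continue
        try:
            location = res.headers['Location']
        except KeyError:
            # A 3xx response need not carry Location (e.g. 304); skip it
            # instead of aborting the whole scan.
            continue
        if location.startswith(payload):
            return uri
    return False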
def detect(self, muri, scanid):
    """Request ``muri`` and report whether the response passes validation.

    The response is checked with ``self.validate_code()`` when
    ``self.check_cookie()`` is truthy and with ``self.validate_resp()``
    otherwise.

    Args:
        muri: URL to request.
        scanid: Accepted but not used by this method.

    Returns:
        ``True`` when the selected check is truthy, ``False`` otherwise.
    """
    # NOTE(review): ``probe`` is self.target itself, so the URL under test
    # stays on the instance after this call - confirm that is intended.
    probe = self.target
    probe['url'] = muri
    res = request(probe)

    if self.check_cookie():
        outcome = self.validate_code(res)
    else:
        outcome = self.validate_resp(res)
    return bool(outcome)
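def detect(self, scanid):
    """Probe every crawled URI and record the first redirect finding.

    URIs come from ``self.craw_uri(self.fetch_main())``. Each one is merged,
    requested and checked with ``self.validate_code()`` when
    ``self.check_cookie()`` is truthy, otherwise with
    ``self.validate_resp()``. The first truthy check prints a message and
    stores a "Redirection" record.

    Args:
        scanid: Scan identifier stored with the finding.

    Returns:
        ``True`` when a finding was recorded, ``False`` when no URI was
        crawled or none passed the check.
    """
    main = self.fetch_main()
    candidates = self.craw_uri(main)
    if not candidates:
        return False

    for candidate in candidates:
        muri = self.merge(candidate)
        response = request(muri)
        # Validate the response just received. The original passed the crawled
        # URI list to the validators and never used the response.
        if self.check_cookie():
            hit = self.validate_code(response)
        else:
            hit = self.validate_resp(response)
        if not hit:
            # Keep going: returning here would leave every URI after the
            # first one untested.
            continue

        # The format string needs a second %s for the colour reset; with only
        # one placeholder the two-argument tuple raises TypeError.
        print(
            "%s[+]Target is vulnerable to SOM redirect attack. %s" %
            (self.logger.Y, self.logger.W))
        data = {
            "scanid": scanid,
            "type": self.type,
            "payload": muri
        }
        db.insert_record("Redirection", data)
        return True
    return False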