def report(self, msg, flow, identifier):
if identifier not in self.missing_headers:
self.write("\n[VULN] %s - %s" % (msg, flow.request.url),
type="danger")
http_dumper = HTTPDumper(self.report_file, False)
http_dumper.dump("====================================")
http_dumper.dump("%s" % (msg))
http_dumper.dump("====================================")
http_dumper.save_http(flow)
self.missing_headers.append(identifier)
def response_analyzer(flow, options):
meta = flow.metadata["fuzz_pathtraversal"]
res = flow.response
write = options["write"]
if re.findall(b"root:|nobody:", res.content):
write("\n[VULN] Path Traversal via Query Params - %s" %
(flow.request.url),
type="danger")
http_dumper = HTTPDumper(options["report_file"], False)
http_dumper.dump("====================================")
http_dumper.dump("Path Traversal via Query Params")
http_dumper.dump("====================================")
http_dumper.save_http(flow)
def response_analyzer(flow, options):
"""
Totally Async
Reimplement
print (api_req)
"""
global api_reason, api_code
meta = flow.metadata["fuzz_api"]
res = flow.response
write = options["write"]
api_req = meta["api_rate_limit"]
api_name = meta["api_name"]
#Why 5 we are not sure whats the order
if api_req in [1, 2, 3, 4, 5]:
api_reason[api_name] = flow.response.reason
api_code[api_name] = flow.response.status_code
if api_req == settings.RATELIMIT_REQ_NOS - 1:
if api_reason[api_name] == flow.response.reason or api_code[api_name] == flow.response.status_code:
write("\n[VULN] API may not be rate limited (Requests %s) - %s" %
(str(api_req + 1), flow.request.url), type="danger")
http_dumper = HTTPDumper(options["report_file"], False)
http_dumper.dump("===========================")
http_dumper.dump("API may not be rate limited")
http_dumper.dump("===========================")
http_dumper.save_http(flow)
def error_rep(flow, lang, write, report_file):
write(
"\n[VULN] Possible Deserialization Vulnerability via Error Response in %s - %s"
% (flow.request.url, lang),
type="danger")
http_dumper = HTTPDumper(report_file, False)
http_dumper.dump(
"========================================================================"
)
http_dumper.dump(
"Possible Deserialization Vulnerability via Error Response in %s" %
lang)
http_dumper.dump(
"========================================================================"
)
http_dumper.save_http(flow)
def response_analyzer(flow, options):
meta = flow.metadata["fuzz_xss"]
res = flow.response
write = options["write"]
if meta["payload"] in res.content and "text/html" in get_content_type_lower(res):
write ("\n[VULN] Cross Site Scripting via Query Params - %s" %(flow.request.url), type="danger")
http_dumper = HTTPDumper(options["report_file"], False)
http_dumper.dump("====================================")
http_dumper.dump("Cross Site Scipting via Query Params")
http_dumper.dump("====================================")
http_dumper.save_http(flow)
def response_analyzer(flow, options):
meta = flow.metadata["fuzz_xxe"]
res = flow.response
md5 = meta["md5"]
write = options["write"]
# Reflection XXE
if bytes(settings.VALIDATE_STRING, "utf-8") in res.content:
write(
"\n[VULN] Generic XML External Entity (XXE) via Request Body - %s"
% (flow.request.url),
type="danger")
http_dumper = HTTPDumper(options["report_file"], False)
http_dumper.dump(
"====================================================")
http_dumper.dump(
"Generic XML External Entity (XXE) Payload Reflection")
http_dumper.dump(
"====================================================")
http_dumper.save_http(flow)
# OOB XXE
oob_validator = OOBValidator(settings.OUT_OF_BAND_SERVER)
if oob_validator.get_status_by_md5(md5):
write("\n[VULN] XML External Entity (XXE) via OOB Hash Method- %s" %
(flow.request.url),
type="danger")
http_dumper = HTTPDumper(options["report_file"], True)
http_dumper.dump("==============================================")
http_dumper.dump("XML External Entity (XXE) via OOB Hash Method")
http_dumper.dump("==============================================")
http_dumper.save_http(flow)
# Error Based
if any(bytes(exp, "utf-8") in res.content for exp in get_xxe_exceptions()):
write(
"\n[VULN] Possible XML External Entity (XXE) via XML exception- %s"
% (flow.request.url),
type="danger")
http_dumper = HTTPDumper(options["report_file"], False)
http_dumper.dump(
"====================================================")
http_dumper.dump(
"Possible XML External Entity (XXE) via XML exception")
http_dumper.dump(
"====================================================")
http_dumper.save_http(flow)
def response_analyzer(flow, options):
meta = flow.metadata["fuzz_deserialize"]
res = flow.response
req = flow.request
write = options["write"]
rep_file = options["report_file"]
# Error Based
if re.findall(b"pickle\.|<module>", res.content):
error_rep(flow, "Python", write, rep_file)
elif re.findall(b"incompatible marshal|`load'|control characters|`parse'",
res.content):
error_rep(flow, "Ruby", write, rep_file)
elif re.findall(b"E_NOTICE", res.content):
error_rep(flow, "PHP", write, rep_file)
elif re.findall(b"InvalidClassException|Exception in|at com\.",
res.content):
error_rep(flow, "Java", write, rep_file)
# Response Based Validator
if re.findall(b"root:|nobody:", res.content):
write("\n[VULN] Deserialization Vulnerability by Response - %s" %
(flow.request.url),
type="danger")
http_dumper = HTTPDumper(options["report_file"], True)
http_dumper.dump("=========================================")
http_dumper.dump("Deserialization Vulnerability by Response")
http_dumper.dump("=========================================")
http_dumper.save_http(flow)
# OOB
oob_validator = OOBValidator(settings.OUT_OF_BAND_SERVER)
if "md5" in meta:
md5 = meta["md5"]
if oob_validator.get_status_by_md5(md5):
write(
"\n[VULN] Deserialization Vulnerability via Body by OOB Method - %s"
% (flow.request.url),
type="danger")
http_dumper = HTTPDumper(options["report_file"], True)
http_dumper.dump("===========================================")
http_dumper.dump("Deserialization Vulnerability by OOB Method")
http_dumper.dump("===========================================")
http_dumper.save_http(flow)
# Blind
if "blind" in meta:
tms = meta["tms"]
ctms = time.time()
if (ctms - tms) > 8:
write(
"\n[VULN] Deserialization Vulnerability via Body by Blind Sleep Method - %s"
% (flow.request.url),
type="danger")
http_dumper = HTTPDumper(options["report_file"], False)
http_dumper.dump(
"=====================================================")
http_dumper.dump(
"Deserialization Vulnerability via Blind Sleep Method ")
http_dumper.dump(
"=====================================================")
http_dumper.save_http(flow)
def response_analyzer(flow, options):
meta = flow.metadata["fuzz_ssrf"]
res = flow.response
oob_validator = OOBValidator(settings.OUT_OF_BAND_SERVER)
write = options["write"]
if "url" in meta:
md5 = meta["md5"]
# OOB URL SSRF
if oob_validator.get_status_by_md5(md5):
write("\n[VULN] SSRF via OOB Hash Method - %s" %
(flow.request.url),
type="danger")
http_dumper = HTTPDumper(options["report_file"], False)
http_dumper.dump("=========================")
http_dumper.dump("SSRF via OOB Hash Method")
http_dumper.dump("=========================")
http_dumper.save_http(flow)
if "ip" in meta:
if oob_validator.get_status_by_ip(flow.request.url):
write("\nVULN] SSRF via OOB IP Method - %s" % (flow.request.url),
type="danger")
http_dumper = HTTPDumper(options["report_file"], True)
http_dumper.dump("=======================")
http_dumper.dump("SSRF via OOB IP Method")
http_dumper.dump("=======================")
http_dumper.save_http(flow)
if "count" in meta:
if oob_validator.get_status_by_count(9):
write("\n[VULN] SSRF via OOB Request Count Method - %s" %
(flow.request.url),
type="danger")
http_dumper = HTTPDumper(options["report_file"], True)
http_dumper.dump("=================================")
http_dumper.dump("SSRF via OOB Request Count Method")
http_dumper.dump("=================================")
http_dumper.save_http(flow)