 def validate_resp(self, res):
     """Compare *res* against two fresh baseline responses for self.target.

     Returns True when diff() reports no difference between the two
     baselines and *res* (the probed response is indistinguishable from
     the baseline), and False when diff() reports a difference.
     """
     baseline_a = request(self.target)
     baseline_b = request(self.target)
     # diff() is a project helper; a truthy result is treated as "differs".
     return not diff(baseline_a, baseline_b, res)
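    def no_verify_detect(self, token):
        """Probe whether the target accepts a request whose CSRF token was altered.

        *token* describes where the token lives, keyed by location
        ('query', 'headers', 'body'); each entry maps token parameter
        names to their current values. A deep copy of self.target1 is
        built with every listed value replaced by
        self.mutation_csrf_value(value); two baseline requests go to
        self.target1 and one to the mutated copy. Returns True when
        diff() reports no difference between the mutated response and
        the baselines (the token is not verified), False otherwise, and
        False without sending anything when *token* lists none of the
        three locations (the original raised on the unbound ``target``).
        """
        import copy

        # Work on a deep copy: the original aliased ``target = self.target1``
        # and mutated it in place, so the two "baseline" requests below were
        # sent with the mutated token as well and the comparison was void.
        target = copy.deepcopy(self.target1)
        mutated = False

        # CSRF token in query.
        if 'query' in token:
            repart = urlparse(target['url'])
            query = parse_qs(repart.query)
            for key, value in token['query'].items():
                # parse_qs yields lists; keep the replaced value list-shaped.
                query[key] = self.mutation_csrf_value(value).split(' ')
            pairs = []
            for key, value in query.items():
                # Only redirect_uri is re-quoted; other values are emitted as
                # parse_qs decoded them, matching the original behaviour.
                first = quote(value[0]) if key == 'redirect_uri' else value[0]
                pairs.append(key + '=' + first)
            target['url'] = repart._replace(query='&'.join(pairs)).geturl()
            mutated = True

        # CSRF token in headers. Only the header(s) named in *token* are
        # replaced; the original rewrote every header of the target, which
        # changes the response for reasons unrelated to the token.
        if 'headers' in token:
            header = target['headers']
            for key, value in token['headers'].items():
                header[key] = self.mutation_csrf_value(value)
            mutated = True

        # CSRF token in body. Reads the body from self.target1 (the original
        # read self.target here while every other branch used self.target1).
        if 'body' in token:
            body = target['body']
            for key, value in token['body'].items():
                body[key] = self.mutation_csrf_value(value)
            mutated = True

        if not mutated:
            return False

        res1 = request(self.target1)
        res2 = request(self.target1)
        res3 = request(target)
        # No observable difference between mutated and baseline responses
        # means the token value was not checked.
        return not diff(res2, res3, res1)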
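	def run(self):
		"""Probe the first entry of self.scope and report the mutation and diff result.

		Returns a ``(mutated_url, diff_result)`` pair for the first scope
		entry, or None when self.scope is empty. The ``return`` inside the
		loop is kept from the original: only the first entry is exercised.
		"""
		for entry in self.scope:
			muri = self.mutate(entry)
			# Copy before editing: the original did ``target = self.target`` and
			# overwrote its 'url', so the two baseline requests were also sent to
			# the mutated URL and diff() compared three identical probes.
			target = dict(self.target)
			target['url'] = muri
			res1 = request(self.target)
			res2 = request(self.target)
			res3 = request(target)
			return muri, diff(res1, res2, res3)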
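    def remove_token_detect(self, token):
        """Probe whether the target still succeeds once its CSRF token is removed.

        *token* maps a location ('query', 'headers', 'body') to the token
        parameter(s) found there. A deep copy of self.target1 is built with
        those parameters deleted; two baseline requests go to self.target1
        and one to the stripped copy. Returns True when diff() reports no
        difference (the request is accepted without the token), False
        otherwise, and False without sending anything when *token* lists
        none of the three locations. Raises KeyError when a listed
        parameter is not present in the corresponding part of self.target1.
        """
        import copy

        # Deep copy: the original aliased self.target1 and deleted the token
        # in place, so the baseline requests were sent without it as well.
        target = copy.deepcopy(self.target1)
        stripped = False

        if 'query' in token:
            repart = urlparse(target['url'])
            query = parse_qs(repart.query)
            # Drop every listed token parameter (the original only removed
            # the last key its loop happened to iterate).
            for key in token['query']:
                del query[key]
            pairs = []
            for key, value in query.items():
                # Only redirect_uri is re-quoted, as in the original.
                first = quote(value[0]) if key == 'redirect_uri' else value[0]
                pairs.append(key + '=' + first)
            target['url'] = repart._replace(query='&'.join(pairs)).geturl()
            stripped = True

        if 'headers' in token:
            for key in token['headers']:
                del target['headers'][key]
            stripped = True

        # CSRF token in body.
        if 'body' in token:
            for key in token['body']:
                del target['body'][key]
            stripped = True

        if not stripped:
            return False

        res1 = request(self.target1)
        res2 = request(self.target1)
        res3 = request(target)
        # No observable difference means the token was not required.
        return not diff(res1, res2, res3)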
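 def detect(self, muri, scanid):
     """Request *muri* once and record a finding when the redirect check succeeds.

     The check is self.validate_code(res) when self.check_cookie() is true,
     otherwise self.validate_resp(res). On a truthy result a message is
     printed, a "Redirection" record ``{scanid, type, payload}`` is written
     through self.db.insert_record and True is returned; otherwise False.
     """
     # Shallow copy: the original assigned ``target = self.target`` and
     # overwrote its 'url', which also changed self.target for any later
     # baseline request built from it.
     target = dict(self.target)
     target['url'] = muri
     res = request(target)
     if self.check_cookie():
         result = self.validate_code(res)
     else:
         result = self.validate_resp(res)
     if not result:
         return False
     # Both branches of the original reported and stored the same way.
     print("%s[+]Target is vulnerable to open redirect attack. %s" %
           (self.logger.Y, self.logger.W))
     data = {"scanid": scanid, "type": self.type, "payload": muri}
     self.db.insert_record("Redirection", data)
     return True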
 def extract_urls_from_homepage(self):
     """Fetch the homepage of self.redirect's registered domain and extract its URLs.

     The scheme comes from urlparse(self.redirect); domain and suffix come
     from tldextract, so any subdomain is dropped. The response is passed
     to urlextract(self.redirect, res) and its result returned.
     """
     parsed = urlparse(self.redirect)
     ext = tldextract.extract(self.redirect)
     homepage = "%s://%s.%s" % (parsed.scheme, ext.domain, ext.suffix)
     res = request({'url': homepage})
     return urlextract(self.redirect, res)
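	def scan(self):
		"""Try each candidate in self.redirect and return the first URI that is followed.

		When check_redirect() is false, ``?url=`` is first appended to
		self.target (a string in this block). A candidate counts when the
		response status is 3xx and its Location header starts with the
		candidate. Returns that URI, or False when no candidate matches.
		"""
		if not check_redirect():
			# Add the query parameter the candidates are appended through.
			self.target = self.target + "?url="
		# The original duplicated this loop in both branches.
		for candidate in self.redirect:
			uri = merge(candidate)
			res = request(uri)
			# str() so an int status code works as well as the string the
			# original indexed with [0].
			if str(res.status_code)[0] != '3':
				continue
			# A 3xx without a Location header is not a match (was a KeyError);
			# assumes res.headers is a mapping with .get() — confirm against request().
			if res.headers.get('Location', '').startswith(candidate):
				return uri
		return False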
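 def detect(self, muri, scanid):
     """Request *muri* once and return whether the redirect check succeeds.

     Uses self.validate_code(res) when self.check_cookie() is true,
     otherwise self.validate_resp(res); the result's truthiness is
     returned as a bool. *scanid* is accepted for interface compatibility
     and is not used in this block.
     """
     # Shallow copy: the original overwrote self.target['url'] in place.
     target = dict(self.target)
     target['url'] = muri
     res = request(target)
     if self.check_cookie():
         result = self.validate_code(res)
     else:
         result = self.validate_resp(res)
     return bool(result)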
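 def detect(self, scanid):
     """Check every URI crawled from the main page and record the first positive one.

     Candidates come from self.craw_uri(self.fetch_main()); each is merged
     with self.merge() and requested. The response is checked with
     self.validate_code when self.check_cookie() is true, otherwise with
     self.validate_resp. On the first truthy result a message is printed,
     a "Redirection" record ``{scanid, type, payload}`` is written through
     db.insert_record and True is returned. Returns False when there are
     no candidates or none is positive.
     """
     main = self.fetch_main()
     candidates = self.craw_uri(main)
     if not candidates:
         return False
     # Loop-invariant; hoisted out of the per-candidate work.
     use_code_check = self.check_cookie()
     for candidate in candidates:
         muri = self.merge(candidate)
         res = request(muri)
         # The original handed the crawled URL list (not the response) to the
         # validator, and returned False after the first non-positive
         # candidate, so only one URI was ever checked.
         if use_code_check:
             result = self.validate_code(res)
         else:
             result = self.validate_resp(res)
         if not result:
             continue
         # The original format string had one %s for two arguments (TypeError).
         print("%s[+]Target is vulnerable to SOM redirect attack. %s" %
               (self.logger.Y, self.logger.W))
         data = {"scanid": scanid, "type": self.type, "payload": muri}
         db.insert_record("Redirection", data)
         return True
     return False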