def check(data):
"""
This function checks the website for SQL injection.
@param data: The data object of the program.
@type data: Classes.Data
@return: None
"""
sqli_results = Classes.CheckResults("SQL Injection", COLOR)
try:
data.mutex.acquire()
pages = data.pages # Achieving the pages.
aggressive = data.aggressive
data.mutex.release()
for page in pages:
# Getting the forms of each page.
forms = filter_forms(page)
if forms and not aggressive:
# The user did not specified his agreement.
# and there is a vulnerable page.
sqli_results.warning = "The plugin check routine requires injecting text boxes," \
" read about (-A) in our manual and try again."
break
for form in forms:
try:
sql_injection(page, form, data)
except Exception:
continue
except Exception as e:
sqli_results.error = "Something went wrong..."
non_blind_problem.problem = "These text inputs *may* have allowed SQL injection," \
" the plugin has detected an error message that " \
f"may indicate about a SQL vulnerability,\n" \
f"while using the query '{query}'."
sqli_results.results.append(non_blind_problem)
blind_problem.problem = "These text inputs allowed blind SQL injection, " \
f"the query '{query}' has slowed down the server's response."
sqli_results.results.append(blind_problem)
sqli_results.conclusion = f"You can validate the input from the " \
f"vulnerable parameters, by checking for " \
f"vulnerable characters or wrong input type."
data.mutex.acquire()
data.results_queue.put(sqli_results) # Adding the results to the queue.
data.mutex.release()
def check(data):
"""
This function checks the website for CSRF.
@param data: The data object of the program.
@type data: Classes.Data
@return: None
"""
csrf_results = Classes.CheckResults("CSRF", COLOR)
try:
data.mutex.acquire()
pages = data.pages # Achieving the pages.
aggressive = data.aggressive
data.mutex.release()
for page in pages:
# Getting the forms of each page.
forms = filter_forms(page)
if forms and not aggressive:
# The user did not specified his agreement.
# and there is a vulnerable page.
csrf_results.warning = "The plugin check routine requires injecting text boxes," \
" read about (-A) in our manual and try again."
break
for form in forms:
try:
csrf(page, form, data)
except Exception:
continue
except Exception as e:
csrf_results.error = "Something went wrong..."
if problem_get.page_results or problem_referer.page_results:
# Found a vulnerability.
csrf_results.warning = "WARNING: The CSRF vulnerability is relevant only for action" \
" forms that involve the user's data."
csrf_results.success = success_message
csrf_results.results.append(problem_get)
csrf_results.results.append(problem_referer)
csrf_results.conclusion = "The best way to prevent CSRF vulnerability is to use CSRF Tokens, " \
"read more about it in: 'https://portswigger.net/web-security/csrf/tokens'."
data.mutex.acquire()
data.results_queue.put(csrf_results) # Adding the results to the queue.
data.mutex.release()
def check(data):
"""
This function checks the website for blind/non-blind OS injection.
@param data: The data object of the program.
@type data: Classes.Data
@return: None
"""
ci_results = Classes.CheckResults("Command Injection", COLOR)
try:
data.mutex.acquire()
pages = data.pages # Achieving the pages.
aggressive = data.aggressive
data.mutex.release()
for page in pages:
# Getting the forms of each page.
forms = filter_forms(page)
if forms and not aggressive:
# The user did not specified his agreement.
# and there is a vulnerable page.
ci_results.warning = "The plugin check routine requires injecting text boxes," \
" read about (-A) in our manual and try again."
break
for form in forms:
try:
command_injection(page, form, data)
except Exception:
continue
except Exception as e:
ci_results.error = "Something went wrong..."
ci_results.results.append(blind_problem)
ci_results.results.append(non_blind_problem)
ci_results.conclusion = f"You can validate the input from the " \
f"vulnerable parameters, by checking for " \
f"vulnerable characters or wrong input type."
data.mutex.acquire()
data.results_queue.put(
ci_results) # Adding the results to the data object.
data.mutex.release()
def check(data: Classes.Data):
domxss_result: Classes.CheckResult = check_dom(data)
xss_result: Classes.CheckResult = Classes.CheckResult(
XSS_PROBLEM_STR, XSS_SOLUTION_STR, XSS_EXPLANATION_STR)
stored_xss_result: Classes.CheckResult = Classes.CheckResult(
STORED_XSS_PROBLEM_STR, STORED_XSS_SOLUTION_STR,
STORED_XSS_EXPLANATION_STR)
all_xss_results: Classes.CheckResults = Classes.CheckResults("XSS", COLOR)
data.mutex.acquire()
aggressive = data.aggressive
pages = data.pages
data.mutex.release()
if not aggressive:
all_xss_results.warning = "Unfortunately this plugin cannot perform any aggressive checks since the -A flag was not checked, please use -h to learn more about this flag.\n"
vulnerable_pages = []
for page in pages:
# Only check html pages.
if 'html' not in page.type:
continue
# Get Content Security Policy Information.
csp_info: dict = csp_check(page)
if csp_info is not None:
# Get information about the script CSP info.
allowed_script_sources: dict = {}
for key, value in csp_info['allow_scripts']:
if value:
allowed_script_sources[key] = value
# Get information about the img CSP info.
allowed_image_sources: dict = {}
for key, value in csp_info['allow_images']:
if value:
allowed_image_sources[key] = value
# Show conclusion of the Content Security Policy evaluation.
if '*' not in allowed_script_sources.keys(
) and not '*' in allowed_image_sources.keys():
problem_str = "Page is protected by 'Content-Security-Policy' Headers and therefor is protected from general xss vulnerabilities.\nYou should still check for 'Content-Security-Policy' bypass vulnerabilities.\n"
if len(allowed_script_sources.keys()) > 0:
problem_str += f"Please also note that some interesting `script-src` CSP Headers were also found: {allowed_script_sources.keys()}\n"
if len(allowed_image_sources.keys()) > 0:
problem_str += f"Please also note that some interesting `img-src` CSP Headers were also found: {allowed_image_sources.keys()}\n"
xss_result.add_page_result(
Classes.PageResult(page, problem_str))
continue
csp_conclusion = "The XSS plugin has checked the 'Content-Security-Policy' Headers.\n"
str_to_add = str(
"The response headers did not contain any Content-Security-Policy Headers and therefor all XSS payloads might be effective!\n"
if csp_info is None else
f"The 'Content-Security-Policy' Headers that were found were in `script-src` {allowed_script_sources.keys()} and in `img-src` {allowed_image_sources.keys()}\n"
)
csp_conclusion += str_to_add
xss_result.add_page_result(Classes.PageResult(page, csp_conclusion))
# Do not perform this aggressive method if the aggressive flag is not checked.
if not aggressive:
# Skip this page.
continue
else:
# Perform payload injection and check for stored xss.
# Use the Content Security Policy information to select the appropriate payloads.
allowed_sources: tuple = (True, True)
if csp_info is not None:
allowed_sources = ('*' in allowed_script_sources.keys(), '*'
in allowed_image_sources.keys())
# Select appropriate payloads according to the CSP information.
allowed_payloads = select_payloads(allowed_sources)
# Try to trigger an alert with all the selected available payloads.
vulnerable_forms: dict = brute_force_alert(data, page,
allowed_payloads)
if vulnerable_forms is None:
continue # Page has no forms and therefor we do not check it.
for vulnerable_form_id in vulnerable_forms.keys():
# Get information about successful attack.
vulnerable_form = vulnerable_forms[vulnerable_form_id][0]
vulnerable_input = vulnerable_forms[vulnerable_form_id][1]
successful_payload = vulnerable_forms[vulnerable_form_id][2]
special_string = vulnerable_forms[vulnerable_form_id][3]
xss_result.add_page_result(
Classes.PageResult(
page,
f"Found a form that had caused an alert to pop from the following payload: '{successful_payload}'.\nThe Vulnerable Form is (Form Index [{vulnerable_form_id}]):\n{vulnerable_form}\nThe Vulnerable Input is:\n{vulnerable_input}\n"
))
vulnerable_pages.append(
(page, special_string
)) # Will be used by the stored xss checks later.
# Check each of the already vulnerable pages for stored xss.
vulnerable_stored: list = check_for_stored(data, vulnerable_pages)
if vulnerable_stored is not None and len(vulnerable_stored) != 0:
for page_with_stored in vulnerable_stored:
stored_xss_result.add_page_result(
Classes.PageResult(
page_with_stored,
f"This page had shown an alert after refreshing it which strongly indicates it may vulnerable to stored xss.\n"
))
# Deliver Analysis.
all_xss_results.results.append(xss_result)
all_xss_results.results.append(domxss_result)
all_xss_results.results.append(stored_xss_result)
data.mutex.acquire()
data.results_queue.put(all_xss_results)
data.mutex.release()
