def check(data): """ This function checks the website for SQL injection. @param data: The data object of the program. @type data: Classes.Data @return: None """ sqli_results = Classes.CheckResults("SQL Injection", COLOR) try: data.mutex.acquire() pages = data.pages # Achieving the pages. aggressive = data.aggressive data.mutex.release() for page in pages: # Getting the forms of each page. forms = filter_forms(page) if forms and not aggressive: # The user did not specified his agreement. # and there is a vulnerable page. sqli_results.warning = "The plugin check routine requires injecting text boxes," \ " read about (-A) in our manual and try again." break for form in forms: try: sql_injection(page, form, data) except Exception: continue except Exception as e: sqli_results.error = "Something went wrong..." non_blind_problem.problem = "These text inputs *may* have allowed SQL injection," \ " the plugin has detected an error message that " \ f"may indicate about a SQL vulnerability,\n" \ f"while using the query '{query}'." sqli_results.results.append(non_blind_problem) blind_problem.problem = "These text inputs allowed blind SQL injection, " \ f"the query '{query}' has slowed down the server's response." sqli_results.results.append(blind_problem) sqli_results.conclusion = f"You can validate the input from the " \ f"vulnerable parameters, by checking for " \ f"vulnerable characters or wrong input type." data.mutex.acquire() data.results_queue.put(sqli_results) # Adding the results to the queue. data.mutex.release()
def check(data): """ This function checks the website for CSRF. @param data: The data object of the program. @type data: Classes.Data @return: None """ csrf_results = Classes.CheckResults("CSRF", COLOR) try: data.mutex.acquire() pages = data.pages # Achieving the pages. aggressive = data.aggressive data.mutex.release() for page in pages: # Getting the forms of each page. forms = filter_forms(page) if forms and not aggressive: # The user did not specified his agreement. # and there is a vulnerable page. csrf_results.warning = "The plugin check routine requires injecting text boxes," \ " read about (-A) in our manual and try again." break for form in forms: try: csrf(page, form, data) except Exception: continue except Exception as e: csrf_results.error = "Something went wrong..." if problem_get.page_results or problem_referer.page_results: # Found a vulnerability. csrf_results.warning = "WARNING: The CSRF vulnerability is relevant only for action" \ " forms that involve the user's data." csrf_results.success = success_message csrf_results.results.append(problem_get) csrf_results.results.append(problem_referer) csrf_results.conclusion = "The best way to prevent CSRF vulnerability is to use CSRF Tokens, " \ "read more about it in: 'https://portswigger.net/web-security/csrf/tokens'." data.mutex.acquire() data.results_queue.put(csrf_results) # Adding the results to the queue. data.mutex.release()
def check(data): """ This function checks the website for blind/non-blind OS injection. @param data: The data object of the program. @type data: Classes.Data @return: None """ ci_results = Classes.CheckResults("Command Injection", COLOR) try: data.mutex.acquire() pages = data.pages # Achieving the pages. aggressive = data.aggressive data.mutex.release() for page in pages: # Getting the forms of each page. forms = filter_forms(page) if forms and not aggressive: # The user did not specified his agreement. # and there is a vulnerable page. ci_results.warning = "The plugin check routine requires injecting text boxes," \ " read about (-A) in our manual and try again." break for form in forms: try: command_injection(page, form, data) except Exception: continue except Exception as e: ci_results.error = "Something went wrong..." ci_results.results.append(blind_problem) ci_results.results.append(non_blind_problem) ci_results.conclusion = f"You can validate the input from the " \ f"vulnerable parameters, by checking for " \ f"vulnerable characters or wrong input type." data.mutex.acquire() data.results_queue.put( ci_results) # Adding the results to the data object. data.mutex.release()
def check(data: Classes.Data): domxss_result: Classes.CheckResult = check_dom(data) xss_result: Classes.CheckResult = Classes.CheckResult( XSS_PROBLEM_STR, XSS_SOLUTION_STR, XSS_EXPLANATION_STR) stored_xss_result: Classes.CheckResult = Classes.CheckResult( STORED_XSS_PROBLEM_STR, STORED_XSS_SOLUTION_STR, STORED_XSS_EXPLANATION_STR) all_xss_results: Classes.CheckResults = Classes.CheckResults("XSS", COLOR) data.mutex.acquire() aggressive = data.aggressive pages = data.pages data.mutex.release() if not aggressive: all_xss_results.warning = "Unfortunately this plugin cannot perform any aggressive checks since the -A flag was not checked, please use -h to learn more about this flag.\n" vulnerable_pages = [] for page in pages: # Only check html pages. if 'html' not in page.type: continue # Get Content Security Policy Information. csp_info: dict = csp_check(page) if csp_info is not None: # Get information about the script CSP info. allowed_script_sources: dict = {} for key, value in csp_info['allow_scripts']: if value: allowed_script_sources[key] = value # Get information about the img CSP info. allowed_image_sources: dict = {} for key, value in csp_info['allow_images']: if value: allowed_image_sources[key] = value # Show conclusion of the Content Security Policy evaluation. if '*' not in allowed_script_sources.keys( ) and not '*' in allowed_image_sources.keys(): problem_str = "Page is protected by 'Content-Security-Policy' Headers and therefor is protected from general xss vulnerabilities.\nYou should still check for 'Content-Security-Policy' bypass vulnerabilities.\n" if len(allowed_script_sources.keys()) > 0: problem_str += f"Please also note that some interesting `script-src` CSP Headers were also found: {allowed_script_sources.keys()}\n" if len(allowed_image_sources.keys()) > 0: problem_str += f"Please also note that some interesting `img-src` CSP Headers were also found: {allowed_image_sources.keys()}\n" xss_result.add_page_result( Classes.PageResult(page, problem_str)) continue csp_conclusion = "The XSS plugin has checked the 'Content-Security-Policy' Headers.\n" str_to_add = str( "The response headers did not contain any Content-Security-Policy Headers and therefor all XSS payloads might be effective!\n" if csp_info is None else f"The 'Content-Security-Policy' Headers that were found were in `script-src` {allowed_script_sources.keys()} and in `img-src` {allowed_image_sources.keys()}\n" ) csp_conclusion += str_to_add xss_result.add_page_result(Classes.PageResult(page, csp_conclusion)) # Do not perform this aggressive method if the aggressive flag is not checked. if not aggressive: # Skip this page. continue else: # Perform payload injection and check for stored xss. # Use the Content Security Policy information to select the appropriate payloads. allowed_sources: tuple = (True, True) if csp_info is not None: allowed_sources = ('*' in allowed_script_sources.keys(), '*' in allowed_image_sources.keys()) # Select appropriate payloads according to the CSP information. allowed_payloads = select_payloads(allowed_sources) # Try to trigger an alert with all the selected available payloads. vulnerable_forms: dict = brute_force_alert(data, page, allowed_payloads) if vulnerable_forms is None: continue # Page has no forms and therefor we do not check it. for vulnerable_form_id in vulnerable_forms.keys(): # Get information about successful attack. vulnerable_form = vulnerable_forms[vulnerable_form_id][0] vulnerable_input = vulnerable_forms[vulnerable_form_id][1] successful_payload = vulnerable_forms[vulnerable_form_id][2] special_string = vulnerable_forms[vulnerable_form_id][3] xss_result.add_page_result( Classes.PageResult( page, f"Found a form that had caused an alert to pop from the following payload: '{successful_payload}'.\nThe Vulnerable Form is (Form Index [{vulnerable_form_id}]):\n{vulnerable_form}\nThe Vulnerable Input is:\n{vulnerable_input}\n" )) vulnerable_pages.append( (page, special_string )) # Will be used by the stored xss checks later. # Check each of the already vulnerable pages for stored xss. vulnerable_stored: list = check_for_stored(data, vulnerable_pages) if vulnerable_stored is not None and len(vulnerable_stored) != 0: for page_with_stored in vulnerable_stored: stored_xss_result.add_page_result( Classes.PageResult( page_with_stored, f"This page had shown an alert after refreshing it which strongly indicates it may vulnerable to stored xss.\n" )) # Deliver Analysis. all_xss_results.results.append(xss_result) all_xss_results.results.append(domxss_result) all_xss_results.results.append(stored_xss_result) data.mutex.acquire() data.results_queue.put(all_xss_results) data.mutex.release()