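def get_script_body(urls, requests, request_headers, response_data):
    """Collect inline <script> elements and their block comments for the report.

    Every ``<script ...>...</script>`` element found in ``response_data[i]``
    is beautified, HTML-escaped and handed to
    ``rpt.make_module_report_file`` under the name ``"<i>body"``; every
    ``/* ... */`` comment found inside those elements is written under
    ``"<i>comment"``.  A table row is produced only the first time a URL
    (protocol://host/path) yields a script, and likewise for comments.

    Args:
        urls: per-request dicts; "protocol", "url" and "path" are read.
        requests: number of captured requests to walk.
        request_headers: not used by this function.
        response_data: response bodies, indexed like ``urls``.

    Returns:
        ``[js_body_rows, js_comment_rows]``, two lists of ``<td>`` fragments.
    """
    # NOTE(review): the pattern is case-sensitive, so elements written as
    # <SCRIPT> are not collected; confirm whether that gap is acceptable.
    script_pattern = r'(?s)<script.+?</script>'
    comment_pattern = r'(?s)/\*.+?\*/'

    js_body_rows = []
    js_body_path = []
    js_comment_rows = []
    js_comment_path = []
    hash_group = []

    for i in xrange(0, requests):
        entry = urls[i]
        full_path = entry["protocol"] + "://" + entry["url"] + entry["path"]

        body_js = re.findall(script_pattern, response_data[i])

        # Search the text of each script on its own.  The previous code ran
        # the regex over str(body_js), i.e. the repr() of the list, so the
        # reported comments carried escaped newlines/quotes and a match
        # could start in one script and end in the next.
        comment_js = []
        for script in body_js:
            comment_js.extend(re.findall(comment_pattern, script))

        for script in body_js:
            digest = utils.md5_object(full_path + script)
            if digest not in hash_group:
                if full_path not in js_body_path:
                    js_body_rows.append(
                        "<td>" + rpt.href(full_path) + "</td><td>" +
                        rpt.href(str(i) + "body") + "</td>")
                    hash_group.append(digest)
                    js_body_path.append(full_path)
                # The script text comes from the captured response, so it is
                # escaped before being embedded in the HTML report.
                content = jsbeautifier.js_beautify(script, "")
                content = utils.syntaxhighlighter(
                    "js", rpt.href(full_path), utils.html_escape(content))
                rpt.make_module_report_file(content, str(i) + "body")

        for comment in comment_js:
            digest = utils.md5_object(full_path + comment)
            if digest not in hash_group:
                if full_path not in js_comment_path:
                    js_comment_rows.append(
                        "<td>" + rpt.href(full_path) + "</td><td>" +
                        rpt.href(str(i) + "comment") + "</td>")
                    hash_group.append(digest)
                    js_comment_path.append(full_path)
                content = utils.syntaxhighlighter(
                    "js", rpt.href(full_path), utils.html_escape(comment))
                rpt.make_module_report_file(content, str(i) + "comment")

    js_body = [js_body_rows, js_comment_rows]
    return js_body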
def xml_analys(urls, requests, response_body, response_headers):
    """Add every distinct XML response to the "xml" report table.

    A response counts as XML when its ``Content-Type`` header contains the
    substring "xml".  Each URL (protocol://host/path) is reported once: the
    body is passed to ``utils.syntaxhighlighter`` and stored through
    ``rpt.make_module_report_file`` as ``"<i>file"``, and a two-cell table
    row links to the URL and to that file.

    Args:
        urls: per-request dicts with "protocol", "url", "path", "params"
            and "query" keys.
        requests: number of captured requests to walk.
        response_body: response bodies, indexed like ``urls``.
        response_headers: per-response header mappings.
    """
    seen_paths = []
    table_rows = []

    for idx in xrange(0, requests):
        record = urls[idx]
        protocol = record["protocol"]
        domain = record["url"]
        path = record["path"]
        params = record["params"]  # read but not used below
        query = record["query"]  # read but not used below
        full_path = protocol + "://" + domain + path

        headers = response_headers[idx]
        if not headers.has_key("Content-Type"):
            continue
        if "xml" not in str(headers["Content-Type"]) or full_path in seen_paths:
            continue

        seen_paths.append(full_path)
        report_name = str(idx) + "file"
        # NOTE(review): the response body reaches the HTML report without
        # utils.html_escape(), unlike get_script_body; confirm that
        # utils.syntaxhighlighter escapes its content, otherwise markup in
        # the body is interpreted by the browser that opens the report.
        content = utils.syntaxhighlighter("xml", rpt.href(full_path),
                                          response_body[idx])
        table_rows.append("<td>" + rpt.href(full_path) + "</td><td>" +
                          rpt.href(report_name) + "</td>")
        rpt.make_module_report_file(content, report_name)

    collums = {"XML": ["Path", "XML Analyzed"]}
    rows = {"XML": table_rows}
    tip = ""
    rpt.make_table("xml", tip, collums, rows)
def xml_analys(urls, requests, response_body, response_headers):
    """Report each XML response once in the "xml" table.

    Walks the first ``requests`` entries, keeps those whose ``Content-Type``
    header contains "xml" and whose URL has not been reported yet, writes
    the highlighted body to the report file ``"<i>file"`` and finally calls
    ``rpt.make_table`` with one row per reported URL.
    """
    reported = []
    xml_rows = []

    for i in xrange(0, requests):
        item = urls[i]
        protocol, domain, path = item["protocol"], item["url"], item["path"]
        params, query = item["params"], item["query"]  # looked up, unused
        full_path = protocol + "://" + domain + path

        hdrs = response_headers[i]
        if hdrs.has_key("Content-Type"):
            looks_like_xml = "xml" in str(hdrs["Content-Type"])
            if looks_like_xml and full_path not in reported:
                reported.append(full_path)
                # NOTE(review): response_body[i] is captured traffic and is
                # passed on unescaped, whereas get_script_body applies
                # utils.html_escape() first; verify syntaxhighlighter
                # escapes it so the report does not render embedded markup.
                content = utils.syntaxhighlighter(
                    "xml", rpt.href(full_path), response_body[i])
                path_cell = "<td>" + rpt.href(full_path) + "</td>"
                file_cell = "<td>" + rpt.href(str(i) + "file") + "</td>"
                xml_rows.append(path_cell + file_cell)
                rpt.make_module_report_file(content, str(i) + "file")

    collums = {"XML": ["Path", "XML Analyzed"]}
    rows = {"XML": xml_rows}
    tip = ""
    rpt.make_table("xml", tip, collums, rows)
def js_analys(urls, requests, response_data, request_headers, response_headers):
    """Build report rows for each distinct JavaScript response.

    A response is analysed when its ``Content-Type`` header contains
    "javascript" and its URL (protocol://host/path) has not been seen yet.
    The body is checked with ``utils.grep_statement`` for the "source" and
    "sink" groups of "javascript_patterns", beautified, highlighted and
    stored as report file ``"<i>file"``.

    Returns:
        A list of ``<td>`` fragments, one per analysed URL, holding the URL
        link, the Referer link (or "No Referer Header"), the report-file
        link and the source and sink warnings.
    """
    rows_out = []
    seen = []

    for idx in xrange(0, requests):
        record = urls[idx]
        protocol = record["protocol"]
        domain = record["url"]
        path = record["path"]
        params = record["params"]  # read but not used below
        query = record["query"]  # read but not used below
        full_path = protocol + "://" + domain + path

        resp_headers = response_headers[idx]
        if not resp_headers.has_key("Content-Type"):
            continue
        if ("javascript" not in str(resp_headers["Content-Type"])
                or full_path in seen):
            continue

        body = response_data[idx]
        source_warnings = utils.grep_statement("javascript_patterns", body,
                                               "source")
        sink_warnings = utils.grep_statement("javascript_patterns", body,
                                             "sink")
        # NOTE(review): the beautified body goes into the HTML report
        # without utils.html_escape(), unlike get_script_body; confirm that
        # utils.syntaxhighlighter escapes it, otherwise markup inside the
        # script is interpreted when the report is opened.
        content = jsbeautifier.js_beautify(body, "")
        content = utils.syntaxhighlighter("js", rpt.href(full_path), content)

        req_headers = request_headers[idx]
        origin = (rpt.href(req_headers["Referer"])
                  if req_headers.has_key("Referer") is True
                  else "No Referer Header")

        report_name = str(idx) + "file"
        cells = [rpt.href(full_path), origin, rpt.href(report_name),
                 source_warnings, sink_warnings]
        rows_out.append("<td>" + "</td><td>".join(cells) + "</td>")
        rpt.make_module_report_file(content, report_name)
        seen.append(full_path)

    return rows_out
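def get_script_body(urls, requests, request_headers, response_data):
    """Report inline scripts and the block comments they contain.

    For each captured response the ``<script ...>...</script>`` elements
    are extracted with a regex.  Each element, and each ``/* ... */``
    comment inside it, is HTML-escaped, highlighted and written through
    ``rpt.make_module_report_file`` (``"<i>body"`` / ``"<i>comment"``).
    Items whose md5 of URL + text is already recorded are skipped, and a
    table row is added only for the first hit on a given URL.

    Args:
        urls: per-request dicts; "protocol", "url" and "path" are read.
        requests: number of captured requests to walk.
        request_headers: accepted for interface compatibility, unused.
        response_data: response bodies, indexed like ``urls``.

    Returns:
        ``[js_body_rows, js_comment_rows]``.
    """
    js_body_rows, js_body_path = [], []
    js_comment_rows, js_comment_path = [], []
    hash_group = []

    for i in xrange(0, requests):
        url = urls[i]
        full_path = url["protocol"] + "://" + url["url"] + url["path"]
        body_js = re.findall(r'(?s)<script.+?</script>', response_data[i])

        # Extract comments from the script text itself.  Matching against
        # str(body_js) (the list's repr) returned comments with escaped
        # control characters and allowed matches spanning two scripts.
        comment_js = [found
                      for script in body_js
                      for found in re.findall(r'(?s)/\*.+?\*/', script)]

        for script in body_js:
            fingerprint = utils.md5_object(full_path + script)
            if fingerprint in hash_group:
                continue
            if full_path not in js_body_path:
                js_body_rows.append("<td>" + rpt.href(full_path) +
                                    "</td><td>" + rpt.href(str(i) + "body") +
                                    "</td>")
                hash_group.append(fingerprint)
                js_body_path.append(full_path)
            # Escaped because the text is taken from the captured response
            # and ends up inside the HTML report.
            pretty = utils.html_escape(jsbeautifier.js_beautify(script, ""))
            content = utils.syntaxhighlighter("js", rpt.href(full_path),
                                              pretty)
            rpt.make_module_report_file(content, str(i) + "body")

        for comment in comment_js:
            fingerprint = utils.md5_object(full_path + comment)
            if fingerprint in hash_group:
                continue
            if full_path not in js_comment_path:
                js_comment_rows.append("<td>" + rpt.href(full_path) +
                                       "</td><td>" +
                                       rpt.href(str(i) + "comment") + "</td>")
                hash_group.append(fingerprint)
                js_comment_path.append(full_path)
            content = utils.syntaxhighlighter("js", rpt.href(full_path),
                                              utils.html_escape(comment))
            rpt.make_module_report_file(content, str(i) + "comment")

    js_body = [js_body_rows, js_comment_rows]
    return js_body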
def js_analys(urls, requests, response_data, request_headers, response_headers):
    """Analyse JavaScript responses and return their report table rows.

    For every request whose response ``Content-Type`` contains "javascript"
    and whose URL was not handled before, the body is scanned with
    ``utils.grep_statement`` ("source" and "sink" pattern groups),
    beautified, highlighted and saved as report file ``"<i>file"``.  The
    returned list holds one five-cell ``<td>`` fragment per such URL.
    """
    js_rows = []
    handled = []

    for i in xrange(0, requests):
        item = urls[i]
        protocol, domain, path = item["protocol"], item["url"], item["path"]
        params, query = item["params"], item["query"]  # looked up, unused
        full_path = protocol + "://" + domain + path

        if response_headers[i].has_key("Content-Type"):
            content_type = str(response_headers[i]["Content-Type"])
            if "javascript" in content_type and full_path not in handled:
                source_warnings = utils.grep_statement(
                    "javascript_patterns", response_data[i], "source")
                sink_warnings = utils.grep_statement(
                    "javascript_patterns", response_data[i], "sink")

                # NOTE(review): response_data[i] is captured traffic and is
                # embedded in the report unescaped, whereas get_script_body
                # calls utils.html_escape() first; verify that
                # syntaxhighlighter escapes it before relying on the report
                # being safe to open.
                beautified = jsbeautifier.js_beautify(response_data[i], "")
                content = utils.syntaxhighlighter("js", rpt.href(full_path),
                                                  beautified)

                origin = "No Referer Header"
                if request_headers[i].has_key("Referer") is True:
                    origin = rpt.href(request_headers[i]["Referer"])

                row = "<td>" + rpt.href(full_path) + "</td>"
                row += "<td>" + origin + "</td>"
                row += "<td>" + rpt.href(str(i) + "file") + "</td>"
                row += "<td>" + source_warnings + "</td>"
                row += "<td>" + sink_warnings + "</td>"
                js_rows.append(row)

                rpt.make_module_report_file(content, str(i) + "file")
                handled.append(full_path)

    return js_rows
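def analysis(http_objs):
    """Download each requested .swf, disassemble it with flasm and report it.

    For every captured request whose path ends in ".swf" the file is fetched
    into the workspace with the command returned by ``utils.curl_conn()``
    and disassembled with ``flasm -d`` into ``<name>.html``.  Each listing
    is then scanned with ``utils.grep_statement`` for the "flash_patterns"
    groups and added to the "flash" report table.

    Args:
        http_objs: dict providing "total_requests", "request_headers" and
            "request_URL" (per-request dicts with "protocol", "url" and
            "path").

    Raises:
        IOError: if a disassembly listing cannot be opened.
    """
    # Shell quoting helper; the module moved between Python 2 and 3.
    try:
        from shlex import quote as sh_quote
    except ImportError:
        from pipes import quote as sh_quote

    requests = http_objs["total_requests"]
    request_headers = http_objs["request_headers"]
    request_URLs = http_objs["request_URL"]
    path_flasm = utils.parser_xml("conf/config.xml", "path", "flasm")
    path_report = utils.__workspace_path__
    rpt = report.htmltags()

    # One (listing file name, URL, origin cell) tuple per SWF.  The earlier
    # code built the rows from whatever full_path/origin the download loop
    # left behind, so every row showed the last request's values.
    # NOTE(review): two URLs with the same file name share local files.
    swf_jobs = []
    for i in xrange(0, requests):
        entry = request_URLs[i]
        path = entry["path"]
        if not path.endswith(".swf"):
            continue
        full_path = entry["protocol"] + "://" + entry["url"] + path
        swf_name = full_path.split('/')[-1]
        listing_name = swf_name + '.html'

        # URL and file name come from captured traffic, so each is passed
        # to the shell as one quoted word; "./" keeps a name starting with
        # "-" from being parsed as an option.  utils.curl_conn() is left
        # verbatim: presumably a locally configured command prefix - confirm.
        command = ('cd ' + sh_quote(path_report) + ';' +
                   utils.curl_conn() + ' ' + sh_quote(full_path) + ';' +
                   sh_quote(path_flasm[0] + '/./flasm') + ' -d ' +
                   sh_quote('./' + swf_name) + ' > ' +
                   sh_quote('./' + listing_name))
        getoutput(command)

        if request_headers[i].has_key("Referer"):
            origin = rpt.href(request_headers[i]["Referer"])
        else:
            origin = "No Referer Header"
        swf_jobs.append((listing_name, full_path, origin))

    categories = ("text", "load", "net", "url", "crossdomain", "xml", "lso",
                  "header", "externalinterface", "globalvariables")
    flash_rows = []
    for listing_name, full_path, origin in swf_jobs:
        # Context manager so the listing's file handle is always released.
        with open(path_report + listing_name, "r") as listing:
            swf_content = listing.read()

        warnings = [utils.grep_statement("flash_patterns", swf_content, name)
                    for name in categories]

        # NOTE(review): the disassembly is embedded without
        # utils.html_escape(); confirm utils.syntaxhighlighter escapes it,
        # since strings inside the SWF are untrusted.
        content = utils.syntaxhighlighter("as3", rpt.href(full_path),
                                          swf_content)
        report_name = str(listing_name) + "ActionScript"
        rpt.make_module_report_file(content, report_name)

        # join() also drops the stray extra "</td>" the old row emitted
        # after the "net" cell.
        cells = [rpt.href(full_path), origin, rpt.href(report_name)] + warnings
        flash_rows.append("<td>" + "</td><td>".join(cells) + "</td>")

    collums = {"flash": ["Path", "Origin", "Flash Analyzed", "Text Write",
                         "Load", "Net Connections", "Url Parameter",
                         "Cross Domain", "XML Send", "lSO", "Add Header",
                         "External Interface", "Global Variables"]}
    rows = {"flash": flash_rows}
    tip = "Tip: <a href='https://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project' target='_blank'>OWASP Flash Security Project</a> and <a href='https://www.owasp.org/index.php/Flash_Testing' target='_blank'>OWASP Testing Guide - Flash</a>"
    rpt.make_table("flash", tip, collums, rows)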
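def analysis(http_objs):
    """Fetch, disassemble and report every Flash (.swf) file in the capture.

    Requests whose path ends in ".swf" are downloaded into the workspace
    directory (``utils.__workspace_path__``) and run through ``flasm -d``;
    the resulting ``<name>.html`` listing is grepped for the
    "flash_patterns" groups and one table row per file is passed to
    ``rpt.make_table("flash", ...)``.

    Args:
        http_objs: dict with "total_requests", "request_headers" and
            "request_URL" entries; each URL entry supplies "protocol",
            "url" and "path".

    Raises:
        IOError: when the listing of a downloaded file cannot be read.
    """
    try:
        from shlex import quote as shell_quote  # Python 3
    except ImportError:
        from pipes import quote as shell_quote  # Python 2

    def quoted_pipeline(workdir, fetch_cmd, url, flasm_bin, swf, listing):
        """Return the download+disassemble command with every value quoted."""
        steps = [
            'cd ' + shell_quote(workdir),
            fetch_cmd + ' ' + shell_quote(url),
            shell_quote(flasm_bin) + ' -d ' + shell_quote('./' + swf) +
            ' > ' + shell_quote('./' + listing),
        ]
        return ';'.join(steps)

    requests = http_objs["total_requests"]
    request_headers = http_objs["request_headers"]
    request_URLs = http_objs["request_URL"]
    path_flasm = utils.parser_xml("conf/config.xml", "path", "flasm")
    path_report = utils.__workspace_path__
    rpt = report.htmltags()

    downloads = []
    for i in xrange(0, requests):
        req = request_URLs[i]
        if not req["path"].endswith(".swf"):
            continue
        full_path = req["protocol"] + "://" + req["url"] + req["path"]
        swf_name = full_path.split('/')[-1]

        # The URL and its last segment are attacker-influenced; they were
        # previously concatenated into the shell line as-is.  Quoting makes
        # each a single argument, and the "./" prefix stops a leading "-"
        # from reading as a flasm option.
        # NOTE(review): utils.curl_conn() is trusted as a command prefix.
        getoutput(quoted_pipeline(path_report, utils.curl_conn(), full_path,
                                  path_flasm[0] + '/./flasm', swf_name,
                                  swf_name + '.html'))

        origin = "No Referer Header"
        if request_headers[i].has_key("Referer"):
            origin = rpt.href(request_headers[i]["Referer"])
        # Keep URL and origin with the file so each row reports its own
        # values instead of those of the last request in the loop.
        downloads.append({"listing": swf_name + '.html',
                          "url": full_path,
                          "origin": origin})

    flash_rows = []
    for item in downloads:
        with open(path_report + item["listing"], "r") as handle:
            swf_content = handle.read()

        def grep(group):
            return utils.grep_statement("flash_patterns", swf_content, group)

        # NOTE(review): swf_content is not passed through
        # utils.html_escape(); verify syntaxhighlighter escapes it.
        content = utils.syntaxhighlighter("as3", rpt.href(item["url"]),
                                          swf_content)
        report_name = str(item["listing"]) + "ActionScript"
        rpt.make_module_report_file(content, report_name)

        # Every cell is wrapped exactly once; the old concatenation closed
        # the "net" cell twice.
        row = ""
        for cell in (rpt.href(item["url"]), item["origin"],
                     rpt.href(report_name), grep("text"), grep("load"),
                     grep("net"), grep("url"), grep("crossdomain"),
                     grep("xml"), grep("lso"), grep("header"),
                     grep("externalinterface"), grep("globalvariables")):
            row += "<td>" + cell + "</td>"
        flash_rows.append(row)

    collums = {
        "flash": [
            "Path", "Origin", "Flash Analyzed", "Text Write", "Load",
            "Net Connections", "Url Parameter", "Cross Domain", "XML Send",
            "lSO", "Add Header", "External Interface", "Global Variables"
        ]
    }
    rows = {"flash": flash_rows}
    tip = "Tip: <a href='https://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project' target='_blank'>OWASP Flash Security Project</a> and <a href='https://www.owasp.org/index.php/Flash_Testing' target='_blank'>OWASP Testing Guide - Flash</a>"
    rpt.make_table("flash", tip, collums, rows)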