def delete_all(self, filter_data, target_id=None):
"""Delete all plugin output
.note::
Here keeping filter_data optional is very risky
:param filter_data: Filter data
:type filter_data: `dict`
:param target_id: target ID
:type target_id: `int`
:return: None
:rtype: None
"""
# for_delete = True: empty dict will match all results
query = self.gen_query(filter_data, target_id, for_delete=True)
# Delete the folders created for these plugins
for plugin in query.all():
# First check if path exists in db
if plugin.output_path:
output_path = os.path.join(self.config.get_output_dir_target(), plugin.output_path)
if os.path.exists(output_path):
FileOperations.rm_tree(output_path)
# When folders are removed delete the results from db
results = query.delete()
self.db.session.commit()
def cleanup_target_dirs(self, target_url):
"""Cleanup the directories for the specific target
:return: None
:rtype: None
"""
return FileOperations.rm_tree(self.get_target_dir(target_url))
def initialize(self, outbound_options=[], outbound_auth=""):
"""Initialize the proxy process
:param outbound_options: Outbound proxy options
:type outbound_options: `list`
:param outbound_auth: Authentication string
:type outbound_auth: `str`
:return: None
:rtype: None
"""
# The tornado application, which is used to pass variables to request handler
self.application = tornado.web.Application(handlers=[(r'.*', ProxyHandler)], debug=False, gzip=True,)
self.config = self.get_component("config")
self.db_config = self.get_component("db_config")
# All required variables in request handler
# Required variables are added as attributes to application, so that request handler can access these
self.application.core = self.get_component("core")
self.application.inbound_ip = self.db_config.get('INBOUND_PROXY_IP')
self.application.inbound_port = int(self.db_config.get('INBOUND_PROXY_PORT'))
self.instances = self.db_config.get("INBOUND_PROXY_PROCESSES")
# Proxy CACHE
# Cache related settings, including creating required folders according to cache folder structure
self.application.cache_dir = self.db_config.get("INBOUND_PROXY_CACHE_DIR")
# Clean possible older cache directory.
if os.path.exists(self.application.cache_dir):
FileOperations.rm_tree(self.application.cache_dir)
FileOperations.make_dirs(self.application.cache_dir)
# SSL MiTM
# SSL certs, keys and other settings (os.path.expanduser because they are stored in users home directory
# ~/.owtf/proxy)
self.application.ca_cert = os.path.expanduser(self.db_config.get('CA_CERT'))
self.application.ca_key = os.path.expanduser(self.db_config.get('CA_KEY'))
# To stop OWTF from breaking for our beloved users :P
try:
self.application.ca_key_pass = FileOperations.open(os.path.expanduser(self.db_config.get('CA_PASS_FILE')),
'r', owtf_clean=False).read().strip()
except IOError:
self.application.ca_key_pass = "******" # XXX: Legacy CA key pass for older versions.
self.application.proxy_folder = os.path.dirname(self.application.ca_cert)
self.application.certs_folder = os.path.expanduser(self.db_config.get('CERTS_FOLDER'))
try: # Ensure CA.crt and Key exist.
assert os.path.exists(self.application.ca_cert)
assert os.path.exists(self.application.ca_key)
except AssertionError:
self.get_component("error_handler").abort_framework("Files required for SSL MiTM are missing."
" Please run the install script")
try: # If certs folder missing, create that.
assert os.path.exists(self.application.certs_folder)
except AssertionError:
FileOperations.make_dirs(self.application.certs_folder)
# Blacklist (or) Whitelist Cookies
# Building cookie regex to be used for cookie filtering for caching
if self.db_config.get('WHITELIST_COOKIES') == 'None':
cookies_list = self.db_config.get('BLACKLIST_COOKIES').split(',')
self.application.cookie_blacklist = True
else:
cookies_list = self.db_config.get('WHITELIST_COOKIES').split(',')
self.application.cookie_blacklist = False
if self.application.cookie_blacklist:
regex_cookies_list = [cookie + "=([^;]+;?)" for cookie in cookies_list]
else:
regex_cookies_list = ["(" + cookie + "=[^;]+;?)" for cookie in self.db_config.get('COOKIES_LIST')]
regex_string = '|'.join(regex_cookies_list)
self.application.cookie_regex = re.compile(regex_string)
# Outbound Proxy
# Outbound proxy settings to be used inside request handler
if outbound_options:
if len(outbound_options) == 3:
self.application.outbound_proxy_type = outbound_options[0]
self.application.outbound_ip = outbound_options[1]
self.application.outbound_port = int(outbound_options[2])
else:
self.application.outbound_proxy_type = "http"
self.application.outbound_ip = outbound_options[0]
self.application.outbound_port = int(outbound_options[1])
else:
self.application.outbound_ip = None
self.application.outbound_port = None
self.application.outbound_proxy_type = None
if outbound_auth:
self.application.outbound_username, self.application.outbound_password = outbound_auth.split(":")
else:
self.application.outbound_username = None
self.application.outbound_password = None
self.server = tornado.httpserver.HTTPServer(self.application)
# server has to be a class variable, because it is used inside request handler to attach sockets for monitoring
ProxyHandler.server = self.server
# Header filters
# Restricted headers are picked from framework/config/framework_config.cfg
# These headers are removed from the response obtained from webserver, before sending it to browser
restricted_response_headers = self.config.get_val("PROXY_RESTRICTED_RESPONSE_HEADERS").split(",")
ProxyHandler.restricted_response_headers = restricted_response_headers
# These headers are removed from request obtained from browser, before sending it to webserver
restricted_request_headers = self.config.get_val("PROXY_RESTRICTED_REQUEST_HEADERS").split(",")
ProxyHandler.restricted_request_headers = restricted_request_headers
# HTTP Auth options
if self.db_config.get("HTTP_AUTH_HOST") != "None":
self.application.http_auth = True
# All the variables are lists
self.application.http_auth_hosts = self.db_config.get("HTTP_AUTH_HOST").strip().split(',')
self.application.http_auth_usernames = self.db_config.get("HTTP_AUTH_USERNAME").strip().split(',')
self.application.http_auth_passwords = self.db_config.get("HTTP_AUTH_PASSWORD").strip().split(',')
self.application.http_auth_modes = self.db_config.get("HTTP_AUTH_MODE").strip().split(',')
else:
self.application.http_auth = False
def initialize(self, outbound_options=[], outbound_auth=""):
"""Initialize the proxy process
:param outbound_options: Outbound proxy options
:type outbound_options: `list`
:param outbound_auth: Authentication string
:type outbound_auth: `str`
:return: None
:rtype: None
"""
# The tornado application, which is used to pass variables to request handler
self.application = tornado.web.Application(
handlers=[(r'.*', ProxyHandler)],
debug=False,
gzip=True,
)
self.config = self.get_component("config")
self.db_config = self.get_component("db_config")
# All required variables in request handler
# Required variables are added as attributes to application, so that request handler can access these
self.application.core = self.get_component("core")
self.application.inbound_ip = self.db_config.get('INBOUND_PROXY_IP')
self.application.inbound_port = int(
self.db_config.get('INBOUND_PROXY_PORT'))
self.instances = self.db_config.get("INBOUND_PROXY_PROCESSES")
# Proxy CACHE
# Cache related settings, including creating required folders according to cache folder structure
self.application.cache_dir = self.db_config.get(
"INBOUND_PROXY_CACHE_DIR")
# Clean possible older cache directory.
if os.path.exists(self.application.cache_dir):
FileOperations.rm_tree(self.application.cache_dir)
FileOperations.make_dirs(self.application.cache_dir)
# SSL MiTM
# SSL certs, keys and other settings (os.path.expanduser because they are stored in users home directory
# ~/.owtf/proxy)
self.application.ca_cert = os.path.expanduser(
self.db_config.get('CA_CERT'))
self.application.ca_key = os.path.expanduser(
self.db_config.get('CA_KEY'))
# To stop OWTF from breaking for our beloved users :P
try:
self.application.ca_key_pass = FileOperations.open(
os.path.expanduser(self.db_config.get('CA_PASS_FILE')),
'r',
owtf_clean=False).read().strip()
except IOError:
self.application.ca_key_pass = "******" # XXX: Legacy CA key pass for older versions.
self.application.proxy_folder = os.path.dirname(
self.application.ca_cert)
self.application.certs_folder = os.path.expanduser(
self.db_config.get('CERTS_FOLDER'))
try: # Ensure CA.crt and Key exist.
assert os.path.exists(self.application.ca_cert)
assert os.path.exists(self.application.ca_key)
except AssertionError:
self.get_component("error_handler").abort_framework(
"Files required for SSL MiTM are missing."
" Please run the install script")
try: # If certs folder missing, create that.
assert os.path.exists(self.application.certs_folder)
except AssertionError:
FileOperations.make_dirs(self.application.certs_folder)
# Blacklist (or) Whitelist Cookies
# Building cookie regex to be used for cookie filtering for caching
if self.db_config.get('WHITELIST_COOKIES') == 'None':
cookies_list = self.db_config.get('BLACKLIST_COOKIES').split(',')
self.application.cookie_blacklist = True
else:
cookies_list = self.db_config.get('WHITELIST_COOKIES').split(',')
self.application.cookie_blacklist = False
if self.application.cookie_blacklist:
regex_cookies_list = [
cookie + "=([^;]+;?)" for cookie in cookies_list
]
else:
regex_cookies_list = [
"(" + cookie + "=[^;]+;?)"
for cookie in self.db_config.get('COOKIES_LIST')
]
regex_string = '|'.join(regex_cookies_list)
self.application.cookie_regex = re.compile(regex_string)
# Outbound Proxy
# Outbound proxy settings to be used inside request handler
if outbound_options:
if len(outbound_options) == 3:
self.application.outbound_proxy_type = outbound_options[0]
self.application.outbound_ip = outbound_options[1]
self.application.outbound_port = int(outbound_options[2])
else:
self.application.outbound_proxy_type = "http"
self.application.outbound_ip = outbound_options[0]
self.application.outbound_port = int(outbound_options[1])
else:
self.application.outbound_ip = None
self.application.outbound_port = None
self.application.outbound_proxy_type = None
if outbound_auth:
self.application.outbound_username, self.application.outbound_password = outbound_auth.split(
":")
else:
self.application.outbound_username = None
self.application.outbound_password = None
self.server = tornado.httpserver.HTTPServer(self.application)
# server has to be a class variable, because it is used inside request handler to attach sockets for monitoring
ProxyHandler.server = self.server
# Header filters
# Restricted headers are picked from framework/config/framework_config.cfg
# These headers are removed from the response obtained from webserver, before sending it to browser
restricted_response_headers = self.config.get_val(
"PROXY_RESTRICTED_RESPONSE_HEADERS").split(",")
ProxyHandler.restricted_response_headers = restricted_response_headers
# These headers are removed from request obtained from browser, before sending it to webserver
restricted_request_headers = self.config.get_val(
"PROXY_RESTRICTED_REQUEST_HEADERS").split(",")
ProxyHandler.restricted_request_headers = restricted_request_headers
# HTTP Auth options
if self.db_config.get("HTTP_AUTH_HOST") != "None":
self.application.http_auth = True
# All the variables are lists
self.application.http_auth_hosts = self.db_config.get(
"HTTP_AUTH_HOST").strip().split(',')
self.application.http_auth_usernames = self.db_config.get(
"HTTP_AUTH_USERNAME").strip().split(',')
self.application.http_auth_passwords = self.db_config.get(
"HTTP_AUTH_PASSWORD").strip().split(',')
self.application.http_auth_modes = self.db_config.get(
"HTTP_AUTH_MODE").strip().split(',')
else:
self.application.http_auth = False
