def do_POST_check(parameter):
http_request_method = "POST"
# Do replacement with the 'INJECT_HERE' tag, if the wild card char is provided.
parameter = checks.wildcard_character(parameter).replace("'", "\"")
# Check if JSON Object.
if checks.is_JSON_check(parameter):
if not settings.IS_JSON:
checks.process_json_data()
settings.PARAMETER_DELIMITER = ","
# Check if XML Object.
elif checks.is_XML_check(parameter):
if not settings.IS_XML:
checks.process_xml_data()
settings.PARAMETER_DELIMITER = ""
else:
pass
parameters_list = []
# Split multiple parameters
if settings.IS_XML:
_ = []
parameters = re.findall(r'(.*)', parameter)
parameters = [param + "\n" for param in parameters if param]
for value in range(0, len(parameters)):
_.append(parameters[value])
multi_parameters = _
else:
try:
multi_parameters = parameter.split(settings.PARAMETER_DELIMITER)
except ValueError, err_msg:
print settings.print_critical_msg(err_msg)
sys.exit(0)
def do_POST_check(parameter):
http_request_method = "POST"
# Do replacement with the 'INJECT_HERE' tag, if the wild card char is provided.
parameter = checks.wildcard_character(parameter).replace("'","\"")
# Check if JSON Object.
if checks.is_JSON_check(parameter):
if not settings.IS_JSON:
checks.process_json_data()
settings.PARAMETER_DELIMITER = ","
# Check if XML Object.
elif checks.is_XML_check(parameter):
if not settings.IS_XML:
checks.process_xml_data()
settings.PARAMETER_DELIMITER = ""
else:
pass
parameters_list = []
# Split multiple parameters
if settings.IS_XML:
_ = []
parameters = re.findall(r'(.*)', parameter)
parameters = [param + "\n" for param in parameters if param]
for value in range(0,len(parameters)):
_.append(parameters[value])
multi_parameters = _
else:
try:
multi_parameters = parameter.split(settings.PARAMETER_DELIMITER)
multi_parameters = [x for x in multi_parameters if x]
except ValueError, err_msg:
print settings.print_critical_msg(err_msg)
raise SystemExit()
def do_POST_check(parameter):
http_request_method = "POST"
# Do replacement with the 'INJECT_HERE' tag, if the wild card char is provided.
parameter = checks.wildcard_character(parameter).replace("'", "\"")
# Check if JSON Object.
if checks.is_JSON_check(parameter):
if not settings.IS_JSON:
checks.process_json_data()
settings.PARAMETER_DELIMITER = ","
# Check if XML Object.
elif checks.is_XML_check(parameter):
if not settings.IS_XML:
checks.process_xml_data()
settings.PARAMETER_DELIMITER = ""
else:
pass
parameters_list = []
# Split multiple parameters
if settings.IS_XML:
_ = []
parameters = re.findall(r'(.*)', parameter)
parameters = [param + "\n" for param in parameters if param]
for value in range(0, len(parameters)):
_.append(parameters[value])
multi_parameters = _
else:
multi_parameters = parameter.split(settings.PARAMETER_DELIMITER)
# Check for inappropriate format in provided parameter(s).
if len([s for s in multi_parameters if "=" in s]) != (len(multi_parameters)) and \
not settings.IS_JSON and \
not settings.IS_XML:
checks.inappropriate_format(multi_parameters)
# Check for empty values (in provided parameters).
# Check if single parameter is supplied.
if len(multi_parameters) == 1:
#Grab the value of parameter.
if settings.IS_JSON:
#Grab the value of parameter.
value = re.findall(r'\"(.*)\"', parameter)
value = ''.join(value)
if value != settings.INJECT_TAG:
value = re.findall(r'\s*\:\s*\"(.*)\"', parameter)
value = ''.join(value)
elif settings.IS_XML:
#Grab the value of parameter.
value = re.findall(r'>(.*)</', parameter)
value = ''.join(value)
else:
_ = []
_.append(parameter)
parameter = ''.join(checks.check_similarities(_))
value = re.findall(r'=(.*)', parameter)
value = ''.join(value)
if checks.is_empty(multi_parameters, http_request_method):
return parameter
else:
# Replace the value of parameter with INJECT tag
inject_value = value.replace(value, settings.INJECT_TAG)
if len(value) == 0:
if settings.IS_JSON:
parameter = parameter.replace(
":\"\"", ":\"" + settings.INJECT_TAG + "\"")
else:
parameter = parameter + settings.INJECT_TAG
else:
parameter = parameter.replace(value, inject_value)
return parameter
else:
# Check if multiple parameters are supplied without the "INJECT_HERE" tag.
if settings.IS_XML:
all_params = multi_parameters
else:
all_params = settings.PARAMETER_DELIMITER.join(multi_parameters)
# Check for similarity in provided parameter name and value.
all_params = all_params.split(settings.PARAMETER_DELIMITER)
all_params = checks.check_similarities(all_params)
# Check if not defined the "INJECT_HERE" tag in parameter
if settings.INJECT_TAG not in parameter:
checks.is_empty(multi_parameters, http_request_method)
for param in range(0, len(all_params)):
if param == 0:
if settings.IS_JSON:
old = re.findall(r'\:\"(.*)\"', all_params[param])
old = ''.join(old)
elif settings.IS_XML:
old = re.findall(r'>(.*)</', all_params[param])
old = ''.join(old)
else:
old = re.findall(r'=(.*)', all_params[param])
old = ''.join(old)
else:
old = value
# Grab the value of parameter.
if settings.IS_JSON:
#Grab the value of parameter.
value = re.findall(r'\:\"(.*)\"', all_params[param])
value = ''.join(value)
elif settings.IS_XML:
value = re.findall(r'>(.*)</', all_params[param])
value = ''.join(value)
else:
value = re.findall(r'=(.*)', all_params[param])
value = ''.join(value)
# Replace the value of parameter with INJECT tag
inject_value = value.replace(value, settings.INJECT_TAG)
# Skip testing the parameter(s) with empty value(s).
if menu.options.skip_empty:
if len(value) == 0:
if settings.IS_JSON:
#Grab the value of parameter.
provided_value = re.findall(
r'\"(.*)\"\:', all_params[param])
provided_value = ''.join(provided_value)
elif settings.IS_XML:
provided_value = re.findall(
r'>(.*)</', all_params[param])
provided_value = ''.join(provided_value)
else:
provided_value = re.findall(
r'(.*)=', all_params[param])
provided_value = ''.join(provided_value)
else:
all_params[param] = all_params[param].replace(
value, inject_value)
all_params[param - 1] = all_params[param - 1].replace(
inject_value, old)
parameter = settings.PARAMETER_DELIMITER.join(
all_params)
parameters_list.append(parameter)
parameter = parameters_list
else:
if len(value) == 0:
if settings.IS_JSON:
all_params[param] = all_params[param].replace(
":\"\"", ":\"" + settings.INJECT_TAG + "\"")
elif settings.IS_XML:
all_params[param] = all_params[param].replace(
"></", ">" + settings.INJECT_TAG + "</")
else:
all_params[param] = all_params[
param] + settings.INJECT_TAG
else:
all_params[param] = all_params[param].replace(
value, inject_value)
all_params[param - 1] = all_params[param - 1].replace(
inject_value, old)
parameter = settings.PARAMETER_DELIMITER.join(all_params)
parameters_list.append(parameter)
parameter = parameters_list
else:
for param in range(0, len(multi_parameters)):
# Grab the value of parameter.
if settings.IS_JSON:
value = re.findall(r'\"(.*)\"', multi_parameters[param])
value = ''.join(value)
if settings.IS_XML:
value = re.findall(r'>(.*)</', all_params[param])
value = ''.join(value)
else:
value = re.findall(r'=(.*)', multi_parameters[param])
value = ''.join(value)
parameter = settings.PARAMETER_DELIMITER.join(multi_parameters)
return parameter
def do_POST_check(parameter, http_request_method):
# Do replacement with the 'INJECT_HERE' tag, if the wild card char is provided.
parameter = checks.wildcard_character(parameter).replace("'", "\"")
# Check if JSON Object.
if checks.is_JSON_check(checks.check_quotes_json_data(parameter)):
parameter = checks.check_quotes_json_data(parameter)
if not settings.IS_JSON:
checks.process_json_data()
settings.PARAMETER_DELIMITER = ","
# Check if XML Object.
elif checks.is_XML_check(parameter):
if not settings.IS_XML:
checks.process_xml_data()
settings.PARAMETER_DELIMITER = ""
else:
pass
parameters_list = []
# Split multiple parameters
if settings.IS_XML:
parameter = re.sub(r">\s*<", '>\n<', parameter).replace("\\n", "\n")
_ = []
parameters = re.findall(r'(.*)', parameter)
parameters = [param + "\n" for param in parameters if param]
for value in range(0, len(parameters)):
_.append(parameters[value])
multi_parameters = _
else:
try:
multi_parameters = parameter.split(settings.PARAMETER_DELIMITER)
multi_parameters = [x for x in multi_parameters if x]
except ValueError as err_msg:
print(settings.print_critical_msg(err_msg))
raise SystemExit()
# Check for inappropriate format in provided parameter(s).
if len([s for s in multi_parameters if "=" in s]) != (len(multi_parameters)) and \
not settings.IS_JSON and \
not settings.IS_XML:
checks.inappropriate_format(multi_parameters)
# Check if single parameter is supplied.
if len(multi_parameters) == 1:
# Grab the value of parameter.
if settings.IS_JSON:
# Grab the value of parameter.
value = re.findall(r'\"(.*)\"', parameter)
value = ''.join(value)
if value != settings.INJECT_TAG:
value = re.findall(r'\s*\:\s*\"(.*)\"', parameter)
value = ''.join(value)
elif settings.IS_XML:
# Grab the value of parameter.
value = re.findall(r'>(.*)</', parameter)
value = ''.join(value)
else:
_ = []
_.append(parameter)
parameter = ''.join(checks.check_similarities(_))
value = re.findall(r'=(.*)', parameter)
value = ''.join(value)
if checks.is_empty(multi_parameters, http_request_method):
return parameter
else:
# Ignoring the anti-CSRF parameter(s).
if checks.ignore_anticsrf_parameter(parameter):
return parameter
if re.search(settings.VALUE_BOUNDARIES, value):
value = checks.value_boundaries(value)
# Replace the value of parameter with INJECT_HERE tag
if len(value) == 0:
if settings.IS_JSON:
parameter = parameter.replace(
":\"\"", ":\"" + settings.INJECT_TAG + "\"")
else:
parameter = parameter + settings.INJECT_TAG
else:
parameter = parameter.replace(value,
value + settings.INJECT_TAG)
return parameter
else:
# Check if multiple parameters are supplied without the "INJECT_HERE" tag.
if settings.IS_XML:
all_params = multi_parameters
else:
all_params = settings.PARAMETER_DELIMITER.join(multi_parameters)
# Check for similarity in provided parameter name and value.
all_params = all_params.split(settings.PARAMETER_DELIMITER)
all_params = checks.check_similarities(all_params)
# Check if not defined the "INJECT_HERE" tag in parameter
if settings.INJECT_TAG not in parameter:
if checks.is_empty(multi_parameters, http_request_method):
return parameter
for param in range(0, len(all_params)):
if param == 0:
if settings.IS_JSON:
old = re.findall(r'\:(.*)', all_params[param])
old = re.sub(settings.IGNORE_SPECIAL_CHAR_REGEX, '',
''.join(old))
elif settings.IS_XML:
old = re.findall(r'>(.*)</', all_params[param])
old = ''.join(old)
else:
old = re.findall(r'=(.*)', all_params[param])
old = ''.join(old)
else:
old = value
if settings.IS_JSON:
value = re.findall(r'\:(.*)', all_params[param])
if re.findall(r'\\"(.*)\\"', value[0]):
value = re.findall(r'\\"(.*)\\"', value[0])
value = re.sub(settings.IGNORE_SPECIAL_CHAR_REGEX, '',
''.join(value))
elif settings.IS_XML:
value = re.findall(r'>(.*)</', all_params[param])
value = ''.join(value)
else:
value = re.findall(r'=(.*)', all_params[param])
value = ''.join(value)
# Ignoring the anti-CSRF parameter(s).
if checks.ignore_anticsrf_parameter(all_params[param]):
continue
if re.search(settings.VALUE_BOUNDARIES, value):
value = checks.value_boundaries(value)
# Replace the value of parameter with INJECT_HERE tag
# Skip testing the parameter(s) with empty value(s).
if menu.options.skip_empty:
if len(value) != 0:
all_params[param] = all_params[param].replace(
value, value + settings.INJECT_TAG)
all_params[param - 1] = all_params[param - 1].replace(
value, "").replace(settings.INJECT_TAG, "")
parameter = settings.PARAMETER_DELIMITER.join(
all_params)
else:
if len(value) == 0:
if settings.IS_JSON:
all_params[param] = all_params[param].replace(
":\"\"", ":\"" + settings.INJECT_TAG + "\"")
elif settings.IS_XML:
all_params[param] = all_params[param].replace(
"></", ">" + settings.INJECT_TAG + "</")
else:
all_params[param] = all_params[
param] + settings.INJECT_TAG
else:
all_params[param] = all_params[param].replace(
value, value + settings.INJECT_TAG)
all_params[param - 1] = all_params[param - 1].replace(
value, "").replace(settings.INJECT_TAG, "")
parameter = settings.PARAMETER_DELIMITER.join(all_params)
parameter = parameter.replace(settings.RANDOM_TAG, "")
parameters_list.append(parameter)
parameter = parameters_list
else:
for param in range(0, len(multi_parameters)):
# Grab the value of parameter.
if settings.IS_JSON:
value = re.findall(r'\"(.*)\"', multi_parameters[param])
value = ''.join(value)
if settings.IS_XML:
value = re.findall(r'>(.*)</', all_params[param])
value = ''.join(value)
else:
value = re.findall(r'=(.*)', multi_parameters[param])
value = ''.join(value)
parameter = settings.PARAMETER_DELIMITER.join(multi_parameters)
return parameter
