def check_asp_net_debug(url: str) -> List[Result]:
    """Probe ``url`` for the ASP.NET ``DEBUG`` verb being accepted.

    A ``DEBUG`` request carrying ``Command: stop-debug`` is sent; a 200
    whose body contains ``OK`` is a candidate hit.  Because a server that
    answers 200 to *any* verb would look the same, the probe is repeated
    with the made-up verb ``XDEBUG``: only when that one is *not* a 200 is
    the hit reported as ``SERVER_ASPNET_DEBUG_ENABLED``, with the raw
    ``DEBUG`` request/response attached as evidence.

    Args:
        url: Target URL.

    Returns:
        The debug finding (if confirmed) followed by whatever
        ``response_scanner`` raises on the ``DEBUG`` response.
    """

    def probe(verb: str):
        # fresh header dict per call so neither request can see the other's
        return network.http_custom(
            verb, url, additional_headers={"Command": "stop-debug", "Accept": "*/*"}
        )

    findings: List[Result] = []
    res = probe("DEBUG")

    candidate = res.status_code == 200 and "OK" in res.text
    if candidate:
        # Confirm with a verb that cannot be valid; a 200 here means the
        # server simply accepts anything and the first hit is noise.
        xres = probe("XDEBUG")

        if xres.status_code == 200:
            output.debug("Server responds to invalid HTTP verbs with status 200")
        else:
            evidence = [
                network.http_build_raw_request(res.request),
                network.http_build_raw_response(res),
            ]
            findings.append(
                Result(
                    "ASP.NET Debugging Enabled",
                    Vulnerabilities.SERVER_ASPNET_DEBUG_ENABLED,
                    url,
                    evidence,
                )
            )

    findings += response_scanner.check_response(url, res)

    return findings
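def check_http_methods(
        url: str,
        path: Optional[str] = None) -> Tuple[List[str], List[Result]]:
    """Enumerate the HTTP verbs the server at ``url`` answers without a 405+.

    An obviously invalid verb (``XINVALIDX``) is sent first.  If the server
    answers even that with a status below 405 it evidently does not reject
    unknown methods, so a per-verb scan would report every verb as
    supported; the scan is then skipped and an empty verb list returned.

    Args:
        url: Target URL.
        path: Optional path to a verb list, one verb per line.  Defaults to
            the bundled ``resources/http-protocol-methods.txt``.

    Returns:
        ``(supported_methods, results)``: the verbs that got a status below
        405, and the findings ``response_scanner`` raised on every response
        seen (including the invalid-verb probe).
    """
    results: List[Result] = []
    supported_methods: List[str] = []

    # before we start, test an invalid verb to see if the server accepts anything
    res = network.http_custom("XINVALIDX", url)
    results += response_scanner.check_response(url, res)

    if res.status_code < 405:
        # no point in continuing: every verb would look supported, which is just noise
        return supported_methods, results

    if path is None:
        file_path = pkg_resources.resource_filename(
            "yawast", "resources/http-protocol-methods.txt")
    else:
        file_path = path

    with open(file_path) as file:
        for line in file:
            # ``for line in file`` keeps the trailing newline.  A verb of
            # "GET\n" is not a valid request-line token (and was also what
            # ended up in supported_methods), so strip it and skip blank
            # lines instead of sending empty or whitespace-only verbs.
            verb = line.strip()
            if not verb:
                continue

            res = network.http_custom(verb, url)

            if res.status_code < 405:
                supported_methods.append(verb)

            results += response_scanner.check_response(url, res)

    return supported_methods, results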
def _check_version_post(url: str) -> List[Result]:
    """Hand an error response to a bare POST to ``get_version``.

    A POST with no body is sent to ``url``; only when the status is above
    400 is the response passed to ``get_version`` under the label
    ``"POST to root"``.

    Args:
        url: Target URL.

    Returns:
        Whatever ``get_version`` produced, or an empty list when the status
        was 400 or lower.
    """
    res = network.http_custom("POST", url)

    # 400 and below are not the error pages this probe is after
    if res.status_code <= 400:
        return []

    found: List[Result] = []
    found += get_version(url, res, "POST to root")
    return found
def _check_version_verb(url: str) -> List[Result]:
    """Hand an error response to an invalid verb to ``get_version``.

    The made-up verb ``XYZ`` is sent to ``url``; only when the status is
    above 400 is the response passed to ``get_version`` under the label
    ``"Invalid HTTP Verb"``.

    Args:
        url: Target URL.

    Returns:
        Whatever ``get_version`` produced, or an empty list when the status
        was 400 or lower.
    """
    res = network.http_custom("XYZ", url)

    # 400 and below are not the error pages this probe is after
    if res.status_code <= 400:
        return []

    found: List[Result] = []
    found += get_version(url, res, "Invalid HTTP Verb")
    return found
def _check_version_post(url: str) -> List[Result]:
    """Hand an error response to a bare POST to ``get_version`` (best effort).

    A POST with no body is sent to ``url``; when the status is above 400
    the response goes to ``get_version`` labelled ``"POST to root"``.  Any
    exception from the request or from ``get_version`` is logged via
    ``output.debug_exception()`` and swallowed, so the caller only ever
    sees a (possibly empty) list.

    Args:
        url: Target URL.

    Returns:
        Findings from ``get_version``, or an empty list.
    """
    found: List[Result] = []

    try:
        res = network.http_custom("POST", url)
    except Exception:
        # best-effort probe: a failed request is logged, never raised
        output.debug_exception()
        return found

    try:
        if res.status_code > 400:
            found += get_version(url, res, "POST to root")
    except Exception:
        output.debug_exception()

    return found
def _check_version_verb(url: str) -> List[Result]:
    """Hand an error response to an invalid verb to ``get_version`` (best effort).

    The made-up verb ``XYZ`` is sent to ``url``; when the status is above
    400 the response goes to ``get_version`` labelled
    ``"Invalid HTTP Verb"``.  Any exception from the request or from
    ``get_version`` is logged via ``output.debug_exception()`` and
    swallowed, so the caller only ever sees a (possibly empty) list.

    Args:
        url: Target URL.

    Returns:
        Findings from ``get_version``, or an empty list.
    """
    found: List[Result] = []

    try:
        res = network.http_custom("XYZ", url)
    except Exception:
        # best-effort probe: a failed request is logged, never raised
        output.debug_exception()
        return found

    try:
        if res.status_code > 400:
            found += get_version(url, res, "Invalid HTTP Verb")
    except Exception:
        output.debug_exception()

    return found
def check_trace(url: str) -> List[Result]:
    """Detect an enabled HTTP TRACE method.

    TRACE echoes the request back in the body, so a 200 whose body
    contains the request line ``TRACE / HTTP/1.1`` is reported as
    ``HTTP_TRACE_ENABLED`` with the response as evidence.  The literal
    request line means the check is written for ``url`` pointing at the
    site root; a TRACE of a deeper path echoes a different request line
    and is not matched.

    Args:
        url: Target URL.

    Returns:
        The TRACE finding (if any) followed by whatever
        ``response_scanner`` raises on the response.
    """
    findings: List[Result] = []

    res = network.http_custom("TRACE", url)
    body = res.text

    echoed = res.status_code == 200 and "TRACE / HTTP/1.1" in body
    if echoed:
        finding = Result.from_evidence(
            Evidence.from_response(res),
            "HTTP TRACE Enabled",
            Vln.HTTP_TRACE_ENABLED,
        )
        findings.append(finding)

    findings.extend(response_scanner.check_response(url, res))

    return findings
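def check_propfind(url: str) -> List[Result]:
    """Report a PROPFIND response that looks like a WebDAV property listing.

    A PROPFIND is sent to ``url``; the response is flagged as
    ``HTTP_PROPFIND_ENABLED`` when its status is 400 or lower, it has a
    non-empty body, and its Content-Type is an XML media type.  WebDAV
    (RFC 4918 section 8.2) lets servers answer with either ``text/xml`` or
    ``application/xml``; the previous check matched only ``text/xml`` and
    so missed ``application/xml`` listings.  The media type is compared
    case-insensitively, as MIME types are.

    Args:
        url: Target URL.

    Returns:
        The PROPFIND finding (if any) followed by whatever
        ``response_scanner`` raises on the response.
    """
    results: List[Result] = []
    xml_types = ("text/xml", "application/xml")

    res = network.http_custom("PROPFIND", url)
    body = res.text

    if res.status_code <= 400 and len(body) > 0:
        content_type = ""
        if "Content-Type" in res.headers:
            content_type = res.headers["Content-Type"].lower()

        if any(xml_type in content_type for xml_type in xml_types):
            results.append(
                Result.from_evidence(
                    Evidence.from_response(res),
                    "Possible Info Disclosure: PROPFIND Enabled",
                    Vln.HTTP_PROPFIND_ENABLED,
                )
            )

    results += response_scanner.check_response(url, res)

    return results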
def check_trace(url: str) -> List[Result]:
    """Detect an enabled HTTP TRACE method.

    TRACE echoes the request back in the body, so a 200 whose body
    contains the request line ``TRACE / HTTP/1.1`` is reported as
    ``HTTP_TRACE_ENABLED`` with the raw request and response attached.
    The literal request line means the check is written for ``url``
    pointing at the site root; a TRACE of a deeper path echoes a
    different request line and is not matched.

    Args:
        url: Target URL.

    Returns:
        The TRACE finding (if any) followed by whatever
        ``response_scanner`` raises on the response.
    """
    findings: List[Result] = []

    res = network.http_custom("TRACE", url)
    body = res.text

    echoed = res.status_code == 200 and "TRACE / HTTP/1.1" in body
    if echoed:
        evidence = [
            network.http_build_raw_request(res.request),
            network.http_build_raw_response(res),
        ]
        findings.append(
            Result(
                "HTTP TRACE Enabled",
                Vulnerabilities.HTTP_TRACE_ENABLED,
                url,
                evidence,
            )
        )

    findings.extend(response_scanner.check_response(url, res))

    return findings
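def check_propfind(url: str) -> List[Result]:
    """Report a PROPFIND response that looks like a WebDAV property listing.

    A PROPFIND is sent to ``url``; the response is flagged as
    ``HTTP_PROPFIND_ENABLED`` when its status is 400 or lower, it has a
    non-empty body, and its Content-Type is an XML media type.  WebDAV
    (RFC 4918 section 8.2) lets servers answer with either ``text/xml`` or
    ``application/xml``; the previous check matched only ``text/xml`` and
    so missed ``application/xml`` listings.  The media type is compared
    case-insensitively, as MIME types are.  The raw request and response
    are attached as evidence.

    Args:
        url: Target URL.

    Returns:
        The PROPFIND finding (if any) followed by whatever
        ``response_scanner`` raises on the response.
    """
    results: List[Result] = []
    xml_types = ("text/xml", "application/xml")

    res = network.http_custom("PROPFIND", url)
    body = res.text

    if res.status_code <= 400 and len(body) > 0:
        content_type = ""
        if "Content-Type" in res.headers:
            content_type = res.headers["Content-Type"].lower()

        if any(xml_type in content_type for xml_type in xml_types):
            results.append(
                Result(
                    "Possible Info Disclosure: PROPFIND Enabled",
                    Vulnerabilities.HTTP_PROPFIND_ENABLED,
                    url,
                    [
                        network.http_build_raw_request(res.request),
                        network.http_build_raw_response(res),
                    ],
                )
            )

    results += response_scanner.check_response(url, res)

    return results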