def test_case(self):
if 'Access-Control-Allow-Origin' in self.resp.headers:
if self.resp.headers['Access-Control-Allow-Origin'] == "*":
self.register_issue(
Issue(
test="CORS_HEADER",
severity="Medium",
confidence="High",
text=("CORS header `Access-Control-Allow-Origin` set"
" to a wild character, this header should"
" always be set to a white listed set of URIs")))
if 'Access-Control-Allow-Methods' in self.resp.headers:
if self.resp.headers['Access-Control-Allow-Methods'] == "*":
self.register_issue(
Issue(test="CORS_HEADER",
severity="Low",
confidence="High",
text=("CORS header `Access-Control-Allow-Methods`"
" set to a wild character,it is a good"
" practice to give a white list of allowed"
" methods.")))
if 'Access-Control-Allow-Headers' in self.resp.headers:
if self.resp.headers['Access-Control-Allow-Headers'] == "*":
self.register_issue(
Issue(test="CORS_HEADER",
severity="Low",
confidence="High",
text=("CORS header `Access-Control-Allow-Headers`"
" set to a wild character,it is a good"
" practice to give a white list of allowed"
" headers")))
def test_case(self):
self.test_default_issues()
failed_strings = self.data_driven_failure_cases()
if failed_strings:
self.register_issue(
Issue(test="xml_strings",
severity="Medium",
confidence="Low",
text=("The string(s): \'{0}\', known to be commonly "
"returned after a successful XML external entity "
"attack, have been found in the response. This "
"could indicate a vulnerability to XML external "
"entity attacks.").format(failed_strings)
)
)
time_diff = self.config.time_difference_percent / 100
# Timing attacks for requesting invalid url in dtd
if (self.resp.elapsed.total_seconds() >
time_diff * self.init_response.elapsed.total_seconds()):
self.register_issue(
Issue(test="xml_timing",
severity="Medium",
confidence="Medium",
text=("The time it took to resolve a request with an "
"invalid URL in the DTD takes too long compared "
"to the baseline request. This could reflect a "
"vulnerability to an XML external entity attack."))
)
def test_case(self):
self.test_default_issues()
failed_strings = self.data_driven_failure_cases()
if failed_strings:
self.register_issue(
Issue(test="sql_strings",
severity="Medium",
confidence="Low",
text=("The string(s): \'{0}\', known to be commonly "
"returned after a successful SQL injection attack"
", have been found in the response. This could "
"indicate a vulnerability to SQL injection "
"attacks."
).format(failed_strings)
)
)
time_diff = self.config.time_difference_percent / 100
if (self.resp.elapsed.total_seconds() >
time_diff * self.init_response.elapsed.total_seconds()):
self.register_issue(
Issue(test="sql_timing",
severity="Medium",
confidence="Medium",
text=(
"A response to one of our payload requests has "
"taken too long compared to the baseline request. "
"This could indicate a vulnerability to time-based "
"SQL injection attacks"))
)
def test_case(self):
self.register_issue(
Issue(test="500_errors",
severity="Low",
text="This request generates a 500 error",
assertions=[(self.assertTrue, self.resp.status_code < 500)]))
self.register_issue(
Issue(test="length_diff",
severity="Low",
text=("The difference in length between the response to the"
"baseline request and the request returned when"
"sending an attack string exceeds {0} percent, which"
"could indicate a vulnerability to injection attacks"
).format(self.config.percent),
assertions=[(self.assertTrue, self.validate_length())]))
self.register_issue(
Issue(test="injection_strings",
severity="Medium",
text=("A known attack string was included in the response."
"This could indicate a vulnerability to injection"
"attacks."),
assertions=self.data_driven_failure_cases()))
self.register_issue(
Issue(test="success_strings",
severity="Low",
text=("None of the expected strings in [{0}] can be found in"
"the response").format(self.success_keys),
assertions=[(self.assertTrue, self.data_driven_pass_cases())
]))
self.test_issues()
def test_default_issues(self):
"""Tests for some default issues
These issues are not specific to any test type, and can be raised as a
result of many different types of attacks. Therefore, they're defined
separately from the test_case method so that they are not overwritten
by test cases that inherit from BaseFuzzTestCase.
Any extension to this class should call
self.test_default_issues() in order to test for the Issues
defined here
"""
target = self.init_request.url
domain = urlparse(target).hostname
regex = r"\bhttp://{0}".format(domain)
response_text = self.resp.text
if re.search(regex, response_text):
self.register_issue(
Issue(test="SSL_ERROR",
severity="Medium",
confidence="High",
text=("Make sure that all the returned endpoint URIs"
" use 'https://' and not 'http://'"
)
)
)
if self.resp.status_code >= 500:
self.register_issue(
Issue(test="500_errors",
severity="Low",
confidence="High",
text=("This request returns an error with status code "
"{0}, which might indicate some server-side fault "
"that could lead to further vulnerabilities"
).format(self.resp.status_code)
)
)
if (not self.validate_length() and
self.resp.status_code == self.init_response.status_code):
self.register_issue(
Issue(test="length_diff",
severity="Low",
confidence="Low",
text=("The difference in length between the response to "
"the baseline request and the request returned "
"when sending an attack string exceeds {0} "
"percent, which could indicate a vulnerability "
"to injection attacks")
.format(self.config.percent)
)
)
def register_issue(self, issue=None):
"""Adds an issue to the test's list of issues
Creates a new issue object, and associates the test's request
and response to it. In addition, adds the issue to the test's
list of issues
"""
if not issue:
issue = Issue()
issue.request = self.resp.request
issue.response = self.resp
self.issues.append(issue)
return issue
def register_issue(self, issue=None):
"""Adds an issue to the test's list of issues
Creates a new issue object, and associates the test's request
and response to it. In addition, adds the issue to the test's
list of issues
"""
if not issue:
issue = Issue()
issue.request = self.resp.request
issue.response = self.resp
self.issues.append(issue)
return issue
def test_case(self):
time_diff = self.config.time_difference_percent / 100
if (self.resp.elapsed.total_seconds() >
time_diff * self.init_response.elapsed.total_seconds()):
self.register_issue(
Issue(test="int_timing",
severity="Medium",
confidence="Medium",
text=("The time it took to resolve a request with an "
"invalid integer was too long compared to the "
"baseline request. This could indicate a "
"vulnerability to buffer overflow attacks")))
def test_case(self):
self.test_default_issues()
failed_strings = self.data_driven_failure_cases()
if failed_strings:
self.register_issue(
Issue(test="command_injection",
severity="High",
confidence="Medium",
text=("A string known to be commonly returned after a "
"successful command injection attack was "
"included in the response. This could indicate "
"a vulnerability to command injection "
"attacks.").format(failed_strings)))
elif self.resp.elapsed.total_seconds() >= 10:
self.register_issue(
Issue(test="command_injection",
severity="High",
confidence="Medium",
text=("The time elapsed between the sending of "
"the request and the arrival of the res"
"ponse exceeds the expected amount of time, "
"suggesting a vulnerability to command "
"injection attacks.").format(self.resp.elapsed)))
def test_case(self):
self.test_default_issues()
failed_strings = self.data_driven_failure_cases()
if failed_strings:
self.register_issue(
Issue(test="bof_strings",
severity="Medium",
confidence="Low",
text=("The string(s): \'{0}\', known to be commonly "
"returned after a successful buffer overflow "
"attack, have been found in the response. This "
"could indicate a vulnerability to buffer "
"overflow attacks.").format(failed_strings)))
time_diff = self.config.time_difference_percent / 100
if (self.resp.elapsed.total_seconds() >
time_diff * self.init_response.elapsed.total_seconds()):
self.register_issue(
Issue(test="bof_timing",
severity="Medium",
confidence="Medium",
text=("The time it took to resolve a request with a "
"long string was too long compared to the "
"baseline request. This could indicate a "
"vulnerability to buffer overflow attacks")))
def __init__(self, name):
self.errors = [3, 4]
self.successes = [5, 6]
self.name = name
self.failureException = Exception
issue1 = Issue(defect_type="fake",
severity=syntribos.LOW,
description="x",
confidence=syntribos.LOW)
issue1.target = "example.com"
issue1.path = "/test"
issue2 = Issue(defect_type="fake2",
severity=syntribos.MEDIUM,
description="x",
confidence=syntribos.LOW)
issue2.target = "example.com"
issue2.path = "/test2"
self.failures = [issue1, issue2]
def test_case(self):
self.test_default_issues()
self.failure_keys = self._get_strings()
failed_strings = self.data_driven_failure_cases()
if 'content-type' in self.init_request.headers:
content_type = self.init_request.headers['content-type']
if 'html' in content_type:
sev = "Medium"
else:
sev = "Low"
else:
sev = "Low"
if failed_strings:
self.register_issue(
Issue(test="xss_strings",
severity=sev,
confidence="Low",
text=("The string(s): \'{0}\', known to be commonly "
"returned after a successful XSS "
"attack, have been found in the response. This "
"could indicate a vulnerability to XSS "
"attacks.").format(failed_strings)
)
)